Create Interactive Tour

Analysis Report 0ef0070d_by_Libranalysis

Overview

General Information

Sample Name:	0ef0070d_by_Libranalysis (renamed file extension from none to exe)
Analysis ID:	410393
MD5:	0ef0070dfc132fc368c950f0bef762a3
SHA1:	572c864dfc9160e5aef2dcc9359bf909ca4ba1c5
SHA256:	097d28021ffb26cb5b7d2d1377578cd6e2005549e44b5b2491fd310ecf50f7a8
Infos:
Most interesting Screenshot:

Detection

Score:	56
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Found Tor onion address

Modifies existing user documents (likely ransomware behavior)

Contains functionality for execution timing, often used to detect debuggers

Detected potential crypto function

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

PE file contains sections with non-standard names

Queries the volume information (name, serial number etc) of a device

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Startup

System is w10x64

0ef0070d_by_Libranalysis.exe (PID: 6720 cmdline: 'C:\Users\user\Desktop\0ef0070d_by_Libranalysis.exe' MD5: 0EF0070DFC132FC368C950F0BEF762A3)

conhost.exe (PID: 6740 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Signature Overview

• AV Detection
• Cryptography
• Compliance
• Software Vulnerabilities
• Networking
• Spam, unwanted Advertisements and Ransom Demands
• System Summary
• Data Obfuscation
• Hooking and other Techniques for Hiding and Protection
• Malware Analysis System Evasion
• Anti Debugging
• Language, Device and Operating System Detection

Click to jump to signature section

Show All Signature Results

AV Detection:

Multi AV Scanner detection for submitted file

Show sources

Source: 0ef0070d_by_Libranalysis.exe	Virustotal: Detection: 40%			Perma Link
Source: 0ef0070d_by_Libranalysis.exe	ReversingLabs: Detection: 68%

Source: 0ef0070d_by_Libranalysis.exe, 00000000.00000002.662222778.0000000000F44000.00000008.00020000.sdmp

Binary or memory string: -----BEGIN RSA PUBLIC KEY-----

Source: 0ef0070d_by_Libranalysis.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DEBUG_STRIPPED

Source: 0ef0070d_by_Libranalysis.exe

Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source: C:\Users\user\Desktop\0ef0070d_by_Libranalysis.exe	Code function: 4x nop then mov ebp, ebx		0_2_00D748C0
Source: C:\Users\user\Desktop\0ef0070d_by_Libranalysis.exe	Code function: 4x nop then mov ecx, eax		0_2_00D759D0

Networking:

Found Tor onion address

Show sources

Source: 0ef0070d_by_Libranalysis.exe, 00000000.00000002.662222778.0000000000F44000.00000008.00020000.sdmp	String found in binary or memory: http://uqudwxzszbcj6uxbhbdccmixvwjfewn565ifotzvcbbimsjjcczsvpyd.onion/25659336f9879d3f18e3f621199af56de327d220d444654779aeb406a360f2d4
Source: 0ef0070d_by_Libranalysis.exe, 00000000.00000002.662222778.0000000000F44000.00000008.00020000.sdmp	String found in binary or memory: http://uqudwxzszbcj6uxbhbdccmixvwjfewn565ifotzvcbbimsjjcczsvpyd.onion/25659336f9879d3f18e3f621199af56de327d220d444654779aeb406a360f2d4az
Source: 0ef0070d_by_Libranalysis.exe	String found in binary or memory: http://uqudwxzszbcj6uxbhbdccmixvwjfewn565ifotzvcbbimsjjcczsvpyd.onion/25659336f9879d3f18e3f621199af56de327d220d444654779aeb406a360f2d4
Source: 0ef0070d_by_Libranalysis.exe	String found in binary or memory: http://uqudwxzszbcj6uxbhbdccmixvwjfewn565ifotzvcbbimsjjcczsvpyd.onion/25659336f9879d3f18e3f621199af56de327d220d444654779aeb406a360f2d4az

Source: 0ef0070d_by_Libranalysis.exe, 00000000.00000002.664146284.00000000117A8000.00000004.00000001.sdmp	String found in binary or memory: URL=http://www.facebook.com/ equals www.facebook.com (Facebook)
Source: 0ef0070d_by_Libranalysis.exe, 00000000.00000002.663579660.00000000116E6000.00000004.00000001.sdmp	String found in binary or memory: URL=http://www.twitter.com/ equals www.twitter.com (Twitter)
Source: 0ef0070d_by_Libranalysis.exe, 00000000.00000002.664651562.000000001181E000.00000004.00000001.sdmp	String found in binary or memory: URL=http://www.youtube.com/ equals www.youtube.com (Youtube)

Source: 0ef0070d_by_Libranalysis.exe	String found in binary or memory: http://uqudwxzszbcj6uxbhbdccmixvwjfewn565ifotzvcbbimsjjcczsvpyd.onion/25659336f9879d3f18e3f621199af5
Source: 0ef0070d_by_Libranalysis.exe, 00000000.00000002.664081645.0000000011798000.00000004.00000001.sdmp	String found in binary or memory: http://www.amazon.com/
Source: 0ef0070d_by_Libranalysis.exe, 00000000.00000002.663502998.00000000116DA000.00000004.00000001.sdmp	String found in binary or memory: http://www.google.com/
Source: 0ef0070d_by_Libranalysis.exe, 00000000.00000002.664738506.0000000011828000.00000004.00000001.sdmp	String found in binary or memory: http://www.live.com/
Source: 0ef0070d_by_Libranalysis.exe, 00000000.00000002.663616279.00000000116EA000.00000004.00000001.sdmp	String found in binary or memory: http://www.nytimes.com/
Source: 0ef0070d_by_Libranalysis.exe, 00000000.00000002.663631064.00000000116F0000.00000004.00000001.sdmp	String found in binary or memory: http://www.reddit.com/
Source: 0ef0070d_by_Libranalysis.exe, 00000000.00000002.663579660.00000000116E6000.00000004.00000001.sdmp	String found in binary or memory: http://www.twitter.com/
Source: 0ef0070d_by_Libranalysis.exe, 00000000.00000002.665404721.0000000011880000.00000004.00000001.sdmp	String found in binary or memory: http://www.wikipedia.com/
Source: 0ef0070d_by_Libranalysis.exe, 00000000.00000002.664651562.000000001181E000.00000004.00000001.sdmp	String found in binary or memory: http://www.youtube.com/

Spam, unwanted Advertisements and Ransom Demands:

Modifies existing user documents (likely ransomware behavior)

Show sources

Source: C:\Users\user\Desktop\0ef0070d_by_Libranalysis.exe	File moved: C:\Users\user\Desktop\WHZAGPPPLA.mp3	Jump to behavior
Source: C:\Users\user\Desktop\0ef0070d_by_Libranalysis.exe	File deleted: C:\Users\user\Desktop\WHZAGPPPLA.mp3	Jump to behavior
Source: C:\Users\user\Desktop\0ef0070d_by_Libranalysis.exe	File moved: C:\Users\user\Desktop\UBVUNTSCZJ.jpg	Jump to behavior
Source: C:\Users\user\Desktop\0ef0070d_by_Libranalysis.exe	File deleted: C:\Users\user\Desktop\UBVUNTSCZJ.jpg	Jump to behavior
Source: C:\Users\user\Desktop\0ef0070d_by_Libranalysis.exe	File moved: C:\Users\user\Desktop\BWDRWEEARI\DUKNXICOZT.png	Jump to behavior

Source: C:\Users\user\Desktop\0ef0070d_by_Libranalysis.exe	Code function: 0_2_00D770D0	0_2_00D770D0
Source: C:\Users\user\Desktop\0ef0070d_by_Libranalysis.exe	Code function: 0_2_00D818E0	0_2_00D818E0
Source: C:\Users\user\Desktop\0ef0070d_by_Libranalysis.exe	Code function: 0_2_00D580B0	0_2_00D580B0
Source: C:\Users\user\Desktop\0ef0070d_by_Libranalysis.exe	Code function: 0_2_00D6C0B0	0_2_00D6C0B0
Source: C:\Users\user\Desktop\0ef0070d_by_Libranalysis.exe	Code function: 0_2_00D5B830	0_2_00D5B830
Source: C:\Users\user\Desktop\0ef0070d_by_Libranalysis.exe	Code function: 0_2_00D779F9	0_2_00D779F9
Source: C:\Users\user\Desktop\0ef0070d_by_Libranalysis.exe	Code function: 0_2_00D6F910	0_2_00D6F910
Source: C:\Users\user\Desktop\0ef0070d_by_Libranalysis.exe	Code function: 0_2_00D602F0	0_2_00D602F0
Source: C:\Users\user\Desktop\0ef0070d_by_Libranalysis.exe	Code function: 0_2_00D76250	0_2_00D76250
Source: C:\Users\user\Desktop\0ef0070d_by_Libranalysis.exe	Code function: 0_2_00D923C7	0_2_00D923C7
Source: C:\Users\user\Desktop\0ef0070d_by_Libranalysis.exe	Code function: 0_2_00D783F0	0_2_00D783F0
Source: C:\Users\user\Desktop\0ef0070d_by_Libranalysis.exe	Code function: 0_2_00D65CD0	0_2_00D65CD0
Source: C:\Users\user\Desktop\0ef0070d_by_Libranalysis.exe	Code function: 0_2_00D74C4C	0_2_00D74C4C
Source: C:\Users\user\Desktop\0ef0070d_by_Libranalysis.exe	Code function: 0_2_00D57DE0	0_2_00D57DE0
Source: C:\Users\user\Desktop\0ef0070d_by_Libranalysis.exe	Code function: 0_2_00D60D80	0_2_00D60D80
Source: C:\Users\user\Desktop\0ef0070d_by_Libranalysis.exe	Code function: 0_2_00D6E540	0_2_00D6E540
Source: C:\Users\user\Desktop\0ef0070d_by_Libranalysis.exe	Code function: 0_2_00D61D30	0_2_00D61D30
Source: C:\Users\user\Desktop\0ef0070d_by_Libranalysis.exe	Code function: 0_2_00D60EF0	0_2_00D60EF0
Source: C:\Users\user\Desktop\0ef0070d_by_Libranalysis.exe	Code function: 0_2_00D776E0	0_2_00D776E0
Source: C:\Users\user\Desktop\0ef0070d_by_Libranalysis.exe	Code function: 0_2_00D5CE39	0_2_00D5CE39
Source: C:\Users\user\Desktop\0ef0070d_by_Libranalysis.exe	Code function: 0_2_00D68FD0	0_2_00D68FD0
Source: C:\Users\user\Desktop\0ef0070d_by_Libranalysis.exe	Code function: 0_2_00D77F90	0_2_00D77F90
Source: C:\Users\user\Desktop\0ef0070d_by_Libranalysis.exe	Code function: 0_2_00D66F10	0_2_00D66F10
Source: C:\Users\user\Desktop\0ef0070d_by_Libranalysis.exe	Code function: 0_2_00D87729	0_2_00D87729

Source: C:\Users\user\Desktop\0ef0070d_by_Libranalysis.exe	Code function: String function: 00D82D70 appears 373 times
Source: C:\Users\user\Desktop\0ef0070d_by_Libranalysis.exe	Code function: String function: 00D80D70 appears 363 times

Source: 0ef0070d_by_Libranalysis.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DEBUG_STRIPPED

Source: classification engine

Classification label: mal56.rans.evad.winEXE@2/145@0/0

Source: C:\Users\user\Desktop\0ef0070d_by_Libranalysis.exe

File created: C:\Users\read_me_unlock.txt

Jump to behavior

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6740:120:WilError_01

Source: 0ef0070d_by_Libranalysis.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\0ef0070d_by_Libranalysis.exe

File read: C:\Users\user\ntuser.ini

Jump to behavior

Source: C:\Users\user\Desktop\0ef0070d_by_Libranalysis.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: 0ef0070d_by_Libranalysis.exe	Virustotal: Detection: 40%
Source: 0ef0070d_by_Libranalysis.exe	ReversingLabs: Detection: 68%

Source: unknown	Process created: C:\Users\user\Desktop\0ef0070d_by_Libranalysis.exe 'C:\Users\user\Desktop\0ef0070d_by_Libranalysis.exe'
Source: C:\Users\user\Desktop\0ef0070d_by_Libranalysis.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Source: C:\Users\user\Desktop\0ef0070d_by_Libranalysis.exe

File written: C:\Users\user\ntuser.ini

Jump to behavior

Source: 0ef0070d_by_Libranalysis.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: 0ef0070d_by_Libranalysis.exe

Static file information: File size 2207232 > 1048576

Source: 0ef0070d_by_Libranalysis.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x101e00

Source: 0ef0070d_by_Libranalysis.exe

Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source: 0ef0070d_by_Libranalysis.exe

Static PE information: section name: .symtab

Source: C:\Users\user\Desktop\0ef0070d_by_Libranalysis.exe	Code function: 0_2_00D8D002 pushfd ; ret	0_2_00D8D003
Source: C:\Users\user\Desktop\0ef0070d_by_Libranalysis.exe	Code function: 0_2_00D97C9A push esp; retf	0_2_00D97C9B
Source: C:\Users\user\Desktop\0ef0070d_by_Libranalysis.exe	Code function: 0_2_00D704AA push eax; iretd	0_2_00D704AB
Source: C:\Users\user\Desktop\0ef0070d_by_Libranalysis.exe	Code function: 0_2_00D89479 pushfd ; ret	0_2_00D8947A
Source: C:\Users\user\Desktop\0ef0070d_by_Libranalysis.exe	Code function: 0_2_00D8CF81 pushfd ; ret	0_2_00D8CF82

Source: C:\Users\user\Desktop\0ef0070d_by_Libranalysis.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\0ef0070d_by_Libranalysis.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX			Jump to behavior

Source: C:\Users\user\Desktop\0ef0070d_by_Libranalysis.exe

Code function: 0_2_00DA9C40 rdtsc

0_2_00DA9C40

Source: C:\Users\user\Desktop\0ef0070d_by_Libranalysis.exe

Code function: 0_2_00D7C800 SetConsoleCtrlHandler,GetSystemInfo,SetProcessPriorityBoost,

0_2_00D7C800

Source: C:\Users\user\Desktop\0ef0070d_by_Libranalysis.exe

Code function: 0_2_00DA9C40 rdtsc

0_2_00DA9C40

Source: C:\Users\user\Desktop\0ef0070d_by_Libranalysis.exe

Code function: 0_2_00D91490 AddVectoredExceptionHandler,SetUnhandledExceptionFilter,

0_2_00D91490

Source: C:\Users\user\Desktop\0ef0070d_by_Libranalysis.exe	Queries volume information: C:\Documents and Settings VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0ef0070d_by_Libranalysis.exe	Queries volume information: C:\Users VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0ef0070d_by_Libranalysis.exe	Queries volume information: C:\Users\All Users VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0ef0070d_by_Libranalysis.exe	Queries volume information: C:\ProgramData VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0ef0070d_by_Libranalysis.exe	Queries volume information: C:\Users\Default\Application Data VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0ef0070d_by_Libranalysis.exe	Queries volume information: C:\Users\Default\Cookies VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0ef0070d_by_Libranalysis.exe	Queries volume information: C:\Users\Default\AppData\Roaming VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0ef0070d_by_Libranalysis.exe	Queries volume information: C:\Users\Default\AppData\Local\Microsoft\Windows\INetCookies VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0ef0070d_by_Libranalysis.exe	Queries volume information: C:\Users\Default\Documents\My Music VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0ef0070d_by_Libranalysis.exe	Queries volume information: C:\Users\Default\Documents\My Pictures VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0ef0070d_by_Libranalysis.exe	Queries volume information: C:\Users\Default\Music VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0ef0070d_by_Libranalysis.exe	Queries volume information: C:\Users\Default\Documents\My Videos VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0ef0070d_by_Libranalysis.exe	Queries volume information: C:\Users\Default\Pictures VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0ef0070d_by_Libranalysis.exe	Queries volume information: C:\Users\Default\Videos VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0ef0070d_by_Libranalysis.exe	Queries volume information: C:\Users\Default\Local Settings VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0ef0070d_by_Libranalysis.exe	Queries volume information: C:\Users\Default\My Documents VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0ef0070d_by_Libranalysis.exe	Queries volume information: C:\Users\Default\AppData\Local VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0ef0070d_by_Libranalysis.exe	Queries volume information: C:\Users\Default\Documents VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0ef0070d_by_Libranalysis.exe	Queries volume information: C:\Users\Default\NetHood VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0ef0070d_by_Libranalysis.exe	Queries volume information: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Network Shortcuts VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0ef0070d_by_Libranalysis.exe	Queries volume information: C:\Users\Default\PrintHood VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0ef0070d_by_Libranalysis.exe	Queries volume information: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Printer Shortcuts VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0ef0070d_by_Libranalysis.exe	Queries volume information: C:\Users\Default\Recent VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0ef0070d_by_Libranalysis.exe	Queries volume information: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Recent VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0ef0070d_by_Libranalysis.exe	Queries volume information: C:\Users\Default\SendTo VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0ef0070d_by_Libranalysis.exe	Queries volume information: C:\Users\Default\Start Menu VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0ef0070d_by_Libranalysis.exe	Queries volume information: C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0ef0070d_by_Libranalysis.exe	Queries volume information: C:\Users\Default\Templates VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0ef0070d_by_Libranalysis.exe	Queries volume information: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0ef0070d_by_Libranalysis.exe	Queries volume information: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Templates VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0ef0070d_by_Libranalysis.exe	Queries volume information: C:\Users\Default User VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0ef0070d_by_Libranalysis.exe	Queries volume information: C:\Users\Default VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0ef0070d_by_Libranalysis.exe	Queries volume information: C:\Users\Public\Documents\My Music VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0ef0070d_by_Libranalysis.exe	Queries volume information: C:\Users\Public\Documents\My Pictures VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0ef0070d_by_Libranalysis.exe	Queries volume information: C:\Users\Public\Music VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0ef0070d_by_Libranalysis.exe	Queries volume information: C:\Users\Public\Documents\My Videos VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0ef0070d_by_Libranalysis.exe	Queries volume information: C:\Users\Public\Pictures VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0ef0070d_by_Libranalysis.exe	Queries volume information: C:\Users\Public\Videos VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0ef0070d_by_Libranalysis.exe	Queries volume information: C:\Users\user\Application Data VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0ef0070d_by_Libranalysis.exe	Queries volume information: C:\Users\user\AppData\Roaming VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0ef0070d_by_Libranalysis.exe	Queries volume information: C:\Users\user\Cookies VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0ef0070d_by_Libranalysis.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Windows\INetCookies VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0ef0070d_by_Libranalysis.exe	Queries volume information: C:\Users\user\Documents\My Music VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0ef0070d_by_Libranalysis.exe	Queries volume information: C:\Users\user\Documents\My Pictures VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0ef0070d_by_Libranalysis.exe	Queries volume information: C:\Users\user\Documents\My Videos VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0ef0070d_by_Libranalysis.exe	Queries volume information: C:\Users\user\Music VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0ef0070d_by_Libranalysis.exe	Queries volume information: C:\Users\user\Pictures VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0ef0070d_by_Libranalysis.exe	Queries volume information: C:\Users\user\Videos VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0ef0070d_by_Libranalysis.exe	Queries volume information: C:\Users\user\Local Settings VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0ef0070d_by_Libranalysis.exe	Queries volume information: C:\Users\user\AppData\Local VolumeInformation	Jump to behavior

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	Process Injection1	Masquerading1	OS Credential Dumping	Security Software Discovery1	Remote Services	Archive Collected Data11	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Data Encrypted for Impact1
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Process Injection1	LSASS Memory	File and Directory Discovery2	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Proxy1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Deobfuscate/Decode Files or Information1	Security Account Manager	System Information Discovery12	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Obfuscated Files or Information3	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
0ef0070d_by_Libranalysis.exe	40%	Virustotal		Browse
0ef0070d_by_Libranalysis.exe	69%	ReversingLabs	Win32.Ransomware.Encoder

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://uqudwxzszbcj6uxbhbdccmixvwjfewn565ifotzvcbbimsjjcczsvpyd.onion/25659336f9879d3f18e3f621199af5	0%	Avira URL Cloud	safe
http://www.wikipedia.com/	0%	URL Reputation	safe
http://www.wikipedia.com/	0%	URL Reputation	safe
http://www.wikipedia.com/	0%	URL Reputation	safe
http://www.wikipedia.com/	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://uqudwxzszbcj6uxbhbdccmixvwjfewn565ifotzvcbbimsjjcczsvpyd.onion/25659336f9879d3f18e3f621199af5	0ef0070d_by_Libranalysis.exe	true	Avira URL Cloud: safe	unknown
http://www.wikipedia.com/	0ef0070d_by_Libranalysis.exe, 00000000.00000002.665404721.0000000011880000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.amazon.com/	0ef0070d_by_Libranalysis.exe, 00000000.00000002.664081645.0000000011798000.00000004.00000001.sdmp	false		high
http://www.nytimes.com/	0ef0070d_by_Libranalysis.exe, 00000000.00000002.663616279.00000000116EA000.00000004.00000001.sdmp	false		high
http://www.live.com/	0ef0070d_by_Libranalysis.exe, 00000000.00000002.664738506.0000000011828000.00000004.00000001.sdmp	false		high
http://www.reddit.com/	0ef0070d_by_Libranalysis.exe, 00000000.00000002.663631064.00000000116F0000.00000004.00000001.sdmp	false		high
http://www.twitter.com/	0ef0070d_by_Libranalysis.exe, 00000000.00000002.663579660.00000000116E6000.00000004.00000001.sdmp	false		high
http://www.youtube.com/	0ef0070d_by_Libranalysis.exe, 00000000.00000002.664651562.000000001181E000.00000004.00000001.sdmp	false		high

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version:	32.0.0 Black Diamond
Analysis ID:	410393
Start date:	11.05.2021
Start time:	03:06:26
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 6m 14s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	0ef0070d_by_Libranalysis (renamed file extension from none to exe)
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	21
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal56.rans.evad.winEXE@2/145@0/0
EGA Information:	Failed
HDC Information:	Successful, ratio: 26.6% (good quality ratio 7.9%) Quality average: 13.7% Quality standard deviation: 23.6%
HCA Information:	Failed
Cookbook Comments:	Adjust boot time Enable AMSI
Warnings:	Show All Report size getting too big, too many NtQueryVolumeInformationFile calls found.

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\MSOCache\read_me_unlock.txt Download File
Process:	C:\Users\user\Desktop\0ef0070d_by_Libranalysis.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	696
Entropy (8bit):	4.881841175168212
Encrypted:	false
SSDEEP:	12:awnG6J+d6tYzsqoo85X2OqHEMN94XsEU14HQ5BRWH1:aYC6GX85X2fHx/4cES4HEBy1
MD5:	04953EFE5CE48616B2ACD837ACCD6EB8
SHA1:	F7E7DF61C8556A9DF22208114C9D77C50B882731
SHA-256:	DAFC32C6BA65F27943B0E7E1C6F714A0C909904FB3156E7123F8A978F0948CD4
SHA-512:	888A80330EC599E48A6BBA56F709C3BB2EE12A9D582D45D861D42845CC65D0DF1B7B9C84D41395ABDAE88204D5DBF4876767891A062A7951EB059F19A063B523
Malicious:	false
Reputation:	low
Preview:	Hello dear westernpathologyinc! ....Unfortunately, your files have been encrypted and attackers are taking over 1 TB of your personal data. ....financial reports and many other documents. ....Do not try to recover files yourself, you can damage them without special software. ....We can help you recover your files and prevent your data from leaking or being sold on the darknet. ....Just contact support using the following methods and we will decrypt ..one non-important file for free to convince you of our honesty....use TOR browser to talk with support....http://uqudwxzszbcj6uxbhbdccmixvwjfewn565ifotzvcbbimsjjcczsvpyd.onion/25659336f9879d3f18e3f621199af56de327d220d444654779aeb406a360f2d4

C:\PerfLogs\read_me_unlock.txt Download File
Process:	C:\Users\user\Desktop\0ef0070d_by_Libranalysis.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	696
Entropy (8bit):	4.881841175168212
Encrypted:	false
SSDEEP:	12:awnG6J+d6tYzsqoo85X2OqHEMN94XsEU14HQ5BRWH1:aYC6GX85X2fHx/4cES4HEBy1
MD5:	04953EFE5CE48616B2ACD837ACCD6EB8
SHA1:	F7E7DF61C8556A9DF22208114C9D77C50B882731
SHA-256:	DAFC32C6BA65F27943B0E7E1C6F714A0C909904FB3156E7123F8A978F0948CD4
SHA-512:	888A80330EC599E48A6BBA56F709C3BB2EE12A9D582D45D861D42845CC65D0DF1B7B9C84D41395ABDAE88204D5DBF4876767891A062A7951EB059F19A063B523
Malicious:	false
Reputation:	low
Preview:	Hello dear westernpathologyinc! ....Unfortunately, your files have been encrypted and attackers are taking over 1 TB of your personal data. ....financial reports and many other documents. ....Do not try to recover files yourself, you can damage them without special software. ....We can help you recover your files and prevent your data from leaking or being sold on the darknet. ....Just contact support using the following methods and we will decrypt ..one non-important file for free to convince you of our honesty....use TOR browser to talk with support....http://uqudwxzszbcj6uxbhbdccmixvwjfewn565ifotzvcbbimsjjcczsvpyd.onion/25659336f9879d3f18e3f621199af56de327d220d444654779aeb406a360f2d4

C:\Recovery\read_me_unlock.txt Download File
Process:	C:\Users\user\Desktop\0ef0070d_by_Libranalysis.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	696
Entropy (8bit):	4.881841175168212
Encrypted:	false
SSDEEP:	12:awnG6J+d6tYzsqoo85X2OqHEMN94XsEU14HQ5BRWH1:aYC6GX85X2fHx/4cES4HEBy1
MD5:	04953EFE5CE48616B2ACD837ACCD6EB8
SHA1:	F7E7DF61C8556A9DF22208114C9D77C50B882731
SHA-256:	DAFC32C6BA65F27943B0E7E1C6F714A0C909904FB3156E7123F8A978F0948CD4
SHA-512:	888A80330EC599E48A6BBA56F709C3BB2EE12A9D582D45D861D42845CC65D0DF1B7B9C84D41395ABDAE88204D5DBF4876767891A062A7951EB059F19A063B523
Malicious:	false
Reputation:	low
Preview:	Hello dear westernpathologyinc! ....Unfortunately, your files have been encrypted and attackers are taking over 1 TB of your personal data. ....financial reports and many other documents. ....Do not try to recover files yourself, you can damage them without special software. ....We can help you recover your files and prevent your data from leaking or being sold on the darknet. ....Just contact support using the following methods and we will decrypt ..one non-important file for free to convince you of our honesty....use TOR browser to talk with support....http://uqudwxzszbcj6uxbhbdccmixvwjfewn565ifotzvcbbimsjjcczsvpyd.onion/25659336f9879d3f18e3f621199af56de327d220d444654779aeb406a360f2d4

C:\System Volume Information\tracking.log Download File
Process:	C:\Users\user\Desktop\0ef0070d_by_Libranalysis.exe
File Type:	data
Category:	dropped
Size (bytes):	16644
Entropy (8bit):	7.989506046763439
Encrypted:	false
SSDEEP:	384:TuJZdZ3ObUJyH/wrg6jJGG+mtymL7oL9tj2sKe82yafjQu:TuJ7pe4tGGftyGgtj2uyafj
MD5:	27DE24CBCB94F548531CC421421EF03C
SHA1:	EF553B84159AFCBCDB40AE18D539D680D5059CD5
SHA-256:	3076CF6BFD655ECB1927BD4A432A1C13126B6E5FF7EEB6C8FC5B4D3A488284D4
SHA-512:	3376F940209F1A8938BCA519D8B05CF847DC347B4757C003126D8E76DEAF1B65847D24CC6242EDB24D2539202CE542655481C15E39AABD7A6A30D0F0A3A1C82B
Malicious:	false
Reputation:	low
Preview:	..n.Y~O......,....Qi,=..V..d\|...w.......F6]......YO.dS..R.s@.....w..{}.8..jO.+...M1....g..K...-._...5.H..{..e=.2h.[.....H.W.......O.......d..4.X....B.Oh...].....MY....9.)..l.......H.m.:N\|^.2.+...`eB......G..AD8w.m.s..0.+C..aL.{'.E;..J.......;0.0FI5Q/...G......9.P...Z..l..0d..Z.....%.&..>G..wV..T....<...9.c.....S....Rk.....y...P..U. C.>."..Bk...R.....u..$..=..<B....l.Fy(....}...OCz.....g..Q,.l......./gT..P.`9;.8....a...;.....Gn.P....tz..[2{..\..:"o..`c.L..T....c...."..2...<.5.;l..\|.A..PjhLM..N&.........{L{.._6..Z...........z.....".y.h..k...xo......p80.....'...x...........8}qfsh...V.i4..1..&r]Pgt..../L7;...q........5..n.1".iFj>.2.XW.I#.$.4f.w...e;.......UIA./....a..8F..F.-..Bh.....U..G..........G...2.5..........]F.(+.E}...#9.J..-{W.....M..g\..5d..3.........\|.U.`yq$...a....5....>B......j~....Ql.-.Iq.N...1.(..[..".1.....Z.......w...c..#nZO..W.........Y...m.K..Xm...(...`.p....AG...&.....4U.x..f...M&...x.........^M/7.K.5.L.LQ9.@Y!YG.

C:\Users\Default\Desktop\read_me_unlock.txt Download File
Process:	C:\Users\user\Desktop\0ef0070d_by_Libranalysis.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	696
Entropy (8bit):	4.881841175168212
Encrypted:	false
SSDEEP:	12:awnG6J+d6tYzsqoo85X2OqHEMN94XsEU14HQ5BRWH1:aYC6GX85X2fHx/4cES4HEBy1
MD5:	04953EFE5CE48616B2ACD837ACCD6EB8
SHA1:	F7E7DF61C8556A9DF22208114C9D77C50B882731
SHA-256:	DAFC32C6BA65F27943B0E7E1C6F714A0C909904FB3156E7123F8A978F0948CD4
SHA-512:	888A80330EC599E48A6BBA56F709C3BB2EE12A9D582D45D861D42845CC65D0DF1B7B9C84D41395ABDAE88204D5DBF4876767891A062A7951EB059F19A063B523
Malicious:	false
Reputation:	low
Preview:	Hello dear westernpathologyinc! ....Unfortunately, your files have been encrypted and attackers are taking over 1 TB of your personal data. ....financial reports and many other documents. ....Do not try to recover files yourself, you can damage them without special software. ....We can help you recover your files and prevent your data from leaking or being sold on the darknet. ....Just contact support using the following methods and we will decrypt ..one non-important file for free to convince you of our honesty....use TOR browser to talk with support....http://uqudwxzszbcj6uxbhbdccmixvwjfewn565ifotzvcbbimsjjcczsvpyd.onion/25659336f9879d3f18e3f621199af56de327d220d444654779aeb406a360f2d4

C:\Users\Default\Documents\read_me_unlock.txt Download File
Process:	C:\Users\user\Desktop\0ef0070d_by_Libranalysis.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	696
Entropy (8bit):	4.881841175168212
Encrypted:	false
SSDEEP:	12:awnG6J+d6tYzsqoo85X2OqHEMN94XsEU14HQ5BRWH1:aYC6GX85X2fHx/4cES4HEBy1
MD5:	04953EFE5CE48616B2ACD837ACCD6EB8
SHA1:	F7E7DF61C8556A9DF22208114C9D77C50B882731
SHA-256:	DAFC32C6BA65F27943B0E7E1C6F714A0C909904FB3156E7123F8A978F0948CD4
SHA-512:	888A80330EC599E48A6BBA56F709C3BB2EE12A9D582D45D861D42845CC65D0DF1B7B9C84D41395ABDAE88204D5DBF4876767891A062A7951EB059F19A063B523
Malicious:	false
Reputation:	low
Preview:	Hello dear westernpathologyinc! ....Unfortunately, your files have been encrypted and attackers are taking over 1 TB of your personal data. ....financial reports and many other documents. ....Do not try to recover files yourself, you can damage them without special software. ....We can help you recover your files and prevent your data from leaking or being sold on the darknet. ....Just contact support using the following methods and we will decrypt ..one non-important file for free to convince you of our honesty....use TOR browser to talk with support....http://uqudwxzszbcj6uxbhbdccmixvwjfewn565ifotzvcbbimsjjcczsvpyd.onion/25659336f9879d3f18e3f621199af56de327d220d444654779aeb406a360f2d4

C:\Users\Default\Downloads\read_me_unlock.txt Download File
Process:	C:\Users\user\Desktop\0ef0070d_by_Libranalysis.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	696
Entropy (8bit):	4.881841175168212
Encrypted:	false
SSDEEP:	12:awnG6J+d6tYzsqoo85X2OqHEMN94XsEU14HQ5BRWH1:aYC6GX85X2fHx/4cES4HEBy1
MD5:	04953EFE5CE48616B2ACD837ACCD6EB8
SHA1:	F7E7DF61C8556A9DF22208114C9D77C50B882731
SHA-256:	DAFC32C6BA65F27943B0E7E1C6F714A0C909904FB3156E7123F8A978F0948CD4
SHA-512:	888A80330EC599E48A6BBA56F709C3BB2EE12A9D582D45D861D42845CC65D0DF1B7B9C84D41395ABDAE88204D5DBF4876767891A062A7951EB059F19A063B523
Malicious:	false
Reputation:	low
Preview:	Hello dear westernpathologyinc! ....Unfortunately, your files have been encrypted and attackers are taking over 1 TB of your personal data. ....financial reports and many other documents. ....Do not try to recover files yourself, you can damage them without special software. ....We can help you recover your files and prevent your data from leaking or being sold on the darknet. ....Just contact support using the following methods and we will decrypt ..one non-important file for free to convince you of our honesty....use TOR browser to talk with support....http://uqudwxzszbcj6uxbhbdccmixvwjfewn565ifotzvcbbimsjjcczsvpyd.onion/25659336f9879d3f18e3f621199af56de327d220d444654779aeb406a360f2d4

C:\Users\Default\Favorites\read_me_unlock.txt Download File
Process:	C:\Users\user\Desktop\0ef0070d_by_Libranalysis.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	696
Entropy (8bit):	4.881841175168212
Encrypted:	false
SSDEEP:	12:awnG6J+d6tYzsqoo85X2OqHEMN94XsEU14HQ5BRWH1:aYC6GX85X2fHx/4cES4HEBy1
MD5:	04953EFE5CE48616B2ACD837ACCD6EB8
SHA1:	F7E7DF61C8556A9DF22208114C9D77C50B882731
SHA-256:	DAFC32C6BA65F27943B0E7E1C6F714A0C909904FB3156E7123F8A978F0948CD4
SHA-512:	888A80330EC599E48A6BBA56F709C3BB2EE12A9D582D45D861D42845CC65D0DF1B7B9C84D41395ABDAE88204D5DBF4876767891A062A7951EB059F19A063B523
Malicious:	false
Reputation:	low
Preview:	Hello dear westernpathologyinc! ....Unfortunately, your files have been encrypted and attackers are taking over 1 TB of your personal data. ....financial reports and many other documents. ....Do not try to recover files yourself, you can damage them without special software. ....We can help you recover your files and prevent your data from leaking or being sold on the darknet. ....Just contact support using the following methods and we will decrypt ..one non-important file for free to convince you of our honesty....use TOR browser to talk with support....http://uqudwxzszbcj6uxbhbdccmixvwjfewn565ifotzvcbbimsjjcczsvpyd.onion/25659336f9879d3f18e3f621199af56de327d220d444654779aeb406a360f2d4

C:\Users\Default\Links\read_me_unlock.txt Download File
Process:	C:\Users\user\Desktop\0ef0070d_by_Libranalysis.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	696
Entropy (8bit):	4.881841175168212
Encrypted:	false
SSDEEP:	12:awnG6J+d6tYzsqoo85X2OqHEMN94XsEU14HQ5BRWH1:aYC6GX85X2fHx/4cES4HEBy1
MD5:	04953EFE5CE48616B2ACD837ACCD6EB8
SHA1:	F7E7DF61C8556A9DF22208114C9D77C50B882731
SHA-256:	DAFC32C6BA65F27943B0E7E1C6F714A0C909904FB3156E7123F8A978F0948CD4
SHA-512:	888A80330EC599E48A6BBA56F709C3BB2EE12A9D582D45D861D42845CC65D0DF1B7B9C84D41395ABDAE88204D5DBF4876767891A062A7951EB059F19A063B523
Malicious:	false
Reputation:	low
Preview:	Hello dear westernpathologyinc! ....Unfortunately, your files have been encrypted and attackers are taking over 1 TB of your personal data. ....financial reports and many other documents. ....Do not try to recover files yourself, you can damage them without special software. ....We can help you recover your files and prevent your data from leaking or being sold on the darknet. ....Just contact support using the following methods and we will decrypt ..one non-important file for free to convince you of our honesty....use TOR browser to talk with support....http://uqudwxzszbcj6uxbhbdccmixvwjfewn565ifotzvcbbimsjjcczsvpyd.onion/25659336f9879d3f18e3f621199af56de327d220d444654779aeb406a360f2d4

C:\Users\Default\Music\read_me_unlock.txt Download File
Process:	C:\Users\user\Desktop\0ef0070d_by_Libranalysis.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	696
Entropy (8bit):	4.881841175168212
Encrypted:	false
SSDEEP:	12:awnG6J+d6tYzsqoo85X2OqHEMN94XsEU14HQ5BRWH1:aYC6GX85X2fHx/4cES4HEBy1
MD5:	04953EFE5CE48616B2ACD837ACCD6EB8
SHA1:	F7E7DF61C8556A9DF22208114C9D77C50B882731
SHA-256:	DAFC32C6BA65F27943B0E7E1C6F714A0C909904FB3156E7123F8A978F0948CD4
SHA-512:	888A80330EC599E48A6BBA56F709C3BB2EE12A9D582D45D861D42845CC65D0DF1B7B9C84D41395ABDAE88204D5DBF4876767891A062A7951EB059F19A063B523
Malicious:	false
Reputation:	low
Preview:	Hello dear westernpathologyinc! ....Unfortunately, your files have been encrypted and attackers are taking over 1 TB of your personal data. ....financial reports and many other documents. ....Do not try to recover files yourself, you can damage them without special software. ....We can help you recover your files and prevent your data from leaking or being sold on the darknet. ....Just contact support using the following methods and we will decrypt ..one non-important file for free to convince you of our honesty....use TOR browser to talk with support....http://uqudwxzszbcj6uxbhbdccmixvwjfewn565ifotzvcbbimsjjcczsvpyd.onion/25659336f9879d3f18e3f621199af56de327d220d444654779aeb406a360f2d4

C:\Users\Default\Pictures\read_me_unlock.txt Download File
Process:	C:\Users\user\Desktop\0ef0070d_by_Libranalysis.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	696
Entropy (8bit):	4.881841175168212
Encrypted:	false
SSDEEP:	12:awnG6J+d6tYzsqoo85X2OqHEMN94XsEU14HQ5BRWH1:aYC6GX85X2fHx/4cES4HEBy1
MD5:	04953EFE5CE48616B2ACD837ACCD6EB8
SHA1:	F7E7DF61C8556A9DF22208114C9D77C50B882731
SHA-256:	DAFC32C6BA65F27943B0E7E1C6F714A0C909904FB3156E7123F8A978F0948CD4
SHA-512:	888A80330EC599E48A6BBA56F709C3BB2EE12A9D582D45D861D42845CC65D0DF1B7B9C84D41395ABDAE88204D5DBF4876767891A062A7951EB059F19A063B523
Malicious:	false
Reputation:	low
Preview:	Hello dear westernpathologyinc! ....Unfortunately, your files have been encrypted and attackers are taking over 1 TB of your personal data. ....financial reports and many other documents. ....Do not try to recover files yourself, you can damage them without special software. ....We can help you recover your files and prevent your data from leaking or being sold on the darknet. ....Just contact support using the following methods and we will decrypt ..one non-important file for free to convince you of our honesty....use TOR browser to talk with support....http://uqudwxzszbcj6uxbhbdccmixvwjfewn565ifotzvcbbimsjjcczsvpyd.onion/25659336f9879d3f18e3f621199af56de327d220d444654779aeb406a360f2d4

C:\Users\Default\Saved Games\read_me_unlock.txt Download File
Process:	C:\Users\user\Desktop\0ef0070d_by_Libranalysis.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	696
Entropy (8bit):	4.881841175168212
Encrypted:	false
SSDEEP:	12:awnG6J+d6tYzsqoo85X2OqHEMN94XsEU14HQ5BRWH1:aYC6GX85X2fHx/4cES4HEBy1
MD5:	04953EFE5CE48616B2ACD837ACCD6EB8
SHA1:	F7E7DF61C8556A9DF22208114C9D77C50B882731
SHA-256:	DAFC32C6BA65F27943B0E7E1C6F714A0C909904FB3156E7123F8A978F0948CD4
SHA-512:	888A80330EC599E48A6BBA56F709C3BB2EE12A9D582D45D861D42845CC65D0DF1B7B9C84D41395ABDAE88204D5DBF4876767891A062A7951EB059F19A063B523
Malicious:	false
Reputation:	low
Preview:	Hello dear westernpathologyinc! ....Unfortunately, your files have been encrypted and attackers are taking over 1 TB of your personal data. ....financial reports and many other documents. ....Do not try to recover files yourself, you can damage them without special software. ....We can help you recover your files and prevent your data from leaking or being sold on the darknet. ....Just contact support using the following methods and we will decrypt ..one non-important file for free to convince you of our honesty....use TOR browser to talk with support....http://uqudwxzszbcj6uxbhbdccmixvwjfewn565ifotzvcbbimsjjcczsvpyd.onion/25659336f9879d3f18e3f621199af56de327d220d444654779aeb406a360f2d4

C:\Users\Default\Videos\read_me_unlock.txt Download File
Process:	C:\Users\user\Desktop\0ef0070d_by_Libranalysis.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	696
Entropy (8bit):	4.881841175168212
Encrypted:	false
SSDEEP:	12:awnG6J+d6tYzsqoo85X2OqHEMN94XsEU14HQ5BRWH1:aYC6GX85X2fHx/4cES4HEBy1
MD5:	04953EFE5CE48616B2ACD837ACCD6EB8
SHA1:	F7E7DF61C8556A9DF22208114C9D77C50B882731
SHA-256:	DAFC32C6BA65F27943B0E7E1C6F714A0C909904FB3156E7123F8A978F0948CD4
SHA-512:	888A80330EC599E48A6BBA56F709C3BB2EE12A9D582D45D861D42845CC65D0DF1B7B9C84D41395ABDAE88204D5DBF4876767891A062A7951EB059F19A063B523
Malicious:	false
Preview:	Hello dear westernpathologyinc! ....Unfortunately, your files have been encrypted and attackers are taking over 1 TB of your personal data. ....financial reports and many other documents. ....Do not try to recover files yourself, you can damage them without special software. ....We can help you recover your files and prevent your data from leaking or being sold on the darknet. ....Just contact support using the following methods and we will decrypt ..one non-important file for free to convince you of our honesty....use TOR browser to talk with support....http://uqudwxzszbcj6uxbhbdccmixvwjfewn565ifotzvcbbimsjjcczsvpyd.onion/25659336f9879d3f18e3f621199af56de327d220d444654779aeb406a360f2d4

C:\Users\Default\read_me_unlock.txt Download File
Process:	C:\Users\user\Desktop\0ef0070d_by_Libranalysis.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	696
Entropy (8bit):	4.881841175168212
Encrypted:	false
SSDEEP:	12:awnG6J+d6tYzsqoo85X2OqHEMN94XsEU14HQ5BRWH1:aYC6GX85X2fHx/4cES4HEBy1
MD5:	04953EFE5CE48616B2ACD837ACCD6EB8
SHA1:	F7E7DF61C8556A9DF22208114C9D77C50B882731
SHA-256:	DAFC32C6BA65F27943B0E7E1C6F714A0C909904FB3156E7123F8A978F0948CD4
SHA-512:	888A80330EC599E48A6BBA56F709C3BB2EE12A9D582D45D861D42845CC65D0DF1B7B9C84D41395ABDAE88204D5DBF4876767891A062A7951EB059F19A063B523
Malicious:	false
Preview:	Hello dear westernpathologyinc! ....Unfortunately, your files have been encrypted and attackers are taking over 1 TB of your personal data. ....financial reports and many other documents. ....Do not try to recover files yourself, you can damage them without special software. ....We can help you recover your files and prevent your data from leaking or being sold on the darknet. ....Just contact support using the following methods and we will decrypt ..one non-important file for free to convince you of our honesty....use TOR browser to talk with support....http://uqudwxzszbcj6uxbhbdccmixvwjfewn565ifotzvcbbimsjjcczsvpyd.onion/25659336f9879d3f18e3f621199af56de327d220d444654779aeb406a360f2d4

C:\Users\Public\AccountPictures\read_me_unlock.txt Download File
Process:	C:\Users\user\Desktop\0ef0070d_by_Libranalysis.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	696
Entropy (8bit):	4.881841175168212
Encrypted:	false
SSDEEP:	12:awnG6J+d6tYzsqoo85X2OqHEMN94XsEU14HQ5BRWH1:aYC6GX85X2fHx/4cES4HEBy1
MD5:	04953EFE5CE48616B2ACD837ACCD6EB8
SHA1:	F7E7DF61C8556A9DF22208114C9D77C50B882731
SHA-256:	DAFC32C6BA65F27943B0E7E1C6F714A0C909904FB3156E7123F8A978F0948CD4
SHA-512:	888A80330EC599E48A6BBA56F709C3BB2EE12A9D582D45D861D42845CC65D0DF1B7B9C84D41395ABDAE88204D5DBF4876767891A062A7951EB059F19A063B523
Malicious:	false
Preview:	Hello dear westernpathologyinc! ....Unfortunately, your files have been encrypted and attackers are taking over 1 TB of your personal data. ....financial reports and many other documents. ....Do not try to recover files yourself, you can damage them without special software. ....We can help you recover your files and prevent your data from leaking or being sold on the darknet. ....Just contact support using the following methods and we will decrypt ..one non-important file for free to convince you of our honesty....use TOR browser to talk with support....http://uqudwxzszbcj6uxbhbdccmixvwjfewn565ifotzvcbbimsjjcczsvpyd.onion/25659336f9879d3f18e3f621199af56de327d220d444654779aeb406a360f2d4

C:\Users\Public\Desktop\Acrobat Reader DC.lnk Download File
Process:	C:\Users\user\Desktop\0ef0070d_by_Libranalysis.exe
File Type:	data
Category:	dropped
Size (bytes):	2388
Entropy (8bit):	7.90555610730316
Encrypted:	false
SSDEEP:	48:OnGvWRTC+WSDMOdYfqUPKgc0iewYR2QWiIpYLDWOl:O+1SjqfDPbi9W2ALzl
MD5:	116C8EDA09554FB76E4A579F78EE9512
SHA1:	924A2320238B5A18A7E76A3A210A995C2D2A0570
SHA-256:	069F60E7EDE781532817D07C6177409F7BF2E0A13C1145C7EF6222B18C7CE766
SHA-512:	0AF363376E2F300B01CD7AD44F2CDFBE5D9AF76FD442F647943D8BFB4BAE22904DD4151EEC6557D63B0B9F53CB1C6348A05EBC094D3B09011BF04007DDA85625
Malicious:	false
Preview:	....u.j}..&5X..h..SZ.r.:.....R.....nk.C+......#.`.q....gf.\v..P..m.. 5.\.....}.E:..=....c#..d..\|....;3[....NkK.."..i@UFt.\|.>..b..}.W..k......<..SMr...nF....k.b.`#;.Q......^.V.(V.V.g.I."9+6vP....... y..`.w^....F...W...J.,.w....Ac...y...._....../6..G...5>))cmrl.q>. S91..c..Sh.&. .s..4M.?........:.pz.=..ld!.F.r+9A..8.5.uB..Tv..@0.]C...d.I...Y..p6...;.Y.....<.p...;p..........\.g.... `.Z.n..R.W.E..Z....H.-..9.Jo..../.?.C,.;..".';pK.\|...'.Jp.T(.../.....L-.%G.84..B...f....@.=s.......A.k...V]./...2q.m?...p2&8..,..o..v.I-...Y,.....V.\|6.TP.E.......6&Z.....~./c..v..J...E.UK`Lv. ..~.>^...<.'...OI.x..@5i..Wq5gF%.-..1E.!.._..T..4.A.6km.cx..\...u..sZ .....4.....6.M.i....D.QW.6JR....R...6.CIM...m7.Q..B.~(`.+Lh^. .\....l...~. L..f....jp.Z{.....V....ARS.5<h.9.$..K...y2.t..%..)I{da.....d.NW.......Ss.H..%..>uk..Sb..P....A.0Rd.....^.'..QP....s..R0."b.."...?.U.p?D[..ky...-...o3..nP.]@...R.M.!..h......(.vu.....e....9..TTC7`..7).YC......b.........G...G$mc.....

C:\Users\Public\Desktop\Google Chrome.lnk Download File
Process:	C:\Users\user\Desktop\0ef0070d_by_Libranalysis.exe
File Type:	data
Category:	dropped
Size (bytes):	2548
Entropy (8bit):	7.928128127042908
Encrypted:	false
SSDEEP:	48:lt86pq+X1JxtnQSIk7kAZmocUbZVAbianj3tTJ1kzVNYstqk2A1c2rF2rwPeHjMz:b86p7X1Jxt/kAZyUbEjtjkrYWL02mDR0
MD5:	D6063857BFA6A7090A4275E059DC16A4
SHA1:	8DAFE8E06AA61AC92C56BAA02F4E41A983DBE11F
SHA-256:	E042DDCB9E89CCE245FAAE6B531EC270899872EAE7BABC27C4E316F50F6219C1
SHA-512:	2F3C3BF8993DD5F467062393539850B63C7E49BA92CC403F81F998970F1D698EF9D866CF869480B7367559568808352E7463427FA4EE9BCDD5101C052E88591C
Malicious:	false
Preview:	a.. .2..$l_.../<..CZ..w.\|...p.mn....s.}.(H.T.U3...~\|...k$...sA.........-.G..x.Pm...[.G.........h....dq..:.$...q..3..V.4.....zE...b...?..Z.;/T.O.0Ok...D.heo'.n.2Y.../......i..v...B.W]4..\...aj.T......(b.k.n.{Z~7.C... .d4..7v[(T.....%.$.X. .......{(..Yl:a..fa.O.H..B...k\FM!L.Gy.G...v.?.%.v....^....0.j....9...b..L............}1.<.K...d.y.jq.PZ..W.7F'/.....E....&..\q.. .R.Lrp..X.....C..\|....7..x....f..T.....}......0..8.Xj..Ab..........".k....Q...E.m)lm0..~;..E.S.....g....}..\|U....`...1k.9.L..p.%..5.-..f4.._.!.C....)..F.}L.#...Aw." )...........S.Z....E2R^1.....Z).....hx.C..!..-}~.<...dR....H.om5..........CX..$..e....%!....K....l.2...w8^.\|.?...5.Iw.Ku.3..mQ._u.DL.E>j........Y..C..L..\|}..<....Rt...-.QA.....g?.L{G.A.(.5s/6....N.x.+x23.!.+9wI...Z..z....(.s...5..+~.]b[..i....3B\|...5..;..6.H.}8>....c.!/.......$......G.m..K...`."..[o..r...$..,.@q....lX.1.p.0,}v..Z..qxI^..N.m.J=....G..<.U........2.....M>$W.....A(......YE.vO6.....C.>.,......'.uh..

C:\Users\Public\Desktop\read_me_unlock.txt Download File
Process:	C:\Users\user\Desktop\0ef0070d_by_Libranalysis.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	696
Entropy (8bit):	4.881841175168212
Encrypted:	false
SSDEEP:	12:awnG6J+d6tYzsqoo85X2OqHEMN94XsEU14HQ5BRWH1:aYC6GX85X2fHx/4cES4HEBy1
MD5:	04953EFE5CE48616B2ACD837ACCD6EB8
SHA1:	F7E7DF61C8556A9DF22208114C9D77C50B882731
SHA-256:	DAFC32C6BA65F27943B0E7E1C6F714A0C909904FB3156E7123F8A978F0948CD4
SHA-512:	888A80330EC599E48A6BBA56F709C3BB2EE12A9D582D45D861D42845CC65D0DF1B7B9C84D41395ABDAE88204D5DBF4876767891A062A7951EB059F19A063B523
Malicious:	false
Preview:	Hello dear westernpathologyinc! ....Unfortunately, your files have been encrypted and attackers are taking over 1 TB of your personal data. ....financial reports and many other documents. ....Do not try to recover files yourself, you can damage them without special software. ....We can help you recover your files and prevent your data from leaking or being sold on the darknet. ....Just contact support using the following methods and we will decrypt ..one non-important file for free to convince you of our honesty....use TOR browser to talk with support....http://uqudwxzszbcj6uxbhbdccmixvwjfewn565ifotzvcbbimsjjcczsvpyd.onion/25659336f9879d3f18e3f621199af56de327d220d444654779aeb406a360f2d4

C:\Users\Public\Documents\read_me_unlock.txt Download File
Process:	C:\Users\user\Desktop\0ef0070d_by_Libranalysis.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	696
Entropy (8bit):	4.881841175168212
Encrypted:	false
SSDEEP:	12:awnG6J+d6tYzsqoo85X2OqHEMN94XsEU14HQ5BRWH1:aYC6GX85X2fHx/4cES4HEBy1
MD5:	04953EFE5CE48616B2ACD837ACCD6EB8
SHA1:	F7E7DF61C8556A9DF22208114C9D77C50B882731
SHA-256:	DAFC32C6BA65F27943B0E7E1C6F714A0C909904FB3156E7123F8A978F0948CD4
SHA-512:	888A80330EC599E48A6BBA56F709C3BB2EE12A9D582D45D861D42845CC65D0DF1B7B9C84D41395ABDAE88204D5DBF4876767891A062A7951EB059F19A063B523
Malicious:	false
Preview:	Hello dear westernpathologyinc! ....Unfortunately, your files have been encrypted and attackers are taking over 1 TB of your personal data. ....financial reports and many other documents. ....Do not try to recover files yourself, you can damage them without special software. ....We can help you recover your files and prevent your data from leaking or being sold on the darknet. ....Just contact support using the following methods and we will decrypt ..one non-important file for free to convince you of our honesty....use TOR browser to talk with support....http://uqudwxzszbcj6uxbhbdccmixvwjfewn565ifotzvcbbimsjjcczsvpyd.onion/25659336f9879d3f18e3f621199af56de327d220d444654779aeb406a360f2d4

C:\Users\Public\Downloads\read_me_unlock.txt Download File
Process:	C:\Users\user\Desktop\0ef0070d_by_Libranalysis.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	696
Entropy (8bit):	4.881841175168212
Encrypted:	false
SSDEEP:	12:awnG6J+d6tYzsqoo85X2OqHEMN94XsEU14HQ5BRWH1:aYC6GX85X2fHx/4cES4HEBy1
MD5:	04953EFE5CE48616B2ACD837ACCD6EB8
SHA1:	F7E7DF61C8556A9DF22208114C9D77C50B882731
SHA-256:	DAFC32C6BA65F27943B0E7E1C6F714A0C909904FB3156E7123F8A978F0948CD4
SHA-512:	888A80330EC599E48A6BBA56F709C3BB2EE12A9D582D45D861D42845CC65D0DF1B7B9C84D41395ABDAE88204D5DBF4876767891A062A7951EB059F19A063B523
Malicious:	false
Preview:	Hello dear westernpathologyinc! ....Unfortunately, your files have been encrypted and attackers are taking over 1 TB of your personal data. ....financial reports and many other documents. ....Do not try to recover files yourself, you can damage them without special software. ....We can help you recover your files and prevent your data from leaking or being sold on the darknet. ....Just contact support using the following methods and we will decrypt ..one non-important file for free to convince you of our honesty....use TOR browser to talk with support....http://uqudwxzszbcj6uxbhbdccmixvwjfewn565ifotzvcbbimsjjcczsvpyd.onion/25659336f9879d3f18e3f621199af56de327d220d444654779aeb406a360f2d4

C:\Users\Public\Libraries\RecordedTV.library-ms Download File
Process:	C:\Users\user\Desktop\0ef0070d_by_Libranalysis.exe
File Type:	data
Category:	dropped
Size (bytes):	1268
Entropy (8bit):	7.863587554782291
Encrypted:	false
SSDEEP:	24:2LWQ7WU3on38C0vZlB0AiiVnTY2gPUWZXipAi7NqXc28MCdZjOWUp1hzm:OvT3on9inSgn82gP9ZXipAOqn8MCLaHi
MD5:	797289FF0D157E9E167A702FCEFE0CB2
SHA1:	2F922B3A25A83C8B022F204F4B5DBCA62EB0A2DB
SHA-256:	9B05DEFBC08A2A77525175CAD0D657AEECA329C3F7EDDAEF5DCEE99F4ED17F0B
SHA-512:	E8EF9DB7414476DF6176CD99B5B2199CA00D1D180FACE877A1FD705BDCB51C5E2782D97AC45E0AB98E56EBF4A0384AB8643B571669BE054FBAECD4265B258192
Malicious:	false
Preview:	....aw..S`.M..gy...M...{....x00.3..)[..L..W......l.=.X,.$K.H........b...CJr.....VO.`L...o...<~.p.>[...q.`Q....T.oK.....u0,.....A>RU:.P.x..)>.~.."=..y....Gu.......e.......).k....Z...i}...G.xs4:.....".....e.L4.e.J.....D...[^..^5H.......a59.B.Nt.S+ee.Z+........Z.'JL.Y<7..sb}{......iW.."fg..Qb#qo....E.[..._F...I%.6\C.}.z.'.. ..E..w......l...b...I.......:zy...U...q..UF<.#...D..W:O......M.)m6..g..a.dx..O..s(.5l.7..9..h..q....<....b=1........}...=..jF.7.$... .\|....v2...a..+..+d.P2I...,.,........M..e.......Z.8...../X..,s.....B.....#H`.>...[4.V.,.. ..n..+....3...@.?.ba.vBHA......q..,[{.9.).D.].j.Nr.'[.$....#.."5.u.F.'....]L...v....Z.....K...P.}...x..$.(^.Ng.l....VZ5...)d.U.Gt`.;h.....E.....yA.....O.s...;.e....3Y..]....2+#'.(Xl..n...l.4g%.^.%...:.H.P..:P{.V........S_}....s.x..D..q\|.K.......Y1pL........"gp4.j...`H=[.....u.B....r..... .M...$.t9*.Q...[$@at.4.I...)T.D._Ew...# ..........G3..YA.h5..B'j_..).."..0.4.u......_>.q..L....eSJ@....&.

C:\Users\Public\Libraries\read_me_unlock.txt Download File
Process:	C:\Users\user\Desktop\0ef0070d_by_Libranalysis.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	696
Entropy (8bit):	4.881841175168212
Encrypted:	false
SSDEEP:	12:awnG6J+d6tYzsqoo85X2OqHEMN94XsEU14HQ5BRWH1:aYC6GX85X2fHx/4cES4HEBy1
MD5:	04953EFE5CE48616B2ACD837ACCD6EB8
SHA1:	F7E7DF61C8556A9DF22208114C9D77C50B882731
SHA-256:	DAFC32C6BA65F27943B0E7E1C6F714A0C909904FB3156E7123F8A978F0948CD4
SHA-512:	888A80330EC599E48A6BBA56F709C3BB2EE12A9D582D45D861D42845CC65D0DF1B7B9C84D41395ABDAE88204D5DBF4876767891A062A7951EB059F19A063B523
Malicious:	false
Preview:	Hello dear westernpathologyinc! ....Unfortunately, your files have been encrypted and attackers are taking over 1 TB of your personal data. ....financial reports and many other documents. ....Do not try to recover files yourself, you can damage them without special software. ....We can help you recover your files and prevent your data from leaking or being sold on the darknet. ....Just contact support using the following methods and we will decrypt ..one non-important file for free to convince you of our honesty....use TOR browser to talk with support....http://uqudwxzszbcj6uxbhbdccmixvwjfewn565ifotzvcbbimsjjcczsvpyd.onion/25659336f9879d3f18e3f621199af56de327d220d444654779aeb406a360f2d4

C:\Users\Public\Music\read_me_unlock.txt Download File
Process:	C:\Users\user\Desktop\0ef0070d_by_Libranalysis.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	696
Entropy (8bit):	4.881841175168212
Encrypted:	false
SSDEEP:	12:awnG6J+d6tYzsqoo85X2OqHEMN94XsEU14HQ5BRWH1:aYC6GX85X2fHx/4cES4HEBy1
MD5:	04953EFE5CE48616B2ACD837ACCD6EB8
SHA1:	F7E7DF61C8556A9DF22208114C9D77C50B882731
SHA-256:	DAFC32C6BA65F27943B0E7E1C6F714A0C909904FB3156E7123F8A978F0948CD4
SHA-512:	888A80330EC599E48A6BBA56F709C3BB2EE12A9D582D45D861D42845CC65D0DF1B7B9C84D41395ABDAE88204D5DBF4876767891A062A7951EB059F19A063B523
Malicious:	false
Preview:	Hello dear westernpathologyinc! ....Unfortunately, your files have been encrypted and attackers are taking over 1 TB of your personal data. ....financial reports and many other documents. ....Do not try to recover files yourself, you can damage them without special software. ....We can help you recover your files and prevent your data from leaking or being sold on the darknet. ....Just contact support using the following methods and we will decrypt ..one non-important file for free to convince you of our honesty....use TOR browser to talk with support....http://uqudwxzszbcj6uxbhbdccmixvwjfewn565ifotzvcbbimsjjcczsvpyd.onion/25659336f9879d3f18e3f621199af56de327d220d444654779aeb406a360f2d4

C:\Users\Public\Pictures\read_me_unlock.txt Download File
Process:	C:\Users\user\Desktop\0ef0070d_by_Libranalysis.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	696
Entropy (8bit):	4.881841175168212
Encrypted:	false
SSDEEP:	12:awnG6J+d6tYzsqoo85X2OqHEMN94XsEU14HQ5BRWH1:aYC6GX85X2fHx/4cES4HEBy1
MD5:	04953EFE5CE48616B2ACD837ACCD6EB8
SHA1:	F7E7DF61C8556A9DF22208114C9D77C50B882731
SHA-256:	DAFC32C6BA65F27943B0E7E1C6F714A0C909904FB3156E7123F8A978F0948CD4
SHA-512:	888A80330EC599E48A6BBA56F709C3BB2EE12A9D582D45D861D42845CC65D0DF1B7B9C84D41395ABDAE88204D5DBF4876767891A062A7951EB059F19A063B523
Malicious:	false
Preview:	Hello dear westernpathologyinc! ....Unfortunately, your files have been encrypted and attackers are taking over 1 TB of your personal data. ....financial reports and many other documents. ....Do not try to recover files yourself, you can damage them without special software. ....We can help you recover your files and prevent your data from leaking or being sold on the darknet. ....Just contact support using the following methods and we will decrypt ..one non-important file for free to convince you of our honesty....use TOR browser to talk with support....http://uqudwxzszbcj6uxbhbdccmixvwjfewn565ifotzvcbbimsjjcczsvpyd.onion/25659336f9879d3f18e3f621199af56de327d220d444654779aeb406a360f2d4

C:\Users\Public\Videos\read_me_unlock.txt Download File
Process:	C:\Users\user\Desktop\0ef0070d_by_Libranalysis.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	696
Entropy (8bit):	4.881841175168212
Encrypted:	false
SSDEEP:	12:awnG6J+d6tYzsqoo85X2OqHEMN94XsEU14HQ5BRWH1:aYC6GX85X2fHx/4cES4HEBy1
MD5:	04953EFE5CE48616B2ACD837ACCD6EB8
SHA1:	F7E7DF61C8556A9DF22208114C9D77C50B882731
SHA-256:	DAFC32C6BA65F27943B0E7E1C6F714A0C909904FB3156E7123F8A978F0948CD4
SHA-512:	888A80330EC599E48A6BBA56F709C3BB2EE12A9D582D45D861D42845CC65D0DF1B7B9C84D41395ABDAE88204D5DBF4876767891A062A7951EB059F19A063B523
Malicious:	false
Preview:	Hello dear westernpathologyinc! ....Unfortunately, your files have been encrypted and attackers are taking over 1 TB of your personal data. ....financial reports and many other documents. ....Do not try to recover files yourself, you can damage them without special software. ....We can help you recover your files and prevent your data from leaking or being sold on the darknet. ....Just contact support using the following methods and we will decrypt ..one non-important file for free to convince you of our honesty....use TOR browser to talk with support....http://uqudwxzszbcj6uxbhbdccmixvwjfewn565ifotzvcbbimsjjcczsvpyd.onion/25659336f9879d3f18e3f621199af56de327d220d444654779aeb406a360f2d4

C:\Users\Public\read_me_unlock.txt Download File
Process:	C:\Users\user\Desktop\0ef0070d_by_Libranalysis.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	696
Entropy (8bit):	4.881841175168212
Encrypted:	false
SSDEEP:	12:awnG6J+d6tYzsqoo85X2OqHEMN94XsEU14HQ5BRWH1:aYC6GX85X2fHx/4cES4HEBy1
MD5:	04953EFE5CE48616B2ACD837ACCD6EB8
SHA1:	F7E7DF61C8556A9DF22208114C9D77C50B882731
SHA-256:	DAFC32C6BA65F27943B0E7E1C6F714A0C909904FB3156E7123F8A978F0948CD4
SHA-512:	888A80330EC599E48A6BBA56F709C3BB2EE12A9D582D45D861D42845CC65D0DF1B7B9C84D41395ABDAE88204D5DBF4876767891A062A7951EB059F19A063B523
Malicious:	false
Preview:	Hello dear westernpathologyinc! ....Unfortunately, your files have been encrypted and attackers are taking over 1 TB of your personal data. ....financial reports and many other documents. ....Do not try to recover files yourself, you can damage them without special software. ....We can help you recover your files and prevent your data from leaking or being sold on the darknet. ....Just contact support using the following methods and we will decrypt ..one non-important file for free to convince you of our honesty....use TOR browser to talk with support....http://uqudwxzszbcj6uxbhbdccmixvwjfewn565ifotzvcbbimsjjcczsvpyd.onion/25659336f9879d3f18e3f621199af56de327d220d444654779aeb406a360f2d4

C:\Users\user\3D Objects\read_me_unlock.txt Download File
Process:	C:\Users\user\Desktop\0ef0070d_by_Libranalysis.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	696
Entropy (8bit):	4.881841175168212
Encrypted:	false
SSDEEP:	12:awnG6J+d6tYzsqoo85X2OqHEMN94XsEU14HQ5BRWH1:aYC6GX85X2fHx/4cES4HEBy1
MD5:	04953EFE5CE48616B2ACD837ACCD6EB8
SHA1:	F7E7DF61C8556A9DF22208114C9D77C50B882731
SHA-256:	DAFC32C6BA65F27943B0E7E1C6F714A0C909904FB3156E7123F8A978F0948CD4
SHA-512:	888A80330EC599E48A6BBA56F709C3BB2EE12A9D582D45D861D42845CC65D0DF1B7B9C84D41395ABDAE88204D5DBF4876767891A062A7951EB059F19A063B523
Malicious:	false
Preview:	Hello dear westernpathologyinc! ....Unfortunately, your files have been encrypted and attackers are taking over 1 TB of your personal data. ....financial reports and many other documents. ....Do not try to recover files yourself, you can damage them without special software. ....We can help you recover your files and prevent your data from leaking or being sold on the darknet. ....Just contact support using the following methods and we will decrypt ..one non-important file for free to convince you of our honesty....use TOR browser to talk with support....http://uqudwxzszbcj6uxbhbdccmixvwjfewn565ifotzvcbbimsjjcczsvpyd.onion/25659336f9879d3f18e3f621199af56de327d220d444654779aeb406a360f2d4

C:\Users\user\Contacts\read_me_unlock.txt Download File
Process:	C:\Users\user\Desktop\0ef0070d_by_Libranalysis.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	696
Entropy (8bit):	4.881841175168212
Encrypted:	false
SSDEEP:	12:awnG6J+d6tYzsqoo85X2OqHEMN94XsEU14HQ5BRWH1:aYC6GX85X2fHx/4cES4HEBy1
MD5:	04953EFE5CE48616B2ACD837ACCD6EB8
SHA1:	F7E7DF61C8556A9DF22208114C9D77C50B882731
SHA-256:	DAFC32C6BA65F27943B0E7E1C6F714A0C909904FB3156E7123F8A978F0948CD4
SHA-512:	888A80330EC599E48A6BBA56F709C3BB2EE12A9D582D45D861D42845CC65D0DF1B7B9C84D41395ABDAE88204D5DBF4876767891A062A7951EB059F19A063B523
Malicious:	false
Preview:	Hello dear westernpathologyinc! ....Unfortunately, your files have been encrypted and attackers are taking over 1 TB of your personal data. ....financial reports and many other documents. ....Do not try to recover files yourself, you can damage them without special software. ....We can help you recover your files and prevent your data from leaking or being sold on the darknet. ....Just contact support using the following methods and we will decrypt ..one non-important file for free to convince you of our honesty....use TOR browser to talk with support....http://uqudwxzszbcj6uxbhbdccmixvwjfewn565ifotzvcbbimsjjcczsvpyd.onion/25659336f9879d3f18e3f621199af56de327d220d444654779aeb406a360f2d4

C:\Users\user\Desktop\BUFZSQPCOH.pdf Download File
Process:	C:\Users\user\Desktop\0ef0070d_by_Libranalysis.exe
File Type:	data
Category:	dropped
Size (bytes):	1300
Entropy (8bit):	7.851208888874728
Encrypted:	false
SSDEEP:	24:Gz+3ZuNyqJe6hZFvp8SZw/ezTLXQ/7HEWopsyAuNpGzfsiZrqc5Wvyhs9PMwn8:PErGePA/TELpsyAjVrqcQvyS0S8
MD5:	0AFC6BCC171B7D85725BBE19E0FF77BA
SHA1:	7ABE2B53CF78DF8BCF6C963E27FAF66F1BB25BE8
SHA-256:	3468E7334D5957A902FFCC9FD162E1225C625EFF51E242EC425D8AD1A7B0E80E
SHA-512:	A762D679D6B1CCB39CF6C77E14FB660EF71FF1BBF56A417722184AC54C0754A0C228620BA6CBFF251DD5D78141698C1141BDE1A429F6E5A3753ED9024445792A
Malicious:	false
Preview:	.k...@.t.........C.ZH......J8..N.EF@t.pk"...#.2..#.Qe.".T:...Y.&.HQ.._......{3mF.V<.S.k...\W.Q..f\|...0....X..F.m...>....DB.gF........M.l.....A.[.U.....-p\|t.f._wp..&......4\-...QY.MZ..lE .......7..R;.6~^......G3..-.FsB...4......4_., Ai~...f...%.\|.:v.Rx{.t..mI+..mN.bO.....X.L.k.&n..VTB.md........T.n....P.`..-.\.v..jk..,...Z....r.\|.l.3Dq0Yf..1...utKq.9S]..8o..)....P>\|.ee...g.p4.j..Y....&d.z......>....-..]gS....q]..l..i......l.<..b...q...5......R..1....M.N....#_O_`..^.,.1.L.(.y...OQ+.X..@R. .....U....?n...W_....oS...ZR(.tAM={.Id.=...Z.q.!6$..0.o.W..%b~...J...)aoR.U%~....,....3\......1{.h.[...-.....A..%.F!......u..Z...<.t. ...."..p)..FH.&..Lf..8..l......._.s.t..4......5C.].L..!.Z ..P.'..G.....qEKD.....G...in.9T..^...?...{...b'>...&R.9.L...R.....dV\.!.........5Q...:.L27.......`@...........{..y@....i..M....=.. I..d~.v.3......Ma.._......6.l.{...DLV...s........u...1.2..v.i.u')Y3`.p.L...`a......:...#.9^q.t3...m..q.....}.$4\|.b....o).)._k..a!.F..

C:\Users\user\Desktop\BWDRWEEARI.docx Download File
Process:	C:\Users\user\Desktop\0ef0070d_by_Libranalysis.exe
File Type:	data
Category:	dropped
Size (bytes):	1300
Entropy (8bit):	7.854549478370728
Encrypted:	false
SSDEEP:	24:2FG9GDcIupyGTV8UQBGlDlkofwHKOgCKK+SAsCt87zu8ZV/cTSpwva:2FGH3yGTpQWlfeV9ye7zXrka
MD5:	3C5313E2F2FCF53CE3FAEE8CE2504892
SHA1:	ADD13F4EE3B4975D22C23EFA9F99A4726FAF2B3E
SHA-256:	1D709EFF6A4FE0FC63A6F5DE0B0EDF3E17401615263DE7E0F3FD14E39296FE9F
SHA-512:	4708A322194EE9D87DE0DD0591E5673A75482440C566A2757B553F36ACC3CC6DCFC8652857C4D021A2D48F6CCC1A42F1AD7656041C85D24C9252C9B9ED3CDDC9
Malicious:	false
Preview:	....9..g.fZ.%\j..u.......,.`g.....h..\.!.....B.{. .}..5.)z~..+._.(....y.z...%......q'...[e...w.m.[NwE..`...RU....O.v.F...M...]....N.S.....sR....Wf..<..P....#.#..w..-,v...']..\|..d.i..W.<..W8.b....y.":......C..pCnRy4.q.....'\|....i...3.:.K(e...\|.F=..[ ..^..~_...Xp..........3...K{+@.Jp..&.(?.Z.y...._7.6.K].j..].....e..(.sz....C..3=..S......_U%.A...K...E..,..c....h......i%M..............I......3Zt..'.6(..\|d...0o.........W.j...l &...i^.....sg.....y9,....}.w.g.../W.....u.O.,..l.:.t...K..P.(...bi.8u.7.R.........Y...tU+.k..25.)....cca......U.....c.q.#..T.l.x.`.N.....%E...oxiW...x....rt....6...1NyN\|X.....Re.\|7K.(.;.....~..../.%..E9tb./.jC...2k.......=v..d...E.....I....).......hP.....{#..N.A..o..Y.c...^t...>..VBu.ZUp.=.U...6.k.?Kw.7........l....p..qD.O.)..BE.....N..q( .,..........J5.&+...O...3.3.wW.....s....A..tt..p>....W.r.H...7.:n.9...y.nU.=p......A".6.AQ..?..G..F6..:rLU..35~.Z..uj.>......e=......d..&_}...P..2.S..I.P1.N.G..J... [.....i..@..z....

C:\Users\user\Desktop\BWDRWEEARI.xlsx Download File
Process:	C:\Users\user\Desktop\0ef0070d_by_Libranalysis.exe
File Type:	data
Category:	dropped
Size (bytes):	1300
Entropy (8bit):	7.836093391789401
Encrypted:	false
SSDEEP:	24:eyG7NTpF7Ht1TwbyiGpt+bZFqxZAo09XvQvtx9MG1Xge1Hv0idkRDNs0mH:iZTvHTwOpt+MxBAvQ9M+Hv0idqDq0Q
MD5:	5718AEC592BFB5E3BB084C4F9C609577
SHA1:	96A6E7921C34533274552EE1A007C75131999D70
SHA-256:	0D12310F64C4B745DFF4D35CE239409748F040A19274E849ECCD2CB6180D1735
SHA-512:	DD432DCB85CFEA082BB5D5B974A11C3817AB47351E849F9D8DE3D22BECB64F2C4C936735646FF5F388BC0741F6F74373528CA949D744F5FE1D7EC97D4777A620
Malicious:	false
Preview:	I^..e.M+......B&D9.......&@]Z.E.....0t.Z..[..$....Jw.h..%..j...=..A.7.3=0 .g.h%m...?M.]...:n..`Qw(.../m'.}...Ax.g.=~..Z.-..N...&x_......7.v.......0..X.1.hM......Z......:....\CwM.2....]..."TBO..>...>......#..R......1....&Pv...Q....V...4y..x.T....;.`dJ..#V..i..&..J.@4N..'.O.5wJ............8M7..11.m[=m..n..%zi.C.a..J..X=x..]>.T...N..wY?........0.n...-l...y.0......8N.S...%..%.t...C..}W1.......5b.... .3.1..r.{...M.\.S#./.)HMz..%!...~.X.f..,....W`.....Sl..K.K.Q.QE....;P..=.M.. .)..R.....O.A...D.L-Y..qD...Bt.:..)........$....t.v.~.A......K.Nax.;t..C...+..a...........-.'..c.Y.....R.i.7U./...<...UM .&[.lX........z.c..hu.Z..\|.......t.......4R.-.~C..7...A....}H,.M7.....-.a...p.%......BeLD........E.......U.t`b..A.4..#.....Q......D..On.S.....i8...e..OI=(..dtT..........R.t.q&..=..\.W..7=f.G....d.......Z.......U#.D.Mx.G..\.$;k.Cex.NK.?i...\...r.AJ.o...7.;..l....Y..FJ#.#OtJ........xV..CVu....3<J......R.N....*....0..~L.p.K...-M.z.7..t.Z.....n..

C:\Users\user\Desktop\BWDRWEEARI\BWDRWEEARI.docx Download File
Process:	C:\Users\user\Desktop\0ef0070d_by_Libranalysis.exe
File Type:	data
Category:	dropped
Size (bytes):	1300
Entropy (8bit):	7.84717630341948
Encrypted:	false
SSDEEP:	24:3iQnfgBCXV+nsVVn5fZavnsftZZovQxaVvdqMpuG/Ndl3f+nCHRYnKD+z:3PfMCl+nCH6avhAVFjpDNdlmnCxgA+z
MD5:	E3598E1172BFB6B3F76FA2FF0089E8FA
SHA1:	EAD5C340A37E78C43060126064508B85D4D572AB
SHA-256:	4431127BA75448D11BCBBB828F3C616664CF516F6E64B64678959E95492DBA0A
SHA-512:	5002D9884DE4A578BC5130FC0FFD10F7E4CCB7D05CC13238BF47D850A576A16026792A9A74755C209608E87F642A033EE9E0B2539EC1F62AB6B8913B8F49F71B
Malicious:	false
Preview:	(..]:Z.. ..I.."u>.s`.h....C......V..L.z.[.z.r.%...I..}.r{.B.`.._..g....DF.tg.CC`...}....}.t...[.\|6%.q] ........ ..0i?(..w...3xz......`.aBD.!X..$....C..[...!R..J...I%.Q...u.;..c[.;.I!.d..\..0.......J.D......%...R...o..B...B....z....H..8.[...F..iUJ...q.h...=.v.+...K.jSP....G.4.. .bv...3.YR..'!......m.-<..j\m....w.VG.b.z...g]:..RX-..:2H..E.....g.G.#K......1z....K.uxJu...8^....._r..d....)}... R.3.H.D..:......%=...A....[.W6-....O....[P...<..v&..L...].iG..M@.$......I..H...M..{j.nV...)......(....FK...9.;..v.%..pj.......uR.Ilw.".`...1du.`.5..+.Cw......U.n{.{.?@..Q.#.g..#..0...i....."...9..z..+8.TQ..&...3....n.oT..<.G>....-....-;.....<..Z:!.....^9;M.[C....#..<.\|rx.aj?P....y.....M..;R..yj!C.=...&.?...&.....;5Sx.T.8D8.?.H./.........h...qu......I'{N.....!....<,n..b...W....u.8...>2,.9.C]9o...G.."..k2,...[.#.=g..I"b.0.4.Kx.e...j.@..(.7.o...B0.. .rO?...7gx..V.+e.&..w..X...4..........6..K..UV.$..x.-...<..I....RR.L^.Cfp.Gx<.v..h..h_.f.........H..t..........

C:\Users\user\Desktop\BWDRWEEARI\DUKNXICOZT.png Download File
Process:	C:\Users\user\Desktop\0ef0070d_by_Libranalysis.exe
File Type:	data
Category:	dropped
Size (bytes):	1300
Entropy (8bit):	7.843904605607549
Encrypted:	false
SSDEEP:	24:X5x7rmOdmS5b3ePI4aX3SqbrWfWm19pzEMtGmiRgoT6T++FzdEdu/ZzJ3:px76OdrLePMnS0rWfjLEGG9qo+qqEM1R
MD5:	44B2A7F8AD04F1959FEEAB348CDCA545
SHA1:	D1CD57525DA9EAFAB342B1EA6CDF8F3EA3174691
SHA-256:	390B59259FA7D998368497F4F82E20482037A3E590741E59A4C157D9CD9A5426
SHA-512:	2E405E587F08D25CEC0B068F975DD9EC546D092488A0787192048D7AB5A2852360ABFDBBDE699BEA98547FB56927BA9E294F7C57AA546948E92B942A75A7A65E
Malicious:	true
Preview:	..........I...'.........0.az^v`....Y....... ]8...S..\|t....+.9#.2.O.-ZE.DG.K..{e..LbeR..,.e.e.%4.R...^>.....\.)..].)<d.....v....P..H...w..7....?;.......RJ8....5..w.....AbQ....hs.B.".2q..PB.....:....c.1...7....b....XS..!....M.V[...Z.&K..VT..`..[h7e..,....d......`/...Wu....u...<....m.K...5.A_.3.8.......B_v...Q.P_y.)..?,..p.....~..FU......\..G....%...'......8.Mq)}.ia.&..\|.p(..=J..N...4.q..ia@,+^Ws.x_$.H.}..]......m.T9.&3p..4..P....m...1y.O.W....n\|......[.g.?.')._...K..}.2..B.."(uGB.5.lw:.............K.l.M...v..H..,.@..vQ......{\.....>.AlW....1._.....l...s4.n.?...,+..1..w......h,....G,_.}.@.../Dx..s....b\.C.....* :E.c.g$....!..&.........V....Z.d..r..$...ql..c}....6...r...W..x.99.ax.Q-......3......b......W............\$..{...+...7h.....ZC_G>........n!.0.B....n...%h...j.=..@...0%?..{..dM.sF..."K...uL...G..6.z......p"O....6.,....9.7.....K.WH.Y{.z..U>...`.VZK2.u.r......%.x...T.(.../Y..RK..GcG.....K....x..D.+-8b....jJ..uS.E..*DB.f}...>..

C:\Users\user\Desktop\BWDRWEEARI\MIVTQDBATG.mp3 Download File
Process:	C:\Users\user\Desktop\0ef0070d_by_Libranalysis.exe
File Type:	data
Category:	dropped
Size (bytes):	1300
Entropy (8bit):	7.850920503911001
Encrypted:	false
SSDEEP:	24:UPzDd/XnlorGQ1CxkEc5hnrNCdT6tKPoyAD2VMuyl4F4pcdaVWxn5:U7DFlZxkEyaTHPiyjyY4pcP3
MD5:	5D8C34B539BFD2546073B67849525A92
SHA1:	BA88CCA7DDC97771CA3B317D30B7D450544AF43D
SHA-256:	6AB0901DEE6DFA1B9265723E7F30884CEA9FC7E7970463058EDA2F94F712BE2D
SHA-512:	6D139255FE52A9D44D5ED6FBA8177E272E7836EFCF199BEAC68B9E6CF6F5DDDBCB5C280A59A10CCB5E40A69F8663320AB545F361A73B7B3305ABAE3AA3CF67ED
Malicious:	false
Preview:	../Q..al]5....A...X..I..Y......7...O.[~...gu..G.......^1MpY.`>...Ui...=....W...=..@S...{..wC"...r...~...5w.....3..3.wU........h.TS.O.....[..l.X..F."7k.b.\|.H..[QE.7~...t.?H..C]..{..QZ.w...&A..^B.?)..@.8.+.r..&....\.`\|..3T.m....=.b..}......(..g.v<....z.]Q..!..H..q.a..x..)...@..w.M..)p="..z..2..R.'F>x..G.J..l....N..k[eg.....G..-......c....'..C[.-72..r...B..`02............h.}V...?Xt..E>....j~.p.VI].JU.V.tcE..IC....7.y..........\|...n..>..v.gk.......&.Pp.6..U..qN..vg.......bV.w].o.....-.e./.V.'....u.m.`.{...0[....5.g.Jn.e......n...5......l.#...-..u.0..[A.'....\.\|X.F9.f.B....Zl...\..H^.. u..3..B...6F.&..l!m#.Fo......s...>G.G..I........2...LPR...w...h...(..H/4...}...6.#..#...B..w......Afs.-4...FI..F....O._.^.W..O8.]1e..s=)X.aj.].=^r.&.....[...M....,..'...L.......;m.F...d" ..CK......C..C.]......f.........).Z4.9bW.\..P..:.o.6...j.4`.Jx...b.xG.}...H......{...n.1..&...}....>....c.y..l..+T.[F...-....q}.%...t.2...-...........TCI......

C:\Users\user\Desktop\BWDRWEEARI\OVWVVIANZH.jpg Download File
Process:	C:\Users\user\Desktop\0ef0070d_by_Libranalysis.exe
File Type:	data
Category:	dropped
Size (bytes):	1300
Entropy (8bit):	7.856352018763571
Encrypted:	false
SSDEEP:	24:2dpHnPxOAw8R0LIM6+gbsVo8Y1awLk2L6cYYMscBO2LvzdJdYuFE6B0moMfSO:InPxOAw8R0tpJu8dat6jDXOMdJDFBlbp
MD5:	4627C0C196A2DED4AFC33ECF11772D83
SHA1:	D31CFA143639B54E79C63455B5E310857674851C
SHA-256:	E466B6087352DA12D3B44046615C5673577205803B981AE19969206DF40B90A9
SHA-512:	E7BD1EF1165E0BD8E95A62C4270B12C36E2226E9AD4543284EC33EC0E2AF828B4049A3E2923246AB793F90D2D0DA28E570F464CF192EF88A1D99001292961B00
Malicious:	false
Preview:	...+:X2.'.FS:.k?[kd..v ....x...V.O,....=..)..6z..q.8...~..T....K..BJ......'.`[(.3Q.p<.Bd....Wk&..>>&AS.I.PY.5.vqi.Y{..n.\|..zz.=..V.8..o .P.J..Cc......E.....`<..2.Y.c..R..O........<...n....... [.r..rE.P.^... .3.tX......G2\....($3..4...j..k.....4....B...{.....AZd.8P...<j?YKch^.......H2H.d.....q .z......W......N...e..7.?........./.C0.na\|.......A~E..R..Fo.."......G-j....eL,.Ft...Q.S8.]v..`..q.J<...=Y)\|j&7.O......N.$s.....O...... ..e6..?e.w.V..[f..Ch..S....K3}M.....\h\|>m..H.x>8 ...-....:.......s..~.'.q.8.....?&d?.....?...$...].?....g...x.n._...b'4.px...Y.H@..N R$j..0i...Z.....4..dW..)5..W.j......J.s-~.N....W.!kI.(..~..>.....7.x..Y?p5..+..;........`.Y...&.c...d..I..`....A...H....S....{.-x........t.-o.#...".....;y......8m..x..8t...I.\|.c...mA..c.....#..[....j.. dN7Y@...9Sm.\|..c.....\|.7.M.......i.pxg.j.X...,.R.5..Dg...E9.........P..qF.?vt.b...._*2u..!.)S8....pU...\|f..../.@..nw.z$.F...V.I...].W...)..#.'..)......X...$s...b...

C:\Users\user\Desktop\BWDRWEEARI\UBVUNTSCZJ.xlsx Download File
Process:	C:\Users\user\Desktop\0ef0070d_by_Libranalysis.exe
File Type:	data
Category:	dropped
Size (bytes):	1300
Entropy (8bit):	7.8405948466363125
Encrypted:	false
SSDEEP:	24:BQ/9n8gL6Z37X6pwg3lb7pgA/ZSgTeFrBvaKCDOosFWwpYefhnpjhj8Dfz:u98gL6N6pFVb7pgApeF9vaK6OJpXphYf
MD5:	E4AE210FC12ED0776929EBED00AF5C5F
SHA1:	D10B8D7C6C7C0763BE6505A6915FA91678FEBAD1
SHA-256:	E67F2022DDB4EDE5A29243FFF74E36DE1DB1C9DC4E27711007CC6E6EE70434EC
SHA-512:	466E1DA7290D6D349831F521DDA8D6B15EF00014428336DE36FEBBC035CBC50F6CED45A11799D7D8461A66E8302493DCADF66E307BED753622591D2C1D25F694
Malicious:	false
Preview:	z...."j........+} R.....P.c..n...E@...$.M..b..p..i\%o..S&H!.."K..}u>Lw. ...v...V$.Yj.Q.a..d..)..D....wM../3.. ....W@........`..T.....vK:..&ck...~........a7.\...h....L.B......&...aFB..R~..=.....&V...g...}...A.@.....DOK._.Q8c.s...C.$r.!..h.~E/...-\|.R.xX..."...L.....g.....j.;..{>....yU7E"x.S.B..yk.....mpT..S.......J$z...MF.d..S..&\7.}F...Q../.f$}..QP.~.+ba.3.b...K...T./.qFy.V.rk.kN..k..@03.r..!.430l0h....N..U...]....v.,.....!..)v.<..&.6...<`b.s..Z.[..w.P....%Kn..I.y,..?.lkI...c(._...c.~.P.\|..L.....^..q.X../.........a...CE.<....1{H...X..r.b...cK[,k.....r.W..o]...P..#d.J..w...V../o..q.\|,......,.."nneU.....Qs...8R....a...<v.u.....bI..C./.\|Va0W#..~.\|u...1..,o+.1b..4~R.0a.z...._m.J"#-$.vs.....C.#....C./..M...,..S...1.~..-.).$.....< ..`..4.;K.y.....kl....'......La....^bF....OR9.,..E..H..pr...@.8)25.Q...i..z-...Bi.d...s....c.o.5...o....DmIf..L...<.g...p...>..,.9.I..._I=.j.Gq.U.amNz..~{.m.........&.,..S...'.1..\|X.....U L.(.[....8s`..r.f+.LbSsy.,.

C:\Users\user\Desktop\BWDRWEEARI\WHZAGPPPLA.pdf Download File
Process:	C:\Users\user\Desktop\0ef0070d_by_Libranalysis.exe
File Type:	data
Category:	dropped
Size (bytes):	1300
Entropy (8bit):	7.847971878696799
Encrypted:	false
SSDEEP:	24:tiJHx6cDrOIdMSZe+h5+ZeL2hcHJZiRDEfQntippbYqbv0gDCN8EsGDBYKPEPG:tiF9n+SZe+hIZVcHJi1tQFYqbv0g2EGp
MD5:	28B0AB77E685324EB8428E0A56770B35
SHA1:	E6EF64BDD9A930C123CC869BCFD57CFC86859F72
SHA-256:	FAEBDEC4E98FF76998183B672A7C10CFFCC2EA96AEE63DD3CF24C2BBA1FF7CD7
SHA-512:	0FAD010A8F77E30407C9CC97E368B058D7AD843DE4EF091D92450D7B6EC91C1769C50322337194A7B1DB9FB8BC9D343F12257DD1CF04B583D0BF592FB3E2D4AF
Malicious:	false
Preview:	....=..Y..pGJ-.....%O.G.u..W.../...!.n._$..Xz`....W......o..6.4p.%.n7[......a{..K2..+Wt}...SM@.......r..V....C......^c...@.~xR].t.....^..2.r\|.I7..!T...%p......N..xW.......[x:...5.{....V.[p.p..;.O.Y...%puu/....,..m!..4..u.<I.}....G..x!.h.3....H.}J..Z^..i.CvgN....!...=4r#o...J.d..V..aI}z[.6..15.K.[IX[.gK......!..(..lY........?.^.&U.q/....p..g3Oh...T+M5$..O.......1QW.'..B......"...F[..z..I..b..&..{.e,H- O."......At.?2... .n.[6..43.zq..G?QLf1...1......[........p,..x.._.......#.L".../..q.ao.gNi.1.xJ.7.....w#..>.+(.~Y,q..l_E<.....A....f.......]....3.....i.U..?.).sPX.`.s.1....".>b..t.............(&.(gr.......:...%......e..............jN........G...R2...r(......D..W&...Uo;..&..0.0.o....xJN..s....?....~k...u.y..#...4..?1....X...e...C.E......9.A^.m..".#`.u..Q.........\..{\|...}r.-T-..n$..>..FI...../E...P..71'.....t.y.#f....#w.5T..A3.......E%..n.]..Z.,.0...)..........sL..E...h.$.Q.._.B+........GwD...I.........M)l.zoA?....C.,\|.f.......B..

C:\Users\user\Desktop\BWDRWEEARI\read_me_unlock.txt Download File
Process:	C:\Users\user\Desktop\0ef0070d_by_Libranalysis.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	696
Entropy (8bit):	4.881841175168212
Encrypted:	false
SSDEEP:	12:awnG6J+d6tYzsqoo85X2OqHEMN94XsEU14HQ5BRWH1:aYC6GX85X2fHx/4cES4HEBy1
MD5:	04953EFE5CE48616B2ACD837ACCD6EB8
SHA1:	F7E7DF61C8556A9DF22208114C9D77C50B882731
SHA-256:	DAFC32C6BA65F27943B0E7E1C6F714A0C909904FB3156E7123F8A978F0948CD4
SHA-512:	888A80330EC599E48A6BBA56F709C3BB2EE12A9D582D45D861D42845CC65D0DF1B7B9C84D41395ABDAE88204D5DBF4876767891A062A7951EB059F19A063B523
Malicious:	false
Preview:	Hello dear westernpathologyinc! ....Unfortunately, your files have been encrypted and attackers are taking over 1 TB of your personal data. ....financial reports and many other documents. ....Do not try to recover files yourself, you can damage them without special software. ....We can help you recover your files and prevent your data from leaking or being sold on the darknet. ....Just contact support using the following methods and we will decrypt ..one non-important file for free to convince you of our honesty....use TOR browser to talk with support....http://uqudwxzszbcj6uxbhbdccmixvwjfewn565ifotzvcbbimsjjcczsvpyd.onion/25659336f9879d3f18e3f621199af56de327d220d444654779aeb406a360f2d4

C:\Users\user\Desktop\BWETZDQDIB\read_me_unlock.txt Download File
Process:	C:\Users\user\Desktop\0ef0070d_by_Libranalysis.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	696
Entropy (8bit):	4.881841175168212
Encrypted:	false
SSDEEP:	12:awnG6J+d6tYzsqoo85X2OqHEMN94XsEU14HQ5BRWH1:aYC6GX85X2fHx/4cES4HEBy1
MD5:	04953EFE5CE48616B2ACD837ACCD6EB8
SHA1:	F7E7DF61C8556A9DF22208114C9D77C50B882731
SHA-256:	DAFC32C6BA65F27943B0E7E1C6F714A0C909904FB3156E7123F8A978F0948CD4
SHA-512:	888A80330EC599E48A6BBA56F709C3BB2EE12A9D582D45D861D42845CC65D0DF1B7B9C84D41395ABDAE88204D5DBF4876767891A062A7951EB059F19A063B523
Malicious:	false
Preview:	Hello dear westernpathologyinc! ....Unfortunately, your files have been encrypted and attackers are taking over 1 TB of your personal data. ....financial reports and many other documents. ....Do not try to recover files yourself, you can damage them without special software. ....We can help you recover your files and prevent your data from leaking or being sold on the darknet. ....Just contact support using the following methods and we will decrypt ..one non-important file for free to convince you of our honesty....use TOR browser to talk with support....http://uqudwxzszbcj6uxbhbdccmixvwjfewn565ifotzvcbbimsjjcczsvpyd.onion/25659336f9879d3f18e3f621199af56de327d220d444654779aeb406a360f2d4

C:\Users\user\Desktop\DUKNXICOZT.png Download File
Process:	C:\Users\user\Desktop\0ef0070d_by_Libranalysis.exe
File Type:	data
Category:	dropped
Size (bytes):	1300
Entropy (8bit):	7.861242624242266
Encrypted:	false
SSDEEP:	24:zG5GyN0qCll3BdQlUlFSw+MtGdNqK7Jq4k0QitViYEpKLq:dy6rll3nXVK7J8c5Egm
MD5:	FA64C5FE7D43177FD5FA959A1DA239E7
SHA1:	79E15DB957E2654CAA2C2BD5716F0EBF85837D93
SHA-256:	CC047E570554C91E1679BE60D69C81C00B5208D0218F89F39FBAF39E353CB9CC
SHA-512:	921314862D81B19AFB82B03FC52B35D59C22AA916A4D295C281D5D89689529FE302ACAC967814F110C70B6C4BFB3468A211658FE6D790EA4BF23777C7D495768
Malicious:	false
Preview:	..682.Mq.@m$WT.n.Bq.;..o...&.I}4<R...<.....oj.d.m..).A./...$...yC..`.....q.2`.'.....Q..?..M=....k...2.....q...%.....eA.f{..x.T....."...8s.....(.....7.;<....[.b.uq9'Lm.d`.......t.j<-...J......h.h/D........>^......ZU_..,4eJ.n.r..S..].Q1;dy..%.P.Sf..)&.\n.>tX..~.hW......C..?8-....r.3.a.F..p..9.}...a...Bc..1C.E.c...p..>^.;........".~...B..H0..;ey>I.. .w...E.l7. .b3@O.n.e&.7...l..%`....A(...'G..6....."..M.VK\|.....5.T......."..)1B..."5....fA=2.e..v.v}.P.[.o..p..=.....t..F..l.Z\|.m.....h..947.9............Ym..9\,5.F...y.....O..^...f5A.5.....V."\|..Jr.y.X.V.%..>....FZw_.....o[.B3..-W}C...Kp+.........~/.Rh....H......t.<g..%EP.#.{..uz..3$.b.q....l.+.-.._.-..1q=.J........GA~.a.'...V,MX4.=.....2..<...4....R.Q[."W.n.b._...&).....<.l?d...._v...Rh.........s.)`....$............=X...Hq`.19..9...w~.6....D..6=5.+"!t^.n.^...&i..Xy@e........yw'.?...a.............Qc...F.I,....W.Bg.p..m..Z~.Y\.O.+..UO..7KB...V..%.B..]`8...H]D....g!%.u....`...LU...`mN.....

C:\Users\user\Desktop\ERWQDBYZVW\read_me_unlock.txt Download File
Process:	C:\Users\user\Desktop\0ef0070d_by_Libranalysis.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	696
Entropy (8bit):	4.881841175168212
Encrypted:	false
SSDEEP:	12:awnG6J+d6tYzsqoo85X2OqHEMN94XsEU14HQ5BRWH1:aYC6GX85X2fHx/4cES4HEBy1
MD5:	04953EFE5CE48616B2ACD837ACCD6EB8
SHA1:	F7E7DF61C8556A9DF22208114C9D77C50B882731
SHA-256:	DAFC32C6BA65F27943B0E7E1C6F714A0C909904FB3156E7123F8A978F0948CD4
SHA-512:	888A80330EC599E48A6BBA56F709C3BB2EE12A9D582D45D861D42845CC65D0DF1B7B9C84D41395ABDAE88204D5DBF4876767891A062A7951EB059F19A063B523
Malicious:	false
Preview:	Hello dear westernpathologyinc! ....Unfortunately, your files have been encrypted and attackers are taking over 1 TB of your personal data. ....financial reports and many other documents. ....Do not try to recover files yourself, you can damage them without special software. ....We can help you recover your files and prevent your data from leaking or being sold on the darknet. ....Just contact support using the following methods and we will decrypt ..one non-important file for free to convince you of our honesty....use TOR browser to talk with support....http://uqudwxzszbcj6uxbhbdccmixvwjfewn565ifotzvcbbimsjjcczsvpyd.onion/25659336f9879d3f18e3f621199af56de327d220d444654779aeb406a360f2d4

C:\Users\user\Desktop\Excel 2016.lnk Download File
Process:	C:\Users\user\Desktop\0ef0070d_by_Libranalysis.exe
File Type:	data
Category:	dropped
Size (bytes):	2932
Entropy (8bit):	7.932390892445492
Encrypted:	false
SSDEEP:	48:xv1euMGWLArOcP5joCc8iTquixXSr8TABA/8E/8MzgwROanP4MLTCFR13LS1eNaE:xNPLrH5jvczkiwTAnYOawMLTCFu1SEK/
MD5:	B02B3B18E1F68D031421DCCC4FB036BC
SHA1:	BF802273BE58CF19C819AAF6CCDF5B52C3696D30
SHA-256:	781416CEFD6DB313D934F9B613D34AEA58B6F44006A49CB89CD76F162E668DDB
SHA-512:	62E0A2336872AAD892CBDB3B193E448B637AB62220CE0360F4D77C54883D926A686D398A6640717624A0B68F80A5BA7A49C17301FD042965271E3A780DC4F144
Malicious:	false
Preview:	..2.y <....Q.qyv....b....{.Q...7...#.M`.j.J..z.Ra.%t~q.,..m(U..M."V...Kc.ROk...5.h.H.... c.p..7+A..(%....:o[......:...G"#......t.._..)..{.3....V..\|. ...<.........z.VH.....F.oB.Y.Gw.NADD......n.<<.........M....X..^..z...]..yX...6.m.(....W...OZ...b.Y./{...K....`...X.\|..Q=..Y.....B..T....?....}p.6..=-...)E.(.@..;.I..\..lUn.....\|.~...H......aU5.q..\...7.:...:d..-.[.....0.%.4j.....>2........u..j.,ZT.<..7)~...F...8....X.\|_R..;......i...W......e.p^.....vKk.Dv'.5.k.{SY..1H..7.p..a...b.......:C...=q{..3.Y.B.U2.!}S1b.RY.e........GcQi..uV........#v.2.:.......:.y.e..p..d&.-.H@MP..,>...8....U.F..t.... ...,....1b.9.....s..h@.0d......C......Fb2E.%.......r...I\|;..~%..7Z.n./...{.....D.J...........Oa>#......n.Q.7.URn^Y..!7z.V..r~mfQ..+9gG......0..).k..,T..._Z ....Z...O.16.b.%@.C...A.Y......l.AvB..k0....a.....I/...4H.#]".o".hA]......T..UL_s...(F..O.. .)...;{q..pL9..dJ.`.eB~..@...U(..g.....,..Ty7....Z'.l..7...[.H....+....G.u........XQ.I.

C:\Users\user\Desktop\FAAGWHBVUU.png Download File
Process:	C:\Users\user\Desktop\0ef0070d_by_Libranalysis.exe
File Type:	data
Category:	dropped
Size (bytes):	1300
Entropy (8bit):	7.836790826448407
Encrypted:	false
SSDEEP:	24:jfhHJS7MR8D8hxPF9Rvzfz78Hqi7Ik3B7xs7L7kgZuJf+kCaI498wwHK9zwthTxp:jfhr08Z77fzi7Ie7a7L4MAfnIgpwHS67
MD5:	FEFE94E2C80742469D772D8DB0F7984B
SHA1:	382E42D44A0B08B283D044653DDD8A98A3BAF5C8
SHA-256:	478CD8F0AA3BD383D91C79D0A9EF098731202979532C4079145D2AB35BA01F5D
SHA-512:	F7548C0E7E196372AAC09924F75B86D98B2276D07FB1B81446720EDDEBFF6267033411BABD68D21845C58909034DE80C945CEE16FA269026CE800135C7D32F90
Malicious:	false
Preview:	...1....I....^..U..8..........=...^.d..(..VQ..)......l..s..P..YL.......;...j_...._..=...-..8.o...rJ.Ls[.Vv..#..O...!.b....F......F#4.;........H...j.K..>.+.yw.@../....m...PMAy.D...B..O+&....K{..._.Ij..l..v..y.......=.../...._.!..S9.P#.0.....#e.....K.V..K...#.Y.S..~OM.^.^.v...%.UP...>...u.bc.CA..R.N.....iVB.2.5.xL.t..%,...H..C.f.q...o......."8....&..p..gS!O.+..8..4.[.ft~.@M\|.u.\....K....+.;._.l.YN}.(gl.Q.u...p/.H0..j..4..4S.CL..6._`\|.Mu.$.f..<.I.!0.kt...3h............;z\|..?..R!D..u....!S........r.iIG.`K..;...*..5.....#O.;.?.2w...T..SS".4C..4yO.."`.~I......D(..X.....[....0{.#....EV.t.a..@c....gN!.......G6%kB{.../...+...M..+.i_..5w..C..7...N....03.I.~q.6..5....i...j...t%V..T...>\|.=.2O.hE=o.......%..Y/..U..[..:.lL.0...T>......WP!......".)bQD....s..b\..'/..Sh.6."R..J8=D..8~$B..#.'%(..E.i'.8.....=Z..E.EX.c.+....+h...4.Po.......j...R.-..L..g.N..k....+6......ccH.C..t..I0..n..Y.e....r.V.}Ix...`...2e .h.....x...z@.o.."..S5#7q....k......

C:\Users\user\Desktop\GNLQNHOLWB.docx Download File
Process:	C:\Users\user\Desktop\0ef0070d_by_Libranalysis.exe
File Type:	data
Category:	dropped
Size (bytes):	1300
Entropy (8bit):	7.8536202658585275
Encrypted:	false
SSDEEP:	24:0/ABwIaq6vjQOvemQ49LVJDxp7KO26hHckfYqhRdoTFvaeS+:0/AeIa1vfWmQ63tesHcaZ3eTFS3+
MD5:	969D214824DEFA005E6C7E3A090288CF
SHA1:	95C85145741DF71E9DBCDFA5F80ACF42ADC075C6
SHA-256:	1A74C3E8A7C0163D80DA0B88816BF627EFFC38E8FE3C07667591BCD4776F2417
SHA-512:	87C49D61650E4EFFE931313CE3D6F2FB7C967B6E15D43A87EE04F145468256670E3213F2B5769804ED3C0AF24139873E099E0BDF486CE1CA724269A4C2C9237C
Malicious:	false
Preview:	....$._Zr>W..W .3..J...k..`..0.\|J...;...s#.8A.Lx3q.xN.........b.'...D.....)....&.i...k.DeB!...v.@....\|..2V.y..k(3.i. .A...Y..z._:A.....{O(Y.X..k)VX...6...].OF........g..f.v.7..9$.1..l....}...D.Xa..>-.+'...ng....3...4...z..j.r{..l....F1...~.2..k:<.5.....[.....\|.....)v.J.6...g......76!...x.wlT/=..]..)..iF..L..T..M9......5....-s9........rl.L..S..7H.;...Af..~A....C.......ah).g....M6e..%.D.]$.].....C4......R?......c.S..}..d.Ut.p.2..[c.H.>.!k,...L.#.6.P.s;.JE../.v...o8t...u....c...TF%..:..".q.B....U...d..[.U.}Q.4...-..4.5.;g0..\...L.Cq2J/....z....o......E.6.l.L..iA...E..!1.a.o``...`...O3;.....1[.p.g._...x4#f.`..[...(>.4.=...<..O.v.r]....'...f,.b#..(J...\|...QC^E./+.)".AJQ...V.\|q.2...,e8.?up......Cp...t.[..W..V.on%.G....TXH.^D.D.......&.....qQ..E.`.O.<......H.bB..(1......'....ui.J...PX.6O.x.d..$m<.-n....P...g..57...4.e<1...S.EW....>....?....*.u..e..-W....~..<}5.K.a.$..\|......V...b...=.B}.....`."...w...9.2.D...9.,l.HC.hz.-...%.G.......D...

C:\Users\user\Desktop\GNLQNHOLWB\BUFZSQPCOH.pdf Download File
Process:	C:\Users\user\Desktop\0ef0070d_by_Libranalysis.exe
File Type:	data
Category:	dropped
Size (bytes):	1300
Entropy (8bit):	7.874381711118074
Encrypted:	false
SSDEEP:	24:ZXspknchukSU65KzOYNum+RvpRTC0Eryn9KIeNpBzut5w89XTsRfJy1A3meb687y:ZcrQkSXoOYNum+XRm0EY3oz89DMkC3ml
MD5:	81CC903BC731F8748E32639962061AC0
SHA1:	83D37242489A6BD7FEA0E00144B11FEB28FD66F0
SHA-256:	C1E01DD0551F2C89EDFA1EC2C07409CD75594608878246857BDBA9F0F3A0669D
SHA-512:	280E1BDF5EABA3A98954FDC76985BEDECDB321D51AB6F5DD96C95EFAD2E580E3A06AD7DD349DF3A1239AD415A33B59704EDB2185AF8CA9DB3E715920241C9239
Malicious:	false
Preview:	.8.G.Q.}jEx..E..+`].0...;..IR/...M.p...`'=..(:..bY..y..J...=......{.....!.G.D.W....0.N.G..\!.a'E...F.c}.A.c\..g.,:.^..o.j......../.?.z.O~~........:<fU;.OQ. .k.h..L.....#...6...t`.HP......I...FO.]..3..)..#.W7i.7#....e........;..#.z.p.a..M..{#......o........Z+?ol..OM"......u...3........_%...(3t.M....N.....lV..c)rF...S....>W8w....`7.k.+..eG..k,.."....V.2.z#.,...y:...9.[..ZkZ+..c.V...W..^>..Ru`)f..}!._L.B\....[P..Z.y.a.%.f.5..s... 9[.O..d.........}.t.....FC3Sp...:<....\B.....Z...!.#......k[..?..p...t...$.w.B.....K!.Zh{.=......f....iv..............7, W....F.........f.%..%.b..h(Kc"c........n{......lO%...N.:.....;<..D._.{.'...Z.g......^k.V...-Y..!.".....PH$..A.c......`j..d.].E...H<..'(=\|....."r5$.An.`..i-.x..d...I..mjK.....zJ..$/._(.h..._..v.J.....t.._)2..].Bl.4J1....2.x.......#.@..........S..W.EXu@.2.....`..'.......5_v....?,..!V(`<...8...=V..6.......Q......9...2T.w...PMs-.5E..g.mr..~..C.....F..}...&.J......#.lW....-.....h...?..s....h.....$e.t.>.

C:\Users\user\Desktop\GNLQNHOLWB\BWDRWEEARI.xlsx Download File
Process:	C:\Users\user\Desktop\0ef0070d_by_Libranalysis.exe
File Type:	data
Category:	dropped
Size (bytes):	1300
Entropy (8bit):	7.847569004274721
Encrypted:	false
SSDEEP:	24:csfao4n5FoJ36NCgcH6PdGNkFQzpIxeSIuNEkBgwHQ82x:N94n5FoJqNCgcH6FGCeKFJEWv32x
MD5:	90C53F72871AB25A54D25BBD79B32E5C
SHA1:	F45D21202B38EEC1485107D537619D3F1CA9AE6A
SHA-256:	FF32CC3F00BFC5F506E3DB32100A91C9C0C1C75E59546691F48D01DBF3D2B2E9
SHA-512:	A9C1B8FD9B6E0A8D1E577AE7E6EAE7523D30D2D8A6EEA0A2AF61F84C7CB27D64DC14E97D015A797A8FB8AB85FBF7FAB4D4A63BF824A97960DBD7AC5D16AF1868
Malicious:	false
Preview:	.....[..sLo.....\.h..D..r...DoK.=o...q......5..o\..'..5.qA.......g./c.._cs..sP..]U.......3............,....d.I....2.J8Z.`.`.v..#nk~.(..Y.m..N....pp.N...h.....C...>.1P..K..#......T.X.l.-{m1ZY.....m.......r.k..}..'.......-.5(fpZ7.0.L.8.........aW.G...zE~.B0W....N.....+...q..k$rs$..?F............./3f8.$.........c../...._.@.P.?....-....i...9qy..0.YY...3..s......,.Yb..B.....gS....i.@{..=]....0..I..:>=...-....W.TH.9:..o9....0...&..vf......%R...2........1..7..A........5UD...} .G...J.N._fH...G.I.l2.......@^X.A...9....Y..PmUY......&...N...rL%d.Ph..b3..[......W..w?.)...r.=.u.......0..i.].......z.;cH..XF.dcd\|H......./..v..P0d..3..[3...r....f........J.Q.`..u&66..fe............v.......]./..?..I..0.kg.fn.Go.{...6...4....12O..._.6...3.}B3;.....y.5.\.Z...6..+m........`....5...9=U.(.Nq........X...m.d.d.1k..~..q..#.u..;..S....m..9!.AM.N.BH .(.`.)>.....{.E......$...,..3pp..n...I.w..J....$.\...C...(.....DO...\\|.7......D..V..E.."...`...Z.l

C:\Users\user\Desktop\GNLQNHOLWB\FAAGWHBVUU.png Download File
Process:	C:\Users\user\Desktop\0ef0070d_by_Libranalysis.exe
File Type:	data
Category:	dropped
Size (bytes):	1300
Entropy (8bit):	7.855248236649397
Encrypted:	false
SSDEEP:	24:ChAWhl9NucaorhJfX0CqX7go0nFEykqamnP6m6+Z/nx0h0zuC0ZplWr4a:ChAa9AcaorhmCqrsnqyfnP64/xa0iHlO
MD5:	D95E1254EF08DBD7494DA7BE4CAA8EEC
SHA1:	899655A0767C4E3A939AECAA38E3FD35EF69B272
SHA-256:	3D0413D916EF6C6BEF3A8F84AAEE99A43D8EB381D81DB246DAD366322324275F
SHA-512:	909B5C6F4214220F44985B8352EA18C4113F9F07221785E6175292A1F60B22970A27ECF0F9EB1777F72F6F4D73B6FD80D5793C5E1C0D0BE8B7458AC61B26FFF3
Malicious:	false
Preview:	....w&.'@.P.P...)+.2...x...n.4lL.B.^x..?x..`..pW..C.... ..f..].b3...>...-,3.)..U...Z^...D.......G..<A....h.....DF...Ap....=-.._.L..Ma..y.....!.],l.P.44.l.2.v ....$..C.S.X..Q.YP2.Z.qV...6....qn..h.oi.T(.B!.p2M..)...O19....C.x\F....&..6U.@.....P.+@...........[......@.NU....~+.8.yjCMp#..Y.0...!..i..<O..AYh...LT3u1...o...2P].....b.<...B=x..>/...uU...%..u...9.?C....m.a....B.h..y.}^..=.....o...xL..+.{G.....S.........;..5>eR...d.k)`......#b....%W. x...xz'..9K.....9...a.F81QA,-.........Z..^..p..s...?.F3Y.Y.A...KP..!B..#........O....*@....Ux.S.D..g..D.\|..Q>/0.p...N..w.....I.....`.U..B........-V.y.Up..`.S,h.r=.W.X.....tL...q.]QR......8..;.......\.?l0....../..F.8.c.. (/.....Z........].7...{.C.C@..)...._0...{.U...8......4..KE.........-.'hi.14K+.P8s.l(.rg....[BO.#.t%...9(I...G.@g\N.~........H IC.3...O{/...P'mj.u.._.......7.v)..s.6..v....%.}x...y.h.w../..n.VO.../r..@.jg..aM.R.;p.....k....hX...l~.{N.....We..!.J'.../[Vq-3.>.2.m..Df.......G..^.@........@.

C:\Users\user\Desktop\GNLQNHOLWB\GNLQNHOLWB.docx Download File
Process:	C:\Users\user\Desktop\0ef0070d_by_Libranalysis.exe
File Type:	data
Category:	dropped
Size (bytes):	1300
Entropy (8bit):	7.857194350152846
Encrypted:	false
SSDEEP:	24:eqs3zSCuDaTll/30LuTWWTUXp/HyxmwfYaPVLGJ0JLCy23tpkVAUSc//ixFY:eqsjasll3yua8UZ/HyxmwfPV6oCP3tpu
MD5:	BCBE375ACA8C2BC903E0ED49B3598333
SHA1:	67632FB3F8BD83CC075610392A3A78E1CAF8F60C
SHA-256:	66E5EEA5A9EED0AC8E1ABC2A3CA64487F0D2989A6A4EEB1BE55AFEE3C0CAFC46
SHA-512:	2707487B6E54D686D139DC255BF582B1431D82BE6C653D3AD2F952566C4EB6E5C87B67C98301DCC8770406826F20892C55E7415BA07C435E15C41DBAD435CD93
Malicious:	false
Preview:	......~....zDA...~...4....?.........s ...<.C..x..n..L..[...8LB.TG,...a.......M.N...4.#.$.L..%I\|.==)..f....%....9.v.Z....{...y...5.v..........D.^...7...+tCu....7.1w.v7rj..........g.c1.Px...\|...L..,.x.j..Sm..;.b....+.3.......0c;)....ra.$..].......H ..$..}.,c..s.?...<i}5.S.D..Og...v5rb....F.9...O.c.:M..8/o..A..... v...;8....1w.9..^lv.{..:..?.c......{....&...B!h.#=....B!.b!.(, ..$7U4..c....Q.5..^....B.s..n5U....q.4 ..i...2.$......"I....<..........0..9.7..VJ.n....I./}.e..uh..h6.:t#.u....A.\.r1a}...t` .@.>..+Nf.i.Y$.-..&.@tC..G..Y5..LK?T%......Y.sU..vo`4.Qn[. ;.5.S"J.....\rg..............)Aa.BkHj...TY....Z.[...j...C:...?.......V...C.{8..rHa3.)Q.....N.9.-v...q!V.]>..._!eUJ.~;D..#....L.#...+P}.]@...G.(..Q......z^.o@G9......G...8A#5l.1..zZ.@.x..'~. W...(..0MG\|Xb.p.-[..A6.).,1....*xS..H..o.%.687A.....SW=.LF.r.'.<..<.$k..D..7A..W=4.\|c;FIk....1h.H...@.-.m&...#....1......#..1!..P..kG.Yt....D$.....Xp.....o...l......{"..i.p.Z..\|..t.....+......L3....

C:\Users\user\Desktop\GNLQNHOLWB\UBVUNTSCZJ.jpg Download File
Process:	C:\Users\user\Desktop\0ef0070d_by_Libranalysis.exe
File Type:	data
Category:	dropped
Size (bytes):	1300
Entropy (8bit):	7.858680396134411
Encrypted:	false
SSDEEP:	24:h7g6xfFrvzP0JHhcxWJSdVFOVCkzWehx6Y7/52w4LFfFNr52ro7iarl/SqiIYizN:h8sWhcxW+XYCkSehx9t2w4RfjBiGhSSR
MD5:	985D4FF97F036EED2EA34718C59DB5B9
SHA1:	195ECFEA17C090E1215CFB77FC825663E6AC3738
SHA-256:	1936FF46ADE0B32D2691EAB473E49850329656A6C894580EF2889272195367C7
SHA-512:	E180702C9EC99A19807CFC88B96324A7D5020D21278A47E7827B00AC1D74829FF36CD11297919699A7E4355D4AA65BC5854BA704A7A09172F6841BD7E84318B2
Malicious:	false
Preview:	(9.....v....{...'.C.F....j..}.....y.....v.J.SsE.N=.....X/~..I".)....A.$al....e..o;{;I.?..S......[..Xp...\|v..!...S.....ww.$*.c...;."..3...7...cY.r.0.......?.1O..k.aR......<.u..n...,.r......pNg..b.C.l....s.3..&Ai...47...cpX/.l...k.pr.-].II.........J.....W..S.QV....u..]..JN........L....... F2S&......cg..B.....68..+.n.OI.S.W......H....e=.m....k.IH..I=o......k(i..g....@.-z^.y]0...9@..r].o$..)..,....#W....../c.3.2\...h.......4OU..."V.hGx.....P]G..@G:.....y.....w.elu@...k9....K...-..-n.n.0kk.<..~c..8...=v.7..}+_.oX.<.\|..d ..-e..?icC..a.\|E&..?.Z.Z..&.....5.K..\|K0.=-C.$)..A.....T...l....^NVj..a?..o.q..I[.. ...8..7..I....J..rX.k..o)..I..........Y.UDC.e6.Z.%+....5..f.S...M.q]a.+-.o*...3.).f.D..+..'%....K..$\k.........cF.\|.D...iZ..pj...N.V.v.Q\|4.hR.....z..!...., 9..)!..P,s..0.....?@...<b.s..C...K.]u...)Q"...:y3Q.9/..=.$. `.v..T`.1......}..H........G......E..L....e..&B..&.L.@B0.c.....{.[....gi!...V.:....T..&...bR........kGR..../_.t...

C:\Users\user\Desktop\GNLQNHOLWB\WHZAGPPPLA.mp3 Download File
Process:	C:\Users\user\Desktop\0ef0070d_by_Libranalysis.exe
File Type:	data
Category:	dropped
Size (bytes):	1300
Entropy (8bit):	7.833764495537887
Encrypted:	false
SSDEEP:	24:YK1k89q+iHpF3CXTm6AK92PXk2cK1zjM7VP3jaZx6G4sBu07hMoT/SGF4m:F+Mq/HpF3QTm692+KRkVP3jbGFBfSGFR
MD5:	092EF1CE90C2F6D927C2FD5D3E323E41
SHA1:	1EB6D03AE86582343922C948005D5F42E7AB9511
SHA-256:	8D8BE97A0A40F20782959427CC4D9E50C0CDA96E526C060C8A7282B6460BB4FD
SHA-512:	419540B69C3DF68A0AA2A21C02A9E810C0E05D15CD5EA69139D7F3D0E16F820229258AD47B86576A2FB56952B8B7AD9F0743DB3E9A227C43E0704EBD24FCEDCA
Malicious:	false
Preview:	R.2...H..\|...Q .....7..K.e.w"...0M.\.T...."..SZ...a....ZJ.Ui'$..S..e.h..dk..(...F.w...2.'..G..82..?.sf..?$...@......Q..Y.:_..W..j.`.i{f.....^.@.%o.I4eF...`....M....PdC%.......11.#-.s..^...D..a.?Z........n........m.kDf]..9...E...:....7...R....Uk:...l5..1.w~..........;.........Z..........N.....;...Y.1.@.u." <Vk..'......."F.....Ia.&v.=..G..h6..JS..`.o.`N..U..-.:....6../D...F[.d~8:........j...."..b6.E...p....>.yT.mp.{@.!......y.!.p....?4..........68.......d.p......."M....x._g.$.<......7..AJ.._.w.... /Q8....n..[8E..L.)hx...>>.....Zm..'....x...60o.^>A.K_$1.s.._.`.ONnK.W.....T.+D.9.M.0.z..8..Ylx.\fL M.\|...YW=.B..........@JJ....3..u.%.W....MEP.2#. .>.......<..K..m....QM.....54.2.Y...s..\.$..C.$k.Y......a../y.@H....&.......j...R....$..$H,'..dpe....3'.$.gz..8.R..C/..Y!v....=Cd..D..~.{.t]....rm..#z.V/./.h..>C\.u.k......j.;.5.iCC..:.Qb.H......\|"k.XM(...(.<LL.WX.........`f...c<2....Z..U4...W....X....... ... ...Db.Mg<..oC-_....L].,.tJ...*.

C:\Users\user\Desktop\GNLQNHOLWB\read_me_unlock.txt Download File
Process:	C:\Users\user\Desktop\0ef0070d_by_Libranalysis.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	696
Entropy (8bit):	4.881841175168212
Encrypted:	false
SSDEEP:	12:awnG6J+d6tYzsqoo85X2OqHEMN94XsEU14HQ5BRWH1:aYC6GX85X2fHx/4cES4HEBy1
MD5:	04953EFE5CE48616B2ACD837ACCD6EB8
SHA1:	F7E7DF61C8556A9DF22208114C9D77C50B882731
SHA-256:	DAFC32C6BA65F27943B0E7E1C6F714A0C909904FB3156E7123F8A978F0948CD4
SHA-512:	888A80330EC599E48A6BBA56F709C3BB2EE12A9D582D45D861D42845CC65D0DF1B7B9C84D41395ABDAE88204D5DBF4876767891A062A7951EB059F19A063B523
Malicious:	false
Preview:	Hello dear westernpathologyinc! ....Unfortunately, your files have been encrypted and attackers are taking over 1 TB of your personal data. ....financial reports and many other documents. ....Do not try to recover files yourself, you can damage them without special software. ....We can help you recover your files and prevent your data from leaking or being sold on the darknet. ....Just contact support using the following methods and we will decrypt ..one non-important file for free to convince you of our honesty....use TOR browser to talk with support....http://uqudwxzszbcj6uxbhbdccmixvwjfewn565ifotzvcbbimsjjcczsvpyd.onion/25659336f9879d3f18e3f621199af56de327d220d444654779aeb406a360f2d4

C:\Users\user\Desktop\MIVTQDBATG.mp3 Download File
Process:	C:\Users\user\Desktop\0ef0070d_by_Libranalysis.exe
File Type:	data
Category:	dropped
Size (bytes):	1300
Entropy (8bit):	7.832873778109858
Encrypted:	false
SSDEEP:	24:kInb4Tf5fVtES/mLws8roBiOx/yFh3mSt6AwPVxCnjU2wGsKYxPb:kIb4TpVtE1KGuQJ9knjNxspT
MD5:	A99CAB17E55AA660D8056BB3613C5B38
SHA1:	937390A27CB4E041BBFCD7DEBB1ECAD33DA38AA3
SHA-256:	B0D9C8422E5023BE2C3D65A19C17B20A8DDD3515A086C19DEF9CD9BA3CF57D32
SHA-512:	0BFC071419150C8CAB405CD9D25A83D201D65B87137A58712621813434A7007345AB924D05E1308397F90B9B6D43B29ED0A1AFA7F714A923E8F14E25A69DAF86
Malicious:	false
Preview:	..}.....\..pq..9Qn."..l...:..\k.-.....\|.a.u.@X...aw...}IB/.\r.........!...=,+....i..`"..w$...{..i..q.....Gj...F...!.!Y4+<..m5.1.M..(#./.n...../..?].G.Z."...C!.......?..F.z...w.<+f..........#.).BJ......8zl......\j.../....]v/}.E....E.....y,F..L.RP[&..'%f2.J...;0.o....". ...,...k..H..H.X.(....<d.a...r..xM...Uo....\J.....&....j9.g..Gm...,\|.1...E...zE..Tw...+.4....r...k[.i.Z....IA..).\|...O2....v'W..GO...!._...M.y.-.v...u..'p..g..Y.r.......M....@m........A..... ....#...?..4D.'.q...B......8.F.+.?.`...f......c%s.'-.NK..j...... ......"...R`l.....C.G...%.....5._...(2.....3.......m....m..n.N..(h.%..;.y{..8.>..Qm.3..~+...k.a....i.w..v..2I>.....q.e..y.CtUp(.2\]......o...[X[.c\|...F...+c).....i..%Q.i...^.>...j7..:Q.4ui'g:...\|......gE.".z{..p\...L..........t .9...]..h..$..v.9../"...a..-....3......mw..v.e\|)..N..r.....;.u/..W..{i%f..i.....V'b0>2.."..-.....]`.S..oX'.)e..~..F..."..\|T.zty..C}...z.L../^>....kzbaI.C]S."..GX.Uc.Z..G>.?.5.I...d.......khM.oh<

C:\Users\user\Desktop\MOCYNWGDZO\read_me_unlock.txt Download File
Process:	C:\Users\user\Desktop\0ef0070d_by_Libranalysis.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	696
Entropy (8bit):	4.881841175168212
Encrypted:	false
SSDEEP:	12:awnG6J+d6tYzsqoo85X2OqHEMN94XsEU14HQ5BRWH1:aYC6GX85X2fHx/4cES4HEBy1
MD5:	04953EFE5CE48616B2ACD837ACCD6EB8
SHA1:	F7E7DF61C8556A9DF22208114C9D77C50B882731
SHA-256:	DAFC32C6BA65F27943B0E7E1C6F714A0C909904FB3156E7123F8A978F0948CD4
SHA-512:	888A80330EC599E48A6BBA56F709C3BB2EE12A9D582D45D861D42845CC65D0DF1B7B9C84D41395ABDAE88204D5DBF4876767891A062A7951EB059F19A063B523
Malicious:	false
Preview:	Hello dear westernpathologyinc! ....Unfortunately, your files have been encrypted and attackers are taking over 1 TB of your personal data. ....financial reports and many other documents. ....Do not try to recover files yourself, you can damage them without special software. ....We can help you recover your files and prevent your data from leaking or being sold on the darknet. ....Just contact support using the following methods and we will decrypt ..one non-important file for free to convince you of our honesty....use TOR browser to talk with support....http://uqudwxzszbcj6uxbhbdccmixvwjfewn565ifotzvcbbimsjjcczsvpyd.onion/25659336f9879d3f18e3f621199af56de327d220d444654779aeb406a360f2d4

C:\Users\user\Desktop\Microsoft Edge.lnk Download File
Process:	C:\Users\user\Desktop\0ef0070d_by_Libranalysis.exe
File Type:	data
Category:	dropped
Size (bytes):	1684
Entropy (8bit):	7.885989711540288
Encrypted:	false
SSDEEP:	48:k1vD6ZwA8/QPoZce8a4xV8r65KSdb0Uik9Z5Zb+:k1L6Z38/QPsuaKV8msaPzb+
MD5:	E0FF2C0AD3138061FAAD3E5D0FE2BD09
SHA1:	2B432B45BA26323219AC76DBE9081B73998992B7
SHA-256:	0F787D8DC42EFF873304A7B5D6C11793BC97E20A1179F3C56951C2574A712A56
SHA-512:	ED91FE243CD4CB49561EA5CA96D3B9D6CABC47251A29C19B0726FD1A56394C95B1AB2D7116F2DB7B5E515473112D4A568EA35DACD3F438F64BF12CADB30784EF
Malicious:	false
Preview:	y0.......y.=WF8X.G.........,S...tQ...[\|.Z...z..C.A......P.hqw.1..w...]..`g{2....#.....r\.,)...Y]c.i,.T.>.r}.7,.~\|..M. ....$.....u....k.;.....).........N_.a.8T7....qg....1..4<8.i.J.f....V.!...Q...kUPt_..3...D.o..Nnul.p...h..3.C..{....Tf.....y.p);..ZP..)...wz.w.^...A..R]z..&.t'w gq...g>....pJk...U.N.C#.......R..Pd!jE.FW.gt..<.G.vz..........6...@...\|..C.]/..`..e.q.f...h..(.l.)R..N..'D..YLj.y..p."'.Sm...E.?. j].sl.s...Jn..j.......E.q5.}BHL..H....#o?".J...]E.....nv.H........"`.Y..[..Z5..=...H....L.=.%....5.)%.!\|...r.{.....<a@a(.`..../s$.2.u=\..)6....1..y....}.[.$.u..nJ.3u.....T...j.....\|...Y..I....p.8...wDJ>6..g...Y..2..I.."e....d .....{a\|j..S..@<.Xocv..+...$0,_T...K......2..!....bq...79.D.w..P.......N.......N...d).Lf..=)S......?.F.AO..Q.m.A.q.0/..SR...3.m.3.:.^.=..(...^sE....RlQ_[.z..V.+..A<..x......"k....pQ...h...Mp.HZA.....H..P$+....0x....P{....s'.'~f.....T.KOo..v.%>.....>.?.z..z......E.g._.M?.t.....I%.Z..vm{...8..u..{..:...h.S..Q\|.

C:\Users\user\Desktop\OVWVVIANZH.jpg Download File
Process:	C:\Users\user\Desktop\0ef0070d_by_Libranalysis.exe
File Type:	data
Category:	dropped
Size (bytes):	1300
Entropy (8bit):	7.842613938155801
Encrypted:	false
SSDEEP:	24:+cTbWl5xspvxjqKsnp6J4rQDSe+HsWkgsWyBAA+XtvaA775lpIIO:GhIxjqf6JiQDskgsHAJtyUzA
MD5:	CAF155F792494B339A4675892BA39509
SHA1:	7C7A3339A7165AA8855A21B1B2E2682AB54AACF1
SHA-256:	F8F8C23CEA0D0E29856BB4478BB67C05D1A6EC3B2844DBCDFA9555F69B98CC09
SHA-512:	318707644D7F2334EA82765B768FABB558A65108266030BB320C5F36C443FDCEDDB4BB5273D694F0BCB85B24EA232C09641BA7967A37F267D54ED76FD7A7B430
Malicious:	false
Preview:	.@AIc..^+d..).3.)...<.....%h ..f.?6.x..:X\..\....1....a..e}.qE.....9,.-.J....B.B]..$.v.2?...x..#5....<x...V......"..h.s....b.N.P(....]....On0.=5...C..(.........5A\|i......Rh.+...5.vm.......!J....+=...u.........+L....D=........n\|;k.2........!.w=.=F.E..v.t....;/.<....T:.Y..4zQ...t..&y.$k....br......e..f......Tg.I..nc-.PYh.I.....>2\......G..i.._.n..(.X+.s.7.........$V..t....$...@..j.........K}.:!..`....K.JU.p.....].."..i..+Z.Y...i.j..c.w.........n..%.k..>a[.y......R\|.-q....Yi..#>.%.~DC.}~=.W..2B...a&pm.S..Y.....D...b'_...3(.B:..i.s....[-D=.....^..l[.w.d...T.....Hur.5.T..iK...I9e..vo..u.._.....P'.]...C..\|e..e..;.W.n....).-'......}..(,.$).K..V..7.I4{.....%b.y.%D..&.:.....z<#..m...5i....m.(>.....B.....J.<[...%....(..]......$...EQ.g...?....5\|.)5.2.'.N...-..Z...,S.H....4..A(......\..{'.>.Bb.kz..&8.].gP'.7#(.j..Y..8.....6..D.c....q.2..>..$..X...D...Q..L......`d.\...4..4(;p.u..?>.......x....:.1..p...f.]._.V......`...f.J.m..!.Y.=9.!.J(.~.<

C:\Users\user\Desktop\OVWVVIANZH\read_me_unlock.txt Download File
Process:	C:\Users\user\Desktop\0ef0070d_by_Libranalysis.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	696
Entropy (8bit):	4.881841175168212
Encrypted:	false
SSDEEP:	12:awnG6J+d6tYzsqoo85X2OqHEMN94XsEU14HQ5BRWH1:aYC6GX85X2fHx/4cES4HEBy1
MD5:	04953EFE5CE48616B2ACD837ACCD6EB8
SHA1:	F7E7DF61C8556A9DF22208114C9D77C50B882731
SHA-256:	DAFC32C6BA65F27943B0E7E1C6F714A0C909904FB3156E7123F8A978F0948CD4
SHA-512:	888A80330EC599E48A6BBA56F709C3BB2EE12A9D582D45D861D42845CC65D0DF1B7B9C84D41395ABDAE88204D5DBF4876767891A062A7951EB059F19A063B523
Malicious:	false
Preview:	Hello dear westernpathologyinc! ....Unfortunately, your files have been encrypted and attackers are taking over 1 TB of your personal data. ....financial reports and many other documents. ....Do not try to recover files yourself, you can damage them without special software. ....We can help you recover your files and prevent your data from leaking or being sold on the darknet. ....Just contact support using the following methods and we will decrypt ..one non-important file for free to convince you of our honesty....use TOR browser to talk with support....http://uqudwxzszbcj6uxbhbdccmixvwjfewn565ifotzvcbbimsjjcczsvpyd.onion/25659336f9879d3f18e3f621199af56de327d220d444654779aeb406a360f2d4

C:\Users\user\Desktop\UBVUNTSCZJ.jpg Download File
Process:	C:\Users\user\Desktop\0ef0070d_by_Libranalysis.exe
File Type:	data
Category:	dropped
Size (bytes):	1300
Entropy (8bit):	7.854009513768799
Encrypted:	false
SSDEEP:	24:NsSmHJ/UYCFM8ORvQG6SBJ0X5u7Haa/tChoDalG9k3A6vIoy0VlXapac4t7tZwG:xCVU+vR0X5eHJcGalG9kwhqKpMZT
MD5:	88DFD526C2FDB4AFC98221C448B43316
SHA1:	A4494614946139B95EEE8A3B8FD50CEFFB9DFC14
SHA-256:	23040729927CBE050396882B35DE7FF8B8DC18D7F5CA3105B5F82EC2A5594BB1
SHA-512:	E3B39FBBF399F236513C1FA9825209F92D5671380F5CF6721D65C4AC49299A0383F82AEB02AC023947FFEA8D2C6EDE90FF72AA8BBFDEF94E879FDC32EE2F4B22
Malicious:	true
Preview:	-_.R..3fl..#...F...rSR......4........vWv....../PU.]....6...C..&cL....T_.`.....9D..._.B.x`.~M.)..........ES.lL.... .6..bx..L_.w.\.....S..9.#%n....U....>&.X...Sj{)c..M.j...FJ....H....I.d.Z....X.....K'C.qJ-z1O-..]b.0.q._{..x..H...r6^.....&.s.,.7=.Ow.W.G.AQ....Psc.,.)^.....!...I'.N..OF..^_.;...si..\..,...E..a]....Z.4..)f.ua.....Ce,.mz..e.5Q..V}........-..o..=!..<ly..'......;.$..Kp.K.c)..m.P...:.....d..%h.'._%&.B.J;.~....5iW..=.....+R.....>...I.Gcf.\....&D.IT........9lwA./G......j.\|6.. .~Z..@..s.\|.....Y...O...!....^.......0t.N]c...r...U#....[.Ra.F.....h..@..=.po1....m..~.\|..\.<..Z.{...$..Cjc.Ja......]....\|..+.N..I..c...xC&@;.j..H.D&.oI.N._..V.H..{)mB%..>..7gJ(.....<...G..m.....#....[.q.....S..2..j...>Q..H..../t.%.....{Uo.r..t.p4t.[..#.....P.n............"~@v.u..;.qj.6g.....9&.S..ad.@....>`,....H..h9y....t....T.B...y.........5^.SV..q.U...s...u....7.OV.Z~k.j,...V'..._a.~.2lD.Q....h....P>%.X..hScJ.}.cQ.C:.e.....*.`......!.. ...

C:\Users\user\Desktop\UBVUNTSCZJ.xlsx Download File
Process:	C:\Users\user\Desktop\0ef0070d_by_Libranalysis.exe
File Type:	data
Category:	dropped
Size (bytes):	1300
Entropy (8bit):	7.838797720197989
Encrypted:	false
SSDEEP:	24:c+zN7V7dc6f8S644klPSsGlProOMg3ioLCTvkbCHOrkOIvix/kjA+slCPi09BfZe:cgf7dcS8S64pJzG1ojgSo28rkVyTlMLg
MD5:	3FFF422E9B10AE3EE8D144A3E9FD78DA
SHA1:	4520EABC6536F0C320E9EF37CC5D8E6954A081CC
SHA-256:	27FD2EA9B0603A472B1FD37DDA165AD96512EE905256F9B044551B41511BF833
SHA-512:	A6B3AC3C14650438DEBBBC262EF437C0EF84E66D42225E71C10FD1496E6979B159779345613E72D5BAB0698D51070004D5C79FBF6109F5C70002F93896A48EA6
Malicious:	false
Preview:	Mf.ZK...0...u.Q.n..e3."..w?]'..N.....^..#....y.T..b...P.6K...}.6..'a.-{jk_..}......o(]..$3...%.l(...4..:..=....L..?_.....X.&......;...q..g/.....P...f.\|X.qV).'...wy.....X.L.n..qhZ..1k...p.z.%....{....,.S.k..c.P..j..%Ds......[.J.{O6F....W.........,..#3...^p.fnw9..V.}.YI\.z...D#T..Z9[..S,J..A9.......'...X...]...v)`w...^.I...._...El.L.......@b.ON\...7V+.n..[....{U`+.+...E8.n...7I:.jE...N5.1.OU....T:p}.`B.....s...&.x.B..=P..x.&l...;Sw...\|................].^-.h....0........q.#7.T.i.....>:#..!......q...........-..h\|.BG."...t.6..JL..8../.W..qy.L....%.j.....OJ..Q....NU...h..{........1qD.T...z,5=.[....XY..X<]W.n..".....YNi.Vu."%..'..GG.....t..?.79....~y...?....k.\|.o...:.(..A(.q.7^S7.........4.tY8...=.M+H..}.iH......%..E4V.F..ZR0GvX.DZ....F].g......-..H...9..h.....i-'...*FE.c.5..[.......D.z.))...E......_wb+....E.....w...>.Yf.,.c.cFaoL..-..&.....Sf...3.g.....f...}....@6iv....J.!.2.....).R...!C.1.6.(.Fa...u.3iG]..N...gY.O.>7.wB....

C:\Users\user\Desktop\WHZAGPPPLA.mp3 Download File
Process:	C:\Users\user\Desktop\0ef0070d_by_Libranalysis.exe
File Type:	data
Category:	dropped
Size (bytes):	1300
Entropy (8bit):	7.83845168043972
Encrypted:	false
SSDEEP:	24:h0KN6hwHKW805qfCbO7EQ/v8YRfJP+DOYu4FipHXgotA29xkeKyJjd:h0cswnEfCbNEJP+DO4FipHwF2xnjd
MD5:	C00D315F492EC9A54784DE0C0F62098C
SHA1:	216C73EEE55E6D3E12C35E46E74ED82217D9015E
SHA-256:	B938C84309DD84CA54E2A214FBD142C2C9687A01AF386CF31FA9888DD75C8278
SHA-512:	E20927BFEB83B4712C0DB25756EE7D60142EFE38432C8DE174E83F50C252A2ACE88695CDBF487ABF1DF0E6545C22A36230B14A7627B0ACA4B82AE422CDDFBEED
Malicious:	true
Preview:	..zh%.../.rC}..'.......i...L\..g....4.....F.P.p.x...k....J\|..b..o.H..a.}....X.h...,=.S.?.#`...~..n(.3...{c....77.?j...?....`..O..[...C..Pt..{..6..}.Yb.H..........^.r..^...bN.8&.sf.z..h.....IEO.db>.EU.$.-U.......w......}...b.5.3...U......(. ....".w.o.'.K.M..U..P..I.n.'!Q%.x.c...q+...1........\|.\|..`].;R9&.(d.Hxx.....DI...o....:.>....?.+4...J"..._W4._.-..&...k..q%)....N..p.Pie.a.[.s..E....?.e..].7......V........Dlx...Er...\|...C7..`_..Y.z.K.~.^..S...z.8..U.\|.l0MP..h...:S.)u. .f.a.vy....mgc..."Rb.L5;....p2&.P..8v. ..7K\.E..:Z..h.F..p.[.Z......\|........4.4..U...U.0-.$Z.3.YgXX...:w.....I.<;l.(96jxJ@.....Oxbg1zl.U.$g..0....C.U.....~....u.A.....q..l........&..&....mZ..: .E.i...W.M....K)^..62......3.\.$....o.$..@!^.g..H..b=O....f6.&.r...[..M..A....~s...v.....78..H!....p]L..}wg..g..)j..J...a.A..h.G...u..PK....!...i.\wB.F..{.2..H.S........7Ks70..&g..M'.ZO...B.}....fV.4.{. ..Ki\.<;"..?_......i...8Pr...ab.g......zK.b..'A._j.@..oO..........E.o..m%W..mz'

C:\Users\user\Desktop\WHZAGPPPLA.pdf Download File
Process:	C:\Users\user\Desktop\0ef0070d_by_Libranalysis.exe
File Type:	data
Category:	dropped
Size (bytes):	1300
Entropy (8bit):	7.878241131946313
Encrypted:	false
SSDEEP:	24:Xxllyspv6nk4a6DswkkJ05GSQWq2iqj4PKU3MtMVQP+lJt6gWnMuQD:Xxllv9SsFkcQM34yLt+U+lXiMx
MD5:	B979358F04BC0D242F8B7CDDA3594672
SHA1:	56494D7D2C8342E0509BEC68DA3FEDFBC3B0AE2F
SHA-256:	CAA4DEC1D904364E661B488A110AB6168A13D16548762386AE07A49EAC3C93EE
SHA-512:	9673E62CF65CE1705890D8EBCC4E75F09AE5BD3574B1C2301A6109BEFEDFB795DAAD91CCB3007780FE81B1C2B12919B88B21619B05F5081E46C952C31A41DC72
Malicious:	false
Preview:	.1m.....Z.R...P......WSq.y.].P...<f.\|@..".W^aM].@...2..L..T........n.x.IhqC}U=(.....o...."..!e~^.....L.....c.m....?~.r./...9.\|.f.Z....Fl._..M...x{X/..[....0.A..k.._z.....).U......F....).".f...'lT.L@G...N......-)N....c9!......$.M...1e.....O..>....Wq..%,.2.+......4eA_u....`.Q..X_.0.....^.i&...t>..>.!.......n&0..B{4....H)@.K...^Yo4.W.i........j......Y.#V...m..h..2.......g..2:._....8..rW......&..q(.Y=B.k...6.......Fjz..!....>[...?.j.3W..f...HX..N...!..d,iR@....{.C.bC.7D.p...;/[e5..1.x,<..3......&...\|D.).X.u}:..;wa<.Sm0e+.w..f.KT...t5+...)....0.......).....q .4..=.... .Q....d+..&..`...Vd.8.P.H.v.]...>..(.'...!.....J.X...q.j!........[.8...WN.....5..zR...S.....P.P...P...[Q..FO........O}.i._I..o.T.....e0.hN.O...~m...0.d..#.9..<..\|.q...PV...r.l..X-...T..1tT...t....J..9P..{.Q...".....O"../.....x..{.w..^..<\.>}+!v\|J....sV.D.v.?...q....Z[.xyN.].....V?.'..h.b..z........0...[..^>.N.....A.Jjw.9..Mj....h..s\)..]..F..{.....W.."..i.'..

C:\Users\user\Desktop\Word 2016.lnk Download File
Process:	C:\Users\user\Desktop\0ef0070d_by_Libranalysis.exe
File Type:	data
Category:	dropped
Size (bytes):	2932
Entropy (8bit):	7.926112835621476
Encrypted:	false
SSDEEP:	48:/5DwkiLnvD3vRscqDMkGNeQ4CA0yZaGfCUKi2lqWRejyPXSF+dE4WW5SbTTet8E:/hwDLnvD3J7qDMkGbbA0maGfqiEGj6Zx
MD5:	61B89A717B0A298FF9281F5E9480500C
SHA1:	852DDDDB8CED55718F1EC53DA9A1356DB04E1C9D
SHA-256:	C44F9CA56DB825E0F9F91971D96A296608EFFD436AECB1BEAB0813DC830347CA
SHA-512:	121BE5537BDA32501DC078B1C2DE4FFE3430E3CC466EC7A57F16AF414FB2F14F15C1DDBD737D6F5A7FC6E9BD782206F02A6820DC533A3D30DA52B219A8B7C973
Malicious:	false
Preview:	..%>...~.Q..M....Ei..ve...:`c.2...f..9......@..J.........=xH..:fDW..i.....:....7+.F..U....T.a...SC.tXwqv...{Td........J..A.,...b...a},.d....4........v2#..Da.J`..5......^5p.....I.=.........Y..d.v.]..6,.........S\|...N1......Ax....S.t.....x....@......i.6...I....F.r...j.....u...d._."..B.....F`p_..O...4..OB..w...n.~..w.2...tS5..?`....e..^.J..S.@E .......+.....f.7.;....~&(.)A.:k4........d..:(.#.'.....(..0....b.x&.%..8..f~.@....\|.....~R.Q..J?.,X..\|jF...".O.~.B.+.}?.f....O.7.p..U..8..\|0...=.#\6u..uV...V....X&`_..HM0b.j..}.d9.p`..v.8...pk.S.c0.8X..1t2_.?.."Yw:.....:A......X...rG..j.'8...[.b....._F0{....VS.?d..z.`..O...s~...f.......1...o.".AL.r..#^.u...B-/.Xc..\|=..6)..d..qh}\.a.35v.`...m5p.P..\Q>9.N..@..FW\|.......-.nO.-n..l(..^BH........2.V..k.+V..]4.:[.<Q...W.....4..>.....^.n.f1.....Z.../.g..4..7.h.S....8....tV.O`.A.4/>..)..x.HBD......c.......\....&i.G..C/]......o.z.X..zv7gy.....HQ6...%n...s5...BV........Z..x>............A.v...(

C:\Users\user\Desktop\read_me_unlock.txt Download File
Process:	C:\Users\user\Desktop\0ef0070d_by_Libranalysis.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	696
Entropy (8bit):	4.881841175168212
Encrypted:	false
SSDEEP:	12:awnG6J+d6tYzsqoo85X2OqHEMN94XsEU14HQ5BRWH1:aYC6GX85X2fHx/4cES4HEBy1
MD5:	04953EFE5CE48616B2ACD837ACCD6EB8
SHA1:	F7E7DF61C8556A9DF22208114C9D77C50B882731
SHA-256:	DAFC32C6BA65F27943B0E7E1C6F714A0C909904FB3156E7123F8A978F0948CD4
SHA-512:	888A80330EC599E48A6BBA56F709C3BB2EE12A9D582D45D861D42845CC65D0DF1B7B9C84D41395ABDAE88204D5DBF4876767891A062A7951EB059F19A063B523
Malicious:	false
Preview:	Hello dear westernpathologyinc! ....Unfortunately, your files have been encrypted and attackers are taking over 1 TB of your personal data. ....financial reports and many other documents. ....Do not try to recover files yourself, you can damage them without special software. ....We can help you recover your files and prevent your data from leaking or being sold on the darknet. ....Just contact support using the following methods and we will decrypt ..one non-important file for free to convince you of our honesty....use TOR browser to talk with support....http://uqudwxzszbcj6uxbhbdccmixvwjfewn565ifotzvcbbimsjjcczsvpyd.onion/25659336f9879d3f18e3f621199af56de327d220d444654779aeb406a360f2d4

C:\Users\user\Documents\BUFZSQPCOH.pdf Download File
Process:	C:\Users\user\Desktop\0ef0070d_by_Libranalysis.exe
File Type:	data
Category:	dropped
Size (bytes):	1300
Entropy (8bit):	7.860328801512073
Encrypted:	false
SSDEEP:	24:LIH2gsVIXSOa7x0tZQ3FCtmzqlFqIZZ8nqsOWfk/5626R8Ax:8HLsVuXa7xGO3Atm2lrAn7loiRVx
MD5:	DB5AA5A55B7E515878E829E7636D0436
SHA1:	6F08862F70EEACE35200C856FA257F6B054A23BE
SHA-256:	227D14D941C9487587837DECAFB71E0BAA6B9228CF4B151D95F2E8DE25807E3C
SHA-512:	7F9C331DCB03CE362836D847027BCEA1EA82F308BAACD2DD1652B556884F7B4541658075B8DEFA8E5C91470F6B51EBBF4DE833414BF27F9564213F50CB417DE2
Malicious:	false
Preview:	..^.'g..$....G.....}...^..G...`K.CV......A...\-..gf...k+.n6..~..U.........D{{,c....O..{1./.I.o{."....~..#_x......B.....^M.R.....l(g..<.."T.<V..Hzr7y}.!.<.tZ9F.U.~.6...'XC...+f.Ln..D.Q@z..m....tJ..C..O.p..%..'U....Y.p.....a.L.Y7z..:..J.H.J>\=q.N......W!.F...6x.B.........h.0N\.....iI\|.v7p%5.4(@........~...$[.H.]..NN.t.`..aR.3.g....D..........."Nr.....F.E.......u.M..&2.)/5..}.9i.z...JM..D)W..v.......lSt.....6..BI.e8.`..C.........#;(.x.....n.......:.....%....F..<px..lr"..=...n..\P8....t.....f...Y.....Q.J..B...\|..s...;.D...iv.kqk......N..=.)...E..\|#.)...M..JXj...C.0..z.D...;.............z.....`#..[.,C.L....$L..`.Mnj..6...vf..>.w#.U.)....n... ...C.*..?...t..4..#.h.....5..g.!.s\Bl9.....l...9..EwUg.W.Em.m...L..XN..].A..h!.+U..{..\.2.F....H9...8.U.>..3.-Rf6:..Z.>je.^...,.1..{biv\....]..;....>..l.w{.xx...>...d.b.M..9.B....QK....p..}...M...@....9H...N.q.1..!@..6l..B.1.FF.z....G..h.Wn)p... ....k.....KE:.....-.^..-[MB..v.@@Ed.E,....ft O........Wu

C:\Users\user\Documents\BWDRWEEARI.docx Download File
Process:	C:\Users\user\Desktop\0ef0070d_by_Libranalysis.exe
File Type:	data
Category:	dropped
Size (bytes):	1300
Entropy (8bit):	7.851386878840173
Encrypted:	false
SSDEEP:	24:SrXFZ55o+I4q8ez8PBPH6nDRIQ/RWLKKsRI8g0Ind63ms/3P7sG9ZUR:SrFZ/I4qr8J/TQMKjGZd2Z9ZUR
MD5:	F51DFD8C09531B611B06AE1CCBB26171
SHA1:	8E459721437FF7024AACBCDCDC3C8344BEA84FB0
SHA-256:	3C7430FD42148160315E791F19E0F469149E55BB6AE0C0AE83F5BC0EF7C81DA6
SHA-512:	1FAEC7D3AE17896F71C4D58CA1BD42003CCADA07A25BCEC38793FF7B1C2F34B6B7FEF5623E5436E43CB4233BF36C6A3EBE91A2EB752493AC2B04C051D74D23DC
Malicious:	false
Preview:	..S[q.....79+~...U..2!...g..m...........B6..$w..........B.g...+.5..vH:.f}...d...l\|q.h.^W..^1`....&..E..P....Y..1?.......:^F..0......a ...ngc6..<........c..D.A\....x.)...t!.n3F.?.>..f..#G..on~..i.eH#.f.9.tZM.\.t;.[..2.:z.F...O.p.......;W. a...!...g...........Y.z...;..O........S.k../p.[.@.@.$..+... .\|.VhxZ...t..B..~.d..Y....\.Y..P%.._..G..\|.'.],l.B.w.+2....R.i.?.F.&.vnc.-t?......L....kt....P%.....)..Y.).j....C...pM.\|..X.G.#../f..H....o.....5c..Y;............... 1...j...Of.+..^..F..J=.;...i@...(.... P.:..3W.2.....o.M.Cq^........42.rR.;..Q..V..x...=.!/..n.$2...T...j{..3..'3.n)y.aB~e.. i.t3\|..0...n$.a5..=.y....K....<......{,..i..`.r.lh....;..9.....Kn........E...\}vOG.O...........J,N..tP.16...!.I.:..]...$....\|..<.@^.R..$.O...AN].i.uCi9o..9CNbj..S+A....CB................W..UG....q.....*'..V.M#W..>n.-..._1.....Z.].>.<..Ag..@.h...8.q[ 2[..T.......U...Q.W....y...\|&.%.8.....`..K..!/.iH..a...5..+..1Q..m.e.{.h......d.+..E.n.j.....Z...U.k.W.....m.

C:\Users\user\Documents\BWDRWEEARI.xlsx Download File
Process:	C:\Users\user\Desktop\0ef0070d_by_Libranalysis.exe
File Type:	data
Category:	dropped
Size (bytes):	1300
Entropy (8bit):	7.857003071410958
Encrypted:	false
SSDEEP:	24:ODVxoJXOHpM22SBqfhbeQ/MDglFG1VysT8t8DAHZtaD0+Brv:/XOHuPXheGeglF4VCEAGgYrv
MD5:	D6DBAF4057DA1C27CE23ABF594B77336
SHA1:	D12396E065F7A765CE3E6CAFD1B37BAB2A59B0C5
SHA-256:	F36D0B2952A6FEC95169786AA1955D901F8BD5C053452367F8A84A74E652E48C
SHA-512:	FF37D6A36FBFCE4FA812B1AF4A011924BD642F55E6CD9BA2246D4EBB478F010C32678654E0A5CD864F0BE81FEF5820E1F9C6AB1EC7B05C2F5DACCB1B890D7612
Malicious:	false
Preview:	.....er..#..DP$.NS..K,....\g..j%.Q1.....1......y.[&..++F.r.3@sHe...Z.N...vW<...xV.....+....+P...6.C.E{.l...{.....B.A.......>....l.g..&...C.n...:v^..%J...x..R.e....T..._..e.v\|b.>..U..w.?[.F....#................}.6.UF..w....AF=n....{xD3.........KT.yy..x.zu+.Pf..!!.A.s.Le. ...t..?.?.3..V&Z..........>..$.^..q..=".t%.d..2....@..1..keK..1[......f?.&4&I@....0K..BK.&+~.y..+.t.~.N.....-.$Qc..X.........(.)....O...`X.......]....T.....i;a....-.1z.....J......\c>\|\^e+.Po.....?.}..-..A..rNa.+$......LiIP.4......X...cwt...k;.. &c...n. ...W...=.cf\|._.O.'{.., >..[.vG..B.5<.T]......Bh..@H....o...0....kv..2M...(.X......+.}.&...6..v.l`.8.tqm.V.\|.5....JA.......Q..u..D.....3.U(.y.HG..(.....$..Q$..V..m.s.Q].W.=._./...}o."?...k.DM%.0].Xv[Q.X} ....<Y.L......OJI;.p.^t.^..u...B..]8.....$...1....?..g..aO."."v......\|..Eq.g-.}4c......9Gf......./H.Z_...M.}..F.aa..}..G.S.\|.a].e......KPX...@.......5f.T8.@b.-ImY..r.S^B.....!..~\|B.].4..7u,.$.9.Be..n......[.....3

C:\Users\user\Documents\BWDRWEEARI\BWDRWEEARI.docx Download File
Process:	C:\Users\user\Desktop\0ef0070d_by_Libranalysis.exe
File Type:	data
Category:	dropped
Size (bytes):	1300
Entropy (8bit):	7.8557084356299045
Encrypted:	false
SSDEEP:	24:5MCrDbOQWvhociGffGWGOFwEw7XhRbC31TKdt0C438yXDCfA/:xfWvhlX4O27XhRiNUv43/TCfA/
MD5:	680A4FAC3E8F6E3DF08A75D786CB112F
SHA1:	13320E7166C591A972981516B92BD462F62568F5
SHA-256:	E5BB80E7ECAF5F7FBF3BCE58C7832162A46AA40BC28587661046DA0883833F07
SHA-512:	23D7B4AF9984308C244809B5B69E7489B9DC137FB9D01B4B067810C1DCC078D44F00FD27D050740CF7BCECDEC3A578523705002AF8FD978A79C6CEE66D2343DD
Malicious:	false
Preview:	m.#...8h."~.u...k....:."..`...H5...(.:x..p...N.T...#Du..x..RX.Y9.%+.._.y.G...........Y.N........V.M......\...j.2JJ]S..@.H.D..6.E..0...P...l........... ..!....+.C....T..V!k.0?.w._\|..r6+a,2./.D.hQt<....y.C..I......1...a..n.f...."..I....Z.....+.L..!.......x.Z8.G'.[o.+...#s.m.?.BK.}1\..+..$MF..dD......C.l.qtu...$.p.h-...lgB.......u.t.uS.S7>.F.E.M=m...G...lSC.L..K...........eH.b.E.jc..D.....)..B.ng....2...vBl...1........tI.k;$>f...^#...G..."..E..KN.\.o,^..g.4X....Nvm........H..)'..e.[.V.=..(.)w...7..l.....V..cJ....o......J._S..a...^.S;.u.\|X;f>...jG.W..Z.1.s....A.....WLf.....N........P_..........]............}...>.-?,...Wf{.E.H...t"}E.u.....x..>.. !.A_c..}..Y...!..,..U..qN.tS.H..i\|Os.Q........~..K.....\.......1.@.F...O>.U&,.l..;..9.s.".`.......e.i...L....a.....7.n..>.N.O.E...6....$.fC..C.n-.#.[....].D...g.H......".8........l.O.R.xh......G...g~V.....'...-I.kN..c.H.....H_.x..,..v$M...\|..,f.z<.n..o6gP.uKW..M=..0...yA.f"....*..sNU)?.

C:\Users\user\Documents\BWDRWEEARI\DUKNXICOZT.png Download File
Process:	C:\Users\user\Desktop\0ef0070d_by_Libranalysis.exe
File Type:	data
Category:	dropped
Size (bytes):	1300
Entropy (8bit):	7.853038387435388
Encrypted:	false
SSDEEP:	24:hWnL2vJ79rF84QXCt17QkO/oO8DoncCArS1johSaMDOcX7lRyzc:h+AVmyP7Q4JW14baOMf
MD5:	AC99DC98E05F08A2217B86A556870753
SHA1:	32F3045103801C2227D82FCA3EF5B31D940154A3
SHA-256:	C07E0788735F2305B9EB9A5B375F3B31C2BE892D30792E33770BFA3149561030
SHA-512:	577989E143ED374E4094A7BEA48DC7C0CFD5FA3B09AB5D54275C9C5A289C09A68DB761D4DE33AB77AAF9682FF230C24EF5E404EBB459EBF42F80B3D88A303BA3
Malicious:	false
Preview:	.Q.....:{9A..q.H...m...8T..Vc..........B.b_?.N.%....a..p.c.....o.....}9C.%9....I@.~...W....,_U..5....V...A.NSDl".7V..8...a@;u....co..,...2O2Q.PdB..E.....t...H&.}\..i..G.c....m...3j........Fi."Q......ln..G.P..D..`...5.....ABh.....%..D/..).i.........&-=S.m.x@.?_...wS....\|...n...Oyv...m...=.......x..]...7.(..X..:..t.c...O...A...........@.h_..i.6.^.8..G~.D/b^g\|z.l.H.Wp....g..i.:=...Qb<.%..wu..e..m.t.8h..f.a.eBa..[..A..m..Ym:w"....2.,....p...{..O..8...bR..gB?..-.."N.....^...............5c....W,+..#U.&,wuK+.]....w\f.2z]...?..I..~3GX.Y.Y- ..P@....5.R..@[=A..$.4..G1S...hpFp...g.<..Q.f...=w.....cW.]9..X%..eq..A.>K.S....B}..4...+...c....Y&0A_....Dp..Z\E..g..MC//6.............4\.]./2.K4.fz.~..}...q;.<2.q&....-....8<...i.Ha.....,..D.....)...T8Q.......>.3...k.2..d..k.Rgq.......&.....e.Yv9 0N.E%.B...,:.7..^@.J....IC..ng..+..^.(e....'........7...ET_..myt.Hi).wU....sE.'..."..i..Y...3....v`?.9]\..aS[_@Z...R...n...L.U..`&.S.d....t.]F%.G.[...!.U...}@..q\;W.

C:\Users\user\Documents\BWDRWEEARI\MIVTQDBATG.mp3 Download File
Process:	C:\Users\user\Desktop\0ef0070d_by_Libranalysis.exe
File Type:	data
Category:	dropped
Size (bytes):	1300
Entropy (8bit):	7.861940260317183
Encrypted:	false
SSDEEP:	24:WV/qFMipHnqK7f8fidsznSSrwLdALOSHtKwMOn7OA0+ajYFF0qLmT6wW:BZpHqKjsFwKJNzME7OQaqXLkW
MD5:	2E4E22F0F1C8EBD4AA35FAC7C61D5962
SHA1:	609B10923A039606FAE9945FA2966D51E59062F7
SHA-256:	A13E7640CC951EB77C38B47C974E16C294A0E2EDE46437CA5A317118C08014CE
SHA-512:	219CF2ABCDA7B7391DDD0CEBB7CEF5CA005056F523883525DDE0461FA4BF263430A8AC5C33BDC81E3224A41179380F086E23DC01F2A24C336E1EBD3E46733E1C
Malicious:	false
Preview:	....(].&.#T..E.d:.XW^.SGP......I4\Tf].o4.5c.....m..2>uP......x.....GhMC.6N.5e....g..o...P.l....}...........2....S.:....).^..._>R6.isL..L....J3...D. }....T_d6".u.8...5......r....\>.V)p.x........5W.....L...2...+.}.)6...DY.3.>.JaD.`F...$....L..'..~j.......:.....^o....F.CJ......H.9.....J`...$.b ...iP....{..{..^.=.1.........H....x..2O.f.'..>?j.W.A.ER..L:5'O..F.5.....c...EK......Ya...\|.hq.#<Rjo.x..`.......1....J#...S....~]A..kIt..z~M.'..rb3..[..B...1....$..}.'.7....E5gn.8%hu\..._.C.u.]9..5..X.kl...~......R.%.Q...eI.n!..s..s......~s..b........oz{....R.`.U;P....gUl.9.........}.....C...$v[.......V..i.<.7.:~..B&...x.hEM.Ml.P91.I......../.G6.i.lL..'.sW[..Hu.]..Km...M.............R.u...P..CJ\9.)4 r...Wb.(..5.....>..P...;...h*i[...g..g....0x.v.'..Z.X.z.2{....#Fx ..e:._..j....}I=<".W\|G.....L.-.g.2.}[...~.....w.x\.h..:..Oi.{.'zv........v4..."N.\|..y~0.D........&X.k"....HP#........by.b....35....k-.....0.._.b. .9 `5r.ws.Y..E.Cz....8,.\|.8.YH

C:\Users\user\Documents\BWDRWEEARI\OVWVVIANZH.jpg Download File
Process:	C:\Users\user\Desktop\0ef0070d_by_Libranalysis.exe
File Type:	PGP\011Secret Sub-key -
Category:	dropped
Size (bytes):	1300
Entropy (8bit):	7.873963769687806
Encrypted:	false
SSDEEP:	24:v0eEKiuQPiPexQmZ//PK8Ls5jD+caNi83MBfvAAXyWhzDxhyOQ7jxpKE04:vrIiE/HJNi83ofvAAXyYxkOojjKE04
MD5:	4BF76A7908D5ACB546845249F8D0CDA3
SHA1:	0753B6849FB174D8426D7EFE4BA79E69718AA436
SHA-256:	7903896BFE7BC84A87E7C99FA93F0B4829F4D79ED04762403B8D06097BABD8BB
SHA-512:	50069F113D4DCAD082AED9C5150663625EE5EC084AB183345BF9B0F71FE5F41F7DD71B1C911818B76F5BC83C8A3B978FD3E2F777BB5AE607F43247162016DB99
Malicious:	false
Preview:	.uLh.]E...t...E..-.y.....g....}.M.....l....^.]5.C".k....;.1..u8..ZpgAE..bA..].xQ2..{...,)...o.N^.#\a.O..e.N.../.'..E.b.H.'.NV...J...+.. .q.w.;AXw`..3..~..".jg.Z.+v);?.w..M..$.7.rDK .u......o.RN..W~#..qh.!i........p4..{'...`....Y..`..%S.[p.n....7.k.v...un...N..+.... .d.`..=.v..d .-....h.0...r...ga....+>..O......5......._.IS.ey....>.e'..w...y.tgk{4...K...L4.p\<.(Am.-l...~2x...%...3..Y....;...t.B..i%.u.........8<!..W....}..(k....n.7..2./xsD......MLJ..)o.IB.Z..k..ak^......!h..4nf..\).oU#...../...L....t......2r)....A..g.4.Z.b........K....bRd....}....EC....-...~..O.(1...#k..].!......2..a<klt..Dt+f\bFDF...1o6\|o...9(f.\.5...z.<..?.u..2.....l........@...hA...q\|9..jti.....V....+rS.0_..N...E.#..g.b....9.143.$n<..J....l..L.....QNu. ..c..J......(Ib.[F.P.h..Q.".."...NR...a..r.....nU...).\|.-.BR.].?\|+....I.r...a[8w..k..6...~ZY..(.2...WkB..\|w.._.."..O9L!{...[.+-Dv.z.TN..~M7Z^H`.\.......`..e.a...DC.I.vj..).3y...r......}..........g..]....q....n....X...

C:\Users\user\Documents\BWDRWEEARI\UBVUNTSCZJ.xlsx Download File
Process:	C:\Users\user\Desktop\0ef0070d_by_Libranalysis.exe
File Type:	data
Category:	dropped
Size (bytes):	1300
Entropy (8bit):	7.861117797627432
Encrypted:	false
SSDEEP:	24:nfi2QeACTToarxSSGh8BAcxdJv4NcM8+bEc+RYMiuV0p9Eu:sW37S8aOvXMvbsRY89u
MD5:	6C7045ED18170842A5553701F52857E7
SHA1:	5E00F38BC6DB1145998A8B5C3D7A0DD0165FA04B
SHA-256:	F128F6CFB6C44580500276026FB693D90720A338BC96BAE6D50C4D47EABBB0EA
SHA-512:	98A63A11BDB7B7F61C58F997AD917C49713B6EA9D986FACF415D56736CC83595E2D290DB86E0EED523EED2FEF665D38E8BBC1B568B4A16D376B94B13DD5728C6
Malicious:	false
Preview:	D...Vp;...0.r.-:.@...h.....g.....J.O......?..B...."....bX...IE......Y.F.@ .SK..(.........{...:...8....=..........#.).&.q....t.3..y@ou&..q.....J.:..4.+..G[nd,l..W..P...{.....A......PX...`.J.q.d..#3....SS9.[.k....L.2K....xK._..<.u....s.2...=F.7..]...~.\|..........lgOi...4..$a7...0..a...6.X'.<;...k.,.9D.a}-{..^....]g...Jq~a.u.g..... .{.z.......I.............VB..t2f^..._.)...Ar..6./.....1.D..^..O...Dg.]..t.x...]3?...H!.-.M......#.ut#!..}....MB\|...q5.....M...-....;...0..z4n4.~"...&".....+E.....g......VX;....$.VT...J..q...KN2F...L...t.wZ.'v~...LC....R.M.+.......w.l/...TB.K.z.7i...9.....l8.........\|.@.20;#:.......9`..4.t..6.Z.C.)L........8:.W..T.....k.#..r2.A&......ayL.^u. .?.B.......+.r..k_.n...9...o....;R.....ur+....m.3..]"w...^...w%I....X'..a0...~.j...F.e<.9.j.....k).......We....!.D.....B..+y.X..j.....O......R.YX.y7ux.~^....qx,.?.TO..hAs.......,..w..A.{...I...gg.....u.\G..N...m.(.....8.....Pg3.!A...D.!Z. .A..d.N.M...B\o.....(d...

C:\Users\user\Documents\BWDRWEEARI\WHZAGPPPLA.pdf Download File
Process:	C:\Users\user\Desktop\0ef0070d_by_Libranalysis.exe
File Type:	data
Category:	dropped
Size (bytes):	1300
Entropy (8bit):	7.834232450158898
Encrypted:	false
SSDEEP:	24:uZn9XTjVjGPla0pYxgg5KzfpC/2D3M0GyIDJGViDcTDDPXa5TDPYXnWlYETC:uZn9XTj9m/egHRJVGnDJG8DCDbq5vPY5
MD5:	B5242B71FBD79D0DF8AA3E2B35950562
SHA1:	37F5F4AF1A390FFB1D0EB392DC0D1CF9D47351B0
SHA-256:	4A2E4489763A935CE2138B22DDEF8112292984CF596B3F25276F9C40AEC35FFB
SHA-512:	0445BEEC60AA8E28D528428022C7B46B54871BBB0A2371C5A56DFC0F3596FB71719B95BF265E34708F6429A3C58802F97A4DE8D3E6EA639C53209BD20561AD4C
Malicious:	false
Preview:	/..........8.Z.bE..`$....3n.AH.7.,.....GRk..Q..3e......?.Q.7..0....._H.m...q=..[E+.......<..Q..H...%W..?..#..F..J&.x...W..._.........n..5..Y....+.8?...i....c.R.p..>...{...".Q~.e~0^G...T.QL.15u.N..w...UYN}...X2.z.8LX..b.l..#[.....6..BF..(.G.h.B>..3....#P..hn....b..).!].]..7..^......I}`..3[.e.Y.M.("6......z..T.{.....Rv`.7.G).....l.......L.Q=........&...Y.h..`PS.....,R..T..%.b......z2.....7...Z..0_.G.........9...=..g.Qj..K....wa...L...8i.Zx.I.3.yH>....Q...Tf.W...\....>.C=......_1......\|J..1...r.r...."...=.t.-..a..HVMM.ol..$.4$v....3T.ENX..~q&..a$"N...r.A)4_.V....wYATn.......QB....tF...w.{u.........&..h....,..>..<b`p4...6D....mD..40.c .C.u..NlG.v..`[.p.S.z....2~.&.,.6.Z..6..P....v,. V.'CU....@.G...y........i#].".p.G.!{...i.j...f$..H.Xt..>"[\<...L....H......n3<Rc..?...g.T.....65.M....R,.v.II1..?{...\.... t7Y..3<t....7Z...{h.......n..x...pT..._..G...B........N:#.HP.L....4T...x.cMfVcs...v...-2.E..ls.-...Q<..!......5...m....1

C:\Users\user\Documents\BWDRWEEARI\read_me_unlock.txt Download File
Process:	C:\Users\user\Desktop\0ef0070d_by_Libranalysis.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	696
Entropy (8bit):	4.881841175168212
Encrypted:	false
SSDEEP:	12:awnG6J+d6tYzsqoo85X2OqHEMN94XsEU14HQ5BRWH1:aYC6GX85X2fHx/4cES4HEBy1
MD5:	04953EFE5CE48616B2ACD837ACCD6EB8
SHA1:	F7E7DF61C8556A9DF22208114C9D77C50B882731
SHA-256:	DAFC32C6BA65F27943B0E7E1C6F714A0C909904FB3156E7123F8A978F0948CD4
SHA-512:	888A80330EC599E48A6BBA56F709C3BB2EE12A9D582D45D861D42845CC65D0DF1B7B9C84D41395ABDAE88204D5DBF4876767891A062A7951EB059F19A063B523
Malicious:	false
Preview:	Hello dear westernpathologyinc! ....Unfortunately, your files have been encrypted and attackers are taking over 1 TB of your personal data. ....financial reports and many other documents. ....Do not try to recover files yourself, you can damage them without special software. ....We can help you recover your files and prevent your data from leaking or being sold on the darknet. ....Just contact support using the following methods and we will decrypt ..one non-important file for free to convince you of our honesty....use TOR browser to talk with support....http://uqudwxzszbcj6uxbhbdccmixvwjfewn565ifotzvcbbimsjjcczsvpyd.onion/25659336f9879d3f18e3f621199af56de327d220d444654779aeb406a360f2d4

C:\Users\user\Documents\BWETZDQDIB\read_me_unlock.txt Download File
Process:	C:\Users\user\Desktop\0ef0070d_by_Libranalysis.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	696
Entropy (8bit):	4.881841175168212
Encrypted:	false
SSDEEP:	12:awnG6J+d6tYzsqoo85X2OqHEMN94XsEU14HQ5BRWH1:aYC6GX85X2fHx/4cES4HEBy1
MD5:	04953EFE5CE48616B2ACD837ACCD6EB8
SHA1:	F7E7DF61C8556A9DF22208114C9D77C50B882731
SHA-256:	DAFC32C6BA65F27943B0E7E1C6F714A0C909904FB3156E7123F8A978F0948CD4
SHA-512:	888A80330EC599E48A6BBA56F709C3BB2EE12A9D582D45D861D42845CC65D0DF1B7B9C84D41395ABDAE88204D5DBF4876767891A062A7951EB059F19A063B523
Malicious:	false
Preview:	Hello dear westernpathologyinc! ....Unfortunately, your files have been encrypted and attackers are taking over 1 TB of your personal data. ....financial reports and many other documents. ....Do not try to recover files yourself, you can damage them without special software. ....We can help you recover your files and prevent your data from leaking or being sold on the darknet. ....Just contact support using the following methods and we will decrypt ..one non-important file for free to convince you of our honesty....use TOR browser to talk with support....http://uqudwxzszbcj6uxbhbdccmixvwjfewn565ifotzvcbbimsjjcczsvpyd.onion/25659336f9879d3f18e3f621199af56de327d220d444654779aeb406a360f2d4

C:\Users\user\Documents\DUKNXICOZT.png Download File
Process:	C:\Users\user\Desktop\0ef0070d_by_Libranalysis.exe
File Type:	data
Category:	dropped
Size (bytes):	1300
Entropy (8bit):	7.832924688788324
Encrypted:	false
SSDEEP:	24:vzeAuOYAvQvgLVfBmOyoy8PoLnDS82dUjKr5E2FvgFkbcFgEGB:7VuOKYVfBm9obOnMUjOYFkbqGB
MD5:	4522D40C83EA618FFF5925BA68334FE1
SHA1:	5D02A9C16C12E3B7ECAF3BDE6AD8B18293D53E5A
SHA-256:	1BF1B23760FB47C7934778650E361EDE4F5B707D6040591C0BC9C0ADF853D518
SHA-512:	3FC920A27CF42D357710F36C960E906F0F17CA54CF8CD1536BF9FCF1F346328D019550DBAE5A864A60B76FB4FAB08C8ACDF0DB63A97A890618A8480F5B921261
Malicious:	false
Preview:	..Q...0....Q.Y;.7...z>.....j....@;...z.~....5..;=...)....L.C......P...V(....h.G.y..&.......>G....0..,j.M...O.sC...w.}.17..t#...!A"./...!.,....Y.....\|yr....Y........(.D1./{..7.rT.5..43"T..,ZF...&.wb.Gq.]q"I.].j...... :.Ij....2....N.0.Q.3.j...J....Si...jVgc..=..}....Tj...[.y..pi.d?......%.....O_..li.+....".Z.d.........nv/........P..X.7"~.{.......4...yQ^..G.0....~Z..e]n!..[Ez:.%....h.L.Io. ....K...G.iX8.....HU\7,'.y....m.Lj.u.=..!......Hid.J5".....i ..2JF.....x.}...Y..7g..P..C ...ZA+..J..u.....z..... p.t....L._v..4....[ZBH.e'.....w.r.g.(.!..E.2.Mj.6.=.j...(kS.e9k...H:......Z.o.....].v5..4..8..7...M.`N.@w.%.}.+.hd..s3F.....?yr ...R...y.j...^.u8..1.&..B....._.........M8...\z........H.....vN.....L.n...<.Q...D...~.\|.{cy.gl..A.....(..Hr#g........MW..l.....2t.I.\|W..o.3......!I%...O..j2.H..?....a......S..P..4.W..iq.T5..x.b.%.n.#..0.;;...<eq9....0"e....7.}!~...<.2v.H.V...2.u..!;9.^.[?..Yl5"mly..SV..Z.....V.Vz.#.........^uo...H8......4.

C:\Users\user\Documents\ERWQDBYZVW\read_me_unlock.txt Download File
Process:	C:\Users\user\Desktop\0ef0070d_by_Libranalysis.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	696
Entropy (8bit):	4.881841175168212
Encrypted:	false
SSDEEP:	12:awnG6J+d6tYzsqoo85X2OqHEMN94XsEU14HQ5BRWH1:aYC6GX85X2fHx/4cES4HEBy1
MD5:	04953EFE5CE48616B2ACD837ACCD6EB8
SHA1:	F7E7DF61C8556A9DF22208114C9D77C50B882731
SHA-256:	DAFC32C6BA65F27943B0E7E1C6F714A0C909904FB3156E7123F8A978F0948CD4
SHA-512:	888A80330EC599E48A6BBA56F709C3BB2EE12A9D582D45D861D42845CC65D0DF1B7B9C84D41395ABDAE88204D5DBF4876767891A062A7951EB059F19A063B523
Malicious:	false
Preview:	Hello dear westernpathologyinc! ....Unfortunately, your files have been encrypted and attackers are taking over 1 TB of your personal data. ....financial reports and many other documents. ....Do not try to recover files yourself, you can damage them without special software. ....We can help you recover your files and prevent your data from leaking or being sold on the darknet. ....Just contact support using the following methods and we will decrypt ..one non-important file for free to convince you of our honesty....use TOR browser to talk with support....http://uqudwxzszbcj6uxbhbdccmixvwjfewn565ifotzvcbbimsjjcczsvpyd.onion/25659336f9879d3f18e3f621199af56de327d220d444654779aeb406a360f2d4

C:\Users\user\Documents\FAAGWHBVUU.png Download File
Process:	C:\Users\user\Desktop\0ef0070d_by_Libranalysis.exe
File Type:	data
Category:	dropped
Size (bytes):	1300
Entropy (8bit):	7.861683347952865
Encrypted:	false
SSDEEP:	24:Xd+PH4uN1hldtcN7bJBt5/KWw1/6Yv/gpw4Du4fcfBrnuZbYRYMzYsAi/ff3z:Xg/4KV87bt5/K7QYXsLC4f8VnT6ezfL
MD5:	AD1EEEA3FC941EC3583ED7290AB14A3D
SHA1:	06DAED0109F9C198A6F64ECA18FB413609E7B25F
SHA-256:	0DCE6DCCB3E8037074A779CBAEBF51CCABA1EA8B4BEAB9D3BAA0F8727417380C
SHA-512:	7F44297F190B0FDA180D9D2C4D3EC642BEC0AACDB6FC70B6A2A3452371B6DE4499853CAD8C36B764C8D7C644C0823FA3852E3C0162D66824F7FEE907A1FDCB51
Malicious:	false
Preview:	.d@.oO...C..._...-...,..z.j.y..b.k..e[.&..`.:...Llc.K.c....'\Si.._8\.R.J..E]L..\|....9>.G.2....W.S%....AL.Y...w.../... Gx.....GJ.....,.1quN}.o...N..3s.k....F/\|..]=g .,.M.3}L....y=.5Bv...A.d........EY.....>.Ze..)pG._.{MU..a....5f..?.5...'.{fXG...8...97.t....n:.-.;...'...8p.~.`.k......8.<...... .N..S....{S.. .h....[..'9.X......A.=j.. ..z=...;...h.m.-aw..Q.,.X.........F.........a..S..^Ws....7..cP.$.....4..)e?.i.,......7..GO.%Dp\.............ZLq...d.....t.....K.N.......Fp_).9.YS#8.\|....6..-...#..05q...m.%...=......'.G..R..r........D.l.;.g8.4{...U...3\|.......a..^.+f7..&..c..r...@._sW.uO............?W.:x&.u.1.^_...&vI .\.@...O...\|..,~~5.ng..).H..V.. j.._....h.#U(QY......2:.,..w~....1.BH.....GL..D.....M.u...........]#a....`4.u...;.G...u.y..........t...[5).<....uGc.r.....0..Je..Y.7...Z%.....\|..\|D........V.ULo....f.!.,\|E..{@..;..F4../.).R..q.@.... ....D.J..n.....?....P...r...(..p.:....A?..U.l>>2.^....&B..tL..XdA5_.W.{..xG..y..\|Byv....j@D2..N.c..

C:\Users\user\Documents\GNLQNHOLWB.docx Download File
Process:	C:\Users\user\Desktop\0ef0070d_by_Libranalysis.exe
File Type:	data
Category:	dropped
Size (bytes):	1300
Entropy (8bit):	7.847013210057941
Encrypted:	false
SSDEEP:	24:nxqvlAu4Qg7bo8lNRpiDwWjJtsEh0o3goF1P92VpouUA:8mubgZNRQ05qQoFTng
MD5:	D772816B67DBA8508ACE22256783D150
SHA1:	07233F1E083B5F3D4D74BA85A4A4C648BF740BAF
SHA-256:	64929C2D84AE852ED61A781B7B737540C2F9C9AE5FF2FB41E0DC471A0B4C500B
SHA-512:	B43BB5DB952E623351A83B62B2F517F1FCBB9660D14E4C919A66C4F4E0773552964D2BA6BBC98BA46C5C74FD0F858AD1C66AA013289B842782D4FD06932EA7E3
Malicious:	false
Preview:	.9..9...7...G..>.So."6.....Q...I...y}.w0H...U..<.>....QR4.b..h........5.~.\|_5...P..#Q.'f.Zr.......X..G........C.g.Pl.U.^`......^l...Z.q.....P..Cj..P.;L:.C.[!...#.d..+....i..TJJC...A.pex.$^.uE...@./~........ :S.h..L.......9...X.;5_k.I.z3.X.z..}.T=...\..u\|..e............9.....-.d;P@....h..?.W....B.....q..}5T)....?A.s.B..a_....0b........J...).O/.cS./..h....ne.1....a....p..qzah{.."..V.:nd}.p..,_}y.......R~.pZ.7.8.&.s.U...%.....!.5..}H-.4y.Q....I.....[..>.a..p.r..x....=....#..7.V.........3db.mM....t...Z......W%.W.7..?w.)....muF...3Eo[U...P=..}.).X]....J].@.$.."...<.q5.VW@.k.....B..h..ORT.f...U.........6./.....Q...a.@q.K.o...BT:c..=.gy.....:f.r0,,V(..}u.9.Z.=r> w.!/...=7O\.D..G.G3...QuH.^...@'..s.3.b.\2v.qqr..z...:.5....C..K.A......f...._...9..o;iM5I.6n`..7.-..-......~.e....Q;&._boJ>RKC....4...-...?.......~/...]z..GD..Sw....?.....[.. &rK...U.p.\|F^.r........6..5X.#.2..{C...(....?W..h.ZdHD<-..Z.V.@...5r.p ..E..C.>..\7.E..0..W.......X-"...

C:\Users\user\Documents\GNLQNHOLWB\BUFZSQPCOH.pdf Download File
Process:	C:\Users\user\Desktop\0ef0070d_by_Libranalysis.exe
File Type:	data
Category:	dropped
Size (bytes):	1300
Entropy (8bit):	7.877259810015747
Encrypted:	false
SSDEEP:	24:tmCpjqLzcaUUI7kdQuHKx8aaXVIydJFTmRFdrmtrGFCLxe:tmClapUUBaaFTdJcXRmtrGsLxe
MD5:	1452230BD7265D08BE4493409427CA4E
SHA1:	1D2AB415C210A5B68650D51F887167CBDBB05358
SHA-256:	C0C0FC32212D8E3A31C2961B5EDA244F3AF0D1794C98526FD67B87413871E2AE
SHA-512:	9472A20CA0CD01480A88411909A8CF1F0EBC641B112EC5B7C8A2118B37C1CB724AC3159DC07AD363BA306F5A08A5534324DD98AD52B1490C7FF3FE05E09C1595
Malicious:	false
Preview:	..Q......-n+y8Dm...P.T.M.. .wi..(......1.?5JiU.k...t.1...lm...........\7W<]..F:..6...............{..8u.#[!..s..H.\|J.....0?15?..O....).3r.7..LO..p..b...=..d&..7.C.t...}.vDg.HO..A (...?...r.s.).XC.#T...:.....`[..1.<..G6..d.zx...7....Cyd-a.Gk.../. .i.T..BE...q...O..\|+.../.'(LN.Ie.L..U.v..Ys.......b..F..u.&i....e.y9..7b....v.... .=H.?..H7O.XD..\ .H.H!..sw..L/.....l...s..[.h.........c....j9......:$....db_.A.?A..._..[.`4h._...0%.z..n.I+.%p....-#.'..>..&...tC..r[.}.\..U.....[.~#..:..$.q....5....P .D.........HaDn..\|.!..\|],.\.(..<.W^e......vc.Z..W.N@.j..S...f.\]u...Y.o.Y.=.m.).5.#.F.-...C....I..L...`...eM.R<\.vZ1N.S..P.)......y....[.I3.>.CM.....g....6...Y.xo%.N..K.....X.7pds._vy...@)k.td.0.V.8..n:;...!-.........#.b"2.M..^...F.,.U.#.@b...(.'.yN...._.....mE.?u....H.V...C.Y_Gfw}3.4..:.q^D.../...>.U..PJ)....x.t!vI.\|........0.<.O....B;)../.;..A.........6.{w..-?u..Wzw}g........sr.6....R....:K.'.#..-YT.c.....4......."xd..&&.#....}.w.y$m%p...Z....

C:\Users\user\Documents\GNLQNHOLWB\BWDRWEEARI.xlsx Download File
Process:	C:\Users\user\Desktop\0ef0070d_by_Libranalysis.exe
File Type:	data
Category:	dropped
Size (bytes):	1300
Entropy (8bit):	7.87392632127731
Encrypted:	false
SSDEEP:	24:BO4LqgmFIC9ytjIcdOeA5YCqSYd1wVHgrzV7VKpMMS9srABYpJS:BOgpqIVtIY7HrzVBuABYpJS
MD5:	0DC6A4DC6D8D1A7E20FB004F040AC130
SHA1:	9E1FF9A7A6C5F4F900035CF04776A091BA7CD4BA
SHA-256:	4C5B7BB02B0662D76BA8FC88D2044FE37D27A904C08A90AC8D12D83A4FBCFE6E
SHA-512:	7A2C6C931D897D8022A63AC83A1FD7393FC9BCF34EFF6ED7D0274DEEB0AF5EE6A45F81977F6289128656DAF399F8099AA712E7D6ABEAE27C7BB510DE7BB9DCF3
Malicious:	false
Preview:	Ft..\'.b.......[..y..j..l}2.V...3..Y.t`..?...#.l.._.vg.k..^.`...5.-&.;.;...%..NwJ..&I0._?v...."...jK.7.7%T.X.1'.f....t.....)...k....[./.."].gr...>7wW.Zf. a..s/I.=.a..-.(p..)..{.?$..N.3g,.W.......p......!9t.-64.".4q...Dy.J..S..9=[...q.O..V3.g.F~$..g.#.QY....2.{...?...y..K..O.S...x..M..h..O-.wXzD.......e...Z...;.\..s)I]=z....<5-L.KP.....................x.g9..>.t9...>X4.U./.:r......e....l.41.31.J..O?...3.....BB......7.x.H..&.ESN.t.C...F[.>.E..m..V....[u...p.G.[...c.U.l.R...3h,...0.#J..(.Y.O.k.........R./.._Ah.....'......R...".K.?%i;.X.(G.t#\|.0sx....U}_....'...PJ/.;...X...1.T.#6.1.{..2.T....... [.....Y......A.v...W..x..D.......7..8r.@c#..e..9.......3Q@.-....5../...K{2....&>..Q...:..U.<.HS..+E...P+(0zjY.=Kl..=_.!.D..c.{,[.s...[...s..r....$U$%...n.&.......&.I....._... ..x...!.k...Z.>..`...uE.._i.~\...T.._T f\|A.V/.L..I(.k....m..Hr.n.9./..S4..(...~.Wuk.e..J=.....&}.$OGR...xn..1`.G.Q.....ae.@:$ny...B..q.qE.u._.1...-..s.Pr...l}..L>.].....*

C:\Users\user\Documents\GNLQNHOLWB\FAAGWHBVUU.png Download File
Process:	C:\Users\user\Desktop\0ef0070d_by_Libranalysis.exe
File Type:	data
Category:	dropped
Size (bytes):	1300
Entropy (8bit):	7.87308075440478
Encrypted:	false
SSDEEP:	24:Ikq9X4sdQoasXeMdUtmkmL/keW2QlP9V36ZjRykor/tVYK04:IkafdQVPME2kel4Pb6ZcrV+i
MD5:	C76E7FD94F351AE465CAD6838BF6BBCA
SHA1:	849D3C3C947438EF1B09015B2F128BE0885B32BA
SHA-256:	56AB0920E2A9C5FA73495825B44687948779F6821AB074C66CC6FA64DE467494
SHA-512:	D31E7AD75727FD0C756912CED378187336C754B2514277A61B2FA82307A4FBE070C4EC45DF984605B238DE1058DA8388FFB9592E9AF621AD0A618DCE867AAB97
Malicious:	false
Preview:	...rM3..h...XR...\|vl#.M;@.Z.6w.[9B...:.O..&.........d..VTXjkoT.f....LK..%Z..... ..4q.&.p.W.Tx.Ec.w>7...!.G..b...Z.M...LFc.\|.S.5.T.+...._.=..S.+m..hG.c!-h...ai'..H...>..Ke.T.~nT:...J(......].R....3....&..Z.H.....T..[.l..O....8.c9...8l.cQ.E.y.WN.....=.^.`9..".6...c.a...@....z.5G...o7.Y..U-.....^...m{...s..T.k.......ch.2P..).dF..k.....%.x......8u.\.B]G..5pv..~}!.....{....b......Fx.~.+.........).l@.e~Q...O...!......Ea .3z.X..)....g.]Y..a.pE.........\|..-v.../Y...E.r.....)..uS.."avX....r.B.]...f.-...&K..<{_vL.]TO....j.2.y.......<..',........h.....CD...$..hC..>(.@G..L>...;.lv Q.@...;....Cf...)..4.v..t.ItC.%.`.b...9...C.c.........X!..R(.......#CQ.....M..R....$..c\|..{..M:....".w"%.b.=(<.o.}...Cz.\..(.#..i.."..]1..Y.....D.V....[..&c...;..Q/&....;...2q....p:.y...G.s....[.p.....6.sL..x.UY..V{.Aq.@.ah..)q5/..Z.y.t...t....grB.2.....B...G.7.u.*.IuSf.....R.8...FO.B.'.5v.iz.lmv./.....T.........^..#.......(.ra..Hm.....I....:.)9.z.+..U......O(.

C:\Users\user\Documents\GNLQNHOLWB\GNLQNHOLWB.docx Download File
Process:	C:\Users\user\Desktop\0ef0070d_by_Libranalysis.exe
File Type:	data
Category:	dropped
Size (bytes):	1300
Entropy (8bit):	7.862055693944115
Encrypted:	false
SSDEEP:	24:JYRqeL8WEYioMh+khEovLERG3Z/ERotIeqqRzhJJCb2LvZwbiuc1Ou/p9+iVBXu4:Hy8gpQGoDEitERot8ozrJ5Su/p9a0v
MD5:	75D7F529334294D5CE920653E19D97CF
SHA1:	35343EB6F6D056FA871666410B4631ABDFA86954
SHA-256:	90846F9F6FF2894E234EA9FFF3874117AAA0754616DF37D061844332E98E67FE
SHA-512:	0ED456C396CFD5FAA05D9AC6351E1A2C0523518A308848959836CDDF093335AF72753E7BDC7FFD5784C91BB0E89B44D2FEDA968B9A399CEE9B6AA80B83396387
Malicious:	false
Preview:	.{.D..65}.54k...8.[....?..K......I..<.{.4y...!...-.._.)...?Da-.!n\../z.K...r.F).5..,0..Caq..c`0..>.L..e..SgX..2T...>...{.-...q..0..J....H.._W...u.......N...sqH'...%.d..gt..T&G......A.....)...?.L..Q"...W...;.\w.fS.+...o..f_%...5.....I.....y].....#>a.5.c.r.{yE.4.J:d..n..Z./.$..L..n...7...........D...o.3..#l(.2......4.,.1..\..$.DrU..@.HCB.........iI.D.A.e3z.{@8...g.?td.:....X)H.../..e...u.Ra..A.U.......~.YF<..:5.k..~.W..E....}....m...".9OD.HN.c.w.+..O..Po..2..L.+.....T......)..H.8F.p... ....MX..~!..kS...&.X8g.....k.n...:h..c.....].@...7S...y....O/.I..r0O.I.....A..>.%...!e..{.dn.`.lto..sJ.4.......L.@6.xp.j.P..t....A&b...al[...H..y.i.%.d...I.y>0\. Q.....v.../....c....E.sl.-.t....TUyg...Tv.:.k.......V%a...O.R..M.Z.`.U.BSt..!..w.....yf+W..^Xrd$.Bt.......m....(.Z......d..3..vv....\|.E\.....&&.Dt.%S...l[6.x.+.......Q...n6.+{..7...r........a`.&.* +.)/.]..`..7`..y`........}{.s@ID..3U...W.<.5.s....j.O1......~..Q^\|,.Yu..b}d.x.;.e._C....m...

C:\Users\user\Documents\GNLQNHOLWB\UBVUNTSCZJ.jpg Download File
Process:	C:\Users\user\Desktop\0ef0070d_by_Libranalysis.exe
File Type:	data
Category:	dropped
Size (bytes):	1300
Entropy (8bit):	7.849781640733211
Encrypted:	false
SSDEEP:	24:anq7lTE9+GhwSwyq39NR0AfOLW9MQVQnR+Wps3bA/oROfyOhZYqy+k7j:vl4phwSc93TaUR3bioR/OhZ/yB
MD5:	45DFD3225D545B1DFE89D159FBE5A7D4
SHA1:	0F0344AFD8C2A675F3A8EAE4B451E29D15474ECF
SHA-256:	C5BA0F0413264C808396109BCA2ABF98FB664135CA1AA45F4BC512E9ABFA934A
SHA-512:	23E06D3A7A0368BE64D90BB01CE610C0DC51B3B3323E0E6C4F4F407A7ED74BB9CEB1F82AE8DF3475439CA07C1ED0A112634860BF2D9240CF637EF5CB57F895B9
Malicious:	false
Preview:	:.".7..).k..97...h.Y..T..C..z...:.....@.'...wmwc..!_..^iR...?....J$Cc...+......X..P...#c......+K,E..y!:....Gi.8q....r.N..m..........-r../.5T....n..Q..h.b....m...!...w...`.........".N.)...\A.._...h..p..J...>[m\|I...~..l..0..h.Qj,.^.lF..[V.Sy....Q.K..>..dH_...l.f.,............h..K..<.~G..+F....^U:.4~f.[M...........x..t.4..,....H..[.G...b...E..3.G.pn.m.E.......t.y.]2@6.q....T....:...~.h..`Ug.F./..mt...DB.......p..i..D..V.G? )..9.k.......H..4uo...eYM.-../...........1....8c..Ys....7....0.6N_.py.[..A....e.x.Q.O."....?l..EE.eA..a-F.l..>.?..&../...A.i...V.-..6.H.S....Z..G#.....:7....U.R.'..y.xF..6[..;..5.G...j..cR....V?F..M.....g.>.C..U.[4!M.0.r....9.!:@.ME.9I..FW....-:..}9..;..7.....J.WN..7y.o\|h....Y.@.....0w.o.<_..i.".a.....:5...H>......D.R.....%.x.*.....F.]?.g..g..;.......L. ...a...Iq..2W$D..O}.{..Eok....^._N.c.\]...h).6.29vSvF.; ..e~K.[..O..../6.m.....Yg-.T.`...".t..Q..1PY.HT. p.$......u...pU....68u.T...O'.;,`..{k.h..\|....C:^.....b4...

C:\Users\user\Documents\GNLQNHOLWB\WHZAGPPPLA.mp3 Download File
Process:	C:\Users\user\Desktop\0ef0070d_by_Libranalysis.exe
File Type:	data
Category:	dropped
Size (bytes):	1300
Entropy (8bit):	7.848843808144371
Encrypted:	false
SSDEEP:	24:HmHefIkD5o7f+sIkVXXizNqxpoyIe22rasG4nFW3JFEYQMRoWjHIfu4JZuCbTBi:KSoDEoizo3+enrNsZFEYQeT74JxXU
MD5:	1F98F53E255FA05E5EE3A415135FB86D
SHA1:	A43246C822F87F5CDAAFA05C6DB402CA531AC2E9
SHA-256:	9D56C0FDCA39ADA3D6B5B82FC05E78D59B90B9B159554266DFBAEE097309AF25
SHA-512:	D83E92422EE1AE17907D5B889EBDBBE64E25EFB14992B0293B093859776307A1DA0407512A1B8E6A3BB09E4AAF4EA4AC18CED967AB6A7DB7016C8553893260DB
Malicious:	false
Preview:	~.n.".............o..V.T.B..&.L..4.C.W.3(%2..r.>....7N..mw....!...K.x. 1.Hr0)I.1...n.......[0.To.5V]>..s..x..=........G..:.R.{$..o.i........o..#....gU...tGT/..u...w.b4C]...\...........M...^..1....h.....R.m7$7.+.o..~..;(d....b......!7/...dX...-.-.#../..r?...[dM..@....kF:...Pn..$r....4..)..=..gC(..n.....2...........D...Yc...k.)....'.......C.&R..d.:X7.mB..x....Bm.........8..;..C.o[...H...IY.J.xR..@.....V7"$.i3..j...Ma..+.m..@...N...@.}h.].]...v...es...8.t..=2.}......X;H,.A.4...T.....[:.....~.y....YZ.s...%,?....1......]...YX.F..V..w..6.K......."..F....-..w.w.h...oe.q.wW..#..U#..m.8.{G. ....!..".9d.O-.*T..+.yW..n..`.-;.I]..N.$)...zx.E$]J..7Y.W=c.!.}`..T.U.Zn..02pg.-...gv...R3>I\|..+:..].......\9xa/,.....$.>Y..E1....[..S`.a.1j\...:....7..A.s.:....K..v...Xc.C...~mH..........l:-\..5m.....B<I8..}.k..5.F.[.%.'...N]e}.....Tla.....)..r..,...S3..c.i.....k7.'X&........H../.,....c..Q..?.'U...^jK.&...1.....a.......~t.:b.^.UC..zhxlr............c$.......U

C:\Users\user\Documents\GNLQNHOLWB\read_me_unlock.txt Download File
Process:	C:\Users\user\Desktop\0ef0070d_by_Libranalysis.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	696
Entropy (8bit):	4.881841175168212
Encrypted:	false
SSDEEP:	12:awnG6J+d6tYzsqoo85X2OqHEMN94XsEU14HQ5BRWH1:aYC6GX85X2fHx/4cES4HEBy1
MD5:	04953EFE5CE48616B2ACD837ACCD6EB8
SHA1:	F7E7DF61C8556A9DF22208114C9D77C50B882731
SHA-256:	DAFC32C6BA65F27943B0E7E1C6F714A0C909904FB3156E7123F8A978F0948CD4
SHA-512:	888A80330EC599E48A6BBA56F709C3BB2EE12A9D582D45D861D42845CC65D0DF1B7B9C84D41395ABDAE88204D5DBF4876767891A062A7951EB059F19A063B523
Malicious:	false
Preview:	Hello dear westernpathologyinc! ....Unfortunately, your files have been encrypted and attackers are taking over 1 TB of your personal data. ....financial reports and many other documents. ....Do not try to recover files yourself, you can damage them without special software. ....We can help you recover your files and prevent your data from leaking or being sold on the darknet. ....Just contact support using the following methods and we will decrypt ..one non-important file for free to convince you of our honesty....use TOR browser to talk with support....http://uqudwxzszbcj6uxbhbdccmixvwjfewn565ifotzvcbbimsjjcczsvpyd.onion/25659336f9879d3f18e3f621199af56de327d220d444654779aeb406a360f2d4

C:\Users\user\Documents\MIVTQDBATG.mp3 Download File
Process:	C:\Users\user\Desktop\0ef0070d_by_Libranalysis.exe
File Type:	data
Category:	dropped
Size (bytes):	1300
Entropy (8bit):	7.838697913953746
Encrypted:	false
SSDEEP:	24:MwK4UDZ+UPIOvEXGRFoNGDvOehKC05qSxhSPA33/7DGGkiqm5D+AfD2a78jRzpKL:w4GZLPIJWReKpb056PKzDOzm5D+Ar2a1
MD5:	3ECBB4B87604BE516685BE87B2E50174
SHA1:	23EDD2B0270FED530D653DFA1AD06E8911D52A8A
SHA-256:	0532F29987AE35C8B19CCDE58EF90313598D31CE28B8D9F0122C209A8B557092
SHA-512:	E3CF3090DCC15375629601869F05B00ED8B07544EF527F70638AA375FF8B77104DEC2B6F3A37BCBD1728D6CDA7C0124158822E2AB875DCDA95CEEF800CF84F20
Malicious:	false
Preview:	..qNx,..`...j.2.......M^...NK.]Zq.Z..;..JN......0.N......7...i.q.......R.(.Z.g..`G3^.n3...P../..l.h..'.Oa..._7.\........G<..m..Q.6&..0..j.p..?cK......EpOz=m..?.1..0.h....{..z0.t7..^..I.. .........%]...2..w-S....l....0...kPQ.d.....?....nz..."......,.e/.e..A0..<.......>K....>..D.I...[ x0,...F.hd).....6..$..B...)s......g....$..;.P.2.....X./............`.,T....#0..x,F&.8C..Z@........Dy...\.E.j....{?...[V.?#.+s....7...-...i^..~....e.D..C93....A.o...h...o...I.K.C.rD.6...r.>I.Aqm.....]Y..<...-.....Ah.46....J..,q.H.m..v.j......0.'.>..y....F...[l#........O./.\|....ujt&.9.....j..(t,..&%.!a.N................_Y.:O]T.;....K.9j...C.....d].b.....9S..\|...L.......`..\94.%\|m.S.6s0...e..a..T..zl.2kH=t....uG........$.q.L...5..{.I...U.f8...o..!#O....?..MP...'.F.>..hAt?Ah.0.. 8`KA...9-......\|....b.....v.Z...$U......E.......von.d....p&r....U3G..\|.4..v.Z9...aH..F.tX..D.6..5E..8."...I7.NT..@a?0p4.\..f...'....`Y......4=.."..~......Q,.Yj=..B.O.

C:\Users\user\Documents\MOCYNWGDZO\read_me_unlock.txt Download File
Process:	C:\Users\user\Desktop\0ef0070d_by_Libranalysis.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	696
Entropy (8bit):	4.881841175168212
Encrypted:	false
SSDEEP:	12:awnG6J+d6tYzsqoo85X2OqHEMN94XsEU14HQ5BRWH1:aYC6GX85X2fHx/4cES4HEBy1
MD5:	04953EFE5CE48616B2ACD837ACCD6EB8
SHA1:	F7E7DF61C8556A9DF22208114C9D77C50B882731
SHA-256:	DAFC32C6BA65F27943B0E7E1C6F714A0C909904FB3156E7123F8A978F0948CD4
SHA-512:	888A80330EC599E48A6BBA56F709C3BB2EE12A9D582D45D861D42845CC65D0DF1B7B9C84D41395ABDAE88204D5DBF4876767891A062A7951EB059F19A063B523
Malicious:	false
Preview:	Hello dear westernpathologyinc! ....Unfortunately, your files have been encrypted and attackers are taking over 1 TB of your personal data. ....financial reports and many other documents. ....Do not try to recover files yourself, you can damage them without special software. ....We can help you recover your files and prevent your data from leaking or being sold on the darknet. ....Just contact support using the following methods and we will decrypt ..one non-important file for free to convince you of our honesty....use TOR browser to talk with support....http://uqudwxzszbcj6uxbhbdccmixvwjfewn565ifotzvcbbimsjjcczsvpyd.onion/25659336f9879d3f18e3f621199af56de327d220d444654779aeb406a360f2d4

C:\Users\user\Documents\OVWVVIANZH.jpg Download File
Process:	C:\Users\user\Desktop\0ef0070d_by_Libranalysis.exe
File Type:	data
Category:	dropped
Size (bytes):	1300
Entropy (8bit):	7.855996523640146
Encrypted:	false
SSDEEP:	24:EXuXsfqBXq/l2SK/YNSrBVVVqaPLXpIqBBmVV8wfP03QQ6qg3J1fezgAMyBrb:kZ5/lrkvLX33mVVzHIdg7GzgByt
MD5:	5127AF1D8853615D0FFBFD1DDAE09DE9
SHA1:	489C062343C8F4C24DFC969D27595678D4E0232F
SHA-256:	C73E29F357335DC1D97B713A6C511B2C202EA97120D67BE73333D37653ED6EAD
SHA-512:	3575802E2AC2D3F1F412E7AFB3637CF160C70C2BE95827BDAB179D5AB2E5D4343545FBF5BC1C05DE8FB37B689B4B8E4ACF134022BF6B2CF87E58FF59AEF2E620
Malicious:	false
Preview:	.:c.Z".H...(..v9[.9.......)......_.S..:,.P..cDHX.>1.t..:..Q...N..v.....J.$.\.D..RL56.".......(1.w.\..}m.....g...]...%.........5.M3;...J...wju.K..6.."_...j.h.K.0<.W..F....)..v6g..G...k...5oY.V .....B.G.......?..c..J...sI..'Z..........J....y.r.L...O......H..X..RP.h...6:.t...9..r.8T..v....N.......c..xh..........E.:+v...d./~.I.\| .M.E.DR+.........3..L..QV...D....mJl...-.2.-...A..w..0.1..].....Q_h....`.=)1.!....P2.a\|..".....\7l.........E.A...;...M..A.P%......b.8.:..o.C..6..=.. [..&.}....Bo.iJ.?.a.....wcG?F...p......Z.+......_xJD...UHO l.P.Gj..N......>....b.U~c1...eF.,..t.r....Q.eZ..J.a.t+.........."6....}<.f..dGh\|...\...8Po..h.(.N.~A.1......+6.jd{..Y..G.b.f.+.....d..b........+..~.L.....=...... az.P..........&.....M......E.0*#....pn....Sy...;...n!..H..r[...O.v.^2?9..c......5+...:2.j...U.....!....KBqFB...9L.pm.....(1=...5..,.6.S..WN..c...U.R.<...A.yb?r...K1..`.J7..t....'.U16 ].l..w..z].A.lI..u.,N.B.r ^o..2.7.....AW...k..d..H.w....J.+5.m..>

C:\Users\user\Documents\OVWVVIANZH\read_me_unlock.txt Download File
Process:	C:\Users\user\Desktop\0ef0070d_by_Libranalysis.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	696
Entropy (8bit):	4.881841175168212
Encrypted:	false
SSDEEP:	12:awnG6J+d6tYzsqoo85X2OqHEMN94XsEU14HQ5BRWH1:aYC6GX85X2fHx/4cES4HEBy1
MD5:	04953EFE5CE48616B2ACD837ACCD6EB8
SHA1:	F7E7DF61C8556A9DF22208114C9D77C50B882731
SHA-256:	DAFC32C6BA65F27943B0E7E1C6F714A0C909904FB3156E7123F8A978F0948CD4
SHA-512:	888A80330EC599E48A6BBA56F709C3BB2EE12A9D582D45D861D42845CC65D0DF1B7B9C84D41395ABDAE88204D5DBF4876767891A062A7951EB059F19A063B523
Malicious:	false
Preview:	Hello dear westernpathologyinc! ....Unfortunately, your files have been encrypted and attackers are taking over 1 TB of your personal data. ....financial reports and many other documents. ....Do not try to recover files yourself, you can damage them without special software. ....We can help you recover your files and prevent your data from leaking or being sold on the darknet. ....Just contact support using the following methods and we will decrypt ..one non-important file for free to convince you of our honesty....use TOR browser to talk with support....http://uqudwxzszbcj6uxbhbdccmixvwjfewn565ifotzvcbbimsjjcczsvpyd.onion/25659336f9879d3f18e3f621199af56de327d220d444654779aeb406a360f2d4

C:\Users\user\Documents\UBVUNTSCZJ.jpg Download File
Process:	C:\Users\user\Desktop\0ef0070d_by_Libranalysis.exe
File Type:	data
Category:	dropped
Size (bytes):	1300
Entropy (8bit):	7.852627505712796
Encrypted:	false
SSDEEP:	24:kiKFtA7YgALEkaxVxYn1vnyMo9B64kbq1gz/LkmivFF3XRTFkcYeCvQ:QFWU9EGv4c4kZjHidF3XRTFkcOvQ
MD5:	CB02337F562F388F4FC6D96E5047DEF1
SHA1:	390AA466B07CC9C2474E0E41D917082300FF1C57
SHA-256:	EA7D1DDEAA1020462A9F1D88D949CDF28F24A6BAF62AE15A141165507499B2B0
SHA-512:	0055F7482C0DF0248826402FBB935CE9479F3832205DAEEFB7BE0DEB41A96284909163C7B65DC89856C4B4B7CDEC650DD35BD4A8609473BC08DB8AA662ED5E7A
Malicious:	false
Preview:	&~FD.{..-p...Pt....."..Ho...rv.0.8.b..d..~s.!....?L.(.h..YnO. ?..c....[c'..89..."....E....L...uR.]....ers_.Ky~[g..Z..........&...iM..A&...t.~..C...`'U...SxhN...X..ZH2.M...y.F6...".=C.^qw.....{>E~4.M..^.<.c....2.3...s..yg.I.5....q..m..I..}.)....;r.......\H.o.J..8.....3.l`..{~.a...R..a..6.euK........Q)g....C.\|.g.%.4&g..4`..=..ys.'.q...(>..'m..7.D?.k..B.<....0^...'......X..&..vo.%Gx....q...y...&Y(..XO<......P....%i.]@.y....R..........<..s..U...+..jD...N..GF..a..o...7.......~.!..A.p\.Yhg z..RrFaP.S..ty...M............2..vq<c.k.b.L..,..~!...?D...Ry..%hh.z.. m.../.....@D....\|..EJup.^..6. d".uD.........p..g.........j..9..Anl...'..;(.F.8....d..c.\.HX...7.n}....n#=..Z.J......4q9mf..O~5..=..+L...-E..p...;o.H.Ax....^M....l.\y..9..i...u.w......k.0@.L.n~...'d.......K............r.#.G.J..GKA.V...Q....y.qr;..:....0!.\|._..2.f.}8&.U..Nm.....8..&.E.....ik...9.q.KF c.Z\|x.f.....!.{;........W...B...m<..F.....$....jG..C._\..'lr.n.I;.NTtH6.P.0......._..

C:\Users\user\Documents\UBVUNTSCZJ.xlsx Download File
Process:	C:\Users\user\Desktop\0ef0070d_by_Libranalysis.exe
File Type:	data
Category:	dropped
Size (bytes):	1300
Entropy (8bit):	7.861603476675002
Encrypted:	false
SSDEEP:	24:lSkskZzwsHIfWo2JqV5fDgPzXOush/UJZf6uZ5WeZl9MKDD6jPMV:ltNZzwsHP2CbnsxU3jZgm1DWjPi
MD5:	639B214948FC57311C7F869ADB307CFF
SHA1:	C0434A86330D6F7F79226F41753E8803849ED925
SHA-256:	ADB83ABD6A2F717396C776544910018ADEA9AFC574FC0EFD2A860BF017D70D24
SHA-512:	90F5D3B10C34DC7747F95A5816D6ED499CB86733DD0F8FCF60B44DF097B30E3AE24AD39EE65D43D548B8D680C6FBB22EC30AD4D318E611CD5281F67A383827C8
Malicious:	false
Preview:	.4.$O....(..K...4iz.......U.q..,.&.....W.....>.7.'.'...M...x..<......0.......gA.+R......B\|.."....p.2...#...l7..h..A.>E(..f.V..P.y......X/..........od..^..F..M5 .aj#...o.7_81...7....v..,..o.7.o...W.P..y..z.iF<...h%14b.1...`..r.:...{..].........F:..wa.WW....G...l.....\..lX.'..IE...!=x'.]l...{..2...).j.hZ.....UgKh.....,.r.W.e..p..acCG.....".#%lV.02&...?..y.h/O..,I.....B.O....Z...;L...UI<u.ar...JO.%1.g..D...N..sV..`".....!...8:.[.-..$k..'.K.\SruB... ...d..F'......eB!WK^...o\...>.r......;Llb.4V...6>..f........0..AA.A....._...l....o...e....[R...\|....(.W.@....H......bN.EyV..9Z...-i.5..b./g(.;.!..f.nR....;. ..n..yL....L5>.....1"......_.....,..p.].....e@t_W_/.D.V..6.....o......&..........P.w2..G........q...aE.&..j..V.[.JS..-..e....vQ..S.{^am.........P(-...i...B..k.eg.g...}.j.....jn4....o..0.E....>....y....!...?...(.HH..Uc.F...4...X(.P+cJ.=......,>.......Gm...J......#.\..q*......>..t..<u.I..<..<...?+X%f[Y..w...#...X'&...L..

C:\Users\user\Documents\WHZAGPPPLA.mp3 Download File
Process:	C:\Users\user\Desktop\0ef0070d_by_Libranalysis.exe
File Type:	data
Category:	dropped
Size (bytes):	1300
Entropy (8bit):	7.847014022296174
Encrypted:	false
SSDEEP:	24:IrGJ6sjUkf2610FVRPq5WY8cMs9foXzK6ZGUgYE4Vo3Mkqa03zL:IrGMrk+663Pq5WY19gu6ZRgY1Voc1L
MD5:	0492D4F76E1EFFB4057FA6CA57AC0585
SHA1:	C75398B71607CD35EDB2D3E37584C687C1AE9CAA
SHA-256:	47F87D6DD4ED3D46E165F32573D4DFA6C915F3242EC2F756561304BA766F4D3E
SHA-512:	D559E8A97AF09FE41ED2AFE9FB236BC8C4D523FBB9EB278B22E7C5FD369B390498694BD2229C6A267D5025B5374EAC74D2F2E602E76AE6E2AC696DAC99A9CA08
Malicious:	false
Preview:	..FD...u....@.o..;.N..K<..n.nX......0..<h.)...R......z..MSu..c..B...Y+.b.\|@.....N...v8.7.ebK.p.._....u\|vMn.._o.....nV..o.b...~=m...[...?.w]..C......e..iHc<..ub.id....2.F.x s.dp.......z.vL.>....0.i..iX.G....2.bS.W}i..v.?2]R.`...-G......'V.$.1..A-Q..4.K.>V....q-R...vEz...FYt.......C....,....v.}..8\..S..Pi5:..!.../.7E.}.(.....Ih..gb.......R..uJ..;w`-M`... .{.}.h3.@.K/&.{./...\|...H.......]ZX.......C....J.\|V.<R.....Y.."..S.3.Ir/.....M..l.}mH.......H.s....;.ham.RdK%..B..:]A.$?z.g....=#pn.'..CY.{P#.Um....7)....q....&..c!..b4.......5.......&......i).CF...+.....;.O...j.5l...1.}....)H.sd...f...q...B..S/.g. ..ew.4N./5;.\..~HK....#...f.09......~......./.....8.8.0.m......._.S.J..?dw....?..N....3..>.gG........`..8.J..S.}.y...(..E......pd..tiQ.\M.z(k.X..7.I..K.or.b:...t.%.e.6.O].R..:\....Q...C.....Co..o.(.\|k.Y.....=..@..._.....yY.2a...s`s>CVf.....&...:.r`.{.1.....:N..a._lL`...6`..a.\|....u..`....G.Y,....7.bt).a..'..^.&5......Rc)E<...A.

C:\Users\user\Documents\WHZAGPPPLA.pdf Download File
Process:	C:\Users\user\Desktop\0ef0070d_by_Libranalysis.exe
File Type:	data
Category:	dropped
Size (bytes):	1300
Entropy (8bit):	7.845798436101699
Encrypted:	false
SSDEEP:	24:oB9iqap15FjrrHSuITUto2PZlfrDoR4ggpxY/THzs9WCS0R9m+OYMWIDYbghO:Bj1v3jXIYrZlf3etEa/TTswZsORDYbb
MD5:	B788E030EF911359D78A478CEE2F0854
SHA1:	ED2C84E3E68CE2D61FBABB31DFD7078D283648B6
SHA-256:	942FC62D4E32CBB8A175E138608B4445E7AEA245EB8B4ECE49FC94C5E1BB2FFB
SHA-512:	688D01E0CF7BEABD5786F031EF399FDCA14F2587DA4FB0DE92DB06096E63D6EB6FFD1146E78830823C6110251085F3207B0B9B0E2FC274AA6C1236C3653109B6
Malicious:	false
Preview:	...F.f$.bH.&.{.\|.....Xp...]6.^.!..vn.5.\|C..q......+.%......"..........:...."I.{.6..?..... aeg....d......z...BA..n4.gL..e..Bq+..5...f...f.)s..H...J.'..Pyt..d.....{7.m....[...4]...~n...Zf....:.uxU....AF.....[.......0#...]!...e.82.?....^Iw "J.2.2.....$...:..W....K.Z........Z.B[.......Q&sG..n..g...2.!0..}RPI.}W.{.....45Z.(.7N..}.RI@.R_g..-.{T...N....wg.,...E....c+..L..l.U...E...Mi.}h..~..z...i...X.9!_)u.8.$....C..QG.9.t......D.s.....~O'..u<Y....T..uGl.....1..w.........7....r>.....[.......0...O...G..S7...........N.U\|..-.....j....y..Lk...A...v.....;.y.{L.......}r.%...N@L.o......:.J....J..pzc..+...C.x..}.....W........&p.8...6.G....U.....@EW.#.lH..g....K5.....uS~q.v..>!..oE6...2j.@..._..-<.LH..A#..S...~...3.Z_..#kH.......R...K.N.....4...zo.x.V[.F).L]-.V.k..6J..,#.F..]r...j.r.&...{...ve.^.L}...1.ls+....^.K...R.h.F.N.m.L...<.,[..\|.bC.&.3u...^o*.a..2{.#....M..O`CUX$.....?.'.f...zW....4<.\|1...q..de[s.G_..3..O....<.:t<..e\|..2A.....

C:\Users\user\Documents\read_me_unlock.txt Download File
Process:	C:\Users\user\Desktop\0ef0070d_by_Libranalysis.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	696
Entropy (8bit):	4.881841175168212
Encrypted:	false
SSDEEP:	12:awnG6J+d6tYzsqoo85X2OqHEMN94XsEU14HQ5BRWH1:aYC6GX85X2fHx/4cES4HEBy1
MD5:	04953EFE5CE48616B2ACD837ACCD6EB8
SHA1:	F7E7DF61C8556A9DF22208114C9D77C50B882731
SHA-256:	DAFC32C6BA65F27943B0E7E1C6F714A0C909904FB3156E7123F8A978F0948CD4
SHA-512:	888A80330EC599E48A6BBA56F709C3BB2EE12A9D582D45D861D42845CC65D0DF1B7B9C84D41395ABDAE88204D5DBF4876767891A062A7951EB059F19A063B523
Malicious:	false
Preview:	Hello dear westernpathologyinc! ....Unfortunately, your files have been encrypted and attackers are taking over 1 TB of your personal data. ....financial reports and many other documents. ....Do not try to recover files yourself, you can damage them without special software. ....We can help you recover your files and prevent your data from leaking or being sold on the darknet. ....Just contact support using the following methods and we will decrypt ..one non-important file for free to convince you of our honesty....use TOR browser to talk with support....http://uqudwxzszbcj6uxbhbdccmixvwjfewn565ifotzvcbbimsjjcczsvpyd.onion/25659336f9879d3f18e3f621199af56de327d220d444654779aeb406a360f2d4

C:\Users\user\Downloads\BUFZSQPCOH.pdf Download File
Process:	C:\Users\user\Desktop\0ef0070d_by_Libranalysis.exe
File Type:	data
Category:	dropped
Size (bytes):	1300
Entropy (8bit):	7.871843192238823
Encrypted:	false
SSDEEP:	24:H8VN4KiCmSFwV3mJeppY2BesDLjCQIqFrmxUuY7tePBTD:Hk4KvookO21DHCnql74JH
MD5:	4F0B2395EA6362F18E24A34F36C63763
SHA1:	766FB62DB34BFEF17F0D954385344A1DAFE94143
SHA-256:	90F54C24DB3EF137AD583DA941A76A45BBD0869CC998075305075ADB633DCE8D
SHA-512:	0CD651F010BE9BC174AD134FB77CD981F4EF15B86A06F3EA2CECCA40A43FBA971E395590BC000A9C17C1EE2B5B12E32E0DB91D6821CE0EE4FE4764C6212564C3
Malicious:	false
Preview:	.H...!.'.&....#....YASl..\|4...D.G.........R...x^.M.3=..1.q..d..$.....t...3.k..5.......6`.f...95...z..0.....;.4.W..d.u.6.:._.".......W]..y....9.5.......,Q.B.]....>..>Q.lRvh..@..s.[wg.].P$zD>....e0D.v....s.9...\|...[..q.#..3.xQ........~.#...8...Q-..^>........s.. >......<of....B.+...$..3....>..(uj.Q....J....g..........R...Z......X.....n.. -..._.j...........9...e{.=..'VL.......o..W.m..]....C.........f........Z.x...C......].&B.To...8.e.x.jm..V....v}w"..1..b.d.-...O..N..?..U...=O.iuY7Z.&.p.x..!.....n9.z....(...M../b.'.I...Y!P..b.=..........'...U.U..R.3.F0...N...y.RQ.u.DV.w.Ocy;,..z?.......X.c~..2.V`P..Ux]........F..dL.v+..H]M...c%Y.X...).D...#.p....;.*.;'.6..g.Jt............'...Z.......k..4..a.....v.j..!..=.n._U.D..(P.(..o......../{.E..7i..]......g.V.k..Giui.......L..$"....0..!._.)......k.hn.&Ou.\|.2p[.V.o.T..:w..5.U....bs..j..6.j:.O4\|....q.;6]..c.(...jI9.O."E..=...5..V...S..}i,.P.T1...px.v.>.....#.m.......(.)fX.v}.X..x...9Q..(.\~..t(.e.._....

C:\Users\user\Downloads\BWDRWEEARI.docx Download File
Process:	C:\Users\user\Desktop\0ef0070d_by_Libranalysis.exe
File Type:	data
Category:	dropped
Size (bytes):	1300
Entropy (8bit):	7.867267941411988
Encrypted:	false
SSDEEP:	24:6qq04nr3kEX2asoUkWwK64PvEUX3ZADUstigfiEyZVb/B4GrTKN5Poa22yN+J:6qqvr3rGasnfSec6ADDogqEyZVbJ4mTW
MD5:	F9050056BB4498B0B1265515A2CE18CE
SHA1:	D08B9D85A1283D208787812D72A5BEC06446E53B
SHA-256:	D29ED72D7861049C6EFDBC48E94596CC9590BBC073B83BD2E6E8C5B42892480F
SHA-512:	06F76C3E5E8C8AC18A6D531FD46C2CA8810A9C52BDD9731EEA0B6CE1B4136A64C395276DD42F69B03113B90F24E6ADB11E7F51E523A49306AB2A83A34103CCD5
Malicious:	false
Preview:	~d.........7.m....e....?.-..I.`.bW.3&.E.w..cb...^.w.CQ..ld.0..S(..$..M....8%.I.0..V......Z.2L.E.7..1TV...!....5.......K\..F.6........`5.e.R.?0...Z....=.s....V..o....A?M.q.r.F.1n\.Y......^.l..'uQ..C....g.kV_.I...!...N.Z.!(.TO..[q.cB;.....{./.%}....Ao-.]&.[._O".w&./.~.v...@.......Q.e....}....\Ll.G.1.9K......@S..\...~..8..Z.?...:..Rn.d..nW.....c....rE..n.....A..r.&..(..N..6.:....l..=.~..P..%7LAYp.......9KU...D..p.:.n..4N.z.sA..R..d.......NUrh$.]...4+!M..E..f.3%.._T..!.Ny`..N.... .......={..7].<..A...._Mm5.C.c..Y.5.g....?..H..D...B.kA.......~r..i.\|..p`..;.D..u.7..9{...3.....!....Y.qc..8...I.n.{..#o.....wm8b..a....yt...coi.O.Q....^D...L..T......I4m.3V../z2-_.G.B6.c'P.-.*..{....Dk...X..Y...b..85oA'....}./.p....w.......o...=.Y...9cG.W...U...-..x...[/F...N.l..$X.........N..H...!MV(....Q....<...N.... .%.<.H>....`!...&...g8D2X....b.kl.sC.J..n....4.D.O....8...G...=..."......x.W ...X,.8,<.(...........,..$...~.D...}.t[A.&.r.N.Er.?O1.X........} =..R

C:\Users\user\Downloads\BWDRWEEARI.xlsx Download File
Process:	C:\Users\user\Desktop\0ef0070d_by_Libranalysis.exe
File Type:	data
Category:	dropped
Size (bytes):	1300
Entropy (8bit):	7.836917275703651
Encrypted:	false
SSDEEP:	24:B8+5soIbK0kPVgf6JDmgBnxXXwy3Xo4hJ9NxrLyw/Hsf1YxOJWOM2DFb7VyRrC:B8+tIbK0igSAgVxXXwyHVTHsNYoJWOM6
MD5:	3BCEAA1552B9F810C090FD5047F60055
SHA1:	5B54B1E0B256289C5CF797169E4BC28CA9B3741B
SHA-256:	75585A52A69D7DA14B81716524FF7CB4AFA1F53C37CC6B4FFDB9BFA4D9AF3324
SHA-512:	FA55CD081AE5289764C3AEFB380736AB29C3AE7F7492D68FCD2F94BE63350A6787CA15A380B6FED2C58E389E8AAD31D856F7383BC09613E065AE2E9A970E60C4
Malicious:	false
Preview:	...U+..MYC.eQh.h.Y.%..G...rA.......~.......oi....,07w.W.W..N...$}.].S%4......6,.~.T....M..>.....tG.M r....Zr.:!#.O..-?...(.m]..4N5.d...Ga.....\|..<J.x4....J.X.X..C.......I.E.,4.J...\.~.7`.d...&..+.....j3S.W<"...Z..AD..w...M[..RT.P.O\|n{y..Z....Z.......#.U."....}.'..N+.if^Lk.a... .q...^..w.k..E>...LGS.&.hXG.0...Q;.#..=....O..+.....A,N.o.5h....nk1..R..u.e.:.)C..2...H4.....f.WX..Z.......Gq7....t..).0t......z..z%{/J.^.../.b.....u....<...<.....m.M&...........)H...s.k..Nc7........BU...{......U.!...W.>.^..J..Dk.....b.1...n.K...(...fkv.z....F..oq../..E..l..Z.E(.".\|..D..~........pI..>.:t.5.<.C..;.Xi.(rTt...r.4...60",.6.7.71...#^...tR..g.7.....Z.H...6............sO.J.B./..~2c..9...>O......O=...%...>.N.....q.?.6.;.{.;DLVdA?I.4..0Gd..Tab.^.X.0.X..y.V.L..l.>^.%.....-..A..B..3"81P=....l.}XF.....W:..+....s.t.["..,...l~&...u.F.v.5...#...Y.XVb...........0.H.I....uMF...?B.\X..x.....xR.<......}.&..eC....zN.N43Z\|..t6L..p......l.X..S.KOn..+(.....4.tE.*..

C:\Users\user\Downloads\DUKNXICOZT.png Download File
Process:	C:\Users\user\Desktop\0ef0070d_by_Libranalysis.exe
File Type:	COM executable for DOS
Category:	dropped
Size (bytes):	1300
Entropy (8bit):	7.85665939333653
Encrypted:	false
SSDEEP:	24:RgU3K17Tpk8+4xgnVTW0FrnXaxIy+eoKDj3JMQ1Fzy4GZRVCAUKzjvDharA8xwAv:RgU3IPaqijFLkIy+ejn1FJGvVRUKfvDA
MD5:	9FB57E21D44572F43A214B0B34991391
SHA1:	0F8EE32455AF3056971434BB83BE4C32A4728B2C
SHA-256:	AD506170DE71921DFA0F05F5C82001EDF042276E31E7023D1535AB9CDA0D3209
SHA-512:	35A822D7AF21AEFB61C5A84CDAAFEAC1F913CF4DB1FC0F8B26AB78BFE7E06FFE7A2500707C20D25E63157320B6AF54242E9A74AA57FC4866A74AD386FBFCA29A
Malicious:	false
Preview:	...E.4.'t.x..R..HL..}....cJf.K.2J..+K.IGi..N.p......X.[....y..en.h...0..DF.(..4.=..aB..\..7}.46.A.T8.....^^...{(vL.n..(.W.oz.#._.ab.....MfA.:.6=4...F7-e......w..2..".^k._....mZu...i\|,....l..C2(.&-.P\|.%N...'dr#..E...%R..........."5.\|.W....8.ZG.\|k.N..#t@[Zb.uR2...\|.....u.FO.iBy.I.B.,..\|.r....;.D..e.....'{z..r.Q.q.&.....I.G.+..\..Q........Ip.q.d...>#.T.i....;.....+6p.Z{.?.(mG+.......[..+.b!......'C...[a"N'...SX..z...2......2....=Y~$;:i.x.x..G2..........C_o%XU...f.e..-Id........O.".%...$Z...+.M..Fi./3...g+Ag.......o..$<....}.0.k.9&.u......N.u..l......Y.?..))Y.s..q.D2..K....}z...<N...`.~eX.G..I....T.;.n9..N>..., ...\.........N...]....2.......<8;/_..........u..pGE(G.(.c.JC..I.bG}.e.....ay.TJX...,..QTll.k.0g....vP.!:...s2...L..M;y.\|.n}x.../.$3......V.O.?.<......Kl).I.\.....U.._c..i....vp..y...0a..H..x[...X.....6.....'...6....RzyG*..~.Wx9.=...u&ZM8$.>r'E@.....I/.....'....u..c...t..O .S....3Xo..?N.....(..B.L.5=.......>..0.,B.#.EN.ib.....(.

C:\Users\user\Downloads\FAAGWHBVUU.png Download File
Process:	C:\Users\user\Desktop\0ef0070d_by_Libranalysis.exe
File Type:	data
Category:	dropped
Size (bytes):	1300
Entropy (8bit):	7.85027471301719
Encrypted:	false
SSDEEP:	24:/zgSGr0b6gHLzCJhlatOrPhzA3bJHHC080SFt+VTU6:/kSGrglHCfHW31COe6
MD5:	EC5BCE635E9F61A64D5101EFEE88250B
SHA1:	1011479E9AAB2AE1476E1CACD071A9E394EA615E
SHA-256:	EF9CDBBF6FED36A50F78D696A4414207576FBF9022FFF74FC430B38FADCDFAEF
SHA-512:	68CF654F306EAAED873C584300F825D6FE4F04185730B7E8357FE3C3246C5F6DCE004950326457938F09FFC1D6D7ECCFC1AEE51BBEBCB2EBC1C6691767746657
Malicious:	false
Preview:	.g.'h...f......RNU.a.Ax...H.5...].....<....f..~K.\......Q..1.l...F...F.(.1OQ......1d.,..A.VbE'8.rFf..\|....6T.K..H.}.....U-..u...?....OT..srh.....E.t~.e...VKJ....../....sq.fT7.q.4.+wD.G...._.)..n. ..tS9.mf(1e.M.$Y~.H..#j......?4..p..D.k.5mP..8%fv'.]+...V&...?....UU..?."..8......Q.>#........O........qQ1?;I.{..b#.8.1.[..2DR.a.V .M.....X.e../.L..Z...S.a.4.8.........`..{..-.....DRC).(p.i..............H...3v.'X.&.O]...K..../...loF....S.M8.Z..".}`.L.y..[M.x....r......].......Sd.............H.z..e..........SJ.L>.>.S..iPd ...M.E@+.....".y...U.....QCZ@.&...Adnm`Ej....F....<.-..c.)...,=.YiV...W\;.}S...S.w.2....}..I.U.-u...e.G....].......].8Q.^}._ .Q.."2AD.}..(.....z..`o.7!..\|..%.-}......~,.q.Z.N.97.....L.[.S./X..%..1FH...9.o...0..b.....??..=o.^.3..m.....r...K...K..V..O.)&e.UHa.4.....vr.z$..$&np2:......Q.1...,1.+...bR..d.*`.......T.x%=u$..,.r5O...z...2r..r..W.Z..........._.?@I]"...(.&.5.~hKN...........D4.\.K........Fbr.rY.=`.YW..uC.....B..J

C:\Users\user\Downloads\GNLQNHOLWB.docx Download File
Process:	C:\Users\user\Desktop\0ef0070d_by_Libranalysis.exe
File Type:	data
Category:	dropped
Size (bytes):	1300
Entropy (8bit):	7.834810212526431
Encrypted:	false
SSDEEP:	24:DRNu7pinclC2+VKBJseb3nrFxlbPA+9La4meHx2QXmkJ/O:Fj0Nb7FXEXLkxLXfxO
MD5:	F3F51455EADDDD2EFB45FF1A660DF81D
SHA1:	7231B71F046A6475CF086E46BD37E60CFA95EC93
SHA-256:	D1C5A2D4112150BB40B5915F5398E3E5DE1E680A5B3C4136565D0EF913155D23
SHA-512:	B3E101590BED443DC33B2B9E51512099FE6CC0B551334260BF3C49F4531E30BACB87CC838C1B4FD75FA1021616028B37BF2C494CECD656EC3F414C752E432F84
Malicious:	false
Preview:	....zv...t/M..V..bk@Wmo:y..sg..v.ks.).E..1..}..hpW6..<...o..bH.y...Cw.i..?.....y.e.....?#..y....H....f.o(.Q.K..".Y.y}.e;...D....mnX.....`.zm.!...5...kdBb...i?.`......T"'z......iy...?y.\|1{..2.>O........w..\N.G6.4\..._k..#.....'.......{).`.W....S.5.a..R..Y..l.e0.../\l.iY..iJ...Eh....X.In....p..&.}.".~e`/S.....".:..w..E.S...iZ5..eWZ.zF..;d..y.;.(.l.D..;.3.h.....G..#\... ..3.v.."..._ YPv..;...'{s......O...+=..9.@....y.>..j...3.....4.]x.B.L.=Iu.^.....P...(.F....,...Y#GA...{o..a.b.."~...............Y..d.p. .@?..<.-./......;...:....%...&....d....7Fp...7..z....d.Fn.q5d.q...X....c....i.l..h........E.;LY.....OR..JG...j...-./Wz.d@.zs.x.:........y.kj9'.N...y...b..{./.]_W...V....O.L..z..ZK..2......Y.8....x}..$._..RC...x.tK.d...k..:3.r......I; L.Q...\&.&a.d..........B.A6.'.]fs....X).s =..{...+r.L1..X)_.l........W]...xoQ.....`..&.g]p.'.........Y~..............[...q..../}E.qu.X."...;.P........."...\|H...3W..rm.S.).-.."o..."........58B.-..>....n

C:\Users\user\Downloads\MIVTQDBATG.mp3 Download File
Process:	C:\Users\user\Desktop\0ef0070d_by_Libranalysis.exe
File Type:	data
Category:	dropped
Size (bytes):	1300
Entropy (8bit):	7.848272370711994
Encrypted:	false
SSDEEP:	24:39ksHPl8i2t6hAJiutBmVMaG9mH5rC+ue/NXsQfHQooUkVx8kDno18n:tksvV20+3tZaGOuelHfHwx8kDno18n
MD5:	75DBA5CEC0E28557218EC4BC62658598
SHA1:	D445EF3153B45984E78BD51CA72E24F07D0890B2
SHA-256:	17361B32BC300D88ED2A469BD82FE84BF90BD6F0D6D3D27329B80DDDD5192B71
SHA-512:	2322032CD532F5CF5BE91C5E5AB40C49D8C40DD6A6819B5F7169F6E3A3DF4991BD89D0E5490DD62583616C6D09F17D1C931DA6784695A3638145E6205DB21743
Malicious:	false
Preview:	Z..4..nFf..$3v.u..+.!....V. .....E6X..oX.%T...9.e...P.A...v...^h.6u..~..\.Z.fJ;[........f;.8.;c....e\|.....8U....m...Ys%X.hrB%.x(W0.n.m....2.{__<....9M..u.........o2...y..e.$.!"EA..I;.....o/.P\x..cR...`,:!856.%.U-I......#.i..O.xjb...~S_......[.1deTXH.1.Fy`FT.J.F...G..zE....0G9.WW.Q.O.... ....g8H.2.5..7.......^.M..q/.\|..._..8...-.zZ.}f.(..o..:...!r.Nr..@.N.....~]..w.~..U.(......r.AE`..M.uG..IP.w.h..6X..u.2V.\.1.o-...P`9...?...Z.oQ..+........&......q).n......g.P}.z?r...!.Zf-..;.p+9t.j..@9'.....Z....l..n...hK$?..'.W..WG~.x.I....#......yA.t);.....4nK./HMI..z1...<..YH.3b.r.}.S6.+D.....1^....u.F...s..$"K.g}.s..i...J..T6..'..I.uC9..6.2....\........K#aw.\...:.....xC~S..!.2...4..5..b.i....+/Ou..n..b%.#..}Z...L....6.....l.!.+CmY#.....E.L...JA.1...x.m..l.~......za.....m=.....l/].....T.!~T.E.-YV.VLW....<..Hp...H.R.xiRs!\|A.C..Re.....t........G....Fle**.j..;....f....9.m.&.j...f.Y."()~.........W.(h..l..D.]...>.xmR..&..D4..n..)pt..%(..;...p.^...Q=.n.!...;.G.4.Z:

C:\Users\user\Downloads\OVWVVIANZH.jpg Download File
Process:	C:\Users\user\Desktop\0ef0070d_by_Libranalysis.exe
File Type:	data
Category:	dropped
Size (bytes):	1300
Entropy (8bit):	7.876976074732253
Encrypted:	false
SSDEEP:	24:tzHXpIe4UToAA7KVHYqwUhWHROoTCqItN2VE4qUsdhzc8t8FFAfNB/pQjR:ZZIe4UUA2qH4FxbTioVE3JdhzcfwN4d
MD5:	C0728CC00856BB72F47547C53744FF71
SHA1:	7AA6FC681C21D0348872DFCDF58D1D5D2C3C9747
SHA-256:	EA2C3BAD15049DC35985667C6EABCF0C5E533C4C914F2F7C605081A503E6DA92
SHA-512:	61422CCC16E07AC6907D346CE18994645AC7C7D0FEA83E894F322F63CC6D673DDDE39778F6A54AFBE80D694616017AFAEBF8C7DB2AF90E5E14DF33712AE00CCF
Malicious:	false
Preview:	...r/..~...b6H.I..G..G..].{.^.&.`.Gx...5...{ ....w3...\.u5_'D7...Pk..6..wKL.!X..+J...[z.~>,.J......0.C.C.m..5.n..k.Q...{..`nuod9P.:.Y/..T.. ....O]IO.#...../..`]L~.2S.%...s...t..i3&.'.d....3...V......{...?"Nw....ECj........".bY..v]......G..E.......>..U).T@H@........E...:0&N.....p....Y2.<..\y.m.n...e.ZK.V8?.G.c..\...$P(..&.p.be.......H...#..\.=.....ti....\|.>.99+.iBwC.~...L.].#lz=..V..R8..M..z..6x......'7.k-:..3.....Z..!k....F;-]....[........(............1.;....l\|j[....CP}..4.8h.;..y..F..s...0...n...n.oS.e......H.=]E./..>..qY.{...i.g.`.1....T.H...c...E.M.IT$.M.d4.....A..$B..w...OoKXTp.9K..^9......N.....FN..T.2(...j.}m.H..Lk.........4...+g..J........I`yk..k7.....>.N)Lx.1..[q...80rs..mW8...3...A..........<.......)...E...Q.......-.3.2$P.Wb..J.F.%..b(Y....[.]...X.??....P...8....ez....x.&.....4.:.#Y^..0.h.`6r......F.J.B..r......E....$`K.x.: .3.H.E.MD.9q.y.u..\|{.%=P.p`3R..%.0......Z.N...V.c.......Z..........Kf_a...)...iK..F.D.H.2......

C:\Users\user\Downloads\UBVUNTSCZJ.jpg Download File
Process:	C:\Users\user\Desktop\0ef0070d_by_Libranalysis.exe
File Type:	data
Category:	dropped
Size (bytes):	1300
Entropy (8bit):	7.848779605733862
Encrypted:	false
SSDEEP:	24:wrOYvn/229hRgWl8LuWNLxQwPJa7XbghyoYmJX7+3vmcaM9pCYC1qg0KU:QJG2dGyc/PU/DB+7IvVJeqXt
MD5:	DBA2A66DA3467C9B55C4246EA385AF6D
SHA1:	DBFE6F9E5A13B7B1BA79CE577FF79E73786207FB
SHA-256:	171BAA81CD8A0AC6ECFB20649BDD8EC7DFFB07F30F4E9B2AFFF98DC4D92D2DE2
SHA-512:	D845E33F08EE424375AD55D3FB6164D1CDDF9A68FAA81DF904A95089C63EF6A6F0FB24AE874204C3284BC251C32F8246D606AC06A6046E03CB571628CAA2BD63
Malicious:	false
Preview:	.o.G..2..6...Ta....".b..@t.....H...x.th...M.m......b.e.A.r.{...5....H-.I...pR.8...iO.CE=.D.Yiz.>77$.jf......Q.N.....0.m........Ur...0..K.b).)..qzD....0...E....9.m.dv..i..[..j..i...G...[......@....#.....A...'`D.D!.fh])g.....[.y..s[....6._.a^Y...J`......U.6J.=....p..@....V..Z..{....(.25B1z.......S..].....(V}vX.5..).<.......ei..\|:.Vk.+z..F.-....n..dj-....e....zj..=....W.A.....N......m.q.U.t..)w.U..~.M[ G.G.[.}t.O..URn.\u\|....E@....a....'.^..B...P.)q.;6vq.7C.....q...c.V...3..3/.4.N.g`}GD1.{..-h..+t.^.v8...~.ia.E....0.......}....u.F.ns.pq..-.....v.>.c"...=.."..Z.--..q......A.....m....u.M.7@KRa.......]..#...&....;4......n...o...h..F....#].(..!.~B..Ue1..\|..Q.?J.........`8.)..8pP..g...>..!n.L.C&t.-;.1?@.$.=.C..d...c.x..6.....2P.M.T.J9!2.%.!.U.$.WC..u[.r!.r....G=.J.(.u.a..W[..f/...._..~kQ.%.....nJ.Z4..T.V..."...j:.s.6.i.".s.U.%...H.-..J..<......C..Ib....@..}."..Ay...!n?.9...e.j......FK.(.X..i.....x..W....4.LI.o.G#...LF6.Zs=E..(.....?...aA.^.p.".Q.A

C:\Users\user\Downloads\UBVUNTSCZJ.xlsx Download File
Process:	C:\Users\user\Desktop\0ef0070d_by_Libranalysis.exe
File Type:	data
Category:	dropped
Size (bytes):	1300
Entropy (8bit):	7.86805536338524
Encrypted:	false
SSDEEP:	24:RMgP62xzCHuYOIzzEN2R57TNEp5qP/4pZEc4X6h5WkNTgdbJQbGFtY0IIXQaC271:RMg5CH6+omTeWPQvEc4piTgdbJQKFahW
MD5:	509641CBA09780F2BF14EE85C93A9A6E
SHA1:	C868176C26574D3F214E582ECD79B3B377B43029
SHA-256:	1B37568B75A02D012CF79EBF97EA2214369BE77D74AE6027246D89735162C96B
SHA-512:	2D40E727BC6E5F7FC7632217CBA856F39FDA8CDA5672C8845CFD82C6828529AFC08E14F21E665E2D9C231AF10F4CD1723A93DA09621B6EEFE4131F98B7BFD3AE
Malicious:	false
Preview:	..M..V.L..R..E..........sbw.7...LE...Ti.:~F....O..j..c.tA.n.6k.Gb.p@.z....kv...k..s.....O.\|..08.m........Ft.;o.xX.D%p..@...N.{G..t;N....\|....0GqS.O....{..i.RG..1_..gdnZu.J.&....%.,.wz3Y....,... .....(....c%.HbQ......:.T\.\59......Ql\..H...H.7...'X=.0.'....r.u..U.j.8..t.)5U.$w.j.vn.]f.T..j..-.H.FO\|...8.5..A..n.qIV0......a..z[}~.S......18=.W< ..[....P-...A3..u.wW.,T.^@t&.wK^P8hY4jh}..t...2..6.....Q.v.&r/.l..LI..p"y...s%e..O.Ry@\@....hYo..5.yo...J.d..G.b....3.b...........o}\|..:h...d..B..i...ho.f...Z...!.....D.k.z7.<C5t.=.....I:.\|.f............R.....W!}........o.M....w`j........[....^..../@..\.G.8.1.#^..}&V....6...o..L.+.O..j!.c.00}^\x=...../.....$.E...r.7C...&...h2..../.1.3..?.IEt...g...PF(.6...g..*..1..RK.P....w.@o!..F..s....\....93}.7.W7./.g.g.I..._.zJ...b...z.._?..k....M..W6...rfo..H.......w.X.C.V&.~\|..(..)...C.&...[+Wm... N.v%.......u"..o...Z9....,VC...6.$...f.4..1T..%.g......{..NL.)x.Oj.t..#.1.........zY."........-fOq<..Kw...%.i.

C:\Users\user\Downloads\WHZAGPPPLA.mp3 Download File
Process:	C:\Users\user\Desktop\0ef0070d_by_Libranalysis.exe
File Type:	data
Category:	dropped
Size (bytes):	1300
Entropy (8bit):	7.857630540181237
Encrypted:	false
SSDEEP:	24:dH94cQv9+CgLY3cB3gZ788QLXm72MwkiictMMqMNuGkSCYwWBXin:EcW9+vEkC7XKFWCMMdRpwky
MD5:	CC725A5D42C093AC0F34BF1190D6C188
SHA1:	0B1CC7F4810750976AF7E01970EFD82FD7CC0A68
SHA-256:	7B1698DA9AE84A6136928F7945F1743C790E457E36AEDF416F02C4A3A9886A4F
SHA-512:	B076669CE7D8E9A1441E29CE222F33610F862CD1B7270D4D3591F39DA444DB5CF5D03CABCC4C05BD93709A793C5D5E9C1FFE085D5D892BF9EFE3C0C274339187
Malicious:	false
Preview:	o........+..T^..@82..8d......XH-M......Id.]..\|..2wA.Ey.U...X6..6.....N..W. .s.&@..A....d.E..}..GoX..a T...l...p......l.HQ=..Q.'5.i.......K..."o.....7EV.t.@q}.%.6....T.w.5...3.-0.F P."".....)p.t.r....@..+...5.....f....d.D...U...S./-+c..;.Y..T.W^.Z....o`mMf.h.FGWI3.@4.KB..;...t.F...4ev1"N..}.X.~.7].....\..X.....b.....q...#...^`B.....8..1...{..~:t...../r.....1.._~[aen.7...I...ux.ssF.....-..-q....iB...L.g}..F.5.M9..y...tb.C.\|...bB........} 1..'..o..F.`..yq.J.F.'.....liy..+.S...?:....P...["y...t...2.oG......F.....((...v.m.6...D..M..=S$..C....).9&.3.d......)....Y\|.\|....}....>S.;C..m.h{...K_.y/.[.......EsF.....D.....d.W.<Kb.A...gx9....?.,,G.O...R...~.{4..2.....[fg.".X. :H..M...GF.....vSV...s...\|17.X....j.de.m......B.9..Z..}..i.H.AP....?.....d.Li..,)ic{x3.3...#Ll....L.U.+9....../..U_..f.3..?[!.....G.H;~.......>..\g.}..A..}T$^.h.R..XL.O..e+.f...ZB0..V.~Ms..n18...}....zc../.....'^.y.....*O.--..<..p.f..sA.-\|...q.bD<FZ..\.h...?......... ..@..].-\|.....

C:\Users\user\Downloads\WHZAGPPPLA.pdf Download File
Process:	C:\Users\user\Desktop\0ef0070d_by_Libranalysis.exe
File Type:	data
Category:	dropped
Size (bytes):	1300
Entropy (8bit):	7.838138064657329
Encrypted:	false
SSDEEP:	24:YA3ZjYJW7SQPe31gACsn4P5WA3gZj6YqhXciw7T7FCHM7ptgJRcOa3plulg:b3aMk1gACsDAe6HXFs7pKJRcz3v9
MD5:	D0690880E7EE0B5B309B6EBFAE4AD965
SHA1:	07BFAFA46CBB0FE2154A18655B388550AE090208
SHA-256:	749EA15254BB3036AE6D107B7D1183AF2AC82F64794CAA019CC59824A1ED5F6A
SHA-512:	73F53835BC453195FA527E760FF7AEFAB94BA797CCFFB70D3C483B9D3E1AD71D833D4C598ED4B48C06F15827C39836EBDC6E1FFF82E2A6AB6351E9E92C394167
Malicious:	false
Preview:	....n.t.m.K.3..="......Q......p...Lmxf:.x3....'/.....XQ.}..7.b.NB~......T-Ug...6.A..G\\%.1.........~Q...}$U'...JN.?...m........m..}H.'.B...K......]\|.?...F .w.v..-..4....:.S...]...lR.L....r.s?..M.......%.i.zK@..fA.RRRq...TE.z...Ay4<M....6v.'}qF.=..3.@.I...._....?.O~.o7......RT.z.'.p.....R+Ls!.18..q..[..\..w...1...;.....(.3z2.7%y<{p)w4..T.......:....m....e..d...%Y4..f..efv...0O..']....!47..C...3V.........),....c..\|}t.%....Tu^..'.XZx!.+Cx.&~.78....}mN.?.$~z".4,.hP...&...N.Z...n.S<..t{WvI...}_/.......q...]k..}>...W.E>..9 ...s...3L... ......../.......F._S....:.P0ah.{^..s.........\U...=.5..z..U].$............d.....~j..\|.l....{.:..X.('W.f..!.G{5B.9AX`4a.o"..P...\..."....x...6..W.>...9..c.g....9M..........8..1.GD.5.0.~77.@5...QN.o.(...p.?Oo'N..X...m#Al.2.-..L5Q...P._.*z.6.~...e2.9.....z...._s..9...R.o...,X..p4X..z...q..0.ki..&........=..!.bS.v...Q...T.....4c.fWl..+..&..}...h..c.uS.?..+..@..R>.2G.3..\|:...>dP}..Q.#e.F..+..hU.%...NO...

C:\Users\user\Downloads\read_me_unlock.txt Download File
Process:	C:\Users\user\Desktop\0ef0070d_by_Libranalysis.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	696
Entropy (8bit):	4.881841175168212
Encrypted:	false
SSDEEP:	12:awnG6J+d6tYzsqoo85X2OqHEMN94XsEU14HQ5BRWH1:aYC6GX85X2fHx/4cES4HEBy1
MD5:	04953EFE5CE48616B2ACD837ACCD6EB8
SHA1:	F7E7DF61C8556A9DF22208114C9D77C50B882731
SHA-256:	DAFC32C6BA65F27943B0E7E1C6F714A0C909904FB3156E7123F8A978F0948CD4
SHA-512:	888A80330EC599E48A6BBA56F709C3BB2EE12A9D582D45D861D42845CC65D0DF1B7B9C84D41395ABDAE88204D5DBF4876767891A062A7951EB059F19A063B523
Malicious:	false
Preview:	Hello dear westernpathologyinc! ....Unfortunately, your files have been encrypted and attackers are taking over 1 TB of your personal data. ....financial reports and many other documents. ....Do not try to recover files yourself, you can damage them without special software. ....We can help you recover your files and prevent your data from leaking or being sold on the darknet. ....Just contact support using the following methods and we will decrypt ..one non-important file for free to convince you of our honesty....use TOR browser to talk with support....http://uqudwxzszbcj6uxbhbdccmixvwjfewn565ifotzvcbbimsjjcczsvpyd.onion/25659336f9879d3f18e3f621199af56de327d220d444654779aeb406a360f2d4

C:\Users\user\Favorites\Amazon.url Download File
Process:	C:\Users\user\Desktop\0ef0070d_by_Libranalysis.exe
File Type:	data
Category:	dropped
Size (bytes):	372
Entropy (8bit):	7.459480468299983
Encrypted:	false
SSDEEP:	6:QHiWH5juHG6F1kwzQmpm8fGuWgu50V0ZjHESg125hoq0VF1iP1DDQZ3ZPhK01VNY:UH5KGAWwzBGuGyijHEf1ooxG9/QZ3ZPG
MD5:	9B79003A1489EF525A8BEA7B1E452642
SHA1:	1228CF970DD372F98CE5251B523F02FB3DB512C8
SHA-256:	D471E7426375A5C768BC3904D5F760B8A3CAC106A0D27F5FC2734CDE174FB71E
SHA-512:	AB54CB1FA515E203A52F02309F943397BE7107A7045F1A1E37C838265D2253A6A51EA3CE239866FC70BB8D5F64C7D6ABD1F78EE35CD4F151A5CEDD96B78F3E50
Malicious:	false
Preview:	.w.....P.r..E9. ..?y.=..Z..J..H....0.N..cO9..ac..3A8........b.B......P.J1.U\|Y.OO}....fd.c_..%.QkS[.#...J.......w..........J(H.lqTl ..\...K..c.F.@..C..+.Y..."....&x^..V.........KX.:B....B..\..<.....T..GU:.2...jG.m.^.%.T....gue.h?..&.....C........6Ts...G.'..$.. .....;.)2 ./v]..l{.v.uY....Y.......a..z;.,=0.W#...<..6Y.V...t...}..cB.m.A-....X.C9....Q.

C:\Users\user\Favorites\Bing.url Download File
Process:	C:\Users\user\Desktop\0ef0070d_by_Libranalysis.exe
File Type:	data
Category:	dropped
Size (bytes):	468
Entropy (8bit):	7.50396247198524
Encrypted:	false
SSDEEP:	12:py+IxIovX2eZW7Hn9MXlBG0QNt9p5p9LaG2b3QceWYvKQqgn:p4xIKX2J9mW0QNt35zGRbgjCSn
MD5:	0E51B6D3853AD898D26DEA644B5CF0A6
SHA1:	CED15D7ADB4EE5396EFC8A7B0E3EB92A5B170CFD
SHA-256:	33350015ECF9A635082D383E0F28F8C203378D49ABD8B909619D0104469B9A17
SHA-512:	EF75ACEE4C7B74EEFD21639C6E4CE7A7C7AB848037A06ACA3009C864901C65E9D358E8AC884587216DC2899B20CB655857B6E6E86D7BDA2D615D6703342E0BD6
Malicious:	false
Preview:	`..l9...\..nz.....U./..JH....jF1....q!a.:?.@.}.......B....S..IUP...#...e.t....,.@.)..t.L....6..A=v..at.\..Z!.}~.......n.v.^...Z.d..3r...F........v..U...UW....9..........A.SIQh......]..x.N....}km...nw...........z..`..p.]rwB..L.h..r....9s..S...*LR.. v...G3.@<;....=...{.........@RNl.....}.g...g.. ..E.=...N.Z...~t.<.\|1c........5dm...$...'.....0m..#.@..[o..!.......>634.L..,x..\<.....U....^...7N..JC..s..{t..T.........Z}...=......=_.[.^!.5f.U.1..v...yt

C:\Users\user\Favorites\Facebook.url Download File
Process:	C:\Users\user\Desktop\0ef0070d_by_Libranalysis.exe
File Type:	data
Category:	dropped
Size (bytes):	388
Entropy (8bit):	7.462155844920995
Encrypted:	false
SSDEEP:	6:S2cxpMeBowkveoaaG2lda46ODfvji2ab2oYDkYbgSiSNuB8M/KXlGZUVkpaGnjG+:S2WMmCatpgAa/bg68KXlGqLEjFF
MD5:	DB4685E9EC17717DA17C3EF52DD6C9FE
SHA1:	3F36AD50D1D36CE9087BDD21E898DE1C14ED77D2
SHA-256:	A381C8575A59E3C205244C65BD13437A17B5D10A2D9F1DFD78ED258049C72DFD
SHA-512:	04A4BB82874E59BE7C605CB11D0703762DC2362663A71482E75FE922C74464903CDE0F85C120C870C011B06611F6B40370F041731EF4AD13865347A01DB84CF3
Malicious:	false
Preview:	.....]..HZ}(..K5.hi.g....cr`2....V..!..T".z_....b...`../;.(.......]...W.&"j.9.-.W.....O.+...'.(w.....;...&z."0....k`.+.w.:3+.......b......f.Tq\|}..~{:........F.P.z..../..~fv.Y...}Q.....r.I.r...(J....6....1m..s.u.k.CI.g.].u0K...Gv..:{>..)......_..kX.a...~.7.Y.......d..]/...q!a..HS.../E6[.d7@._?.+.......1..".z...Gj%..p.eQA;\|.K...s...\.....E...c...K..Bj$.N).{/..$.. d..F'

C:\Users\user\Favorites\Google.url Download File
Process:	C:\Users\user\Desktop\0ef0070d_by_Libranalysis.exe
File Type:	data
Category:	dropped
Size (bytes):	372
Entropy (8bit):	7.313677159274378
Encrypted:	false
SSDEEP:	6:pJecJKBQ1dHeSkX00h9mZpNTFTslNWuQ1sAS6Cy6HwojA0bD8TYNwb5KpLPNaw1V:KBQX7S0s9mZpbguuQaHnnFwbALPIUMrg
MD5:	C06325519A97B0EA859B66E98A4BD3FD
SHA1:	841C06F7BC1E85918A59F2C5C31CC904E01D70FA
SHA-256:	655F261C9E6DCFE285D53CBC0D584827A7759C092F0901BEDA14ACD624B42C20
SHA-512:	A83A51EDAF9669B177158CACCDA765FEA9059E1A197AC747CCC20BE26690DA8A6CFF4E7727C23475BDDB4C01046D52F68D61399E5F79BE83D14ED65156538721
Malicious:	false
Preview:	...>..po.X.MkTK....;.`....wX.Q....1.3q...".o....A.]s...R...Gm...D..........].,.....s/.....\|%.....C.Uqn....!....%...._lF..A..$m.;.7.:b..K..o.......W..(../..t.\.Wd.\|]^...">.....P.7.m.o..#...!.5...7]X<..A.2.5..(%.M.....\|'..-V..]....:.FR../.....\|4D..n..G;nP.&!..:.!1.V.KH.`.~...k.F..7k....;2-.^m.O.&..f.r.......w1t..k.N..l.N.&.......\,..m@......{..J.rm.8p...6....

C:\Users\user\Favorites\Links\read_me_unlock.txt Download File
Process:	C:\Users\user\Desktop\0ef0070d_by_Libranalysis.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	696
Entropy (8bit):	4.881841175168212
Encrypted:	false
SSDEEP:	12:awnG6J+d6tYzsqoo85X2OqHEMN94XsEU14HQ5BRWH1:aYC6GX85X2fHx/4cES4HEBy1
MD5:	04953EFE5CE48616B2ACD837ACCD6EB8
SHA1:	F7E7DF61C8556A9DF22208114C9D77C50B882731
SHA-256:	DAFC32C6BA65F27943B0E7E1C6F714A0C909904FB3156E7123F8A978F0948CD4
SHA-512:	888A80330EC599E48A6BBA56F709C3BB2EE12A9D582D45D861D42845CC65D0DF1B7B9C84D41395ABDAE88204D5DBF4876767891A062A7951EB059F19A063B523
Malicious:	false
Preview:	Hello dear westernpathologyinc! ....Unfortunately, your files have been encrypted and attackers are taking over 1 TB of your personal data. ....financial reports and many other documents. ....Do not try to recover files yourself, you can damage them without special software. ....We can help you recover your files and prevent your data from leaking or being sold on the darknet. ....Just contact support using the following methods and we will decrypt ..one non-important file for free to convince you of our honesty....use TOR browser to talk with support....http://uqudwxzszbcj6uxbhbdccmixvwjfewn565ifotzvcbbimsjjcczsvpyd.onion/25659336f9879d3f18e3f621199af56de327d220d444654779aeb406a360f2d4

C:\Users\user\Favorites\Live.url Download File
Process:	C:\Users\user\Desktop\0ef0070d_by_Libranalysis.exe
File Type:	data
Category:	dropped
Size (bytes):	372
Entropy (8bit):	7.456844850043687
Encrypted:	false
SSDEEP:	6:GUvkzOjAaZR3930O0kJtTPOspqHNziK/0JpFy/E5MYuvKXhXfNAR107/ejN9dD44:GrqZb30On9Ou4ikrEKL29KR08DPCU
MD5:	090ECA6B1F9D20CC3088F8A24C08E71A
SHA1:	F70C1FD38085557CD75258F28E306B6392381F01
SHA-256:	2CDEED4425CEF5799C62F276CC6B63A20469DE933564A459ADE92BDF6CCECF35
SHA-512:	5BA790C90D38F9E56D9B0C6AFE4D834C1493BF78A70280748819CB266F50EB1EEFEDA8F3732AA81D71FA2B67EC1ECE35D3378D9E058489296A1D1F1760D37F6C
Malicious:	false
Preview:	./gz.......-n)zb....ltr..3z{......f....\.aIM~.W....1t.us.#...g......J.f.zy...VR...G./...e...VyjAd.9.J..+...........@c[h.....k...M...Im.:7.0k.(...f6...?..^.8..7..s...td....V..L..8l...m.....v.....u.;.A...+*..r....l.A..t..d..../q&..Px.r.....[t\|t.{.;L........e.._h.c.^.9.........%.,.....<.N.dN.%...h.x.\|.o........%..u.fW.....x'..&.yY...o..jKH.7..=.i....C.+

C:\Users\user\Favorites\NYTimes.url Download File
Process:	C:\Users\user\Desktop\0ef0070d_by_Libranalysis.exe
File Type:	data
Category:	dropped
Size (bytes):	372
Entropy (8bit):	7.422825973613436
Encrypted:	false
SSDEEP:	6:ad2Kj8ybWmzrYS5ybSbFaU9Afl+uownpH/UiS0jF9ItDgOAC9MvHC6aR69Kut0LM:eAbmzckumGwhwpH/7J9qDg5C9MvHC6SO
MD5:	2A651EB0DC44B06EF461962DDF891CDC
SHA1:	894FAD30241470BB22AAB48CB1FE0F39D1314D9A
SHA-256:	AC2E8FC1D056272B508265BC04CD5A1F3DDFD68FCF2D9FC1F1095023B74F3920
SHA-512:	76E461F15CE67A595F9A2729F3B9C6043D6D25C0C51B28085BDA5633446C26443895A1E47651A250FE7DF20C690BE5F9002B7B68F848F85CC4AF3DDD280D2D85
Malicious:	false
Preview:	..Y..Cr.2K......#B.5..Y`.4N../P...._...l.m...s../.S....u...2..J.M..,C.b.,=#.8v..oG..\jA.2..,.q...:......V.UOL..j.....,..7Y.#.PD.%8...D}..>.....}sa.........`4N..vz`w..#p..Z..i@$b......sd.A..SErn9..1.. ..u"Z..w.A...R..&4..8........K../.-.>......np..k..k..n3G..*m~:++...ZO....$<.Q.L....Y.:....j-._?m....wj.A...E..x..Sk....V..J..".MF....E...j!.T...v<.n.bk...M.p

C:\Users\user\Favorites\Reddit.url Download File
Process:	C:\Users\user\Desktop\0ef0070d_by_Libranalysis.exe
File Type:	data
Category:	dropped
Size (bytes):	372
Entropy (8bit):	7.3743093005699265
Encrypted:	false
SSDEEP:	6:QxDgfLDLaevNtNXvH8TpqgO/4Ir5/nBfH3L33vMiDUsYXZzbkN4vLJITUx+sB:Xf7aevNtd6IDRnBPzkcExITUxTB
MD5:	8B02B7F81BB5BF07D34022D4E0E6683A
SHA1:	EF9E3AFA3C1FC1742EBCC68E607CAB317775A8EA
SHA-256:	34E31DA3F38090BD0E8FA383ADC73586496C57C28F4701056E8DA0E2D9E4D690
SHA-512:	04954283EC75BCBCFA8E1234294F88CB1C979818BB8BDD9343CA8B2200B52922F8134B5CA8FD90BFA9275B0549FDE63F707BAA3843C65323175DADA69496091A
Malicious:	false
Preview:	.,.R...ck.._.w^.....&...%e.."@.G[BH..{.hc...OP...h.^...W.R..b...[#o....6^..[#.(l..N..T..Z....%.. ..k..C.....%%=Rz.:..:....%..?.....8[.f..f......q..N.....0u."Se.[vX...H....C.....$..m.}j..H/MR........B...=7fD.....bU...\...S&...r..().f.-.'.v.C..........\^..[........O.#T.s.?...t..F.. ^3.2.s.s....nJ2......rK.(.f....1..E.L.9.V&.B)...... ...pA.SV.......I.O@

C:\Users\user\Favorites\Twitter.url Download File
Process:	C:\Users\user\Desktop\0ef0070d_by_Libranalysis.exe
File Type:	data
Category:	dropped
Size (bytes):	372
Entropy (8bit):	7.372141153795492
Encrypted:	false
SSDEEP:	6:xgMMM4rMZW7bXs+8QpzA5XBYhQFpd6NbdumV5gtnfDaF9FKCWf+QG5lD1I/9MZZ/:xgMMG2bXs+8LWQR6NbdtTuujLWf/mmGj
MD5:	EF75B1320D4636D929AB2BC4733B4A44
SHA1:	4E952E5A4013633C6F17CB568F0434216798E065
SHA-256:	165B768C980E6790C567819F1674DCC16A665089A34E844AA63480CD3A1D8001
SHA-512:	266551F74BF4381B60FD74C0ACD3AEF3289F89297D63F4086C5538D890ED2507F494DCBD23649F414B0E959579DD3C4B010D0F4106FB3A5E73E20163301D5000
Malicious:	false
Preview:	.......y..g..i.....M.IC.P.m.....R.\.k...$/..h.)G....H....F.r.../u.sNK...$d..bS..+U.2m......)....R..(....p....x.....Am...r.......g.r.p.....~.}.$9a.`......\........"..U-.....S.9z......a.\|.....6F....8......-..C.3....n..T......Z.`..../.... !...............l.K.}.?...'...Pq..MU..lx......8.... .N..B./...iv.-M.e"m...K.r...U.t./.4]........v.........<..{.k.

C:\Users\user\Favorites\Wikipedia.url Download File
Process:	C:\Users\user\Desktop\0ef0070d_by_Libranalysis.exe
File Type:	data
Category:	dropped
Size (bytes):	388
Entropy (8bit):	7.453009259813686
Encrypted:	false
SSDEEP:	6:KLlzO07SLzNo6nZcb/LwJPrOxz93xVoHGoft1vXjCek7GAJNy6ZqaqaevZgxxln:mzOkS3mjLwJPcRB0GoboPJNF5qRZ2ln
MD5:	5F042271EE67544634ECBDFCE85D2087
SHA1:	83B285249619CB785816204D99F38E827245E2DF
SHA-256:	A4937614DDB762E93EF53999F8AF8720658513DF81A9F603FFEC68521D653199
SHA-512:	256EC4F2FEB7CEE1BE2873D17A2FD40DC754A1180DEAB97E57853FA6B1AEFEE8C91071E6AB435872D9F297F144AB2828DC1AE33205ACCCD11D2FEFFB56512AE3
Malicious:	false
Preview:	..u...Hg..../....[3.......\|.p.q.;!:9Rn.i.g.....g.D.w..y.$.-..x.........T.'.g...:}...B.k....z_8.``u.....R..%;<..1A.....N.Vub....i......?.@4...n..i......&R.9\|9.\#^..3R.l..9vX.?.j.UBj..z^...N.,.m3.T.^.5C6..{..........>?K.zR...TW.q.6.3..1...F.......R.^o...d.;=.n.P....].~"^....1.....i...d..(."...[,.P.....9...{.......~..T.t,..o..._.G....O?........_(.2.#o.........kG.m.\.q..

C:\Users\user\Favorites\Youtube.url Download File
Process:	C:\Users\user\Desktop\0ef0070d_by_Libranalysis.exe
File Type:	data
Category:	dropped
Size (bytes):	372
Entropy (8bit):	7.388945976478675
Encrypted:	false
SSDEEP:	6:u6/zvBBesAKh3xl6hvK9m9BrLfu7Olyzovpcd//kNWq6QEMRAcof+YGNY3Rj2/f2:u6/Db3xl6h+y5LgKYovyWNWq6QE9vfx9
MD5:	7817826B4E7DFAC6D90A80FE845AEB7D
SHA1:	7F8DDE8D168E9F3DCB6CF5A60FD5EC3301BE08DD
SHA-256:	2F63309EC1121F6D5A4D8F42A8C6A6DAAC5F74D3E3D6C0E3883A4286C413AA3F
SHA-512:	967A0AE1D4C117090F30854886A6558F8C2DDAD2F04383736C4567B8913E90B105C22B162946012F5FB6015CCB3B799589DEE6BCA51DB2B718FDF5441612E73F
Malicious:	false
Preview:	;.!(oP.ek05./6,......a.-...%_.`).....LdZ.^X.........%L...c...g..$....l.@...//.S.GCOE.q...=.=F,.$...qH........Y.GCd........r.....dntf......j..e....&....QjW..rh..J.a...!.@.....%.#m..}...W...po....)dBN8....V...WPzC...r.(Y.T#.)....(t....z.?C3J.;.....#.0r-,...r.4...q#...%."Sy...../....Sb..U...5..aC'Yb.n..4..C...c.~..u:6.j.`%N.............3...;.!..

C:\Users\user\Favorites\read_me_unlock.txt Download File
Process:	C:\Users\user\Desktop\0ef0070d_by_Libranalysis.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	696
Entropy (8bit):	4.881841175168212
Encrypted:	false
SSDEEP:	12:awnG6J+d6tYzsqoo85X2OqHEMN94XsEU14HQ5BRWH1:aYC6GX85X2fHx/4cES4HEBy1
MD5:	04953EFE5CE48616B2ACD837ACCD6EB8
SHA1:	F7E7DF61C8556A9DF22208114C9D77C50B882731
SHA-256:	DAFC32C6BA65F27943B0E7E1C6F714A0C909904FB3156E7123F8A978F0948CD4
SHA-512:	888A80330EC599E48A6BBA56F709C3BB2EE12A9D582D45D861D42845CC65D0DF1B7B9C84D41395ABDAE88204D5DBF4876767891A062A7951EB059F19A063B523
Malicious:	false
Preview:	Hello dear westernpathologyinc! ....Unfortunately, your files have been encrypted and attackers are taking over 1 TB of your personal data. ....financial reports and many other documents. ....Do not try to recover files yourself, you can damage them without special software. ....We can help you recover your files and prevent your data from leaking or being sold on the darknet. ....Just contact support using the following methods and we will decrypt ..one non-important file for free to convince you of our honesty....use TOR browser to talk with support....http://uqudwxzszbcj6uxbhbdccmixvwjfewn565ifotzvcbbimsjjcczsvpyd.onion/25659336f9879d3f18e3f621199af56de327d220d444654779aeb406a360f2d4

C:\Users\user\Links\Desktop.lnk Download File
Process:	C:\Users\user\Desktop\0ef0070d_by_Libranalysis.exe
File Type:	data
Category:	dropped
Size (bytes):	756
Entropy (8bit):	7.739197650155807
Encrypted:	false
SSDEEP:	12:mBny3IRD00OsDiReJA1jY2u+6kJqGVrrUOUpXpVuJ0v+EdTGkKM0mGfNiwZSO2G4:Ums+RxYVJYwOJw+ElSntFQRGgvd
MD5:	42E91EF60AF97F01CA0B03AB9C019569
SHA1:	CA200B4ABEBD3FCBF781A1459DA6C4B8541FCA69
SHA-256:	F2E3461254904EAAA693618136A99D6895E752021D50D53EBE128A256EC164B1
SHA-512:	5D9822059BFCAA974ADCDD740E91B83383DAAAE149C7700DFA2C052C7FB7230EF3C92691703F8C2145C9FB02DE995B0B9F82A45165353D78A0105D70B9A00DFA
Malicious:	false
Preview:	.......Q...%.+...\|.e......~.ws.Dx.H.\|......>D....2.u..&..5!.=mh._}g..vB.g.s^,..!....r3.<....:.G.@.....7..3...0...uN..._.I.@.._ht..y3.P..m..........S...Kb.....La@..... .......O.H.3.....[p.l=b.&...-..._.o...8..1.c...[~.....^P..}......+.8FV..In.. .5v.po..J.&n.!?.........\|......R..m..;..f..E..S.4.>qC..L....../.C.=ICWD".....-b.!%.VJ.. .........Q.y$:....N.h.#...T...TE..Wd .....~/...."@UuA...>y....%.TM@.......s;....S....$P>.M.IU.....t.....1{Q.q:Y.1.2.n...2.&..~t@b<....p........:/`.x..e.2h.Y..b.....q..q....#....J<h~0.$64..:l..K.ka%.z.....J.'.....L*..".GB.._G..:Hn.."A.....O..E.l....Y...m...Zx.Y...$.9L...I..t...D...........x....!9Di3..+...qM7._...3...=.7.......#..S..>.?of.T....l......Y;...B.K........:xi.)...@..Na..y

C:\Users\user\Links\Downloads.lnk Download File
Process:	C:\Users\user\Desktop\0ef0070d_by_Libranalysis.exe
File Type:	data
Category:	dropped
Size (bytes):	1204
Entropy (8bit):	7.8585543086180865
Encrypted:	false
SSDEEP:	24:Ee3iaxg6aP4+FVm+LcEzq3O1z2a5zo8V5/VH35uKKlCo:EQDxgjdE+1AMyah35uKzo
MD5:	A2CA49DFEFDB5E58C0E1D8313704CC29
SHA1:	ADDB5403F782EF6F94652748BB64B37A51114B5D
SHA-256:	FF899DFB01D32DAF409D19DDD04A5C86CC4BBC3EEC99640C72273772FE246527
SHA-512:	02A1B8A1AFCBD1E44FDAA2B9964CCBE2A7B905E5CB069346F635EF6C05EDA98AFDECD630452AB4981C670D43AFE698135A049DC4B8E332C8C3D7A6D76D77E824
Malicious:	false
Preview:	......D.........)".X..`6.!.Y.....`.2....N.......Q5......sn.C...q......F...G?.c.zs..X.....M..i.[....}m.uBf.'.F......e.H\|'...UI..\^.In...6..o..........]$.\l.....z>L5..e..z0>.r...3'n&.@..zbShY.3..D..r...`F.'G.....GK..Q.......h.;\...]Wu".m...pf....D...x.@.tj.3.x.....w...g....eM.X.w.dz}..^]_uT?..dMt.'_...8a.mVf..+....A....;..z%%............$U5....aO..=.l.r{.pb~.q.ob%... .....p^.&Rk2.}EL0#.....8.].$<J7:"...{..i..P.......q....."C@.Jn1..~,.e......."rZFA....tg.\|......N\..X..D..R.V...m..u.V..mG..]...?4.\|.."5.r...2..V...%-U}.j..}#k$....P.=..?..s/lJ)Y.[....x.W"`...+.y...WD{..y.'.,...U.....A.I....'.gY......-.v.....Ln.\|.....b-.....$6..k...tH...G.c.y5H..2....../......2.\|.g%.....".N@.:(..^B-....p6.....LZ..+..)........8. .E..(.k...[#>..7..1Z..+'x....cU.\.=....r...L.8.3.tmlk.E....T.K_W..3".."..$.......$.6...[./4....c..,...Ts..k..../S.M...I0T.....(......%.......-o.......H ..\..().0..N./.aa.!......Y......j. S. .......3.<..z.....+....z-......6.

C:\Users\user\Links\read_me_unlock.txt Download File
Process:	C:\Users\user\Desktop\0ef0070d_by_Libranalysis.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	696
Entropy (8bit):	4.881841175168212
Encrypted:	false
SSDEEP:	12:awnG6J+d6tYzsqoo85X2OqHEMN94XsEU14HQ5BRWH1:aYC6GX85X2fHx/4cES4HEBy1
MD5:	04953EFE5CE48616B2ACD837ACCD6EB8
SHA1:	F7E7DF61C8556A9DF22208114C9D77C50B882731
SHA-256:	DAFC32C6BA65F27943B0E7E1C6F714A0C909904FB3156E7123F8A978F0948CD4
SHA-512:	888A80330EC599E48A6BBA56F709C3BB2EE12A9D582D45D861D42845CC65D0DF1B7B9C84D41395ABDAE88204D5DBF4876767891A062A7951EB059F19A063B523
Malicious:	false
Preview:	Hello dear westernpathologyinc! ....Unfortunately, your files have been encrypted and attackers are taking over 1 TB of your personal data. ....financial reports and many other documents. ....Do not try to recover files yourself, you can damage them without special software. ....We can help you recover your files and prevent your data from leaking or being sold on the darknet. ....Just contact support using the following methods and we will decrypt ..one non-important file for free to convince you of our honesty....use TOR browser to talk with support....http://uqudwxzszbcj6uxbhbdccmixvwjfewn565ifotzvcbbimsjjcczsvpyd.onion/25659336f9879d3f18e3f621199af56de327d220d444654779aeb406a360f2d4

C:\Users\user\MicrosoftEdgeBackups\backups\MicrosoftEdgeBackup20200930\DatastoreBackup\edb00001.log Download File
Process:	C:\Users\user\Desktop\0ef0070d_by_Libranalysis.exe
File Type:	data
Category:	dropped
Size (bytes):	82180
Entropy (8bit):	7.997770955967962
Encrypted:	true
SSDEEP:	1536:/xvZUFllTyFS3cbJa8GX0YQlO17MO2zmL09ASjNh96b6BeaSAqgjqLW52pE:/5ZUFWjUfQc1IO2zmw9Zjz9Teaaeq6gE
MD5:	ECD525D19C59605776739AFD546F7680
SHA1:	72E86C79419F76977A3DF5898E71A87407DE83E2
SHA-256:	79D2F95DDE291FAAB29DBF6A65A29C5A942DE79608FA27E6588815F1782100CD
SHA-512:	7810F98E5284B867C5A1AFE29B63D1924698D9408BD90821E3A3304F84FB736C901F9F16892772EA81386C84AA3EB134FBFD25B2DA0BA9BEA7D7E81348127B0E
Malicious:	false
Preview:	Q..s...4f..lB.r.w..%....A&.!y!.5.Z..4..._\|..9..Z..Y.....vK.f.......y.jm..D..P+.C.I...l.N.fg.:...o.....y...z.....%G.c.. r.O.{....k.40...G.....K{.,...i.../:..K\.1n...c...N.dK.^.xAC:s$..\.............Q.....".q-k.ep!..t.Bc..#.z.8c..W.>.n7<._...\|..]?T.)j....j...r.n\|l...y....Y..S.4.....Q......L....%..~i.^...>..\|.u.o.[9........."_.,.u....=!c2..i!.....Y.(!.a.......*..k.....k!......Y...e .R.-.>...+ x...C..~H....,\|`&A.%.....v.\|..\|..a..H...w&L..6.MX.'...me.^...W.G.."..\|/.../0.....2....T.P.N.>..ns1K.v.xM"....K..j9.V..N_.D#o..E...."J.O.p(Ry..... .=...../........$7...?.@O.w.}Z.........kY....f..3...$.S.k)>7.......5...J)..O0.j..$..n..Y..$u......)<.]).yWLS.q.f.}rOt.}....C&..`.3#.u...t...ewO.........3.\.. ........Z....c0.hl8_.d./.........&.u.A..$.t...1[?.-_...%...>...0..z....T5.+.....1...(.L..}3P7.......Zr[Qcw.g-......{..._..ev..S.v.:.[p.\|k.$..r...`n0;...z{.q..>..cb\..q...A.w..m^..MD....H.N..)....d3......0F...tK)dF}..1..{..Q]p.......w.....

C:\Users\user\MicrosoftEdgeBackups\backups\MicrosoftEdgeBackup20200930\DatastoreBackup\edb00002.log Download File
Process:	C:\Users\user\Desktop\0ef0070d_by_Libranalysis.exe
File Type:	data
Category:	dropped
Size (bytes):	49412
Entropy (8bit):	7.996361101884164
Encrypted:	true
SSDEEP:	1536:+81C/UgYWALfiL1L6Qyl6cUELfqkyGKtOJSFiPs:j1CMguf86qB6RCOJSFWs
MD5:	653E26B87C4EDFB1FB84C6E0854A9AC8
SHA1:	1F63B5299A414C90A83A9071452BEE2B27A1A6F9
SHA-256:	02B9CD08BCB295C488BE4B78ECBCB766BC1C57BDAA0923903B5516C52FDB4A25
SHA-512:	9B2987CF85EFF473424831DA0343725810496355DCFA61B7FB92F82C0E854C364F25C7C5CD8D85AEDBE839D87008A0FAD152673784DE99C16BED02535C4F7249
Malicious:	false
Preview:	....k..x.A..3....$..}....;.7<..U...~L....... H.Q.m..&..ND...8\|/.\|...=F..LW.........\.]..A..:..............1K.x+.. .~.A...R.S..<.....a(......!k...2...U.o.8.W%..TX.xb.v.y.y.=B..z3\N..P...\....-).....F{...u....T.n.Y"JA$.E.......K....<9.!c......w..Wc.N>....Fx.QhD.#..xQ.....V..g...t.$ss..vV.D.....0..n...x.!t.%p...:.km....\|#]..,.B...7...#..q..-=....~.A..1(.&\|..dS7..%.....c..W.tt..`.c..<.UNU.9%.;~9tO...;..^.......+..S#...H.}.........o...D...?....V.n.o....X.B...iE.tT....U.\w....B>M..Y.....T/.........o.s.B^...;....B.......r.H.i.^.?L....>.[.;.......D..N."u..B.J.h........`!.g.....3.2...{^(.ze,.{.$..W.]i`.#.hh.s..f....# ...*.S..F7\|..J6..^....&qeZ..4..!#.m...-xq+....^......%b...sS...G..&..6...5..a...r.I.P6.,7.@.......7.......~. ~.D.27.>.G/.....!...P>'... 8..D.......Z-.E.D...0_..M.}..a=.P....~.......!......`^.3aM..z;.1KJo..s...o..G..+...V!q}..=\h....{.r2L.....i.M...L.....Cz...+.?.\.C..R.M...7....Y.&..2l...X.....)...".jc.o?x.p.=...<uND..'j.N

C:\Users\user\MicrosoftEdgeBackups\backups\MicrosoftEdgeBackup20200930\DatastoreBackup\read_me_unlock.txt Download File
Process:	C:\Users\user\Desktop\0ef0070d_by_Libranalysis.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	696
Entropy (8bit):	4.881841175168212
Encrypted:	false
SSDEEP:	12:awnG6J+d6tYzsqoo85X2OqHEMN94XsEU14HQ5BRWH1:aYC6GX85X2fHx/4cES4HEBy1
MD5:	04953EFE5CE48616B2ACD837ACCD6EB8
SHA1:	F7E7DF61C8556A9DF22208114C9D77C50B882731
SHA-256:	DAFC32C6BA65F27943B0E7E1C6F714A0C909904FB3156E7123F8A978F0948CD4
SHA-512:	888A80330EC599E48A6BBA56F709C3BB2EE12A9D582D45D861D42845CC65D0DF1B7B9C84D41395ABDAE88204D5DBF4876767891A062A7951EB059F19A063B523
Malicious:	false
Preview:	Hello dear westernpathologyinc! ....Unfortunately, your files have been encrypted and attackers are taking over 1 TB of your personal data. ....financial reports and many other documents. ....Do not try to recover files yourself, you can damage them without special software. ....We can help you recover your files and prevent your data from leaking or being sold on the darknet. ....Just contact support using the following methods and we will decrypt ..one non-important file for free to convince you of our honesty....use TOR browser to talk with support....http://uqudwxzszbcj6uxbhbdccmixvwjfewn565ifotzvcbbimsjjcczsvpyd.onion/25659336f9879d3f18e3f621199af56de327d220d444654779aeb406a360f2d4

C:\Users\user\MicrosoftEdgeBackups\backups\MicrosoftEdgeBackup20200930\DatastoreBackup\schema.txt Download File
Process:	C:\Users\user\Desktop\0ef0070d_by_Libranalysis.exe
File Type:	data
Category:	dropped
Size (bytes):	292
Entropy (8bit):	7.285105156466586
Encrypted:	false
SSDEEP:	6:4x6tnqLjuoH68MbHT2VMN29b2KTJlx6REmrT/TFKSR27foJAqpQW7:4x6FqX1a8aKVaaxTB6Sqbgi88pJ
MD5:	5DB9821418CC0EF6D642FDBB6D22CAB5
SHA1:	D3C1FD2A12624BEFA1315799845AE95CCA4BC795
SHA-256:	C6C297834717406359FB8D5AB0B430CD4C86A8AE0CC97AB4743EDA38973FE3B5
SHA-512:	35C39B8DA00132D09490FC715948813BE6BF8A5317292BA7451A8E3F5E4396C22D474F1980919249BB894EBE43262A8B327068C49766F39096202AB3F329A3F9
Malicious:	false
Preview:	....,..........].z....9.........1s.s..>.k:1EH.y#.?...ofD..W..}O+..1....%..[.P$L,..U..vo..A<.'^E.G.D?Z\| ]s]fi...."#q....\|rX...b..j.....5...._...y0<2.1.{....._o.M.d....oO.[....Z._....(.{8...."../..np..x..O......6......d...H.ui!I..P...J.&.c.n.....I0.lV....f.F......OQ.rcwy/..I......

C:\Users\user\MicrosoftEdgeBackups\backups\MicrosoftEdgeBackup20200930\DatastoreBackup\spartan.edb Download File
Process:	C:\Users\user\Desktop\0ef0070d_by_Libranalysis.exe
File Type:	data
Category:	dropped
Size (bytes):	180484
Entropy (8bit):	7.998975511685634
Encrypted:	true
SSDEEP:	3072:avPbDYi3kOSQKTZwqmIDWd5YE18E4TkLYLxi9roxwhE0rlXAHAi5tw0iNItFgF:sDsrO889dis/iLU9rVE0ZXk5hyIs
MD5:	B781281CDE1771A46778B256122ACA4B
SHA1:	4F8DB0F63B1C66EDF6428C8B2F63AF84F5F90F86
SHA-256:	8F33A5D1F1981446E784A6A513EA777AE62D9AB13FBE4AF758BF94DA0E5851B2
SHA-512:	6E2550E5C7A5E19B7E47D6EC30A38FEA40149735E6724024EFC704A9E9A635038B7AE9D95E1F1158B0F08222F2DE41A60A8222BEFFB8C8249CAE848B6BB450A3
Malicious:	false
Preview:	...P3..y..i..'.&..\Dw"<F.J.=...7...\|........sTi!..5....k.jY..^..R..T.'......"...}.s..0P.A..A.<.Y.f..^......kcWBa=J..:..+..j.t#.....uu...........n........cy.....H.o.. Kb........s.R.u).>e.....3.~h....V ....-...8.\|.$..M=.Tn_.w.c...<.#...5.u\|<..P_(FT../.k......a.8.W..%..4Y=.M#I...6..5...6.T..H.o..Y.O....[+.P,u.....}[."r."....<.R!aZ.5.u..!..}.2PB..F;.......Q..@kToqM..4>;,....B...h..,.Y.)..4P....&8..q..8...<d.$.]....$..w0...U.J...;..O[.....@12...8C.J\.....H..X....l....b.]v+.t....V~;..@...(...<..^.{3#/5.PAa......jue.~..!.a. ..8.G..g...[..c..o.e...T'YL@...... ...n...d.6....}K..m3...S.4..y......M.T-.....$G....-NPP....g!WJ."...K$.-...~...qI..j...8Y,C.2G..jR../B7.@..q.2?...C.O^.).../.(......R....$....y.o!.r...i.U.N.....y........'..yF..<.u..{.;...U6l.......?......1A......}...".-..6..(..l...C..yg......o.....5..W.x..b......>...bl...... .......P:....l.R.9..........a..+...d\o&XK.m".0r......#..>xB..6...\.l_.d.A4...L.. S.(Q)...p.......S..-...!.s

C:\Users\user\MicrosoftEdgeBackups\backups\MicrosoftEdgeBackup20200930\MicrosoftEdgeCookiesBackup.dat Download File
Process:	C:\Users\user\Desktop\0ef0070d_by_Libranalysis.exe
File Type:	data
Category:	dropped
Size (bytes):	516
Entropy (8bit):	7.550433670357233
Encrypted:	false
SSDEEP:	12:id6+gO9qo9D1CsALghSJNEgBNGOi/7XaHvCITVPGrr:i81OUo9DgsAUUJNs//76C6Pe
MD5:	0A9A61F37E4F234E47263BE4E15BD05D
SHA1:	9CF1C996CD9027CDD0E0D295798685F44FA2C5EA
SHA-256:	3F012D497D0453B7C89CB217B14E909C0532E081276C7846E01ED0446FBB280C
SHA-512:	F364A13BBE48A5F4AA76A940D67BCAC3D446319D0EDB9693AF4076D8F82232E714F2D60877E97699CF62762BA4B678BE17A24F764A5CB5A74AFC571F017FB48C
Malicious:	false
Preview:	d.....z.4......4}r...j.R.[R....8..w.Ng......_........D_S.q...Sx.E..1../..t...).....r..L...v'.j.Q..&.[...N..R..=-....D..O..L...4.,?]..<BF......2".2dV...f S..P..?A.8...f....3.?.x..Q..=C..\|.x... ......"..R...F.Yx.hc..H..8. d......L..s..5.....~/NMJ...X.ak.e..j.......>.W..X......X.YM.....e.......d.%.u....as_...%....F.=~...PvjP..Z......M.V^u&.~.;......4..{.OX1$.F.N....&.`X..........A.l._C.,......Q.u..u...l..]...p.......[...i.<.X......_5)..=.X....W7..#8......=.....&.r.s.=%7..E.H.~.r..

C:\Users\user\MicrosoftEdgeBackups\backups\MicrosoftEdgeBackup20200930\read_me_unlock.txt Download File
Process:	C:\Users\user\Desktop\0ef0070d_by_Libranalysis.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	696
Entropy (8bit):	4.881841175168212
Encrypted:	false
SSDEEP:	12:awnG6J+d6tYzsqoo85X2OqHEMN94XsEU14HQ5BRWH1:aYC6GX85X2fHx/4cES4HEBy1
MD5:	04953EFE5CE48616B2ACD837ACCD6EB8
SHA1:	F7E7DF61C8556A9DF22208114C9D77C50B882731
SHA-256:	DAFC32C6BA65F27943B0E7E1C6F714A0C909904FB3156E7123F8A978F0948CD4
SHA-512:	888A80330EC599E48A6BBA56F709C3BB2EE12A9D582D45D861D42845CC65D0DF1B7B9C84D41395ABDAE88204D5DBF4876767891A062A7951EB059F19A063B523
Malicious:	false
Preview:	Hello dear westernpathologyinc! ....Unfortunately, your files have been encrypted and attackers are taking over 1 TB of your personal data. ....financial reports and many other documents. ....Do not try to recover files yourself, you can damage them without special software. ....We can help you recover your files and prevent your data from leaking or being sold on the darknet. ....Just contact support using the following methods and we will decrypt ..one non-important file for free to convince you of our honesty....use TOR browser to talk with support....http://uqudwxzszbcj6uxbhbdccmixvwjfewn565ifotzvcbbimsjjcczsvpyd.onion/25659336f9879d3f18e3f621199af56de327d220d444654779aeb406a360f2d4

C:\Users\user\MicrosoftEdgeBackups\backups\read_me_unlock.txt Download File
Process:	C:\Users\user\Desktop\0ef0070d_by_Libranalysis.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	696
Entropy (8bit):	4.881841175168212
Encrypted:	false
SSDEEP:	12:awnG6J+d6tYzsqoo85X2OqHEMN94XsEU14HQ5BRWH1:aYC6GX85X2fHx/4cES4HEBy1
MD5:	04953EFE5CE48616B2ACD837ACCD6EB8
SHA1:	F7E7DF61C8556A9DF22208114C9D77C50B882731
SHA-256:	DAFC32C6BA65F27943B0E7E1C6F714A0C909904FB3156E7123F8A978F0948CD4
SHA-512:	888A80330EC599E48A6BBA56F709C3BB2EE12A9D582D45D861D42845CC65D0DF1B7B9C84D41395ABDAE88204D5DBF4876767891A062A7951EB059F19A063B523
Malicious:	false
Preview:	Hello dear westernpathologyinc! ....Unfortunately, your files have been encrypted and attackers are taking over 1 TB of your personal data. ....financial reports and many other documents. ....Do not try to recover files yourself, you can damage them without special software. ....We can help you recover your files and prevent your data from leaking or being sold on the darknet. ....Just contact support using the following methods and we will decrypt ..one non-important file for free to convince you of our honesty....use TOR browser to talk with support....http://uqudwxzszbcj6uxbhbdccmixvwjfewn565ifotzvcbbimsjjcczsvpyd.onion/25659336f9879d3f18e3f621199af56de327d220d444654779aeb406a360f2d4

C:\Users\user\MicrosoftEdgeBackups\read_me_unlock.txt Download File
Process:	C:\Users\user\Desktop\0ef0070d_by_Libranalysis.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	696
Entropy (8bit):	4.881841175168212
Encrypted:	false
SSDEEP:	12:awnG6J+d6tYzsqoo85X2OqHEMN94XsEU14HQ5BRWH1:aYC6GX85X2fHx/4cES4HEBy1
MD5:	04953EFE5CE48616B2ACD837ACCD6EB8
SHA1:	F7E7DF61C8556A9DF22208114C9D77C50B882731
SHA-256:	DAFC32C6BA65F27943B0E7E1C6F714A0C909904FB3156E7123F8A978F0948CD4
SHA-512:	888A80330EC599E48A6BBA56F709C3BB2EE12A9D582D45D861D42845CC65D0DF1B7B9C84D41395ABDAE88204D5DBF4876767891A062A7951EB059F19A063B523
Malicious:	false
Preview:	Hello dear westernpathologyinc! ....Unfortunately, your files have been encrypted and attackers are taking over 1 TB of your personal data. ....financial reports and many other documents. ....Do not try to recover files yourself, you can damage them without special software. ....We can help you recover your files and prevent your data from leaking or being sold on the darknet. ....Just contact support using the following methods and we will decrypt ..one non-important file for free to convince you of our honesty....use TOR browser to talk with support....http://uqudwxzszbcj6uxbhbdccmixvwjfewn565ifotzvcbbimsjjcczsvpyd.onion/25659336f9879d3f18e3f621199af56de327d220d444654779aeb406a360f2d4

C:\Users\user\Music\read_me_unlock.txt Download File
Process:	C:\Users\user\Desktop\0ef0070d_by_Libranalysis.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	696
Entropy (8bit):	4.881841175168212
Encrypted:	false
SSDEEP:	12:awnG6J+d6tYzsqoo85X2OqHEMN94XsEU14HQ5BRWH1:aYC6GX85X2fHx/4cES4HEBy1
MD5:	04953EFE5CE48616B2ACD837ACCD6EB8
SHA1:	F7E7DF61C8556A9DF22208114C9D77C50B882731
SHA-256:	DAFC32C6BA65F27943B0E7E1C6F714A0C909904FB3156E7123F8A978F0948CD4
SHA-512:	888A80330EC599E48A6BBA56F709C3BB2EE12A9D582D45D861D42845CC65D0DF1B7B9C84D41395ABDAE88204D5DBF4876767891A062A7951EB059F19A063B523
Malicious:	false
Preview:	Hello dear westernpathologyinc! ....Unfortunately, your files have been encrypted and attackers are taking over 1 TB of your personal data. ....financial reports and many other documents. ....Do not try to recover files yourself, you can damage them without special software. ....We can help you recover your files and prevent your data from leaking or being sold on the darknet. ....Just contact support using the following methods and we will decrypt ..one non-important file for free to convince you of our honesty....use TOR browser to talk with support....http://uqudwxzszbcj6uxbhbdccmixvwjfewn565ifotzvcbbimsjjcczsvpyd.onion/25659336f9879d3f18e3f621199af56de327d220d444654779aeb406a360f2d4

C:\Users\user\OneDrive\read_me_unlock.txt Download File
Process:	C:\Users\user\Desktop\0ef0070d_by_Libranalysis.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	696
Entropy (8bit):	4.881841175168212
Encrypted:	false
SSDEEP:	12:awnG6J+d6tYzsqoo85X2OqHEMN94XsEU14HQ5BRWH1:aYC6GX85X2fHx/4cES4HEBy1
MD5:	04953EFE5CE48616B2ACD837ACCD6EB8
SHA1:	F7E7DF61C8556A9DF22208114C9D77C50B882731
SHA-256:	DAFC32C6BA65F27943B0E7E1C6F714A0C909904FB3156E7123F8A978F0948CD4
SHA-512:	888A80330EC599E48A6BBA56F709C3BB2EE12A9D582D45D861D42845CC65D0DF1B7B9C84D41395ABDAE88204D5DBF4876767891A062A7951EB059F19A063B523
Malicious:	false
Preview:	Hello dear westernpathologyinc! ....Unfortunately, your files have been encrypted and attackers are taking over 1 TB of your personal data. ....financial reports and many other documents. ....Do not try to recover files yourself, you can damage them without special software. ....We can help you recover your files and prevent your data from leaking or being sold on the darknet. ....Just contact support using the following methods and we will decrypt ..one non-important file for free to convince you of our honesty....use TOR browser to talk with support....http://uqudwxzszbcj6uxbhbdccmixvwjfewn565ifotzvcbbimsjjcczsvpyd.onion/25659336f9879d3f18e3f621199af56de327d220d444654779aeb406a360f2d4

C:\Users\user\Pictures\Camera Roll\read_me_unlock.txt Download File
Process:	C:\Users\user\Desktop\0ef0070d_by_Libranalysis.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	696
Entropy (8bit):	4.881841175168212
Encrypted:	false
SSDEEP:	12:awnG6J+d6tYzsqoo85X2OqHEMN94XsEU14HQ5BRWH1:aYC6GX85X2fHx/4cES4HEBy1
MD5:	04953EFE5CE48616B2ACD837ACCD6EB8
SHA1:	F7E7DF61C8556A9DF22208114C9D77C50B882731
SHA-256:	DAFC32C6BA65F27943B0E7E1C6F714A0C909904FB3156E7123F8A978F0948CD4
SHA-512:	888A80330EC599E48A6BBA56F709C3BB2EE12A9D582D45D861D42845CC65D0DF1B7B9C84D41395ABDAE88204D5DBF4876767891A062A7951EB059F19A063B523
Malicious:	false
Preview:	Hello dear westernpathologyinc! ....Unfortunately, your files have been encrypted and attackers are taking over 1 TB of your personal data. ....financial reports and many other documents. ....Do not try to recover files yourself, you can damage them without special software. ....We can help you recover your files and prevent your data from leaking or being sold on the darknet. ....Just contact support using the following methods and we will decrypt ..one non-important file for free to convince you of our honesty....use TOR browser to talk with support....http://uqudwxzszbcj6uxbhbdccmixvwjfewn565ifotzvcbbimsjjcczsvpyd.onion/25659336f9879d3f18e3f621199af56de327d220d444654779aeb406a360f2d4

C:\Users\user\Pictures\read_me_unlock.txt Download File
Process:	C:\Users\user\Desktop\0ef0070d_by_Libranalysis.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	696
Entropy (8bit):	4.881841175168212
Encrypted:	false
SSDEEP:	12:awnG6J+d6tYzsqoo85X2OqHEMN94XsEU14HQ5BRWH1:aYC6GX85X2fHx/4cES4HEBy1
MD5:	04953EFE5CE48616B2ACD837ACCD6EB8
SHA1:	F7E7DF61C8556A9DF22208114C9D77C50B882731
SHA-256:	DAFC32C6BA65F27943B0E7E1C6F714A0C909904FB3156E7123F8A978F0948CD4
SHA-512:	888A80330EC599E48A6BBA56F709C3BB2EE12A9D582D45D861D42845CC65D0DF1B7B9C84D41395ABDAE88204D5DBF4876767891A062A7951EB059F19A063B523
Malicious:	false
Preview:	Hello dear westernpathologyinc! ....Unfortunately, your files have been encrypted and attackers are taking over 1 TB of your personal data. ....financial reports and many other documents. ....Do not try to recover files yourself, you can damage them without special software. ....We can help you recover your files and prevent your data from leaking or being sold on the darknet. ....Just contact support using the following methods and we will decrypt ..one non-important file for free to convince you of our honesty....use TOR browser to talk with support....http://uqudwxzszbcj6uxbhbdccmixvwjfewn565ifotzvcbbimsjjcczsvpyd.onion/25659336f9879d3f18e3f621199af56de327d220d444654779aeb406a360f2d4

C:\Users\user\Recent\read_me_unlock.txt Download File
Process:	C:\Users\user\Desktop\0ef0070d_by_Libranalysis.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	696
Entropy (8bit):	4.881841175168212
Encrypted:	false
SSDEEP:	12:awnG6J+d6tYzsqoo85X2OqHEMN94XsEU14HQ5BRWH1:aYC6GX85X2fHx/4cES4HEBy1
MD5:	04953EFE5CE48616B2ACD837ACCD6EB8
SHA1:	F7E7DF61C8556A9DF22208114C9D77C50B882731
SHA-256:	DAFC32C6BA65F27943B0E7E1C6F714A0C909904FB3156E7123F8A978F0948CD4
SHA-512:	888A80330EC599E48A6BBA56F709C3BB2EE12A9D582D45D861D42845CC65D0DF1B7B9C84D41395ABDAE88204D5DBF4876767891A062A7951EB059F19A063B523
Malicious:	false
Preview:	Hello dear westernpathologyinc! ....Unfortunately, your files have been encrypted and attackers are taking over 1 TB of your personal data. ....financial reports and many other documents. ....Do not try to recover files yourself, you can damage them without special software. ....We can help you recover your files and prevent your data from leaking or being sold on the darknet. ....Just contact support using the following methods and we will decrypt ..one non-important file for free to convince you of our honesty....use TOR browser to talk with support....http://uqudwxzszbcj6uxbhbdccmixvwjfewn565ifotzvcbbimsjjcczsvpyd.onion/25659336f9879d3f18e3f621199af56de327d220d444654779aeb406a360f2d4

C:\Users\user\Saved Games\read_me_unlock.txt Download File
Process:	C:\Users\user\Desktop\0ef0070d_by_Libranalysis.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	696
Entropy (8bit):	4.881841175168212
Encrypted:	false
SSDEEP:	12:awnG6J+d6tYzsqoo85X2OqHEMN94XsEU14HQ5BRWH1:aYC6GX85X2fHx/4cES4HEBy1
MD5:	04953EFE5CE48616B2ACD837ACCD6EB8
SHA1:	F7E7DF61C8556A9DF22208114C9D77C50B882731
SHA-256:	DAFC32C6BA65F27943B0E7E1C6F714A0C909904FB3156E7123F8A978F0948CD4
SHA-512:	888A80330EC599E48A6BBA56F709C3BB2EE12A9D582D45D861D42845CC65D0DF1B7B9C84D41395ABDAE88204D5DBF4876767891A062A7951EB059F19A063B523
Malicious:	false
Preview:	Hello dear westernpathologyinc! ....Unfortunately, your files have been encrypted and attackers are taking over 1 TB of your personal data. ....financial reports and many other documents. ....Do not try to recover files yourself, you can damage them without special software. ....We can help you recover your files and prevent your data from leaking or being sold on the darknet. ....Just contact support using the following methods and we will decrypt ..one non-important file for free to convince you of our honesty....use TOR browser to talk with support....http://uqudwxzszbcj6uxbhbdccmixvwjfewn565ifotzvcbbimsjjcczsvpyd.onion/25659336f9879d3f18e3f621199af56de327d220d444654779aeb406a360f2d4

C:\Users\user\Searches\Everywhere.search-ms Download File
Process:	C:\Users\user\Desktop\0ef0070d_by_Libranalysis.exe
File Type:	data
Category:	dropped
Size (bytes):	516
Entropy (8bit):	7.587322928209809
Encrypted:	false
SSDEEP:	6:/0iksBejJTkO5d7JAr12auvLbVF8V8ayl2elSktl/hH2y+ZCgw/Xp0RXqiFa/nzR:/Yk9Cnblq2xky+c/50RXnaSf4gIn
MD5:	842C9937A1F75F6A62FC356F593E2128
SHA1:	201F0463F553884533E7D5C28AC76AC4844FB28B
SHA-256:	3732C337C985B01D965A6476E80FE8F818D68FD81B997C5EDAED951156EB0442
SHA-512:	549C5C7FFD122578E2B0B95AFDEE6A7D86E32B85996AAC75810E57831350EAA55C99463F86EDA9348188E5D5C4623C8D9336A88668ED9BCEA12B7E291B873CBA
Malicious:	false
Preview:	:...HYQaz..8N..c..?..j:1...vR.)...B}.q..z..C..w.~......(.j.......K....x1..Yx...f8B.2!i.>P...g.U.....p.(...(/..m.r...D.k.;.i,8.?.RN(.).%}.....VA......L....g.=.?....WeQ.L.i...k)r..$h.....U\|..LI`Y..>.<.............+}>...o^......U?.n9......F...$.y.:....x.g\|...c5........q...L.,....d......S..K..W...Y"..J.....\c.q.7...M...E../..qZ.a8...y..c..r$.......*[P.....ubB........_......Q....2.+.....u7.....NW.,R..En.......S..9@.x....q...4.k.j24.]..F...d...D.yO8m.U....9...,\.......YQ.5P.h...c....ce[..

C:\Users\user\Searches\Indexed Locations.search-ms Download File
Process:	C:\Users\user\Desktop\0ef0070d_by_Libranalysis.exe
File Type:	data
Category:	dropped
Size (bytes):	516
Entropy (8bit):	7.5745013739176645
Encrypted:	false
SSDEEP:	12:NCJXY2FhjUj/BK3OJMApQIjvMTqxMTYh7jJxEKHUG:NKXbnju/5MApQWMexM671xXUG
MD5:	66AB6F2FF27DDA156F7EEB6366B2C5A5
SHA1:	146970D90B03BF349BDF59940D13E7CF183CFF1D
SHA-256:	F61F81C81A0BD55C703D6834C4E8176DA2D3DE63AC68AAB3D4E968ACCE620CCE
SHA-512:	5017FB04F3D27C7EA66BCE5D5FA18B7CEB02B7233BCEEC7526483D2027426D3A9713C6C1B2B96AE56332F4713481618AD6BB5183D4A03A58E385379155AC2FCD
Malicious:	false
Preview:	Q.f.s...H..0...d.C.g.X9....7p..k.H.C.^....'..cXMk...=.{..Y.Iv..[...q..R...Z...n.u..{8.BdN..r....B....O...0.>..<..X-OD.... .W..@..t<..Q..ng.3.!... .`.'..%....W..6..6J.u!..dE.......H.h@vu-....S.J...g6..7KG.E&c....B..........H.-kH......J...c..i..9G....,.j.o.#.....)....Tau.& ..z^'+,.@nm....1......J&..oU...Wbl..`./...c....j......V-.o ../.k0.^A+..]./..s.a....x.]...3.N.u..I....t....:[.p.S2.Q.T5.`..6..K3..o..x.C.....J#.......C.`.....@9..g}...Ly..7.6....kw...J.2........0...j...

C:\Users\user\Searches\read_me_unlock.txt Download File
Process:	C:\Users\user\Desktop\0ef0070d_by_Libranalysis.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	696
Entropy (8bit):	4.881841175168212
Encrypted:	false
SSDEEP:	12:awnG6J+d6tYzsqoo85X2OqHEMN94XsEU14HQ5BRWH1:aYC6GX85X2fHx/4cES4HEBy1
MD5:	04953EFE5CE48616B2ACD837ACCD6EB8
SHA1:	F7E7DF61C8556A9DF22208114C9D77C50B882731
SHA-256:	DAFC32C6BA65F27943B0E7E1C6F714A0C909904FB3156E7123F8A978F0948CD4
SHA-512:	888A80330EC599E48A6BBA56F709C3BB2EE12A9D582D45D861D42845CC65D0DF1B7B9C84D41395ABDAE88204D5DBF4876767891A062A7951EB059F19A063B523
Malicious:	false
Preview:	Hello dear westernpathologyinc! ....Unfortunately, your files have been encrypted and attackers are taking over 1 TB of your personal data. ....financial reports and many other documents. ....Do not try to recover files yourself, you can damage them without special software. ....We can help you recover your files and prevent your data from leaking or being sold on the darknet. ....Just contact support using the following methods and we will decrypt ..one non-important file for free to convince you of our honesty....use TOR browser to talk with support....http://uqudwxzszbcj6uxbhbdccmixvwjfewn565ifotzvcbbimsjjcczsvpyd.onion/25659336f9879d3f18e3f621199af56de327d220d444654779aeb406a360f2d4

C:\Users\user\Searches\winrt--{S-1-5-21-3853321935-2125563209-4053062332-1002}-.searchconnector-ms Download File
Process:	C:\Users\user\Desktop\0ef0070d_by_Libranalysis.exe
File Type:	data
Category:	dropped
Size (bytes):	1124
Entropy (8bit):	7.806620831483269
Encrypted:	false
SSDEEP:	24:te1nvVWy8dSqa4j3fZ0uS5r1wwDN3r6rCIlLU9:I9VB8dSd4jB0D2wVwU9
MD5:	E1B7FBD788952D95A4EA9C0B39FBF6CC
SHA1:	9F9FB8E77387C9CAC88C691BBA9CCE35BBEE5DED
SHA-256:	20C096DDCB4A4FE43FA7AA7E4CDD5DDBF7B580061FE2783153488E19F9A0366C
SHA-512:	A1F7287C1AD0AC629412B49CD2B47FA29357DF824704D7CD3A3DA1B2872A73A9557F513CA11E42EBBF98FF971CB2C16D8FA28C8B7D99060C4CD33A5C9AB3F382
Malicious:	false
Preview:	7u....N5m...(.}....vH.RJ...C.vi../......D.I..A."..MG.)...E..K..c,'N...6.f..:...H...\u.N...Z..8@...I..n.8+j.....x.....R41....._./C... j.^.5.M.....-.O1...F.3..=..u.2.....#.B....k..&dE..g.k.K;k!0e.L.%~. =m$.i./6!..0.=.W......d.g..[.`..LXc..}..c.S...F....^..8..T.q.t..K.L.'+.YVI....Jn. .l.l..n.B+.......uqE.[.r.]a.p.....K.3.}.eK..(f..MiZvg5....c..f...-J.Iz.O.$.\|..!#i.6.u....>.C.+.5@........Z.0.E=..fLi.,.]....;.... .`.#<...Y......U.......v...?C.t...b..;.56}...I..d..a.Cb....$x....FE..U.y..)...JPdD.x..f.;.F.......AQ.Q;..f.vq7.6&..x.......Z.4.Vr}..<.8.......,u..,J..n.V.G.V.f8..d.OM....)O..O+..F....'$y.%.cw/.2..M...._.J.U....B....pM..3.+...G/.@..k]....oM.-...vu.k.....]+#Q.t...].p.....'.`.s....o....N.......!..2......Z......~l....(....^....7.....`...v.....Q2..g.9.m.2..s.?9x.JL^.`.!...A.......-..d~M.+pj6.h..d....V ..*..p#.r..Ub...~.......G.Kab.\|bC0....:../.....7.az}..[nM..)4..^KGPW.6..8....d....N...r$.S..6.....T...5...@.+..~C.h..<.._....!

C:\Users\user\Videos\read_me_unlock.txt Download File
Process:	C:\Users\user\Desktop\0ef0070d_by_Libranalysis.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	696
Entropy (8bit):	4.881841175168212
Encrypted:	false
SSDEEP:	12:awnG6J+d6tYzsqoo85X2OqHEMN94XsEU14HQ5BRWH1:aYC6GX85X2fHx/4cES4HEBy1
MD5:	04953EFE5CE48616B2ACD837ACCD6EB8
SHA1:	F7E7DF61C8556A9DF22208114C9D77C50B882731
SHA-256:	DAFC32C6BA65F27943B0E7E1C6F714A0C909904FB3156E7123F8A978F0948CD4
SHA-512:	888A80330EC599E48A6BBA56F709C3BB2EE12A9D582D45D861D42845CC65D0DF1B7B9C84D41395ABDAE88204D5DBF4876767891A062A7951EB059F19A063B523
Malicious:	false
Preview:	Hello dear westernpathologyinc! ....Unfortunately, your files have been encrypted and attackers are taking over 1 TB of your personal data. ....financial reports and many other documents. ....Do not try to recover files yourself, you can damage them without special software. ....We can help you recover your files and prevent your data from leaking or being sold on the darknet. ....Just contact support using the following methods and we will decrypt ..one non-important file for free to convince you of our honesty....use TOR browser to talk with support....http://uqudwxzszbcj6uxbhbdccmixvwjfewn565ifotzvcbbimsjjcczsvpyd.onion/25659336f9879d3f18e3f621199af56de327d220d444654779aeb406a360f2d4

C:\Users\user\ntuser.ini Download File
Process:	C:\Users\user\Desktop\0ef0070d_by_Libranalysis.exe
File Type:	data
Category:	modified
Size (bytes):	292
Entropy (8bit):	7.228021969821385
Encrypted:	false
SSDEEP:	6:eUIXxYFaDous2kTA9kkoth8HX4vEtygmtf+7+EulgtI:UY+ov0OCRmtf+jggC
MD5:	2094AE63D0FF7457FD6308F97CE4C097
SHA1:	77A38CFB7120D1361D5CC138CEA217BB85DF3F5E
SHA-256:	560B80335AAD324AD771EBB607711170311AD2527E70F000BA8623148298C6A9
SHA-512:	753A228CCD6F3D569C9E2A99A1677A2AB7629FD0A05C6B5536551DFE58A2F3C76F9CA348315689DF4B3FE1FBA6368B84C22A4D0B3BF033902C3F7F8BF0985646
Malicious:	false
Preview:	..{z.t;.j)...D@?....r@..V@....@.........t.w-,Kn....i.5...?..a......\b...V.j..1SL.J....G%J..Jy.q(....D.9.....`."${..m._.rV...rx.M...8y59....=..=Z`\|F.8..o......<..........:.-}.#j.{.x(.{$....{.D.........fi/...S....SM....S)e........5T.........0..,.L.+:.3..g.:...X....u..M6.%.%..#{

C:\Users\user\read_me_unlock.txt Download File
Process:	C:\Users\user\Desktop\0ef0070d_by_Libranalysis.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	696
Entropy (8bit):	4.881841175168212
Encrypted:	false
SSDEEP:	12:awnG6J+d6tYzsqoo85X2OqHEMN94XsEU14HQ5BRWH1:aYC6GX85X2fHx/4cES4HEBy1
MD5:	04953EFE5CE48616B2ACD837ACCD6EB8
SHA1:	F7E7DF61C8556A9DF22208114C9D77C50B882731
SHA-256:	DAFC32C6BA65F27943B0E7E1C6F714A0C909904FB3156E7123F8A978F0948CD4
SHA-512:	888A80330EC599E48A6BBA56F709C3BB2EE12A9D582D45D861D42845CC65D0DF1B7B9C84D41395ABDAE88204D5DBF4876767891A062A7951EB059F19A063B523
Malicious:	false
Preview:	Hello dear westernpathologyinc! ....Unfortunately, your files have been encrypted and attackers are taking over 1 TB of your personal data. ....financial reports and many other documents. ....Do not try to recover files yourself, you can damage them without special software. ....We can help you recover your files and prevent your data from leaking or being sold on the darknet. ....Just contact support using the following methods and we will decrypt ..one non-important file for free to convince you of our honesty....use TOR browser to talk with support....http://uqudwxzszbcj6uxbhbdccmixvwjfewn565ifotzvcbbimsjjcczsvpyd.onion/25659336f9879d3f18e3f621199af56de327d220d444654779aeb406a360f2d4

C:\Users\read_me_unlock.txt Download File
Process:	C:\Users\user\Desktop\0ef0070d_by_Libranalysis.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	696
Entropy (8bit):	4.881841175168212
Encrypted:	false
SSDEEP:	12:awnG6J+d6tYzsqoo85X2OqHEMN94XsEU14HQ5BRWH1:aYC6GX85X2fHx/4cES4HEBy1
MD5:	04953EFE5CE48616B2ACD837ACCD6EB8
SHA1:	F7E7DF61C8556A9DF22208114C9D77C50B882731
SHA-256:	DAFC32C6BA65F27943B0E7E1C6F714A0C909904FB3156E7123F8A978F0948CD4
SHA-512:	888A80330EC599E48A6BBA56F709C3BB2EE12A9D582D45D861D42845CC65D0DF1B7B9C84D41395ABDAE88204D5DBF4876767891A062A7951EB059F19A063B523
Malicious:	false
Preview:	Hello dear westernpathologyinc! ....Unfortunately, your files have been encrypted and attackers are taking over 1 TB of your personal data. ....financial reports and many other documents. ....Do not try to recover files yourself, you can damage them without special software. ....We can help you recover your files and prevent your data from leaking or being sold on the darknet. ....Just contact support using the following methods and we will decrypt ..one non-important file for free to convince you of our honesty....use TOR browser to talk with support....http://uqudwxzszbcj6uxbhbdccmixvwjfewn565ifotzvcbbimsjjcczsvpyd.onion/25659336f9879d3f18e3f621199af56de327d220d444654779aeb406a360f2d4

C:\read_me_unlock.txt Download File
Process:	C:\Users\user\Desktop\0ef0070d_by_Libranalysis.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	696
Entropy (8bit):	4.881841175168212
Encrypted:	false
SSDEEP:	12:awnG6J+d6tYzsqoo85X2OqHEMN94XsEU14HQ5BRWH1:aYC6GX85X2fHx/4cES4HEBy1
MD5:	04953EFE5CE48616B2ACD837ACCD6EB8
SHA1:	F7E7DF61C8556A9DF22208114C9D77C50B882731
SHA-256:	DAFC32C6BA65F27943B0E7E1C6F714A0C909904FB3156E7123F8A978F0948CD4
SHA-512:	888A80330EC599E48A6BBA56F709C3BB2EE12A9D582D45D861D42845CC65D0DF1B7B9C84D41395ABDAE88204D5DBF4876767891A062A7951EB059F19A063B523
Malicious:	false
Preview:	Hello dear westernpathologyinc! ....Unfortunately, your files have been encrypted and attackers are taking over 1 TB of your personal data. ....financial reports and many other documents. ....Do not try to recover files yourself, you can damage them without special software. ....We can help you recover your files and prevent your data from leaking or being sold on the darknet. ....Just contact support using the following methods and we will decrypt ..one non-important file for free to convince you of our honesty....use TOR browser to talk with support....http://uqudwxzszbcj6uxbhbdccmixvwjfewn565ifotzvcbbimsjjcczsvpyd.onion/25659336f9879d3f18e3f621199af56de327d220d444654779aeb406a360f2d4

Static File Info

General
File type:	PE32 executable (console) Intel 80386 (stripped to external PDB), for MS Windows
Entropy (8bit):	6.293867473541274
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	0ef0070d_by_Libranalysis.exe
File size:	2207232
MD5:	0ef0070dfc132fc368c950f0bef762a3
SHA1:	572c864dfc9160e5aef2dcc9359bf909ca4ba1c5
SHA256:	097d28021ffb26cb5b7d2d1377578cd6e2005549e44b5b2491fd310ecf50f7a8
SHA512:	487062105c1af064fed38285aacd155971e29e295ac963619c4d3175677b3639d6d6c44a0925ba31a1eca99a1866d5be22234c2918d5db0919c32cace70ad83b
SSDEEP:	24576:O4tzlJ7As0QZi28TP4pK6uoLF/K8ctF5SA3dx2QiD3oLeus/hFeIqf0eaZgHwX+O:OIrfK8mF5ZNoXeXQXYpriCqg92+F1P
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.........!.......................................@.......................... $...........@................................

File Icon


Icon Hash:	00828e8e8686b000

Static PE Info

General
Entrypoint:	0x45a990
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows cui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE, DEBUG_STRIPPED
DLL Characteristics:	TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x0 [Thu Jan 1 00:00:00 1970 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	1
File Version Major:	6
File Version Minor:	1
Subsystem Version Major:	6
Subsystem Version Minor:	1
Import Hash:	4035d2883e01d64f3e7a9dccb1d63af5

Entrypoint Preview

Instruction
jmp 00007F8F14A52EF0h
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
mov ecx, dword ptr [esp+04h]
sub esp, 28h
mov dword ptr [esp+1Ch], ebx
mov dword ptr [esp+10h], ebp
mov dword ptr [esp+14h], esi
mov dword ptr [esp+18h], edi
mov esi, eax
mov edx, dword ptr fs:[00000014h]
cmp edx, 00000000h
jne 00007F8F14A55379h
mov eax, 00000000h
jmp 00007F8F14A553DFh
mov edx, dword ptr [edx+00000000h]
cmp edx, 00000000h
jne 00007F8F14A55377h
call 00007F8F14A55469h
mov dword ptr [esp+20h], edx
mov dword ptr [esp+24h], esp
mov ebx, dword ptr [edx+18h]
mov ebx, dword ptr [ebx]
cmp edx, ebx
je 00007F8F14A55393h
mov ebp, dword ptr fs:[00000014h]
mov dword ptr [ebp+00000000h], ebx
mov edi, dword ptr [ebx+1Ch]
sub edi, 04h
mov dword ptr [edi], 004356C0h
sub edi, 28h
mov dword ptr [edi+24h], esp
mov esp, edi
mov ebx, dword ptr [ecx]
mov ecx, dword ptr [ecx+04h]
mov dword ptr [esp], ebx
mov dword ptr [esp+04h], ecx
mov dword ptr [esp+08h], edx
call esi
mov eax, dword ptr [esp+0Ch]
mov esp, dword ptr [esp+24h]
mov edx, dword ptr [esp+20h]
mov ebp, dword ptr fs:[00000014h]
mov dword ptr [ebp+00000000h], edx
mov edi, dword ptr [esp+18h]
mov esi, dword ptr [esp+14h]
mov ebp, dword ptr [esp+10h]
mov ebx, dword ptr [esp+1Ch]
add esp, 28h
retn 0004h
ret
mov ecx, dword ptr [esp+04h]
mov edx, dword ptr [ecx]
mov eax, esp

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x22d000	0x3d6	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x22e000	0x1236c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x1ee020	0xa0	.data
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x101cba	0x101e00	False	0.448896858337	data	6.16170912852	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0x103000	0xea514	0xea600	False	0.427442708333	data	5.6555431619	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x1ee000	0x3ede0	0x1bc00	False	0.528777801239	data	5.7441661505	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.idata	0x22d000	0x3d6	0x400	False	0.4912109375	data	4.65623872064	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.reloc	0x22e000	0x1236c	0x12400	False	0.579783818493	data	6.56832610351	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.symtab	0x241000	0x4	0x200	False	0.02734375	data	0.0203931352361	IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Imports

DLL

Import

kernel32.dll

WriteFile, WriteConsoleW, WaitForMultipleObjects, WaitForSingleObject, VirtualQuery, VirtualFree, VirtualAlloc, SwitchToThread, SuspendThread, Sleep, SetWaitableTimer, SetUnhandledExceptionFilter, SetProcessPriorityBoost, SetEvent, SetErrorMode, SetConsoleCtrlHandler, ResumeThread, PostQueuedCompletionStatus, LoadLibraryA, LoadLibraryW, SetThreadContext, GetThreadContext, GetSystemInfo, GetSystemDirectoryA, GetStdHandle, GetQueuedCompletionStatusEx, GetProcessAffinityMask, GetProcAddress, GetEnvironmentStringsW, GetConsoleMode, FreeEnvironmentStringsW, ExitProcess, DuplicateHandle, CreateWaitableTimerExW, CreateThread, CreateIoCompletionPort, CreateEventA, CloseHandle, AddVectoredExceptionHandler

Network Behavior

No network behavior found

Code Manipulations

Statistics

CPU Usage

• 0ef0070d_by_Libranalysis.exe
• conhost.exe

Click to jump to process

Memory Usage

• 0ef0070d_by_Libranalysis.exe
• conhost.exe

Click to jump to process

Behavior

• 0ef0070d_by_Libranalysis.exe
• conhost.exe

Click to jump to process

System Behavior

Analysis Process: 0ef0070d_by_Libranalysis.exe PID: 6720 Parent PID: 5928

Function Logs

General

Start time:	03:07:17
Start date:	11/05/2021
Path:	C:\Users\user\Desktop\0ef0070d_by_Libranalysis.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\0ef0070d_by_Libranalysis.exe'
Imagebase:	0xd50000
File size:	2207232 bytes
MD5 hash:	0EF0070DFC132FC368C950F0BEF762A3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Show Windows behavior

File Activities

File Opened

File Created

File Moved

File Written

File Read

File Attributes Queried

Other File Operations

Show Windows behavior

Section Activities

Sections loaded by Windows

Sections loaded by Program

Show Windows behavior

Registry Activities

Show Windows behavior

Process Activities

Process Queried

Process Information Set

Process Terminated

Show Windows behavior

Thread Activities

Thread Created

Thread Execution Resumed

Thread Execution Suspended

Thread Information Set

Show Windows behavior

Memory Activities

Memory Allocated

Memory Usage Statistics

Show Windows behavior

System Activities

Show Windows behavior

Timing Activities

Chronological Activities

Analysis Process: conhost.exe PID: 6740 Parent PID: 6720

Function Logs

General

Start time:	03:07:18
Start date:	11/05/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff724c50000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

File Activities

Volume Information Queried

Show Windows behavior

Section Activities

Sections loaded by Windows

Sections loaded by Program

Show Windows behavior

Registry Activities

Show Windows behavior

Mutex Activities

Mutex Created

Show Windows behavior

Process Activities

Show Windows behavior

Thread Activities

Thread Created

Thread Delayed

Show Windows behavior

Memory Activities

Windows UI Activities

Window Created

Window UI Enumerated

Message Posted to Windows UI

Window UIs Event Hook Set

Show Windows behavior

LPC Port Activities

Chronological Activities

Disassembly

Code Analysis

Analysis Process: 0ef0070d_by_Libranalysis.exe PID: 6720 Parent PID: 5928 0ef0070d_by_Libranalysis.exeCOMMON

Executed Functions

Non-executed Functions

Function 00D6F910, Relevance: 15.7, Strings: 12, Instructions: 663COMMON

Download Yara Rule

Strings

previous allocCount=%s flag redefined: %s, levelBits[level] = 186264514923095703125931322574615478515625AdjustTokenPrivilegesAlaskan Standard TimeAnatolian_HieroglyphsArabian Standard TimeBelarus Standard TimeCentral Standard TimeChangeServiceConfig2WDeregist, xrefs: 00D701B7
mheap.sweepgen= not in ranges: untyped locals , not a function0123456789ABCDEF0123456789abcdef2384185791015625: value of type AddDllDirectory, xrefs: 00D70105, 00D7029C
sweepgen= targetpc= throwing= until pc=%!(NOVERB)%!Weekday((BADINDEX), bound = , limit = /dev/stdin12207031256103515625: parsing AdditionalBad varintCancelIoExChorasmianClassCHAOSClassCSNETCreateFileCreatePipeDeprecatedDevanagariDnsQuery_WException GC forced, xrefs: 00D700DB, 00D70272
mspan.sweep: m is not lockednewproc1: new g is not Gdeadnewproc1: newg missing stackos: process already finishedprotocol driver not attachedreflect.MakeSlice: len > capreflect: In of non-func typeregion exceeds uintptr rangeruntime.semasleep unexpectedruntime:, xrefs: 00D702E6
nalloc= newval= nfreed= pointer stack=[ status %!Month(.crypted2.5.4.102.5.4.112.5.4.1748828125AcceptExArmenianBalineseBopomofoBugineseCancelIoCherokeeClassANYCyrillicDEK-InfoDecemberDuployanEqualSidEthiopicExtenderFebruaryFullPathGeorgianGoStringGujaratiGurm, xrefs: 00D7018A
mspan.sweep: bad span statenot a XENIX named type fileprogToPointerMask: overflowrunlock of unlocked rwmutexruntime: asyncPreemptStack=runtime: checkdead: find g runtime: checkdead: nmidle=runtime: corrupted polldescruntime: netpollinit failedruntime: thread I, xrefs: 00D702D0
swept cached spanthread exhaustionunknown caller pcwait for GC cyclewine_get_version, xrefs: 00D7008B
mspan.sweep: state=notesleep not on g0ntdll.dll not foundnwait > work.nprocspanic during mallocpanic during panicpanic holding lockspanicwrap: no ( in panicwrap: no ) in reflect.Value.Fieldreflect.Value.Floatreflect.Value.Indexreflect.Value.IsNilreflect.Value, xrefs: 00D700AD, 00D70244
mspan.sweep: bad span state after sweepout of memory allocating heap arena mapruntime: blocked write on free polldescruntime: casfrom_Gscanstatus failed gp=runtime: function symbol table header: stack growth not allowed in system callsuspendG from non-preempti, xrefs: 00D70139
, xrefs: 00D70226
runtime: nelems=schedule: in cgotime: bad [0-9]*timeBeginPeriod, xrefs: 00D70160
sweep increased allocation countuse of closed network connectionx509: unsupported elliptic curve of method on nil interface value142108547152020037174224853515625710542735760100185871124267578125CryptAcquireCertificatePrivateKeyGODEBUG: no value specified for , xrefs: 00D7021D

Memory Dump Source

Source File: 00000000.00000002.661933456.0000000000D51000.00000020.00020000.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.661927136.0000000000D50000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.662082442.0000000000E53000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.662217305.0000000000F3E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662222778.0000000000F44000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.662233308.0000000000F56000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662236659.0000000000F57000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.662240097.0000000000F59000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662243272.0000000000F5F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662246441.0000000000F63000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662249429.0000000000F77000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662252544.0000000000F7A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662256348.0000000000F7D000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.662259273.0000000000F7E000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: $ mheap.sweepgen= not in ranges: untyped locals , not a function0123456789ABCDEF0123456789abcdef2384185791015625: value of type AddDllDirectory$ nalloc= newval= nfreed= pointer stack=[ status %!Month(.crypted2.5.4.102.5.4.112.5.4.1748828125AcceptExArmenianBalineseBopomofoBugineseCancelIoCherokeeClassANYCyrillicDEK-InfoDecemberDuployanEqualSidEthiopicExtenderFebruaryFullPathGeorgianGoStringGujaratiGurm$ previous allocCount=%s flag redefined: %s, levelBits[level] = 186264514923095703125931322574615478515625AdjustTokenPrivilegesAlaskan Standard TimeAnatolian_HieroglyphsArabian Standard TimeBelarus Standard TimeCentral Standard TimeChangeServiceConfig2WDeregist$ sweepgen= targetpc= throwing= until pc=%!(NOVERB)%!Weekday((BADINDEX), bound = , limit = /dev/stdin12207031256103515625: parsing AdditionalBad varintCancelIoExChorasmianClassCHAOSClassCSNETCreateFileCreatePipeDeprecatedDevanagariDnsQuery_WException GC forced$mspan.sweep: bad span state after sweepout of memory allocating heap arena mapruntime: blocked write on free polldescruntime: casfrom_Gscanstatus failed gp=runtime: function symbol table header: stack growth not allowed in system callsuspendG from non-preempti$mspan.sweep: bad span statenot a XENIX named type fileprogToPointerMask: overflowrunlock of unlocked rwmutexruntime: asyncPreemptStack=runtime: checkdead: find g runtime: checkdead: nmidle=runtime: corrupted polldescruntime: netpollinit failedruntime: thread I$mspan.sweep: m is not lockednewproc1: new g is not Gdeadnewproc1: newg missing stackos: process already finishedprotocol driver not attachedreflect.MakeSlice: len > capreflect: In of non-func typeregion exceeds uintptr rangeruntime.semasleep unexpectedruntime:$mspan.sweep: state=notesleep not on g0ntdll.dll not foundnwait > work.nprocspanic during mallocpanic during panicpanic holding lockspanicwrap: no ( in panicwrap: no ) in reflect.Value.Fieldreflect.Value.Floatreflect.Value.Indexreflect.Value.IsNilreflect.Value$runtime: nelems=schedule: in cgotime: bad [0-9]*timeBeginPeriod$sweep increased allocation countuse of closed network connectionx509: unsupported elliptic curve of method on nil interface value142108547152020037174224853515625710542735760100185871124267578125CryptAcquireCertificatePrivateKeyGODEBUG: no value specified for $swept cached spanthread exhaustionunknown caller pcwait for GC cyclewine_get_version
API String ID: 0-1742291590
Opcode ID: eb4a1dcba390f7eeacbe30803f048f69567036d3ddb25c0e5a6938803cc8fab8
Instruction ID: 78dd1b4bd14a039bcef0b8ab670751cebfb48f5d52f9db5b9ee60eb4634dd71a
Opcode Fuzzy Hash: eb4a1dcba390f7eeacbe30803f048f69567036d3ddb25c0e5a6938803cc8fab8
Instruction Fuzzy Hash: C05258B05087548FC710EF28C09066EBBE1FF88714F55896DE8D88B392E774D949DBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00D74C4C, Relevance: 11.7, Strings: 9, Instructions: 457COMMON

Download Yara Rule

Strings

] = ] n=allgallpasn1avx2basebindbmi1bmi2boolbootcallcas1cas2cas3cas4cas5cas6chandeadermsfileftpsfunchourhttpicmpidleigmpint8itabkindopenpathpipepop3profreadrootsbrkseeksmtpsse2sse3tag:tcp4trueudp4uint -%s ... H_T= H_a= H_g= MB, W_a= and h_a= h_g= h_t= max=, xrefs: 00D74FC7
runtime: level = runtime: nameOff runtime: next_gc=runtime: pointer runtime: summary[runtime: textOff runtime: typeOff scanobject n == 0select (no cases)stack: frame={sp:swept cached spanthread exhaustionunknown caller pcwait for GC cyclewine_get_version, xrefs: 00D75054
, npages = /dev/stderr/dev/stdout30517578125: frame.sp=AES-128-CBCAES-192-CBCAES-256-CBCBLAKE2b-256BLAKE2b-384BLAKE2b-512BLAKE2s-256ClassHESIODCloseHandleCoGetObjectCreateFileWDeleteFileWDives_AkuruExitProcessFreeLibraryGOTRACEBACKGetFileTypeIdeographicMedefai, xrefs: 00D75083
, levelBits[level] = 186264514923095703125931322574615478515625AdjustTokenPrivilegesAlaskan Standard TimeAnatolian_HieroglyphsArabian Standard TimeBelarus Standard TimeCentral Standard TimeChangeServiceConfig2WDeregisterEventSourceEastern Standard TimeEnumServ, xrefs: 00D751AA
, i = , not 390625<-chanAnswerArabicAugustBrahmiCarianChakmaCommonCopticFormatFridayGOROOTGetACPGothicHangulHatranHebrewHyphenKaithiKhojkiLepchaLycianLydianMondayRejangSCHED STREETStringSundaySyriacTai_LeTangutTeluguThaanaTypeMXTypeNSUTC+12UTC+13UTC-02UTC-08UT, xrefs: 00D75122
runtime: levelShift[level] = runtime: marking free object runtime: p.gcMarkWorkerMode= runtime: split stack overflowruntime: sudog with non-nil cruntime: summary max pages = runtime: unknown pc in defer semacquire not on the G stackstring concatenation too lon, xrefs: 00D7517D
bad summary databad symbol tablebinary.BigEndiancastogscanstatuscontext canceleddivision by zerogc: unswept spangcshrinkstackoffinteger overflowinvalid argumentinvalid exchangeinvalid g statusinvalid spdelta length too largemSpanList.insertmSpanList.removemess, xrefs: 00D7570F
runtime: p.searchAddr = span has no free objectsstack trace unavailablestructure needs cleaning bytes failed with errno= to unused region of span2910383045673370361328125AUS Central Standard TimeAUS Eastern Standard TimeAfghanistan Standard TimeExpandEnvironm, xrefs: 00D750F8
, j0 = 19531252.5.4.32.5.4.52.5.4.62.5.4.72.5.4.82.5.4.99765625AvestanBengaliBrailleChanDirCopySidCypriotDES-CBCDeseretElbasanElymaicFreeSidGODEBUGGranthaHanunooIO waitJanuaryKannadaMUI_DltMUI_StdMakasarMandaicMarchenMultaniMyanmarOctoberOsmanyaRadicalSHA-224S, xrefs: 00D750B0

Memory Dump Source

Source File: 00000000.00000002.661933456.0000000000D51000.00000020.00020000.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.661927136.0000000000D50000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.662082442.0000000000E53000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.662217305.0000000000F3E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662222778.0000000000F44000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.662233308.0000000000F56000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662236659.0000000000F57000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.662240097.0000000000F59000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662243272.0000000000F5F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662246441.0000000000F63000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662249429.0000000000F77000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662252544.0000000000F7A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662256348.0000000000F7D000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.662259273.0000000000F7E000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: , i = , not 390625<-chanAnswerArabicAugustBrahmiCarianChakmaCommonCopticFormatFridayGOROOTGetACPGothicHangulHatranHebrewHyphenKaithiKhojkiLepchaLycianLydianMondayRejangSCHED STREETStringSundaySyriacTai_LeTangutTeluguThaanaTypeMXTypeNSUTC+12UTC+13UTC-02UTC-08UT$, j0 = 19531252.5.4.32.5.4.52.5.4.62.5.4.72.5.4.82.5.4.99765625AvestanBengaliBrailleChanDirCopySidCypriotDES-CBCDeseretElbasanElymaicFreeSidGODEBUGGranthaHanunooIO waitJanuaryKannadaMUI_DltMUI_StdMakasarMandaicMarchenMultaniMyanmarOctoberOsmanyaRadicalSHA-224S$, levelBits[level] = 186264514923095703125931322574615478515625AdjustTokenPrivilegesAlaskan Standard TimeAnatolian_HieroglyphsArabian Standard TimeBelarus Standard TimeCentral Standard TimeChangeServiceConfig2WDeregisterEventSourceEastern Standard TimeEnumServ$, npages = /dev/stderr/dev/stdout30517578125: frame.sp=AES-128-CBCAES-192-CBCAES-256-CBCBLAKE2b-256BLAKE2b-384BLAKE2b-512BLAKE2s-256ClassHESIODCloseHandleCoGetObjectCreateFileWDeleteFileWDives_AkuruExitProcessFreeLibraryGOTRACEBACKGetFileTypeIdeographicMedefai$] = ] n=allgallpasn1avx2basebindbmi1bmi2boolbootcallcas1cas2cas3cas4cas5cas6chandeadermsfileftpsfunchourhttpicmpidleigmpint8itabkindopenpathpipepop3profreadrootsbrkseeksmtpsse2sse3tag:tcp4trueudp4uint -%s ... H_T= H_a= H_g= MB, W_a= and h_a= h_g= h_t= max=$bad summary databad symbol tablebinary.BigEndiancastogscanstatuscontext canceleddivision by zerogc: unswept spangcshrinkstackoffinteger overflowinvalid argumentinvalid exchangeinvalid g statusinvalid spdelta length too largemSpanList.insertmSpanList.removemess$runtime: level = runtime: nameOff runtime: next_gc=runtime: pointer runtime: summary[runtime: textOff runtime: typeOff scanobject n == 0select (no cases)stack: frame={sp:swept cached spanthread exhaustionunknown caller pcwait for GC cyclewine_get_version$runtime: levelShift[level] = runtime: marking free object runtime: p.gcMarkWorkerMode= runtime: split stack overflowruntime: sudog with non-nil cruntime: summary max pages = runtime: unknown pc in defer semacquire not on the G stackstring concatenation too lon$runtime: p.searchAddr = span has no free objectsstack trace unavailablestructure needs cleaning bytes failed with errno= to unused region of span2910383045673370361328125AUS Central Standard TimeAUS Eastern Standard TimeAfghanistan Standard TimeExpandEnvironm
API String ID: 0-3421612158
Opcode ID: 9a4a5bcd716155d34c74c84aff70c37a54e68ed1ea8737f9583d82ae625dec46
Instruction ID: e0fb26c8bfc8cdfa48360c9c5090dd153162216a1fca28b2cca7c2d98092f1c9
Opcode Fuzzy Hash: 9a4a5bcd716155d34c74c84aff70c37a54e68ed1ea8737f9583d82ae625dec46
Instruction Fuzzy Hash: E51266756097048FD324EF68C48176EB7E1FF88340F55882DE99987351EBB4E849CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00D66F10, Relevance: 9.6, Strings: 7, Instructions: 898COMMON

Download Yara Rule

Strings

gc done but gcphase != _GCoffgfput: bad status (not Gdead)integer not minimally-encodedinvalid length of trace eventio: read/write on closed pipemachine is not on the networkno XENIX semaphores availablenotesleep - waitm out of syncnumerical result out of rang, xrefs: 00D67F90
%: +00+01+03+04+05+06+07+08+09+10+11+12+13+14-01-02-03-04-05-06-08-09-11-12125625???ADTASTAprAugBSTCATCDTCETCSTDecDltEATEDTEETEOFESTFebFriGMTHDTHSTHanIDTISTJSTJanJulJunKSTLaoMD4MD5MDTMSKMSTMarMayMonMroNDTNSTNULNaNNkoNovOctPC=PDTPKTPSTSETSatSepStdSunThuTueUTCVa, xrefs: 00D67908
(forced) blocked= defersc= in use) lockedg= lockedm= m->curg= marked method: ms cpu, not in [ runtime= s.limit= s.state= threads= u_a/u_g= unmarked wbuf1.n= wbuf2.n=%!(EXTRA (MISSING)(unknown), newval=, oldval=, size = , tail = -07:00:00244140625: status, xrefs: 00D67EF4
., xrefs: 00D677F7
ms cpu, not in [ runtime= s.limit= s.state= threads= u_a/u_g= unmarked wbuf1.n= wbuf2.n=%!(EXTRA (MISSING)(unknown), newval=, oldval=, size = , tail = -07:00:00244140625: status=AuthorityBassa_VahBhaiksukiBigEndianClassINETCuneiformDiacriticFindCloseHex_Digi, xrefs: 00D67CE9
gcinggscanhchanhttpsimap2imap3imapsinit int16int32int64limitmheapmonthntldrntohspanicpop3sscav schedsleepslicesse41sse42ssse3sudogsweeptraceuint8usagevaluewinntwrite Value addr= alloc base code= ctxt: curg= free goid jobs= list= m->p= next= p->m= prev= span, xrefs: 00D66FE2, 00D67F55
ms clock, nBSSRoots= p->status= s.nelems= schedtick= span.list= timerslen=%!(BADPREC), elemsize=, npages = /dev/stderr/dev/stdout30517578125: frame.sp=AES-128-CBCAES-192-CBCAES-256-CBCBLAKE2b-256BLAKE2b-384BLAKE2b-512BLAKE2s-256ClassHESIODCloseHandleCoGetOb, xrefs: 00D67A99

Memory Dump Source

Source File: 00000000.00000002.661933456.0000000000D51000.00000020.00020000.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.661927136.0000000000D50000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.662082442.0000000000E53000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.662217305.0000000000F3E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662222778.0000000000F44000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.662233308.0000000000F56000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662236659.0000000000F57000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.662240097.0000000000F59000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662243272.0000000000F5F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662246441.0000000000F63000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662249429.0000000000F77000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662252544.0000000000F7A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662256348.0000000000F7D000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.662259273.0000000000F7E000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: (forced) blocked= defersc= in use) lockedg= lockedm= m->curg= marked method: ms cpu, not in [ runtime= s.limit= s.state= threads= u_a/u_g= unmarked wbuf1.n= wbuf2.n=%!(EXTRA (MISSING)(unknown), newval=, oldval=, size = , tail = -07:00:00244140625: status$ ms clock, nBSSRoots= p->status= s.nelems= schedtick= span.list= timerslen=%!(BADPREC), elemsize=, npages = /dev/stderr/dev/stdout30517578125: frame.sp=AES-128-CBCAES-192-CBCAES-256-CBCBLAKE2b-256BLAKE2b-384BLAKE2b-512BLAKE2s-256ClassHESIODCloseHandleCoGetOb$ ms cpu, not in [ runtime= s.limit= s.state= threads= u_a/u_g= unmarked wbuf1.n= wbuf2.n=%!(EXTRA (MISSING)(unknown), newval=, oldval=, size = , tail = -07:00:00244140625: status=AuthorityBassa_VahBhaiksukiBigEndianClassINETCuneiformDiacriticFindCloseHex_Digi$%: +00+01+03+04+05+06+07+08+09+10+11+12+13+14-01-02-03-04-05-06-08-09-11-12125625???ADTASTAprAugBSTCATCDTCETCSTDecDltEATEDTEETEOFESTFebFriGMTHDTHSTHanIDTISTJSTJanJulJunKSTLaoMD4MD5MDTMSKMSTMarMayMonMroNDTNSTNULNaNNkoNovOctPC=PDTPKTPSTSETSatSepStdSunThuTueUTCVa$.$gc done but gcphase != _GCoffgfput: bad status (not Gdead)integer not minimally-encodedinvalid length of trace eventio: read/write on closed pipemachine is not on the networkno XENIX semaphores availablenotesleep - waitm out of syncnumerical result out of rang$gcinggscanhchanhttpsimap2imap3imapsinit int16int32int64limitmheapmonthntldrntohspanicpop3sscav schedsleepslicesse41sse42ssse3sudogsweeptraceuint8usagevaluewinntwrite Value addr= alloc base code= ctxt: curg= free goid jobs= list= m->p= next= p->m= prev= span
API String ID: 0-998994384
Opcode ID: 6b9a74e4e407118833bd7403ba8dcb8c1b367ee1ce8bcef3c306fd6561bbaf94
Instruction ID: 438649254f9dba764db276eced753a355b619d369c68f7dbd113ed30188703ad
Opcode Fuzzy Hash: 6b9a74e4e407118833bd7403ba8dcb8c1b367ee1ce8bcef3c306fd6561bbaf94
Instruction Fuzzy Hash: EF92F7746093448FD324EF28D984B9ABBE1FF89304F45892DE88D87361DB749885DB63

Uniqueness

Uniqueness Score: -1.00%

Function 00D65CD0, Relevance: 9.2, Strings: 7, Instructions: 425COMMON

Download Yara Rule

Strings

heap_live= idleprocs= in status mallocing= ms clock, nBSSRoots= p->status= s.nelems= schedtick= span.list= timerslen=%!(BADPREC), elemsize=, npages = /dev/stderr/dev/stdout30517578125: frame.sp=AES-128-CBCAES-192-CBCAES-256-CBCBLAKE2b-256BLAKE2b-384BLAKE2b, xrefs: 00D66250
minTrigger= nDataRoots= nSpanRoots= pages/byte preemptoff= s.elemsize= s.sweepgen= span.limit= span.state= sysmonwait= wbuf1=<nil> wbuf2=<nil>$recycle.bin%!(BADWIDTH)) p->status=-byte limit152587890625762939453125Bidi_ControlCoCreateGuidCreateEventWCreateMu, xrefs: 00D662CD
initialHeapLive= spinningthreads=%%!%c(big.Int=%s), p.searchAddr = 0123456789ABCDEFX0123456789abcdefx060102150405Z07001192092895507812559604644775390625: missing method AdjustTokenGroupsCertFindExtensionCryptDecodeObjectDnsRecordListFreeFLE Standard TimeGC as, xrefs: 00D6627A
heap_marked= idlethreads= in duration is nil, not nStackRoots= out of range s.spanclass= span.base()= syscalltick= work.nproc= work.nwait= , gp->status=, not pointer-byte block (3814697265625CertOpenStoreCoTaskMemFreeDeleteServiceEnumProcessesExitWindowsEx, xrefs: 00D66226
triggerRatio=unimplementedunsupported: value method xadd64 failedxchg64 failed}sched={pc: but progSize nmidlelocked= on zero Value out of range procedure in to finalizer untyped args -thread limit1907348632812595367431640625: extra text: CertCloseStoreC, xrefs: 00D662A4
gc_trigger underflowgo of nil func valuegopark: bad g statusinvalid request codeinvalid write resultis a named type filekey has been revokedmalloc during signalnotetsleep not on g0number has no digitsp mcache not flushedpacer: assist ratio=preempt off reason: , xrefs: 00D66301
runtime: next_gc=runtime: pointer runtime: summary[runtime: textOff runtime: typeOff scanobject n == 0select (no cases)stack: frame={sp:swept cached spanthread exhaustionunknown caller pcwait for GC cyclewine_get_version, xrefs: 00D661FC

Memory Dump Source

Source File: 00000000.00000002.661933456.0000000000D51000.00000020.00020000.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.661927136.0000000000D50000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.662082442.0000000000E53000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.662217305.0000000000F3E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662222778.0000000000F44000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.662233308.0000000000F56000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662236659.0000000000F57000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.662240097.0000000000F59000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662243272.0000000000F5F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662246441.0000000000F63000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662249429.0000000000F77000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662252544.0000000000F7A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662256348.0000000000F7D000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.662259273.0000000000F7E000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: heap_live= idleprocs= in status mallocing= ms clock, nBSSRoots= p->status= s.nelems= schedtick= span.list= timerslen=%!(BADPREC), elemsize=, npages = /dev/stderr/dev/stdout30517578125: frame.sp=AES-128-CBCAES-192-CBCAES-256-CBCBLAKE2b-256BLAKE2b-384BLAKE2b$ heap_marked= idlethreads= in duration is nil, not nStackRoots= out of range s.spanclass= span.base()= syscalltick= work.nproc= work.nwait= , gp->status=, not pointer-byte block (3814697265625CertOpenStoreCoTaskMemFreeDeleteServiceEnumProcessesExitWindowsEx$ initialHeapLive= spinningthreads=%%!%c(big.Int=%s), p.searchAddr = 0123456789ABCDEFX0123456789abcdefx060102150405Z07001192092895507812559604644775390625: missing method AdjustTokenGroupsCertFindExtensionCryptDecodeObjectDnsRecordListFreeFLE Standard TimeGC as$ minTrigger= nDataRoots= nSpanRoots= pages/byte preemptoff= s.elemsize= s.sweepgen= span.limit= span.state= sysmonwait= wbuf1=<nil> wbuf2=<nil>$recycle.bin%!(BADWIDTH)) p->status=-byte limit152587890625762939453125Bidi_ControlCoCreateGuidCreateEventWCreateMu$gc_trigger underflowgo of nil func valuegopark: bad g statusinvalid request codeinvalid write resultis a named type filekey has been revokedmalloc during signalnotetsleep not on g0number has no digitsp mcache not flushedpacer: assist ratio=preempt off reason: $runtime: next_gc=runtime: pointer runtime: summary[runtime: textOff runtime: typeOff scanobject n == 0select (no cases)stack: frame={sp:swept cached spanthread exhaustionunknown caller pcwait for GC cyclewine_get_version$triggerRatio=unimplementedunsupported: value method xadd64 failedxchg64 failed}sched={pc: but progSize nmidlelocked= on zero Value out of range procedure in to finalizer untyped args -thread limit1907348632812595367431640625: extra text: CertCloseStoreC
API String ID: 0-3718698689
Opcode ID: 9ca87ddb5990872a57927de13e01b1b3a10176e5b11dddb533b64f917417cd41
Instruction ID: 225a572f1499c0c685650a8e23cc5030e5bf678074c7bea6b3600f7b31aaeb99
Opcode Fuzzy Hash: 9ca87ddb5990872a57927de13e01b1b3a10176e5b11dddb533b64f917417cd41
Instruction Fuzzy Hash: D1026D75A097048FC305EF69D48061ABBE1FFC9340F148A2DF89997351EB74D889DBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00D87729, Relevance: 7.2, Strings: 5, Instructions: 929COMMON

Download Yara Rule

Strings

findrunnable: wrong plink has been severednegative shift amountpackage not installedpanic on system stackread-only file systemreflect.Value.Complexreflect.Value.Pointerreflect.Value.SetUintreleasep: invalid argruntime: confused by runtime: newstack at runtime:, xrefs: 00D889BA
!, xrefs: 00D889AD
findrunnable: netpoll with spinninggreyobject: obj not pointer-alignedmheap.freeSpanLocked - invalid freenetwork dropped connection on resetno such multicast network interfacepersistentalloc: align is too largepidleput: P has non-empty run queuereflect.MakeSli, xrefs: 00D88978
findrunnable: netpoll with pfound pointer to free objectgcBgMarkWorker: mode not setgcstopm: negative nmspinninginvalid runtime symbol tablemheap.freeSpanLocked - span missing stack in shrinkstackmspan.sweep: m is not lockednewproc1: new g is not Gdeadnewproc1, xrefs: 00D8898E
findrunnable: negative nmspinningfreeing stack not in a stack spanheapBitsSetType: unexpected shiftindefinite length found (not DER)invalid value %q for flag -%s: %vmin must be a non-zero power of 2misrounded allocation in sysAllocreflect.nameFrom: name too lo, xrefs: 00D889A4

Memory Dump Source

Source File: 00000000.00000002.661933456.0000000000D51000.00000020.00020000.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.661927136.0000000000D50000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.662082442.0000000000E53000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.662217305.0000000000F3E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662222778.0000000000F44000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.662233308.0000000000F56000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662236659.0000000000F57000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.662240097.0000000000F59000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662243272.0000000000F5F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662246441.0000000000F63000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662249429.0000000000F77000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662252544.0000000000F7A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662256348.0000000000F7D000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.662259273.0000000000F7E000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: !$findrunnable: negative nmspinningfreeing stack not in a stack spanheapBitsSetType: unexpected shiftindefinite length found (not DER)invalid value %q for flag -%s: %vmin must be a non-zero power of 2misrounded allocation in sysAllocreflect.nameFrom: name too lo$findrunnable: netpoll with pfound pointer to free objectgcBgMarkWorker: mode not setgcstopm: negative nmspinninginvalid runtime symbol tablemheap.freeSpanLocked - span missing stack in shrinkstackmspan.sweep: m is not lockednewproc1: new g is not Gdeadnewproc1$findrunnable: netpoll with spinninggreyobject: obj not pointer-alignedmheap.freeSpanLocked - invalid freenetwork dropped connection on resetno such multicast network interfacepersistentalloc: align is too largepidleput: P has non-empty run queuereflect.MakeSli$findrunnable: wrong plink has been severednegative shift amountpackage not installedpanic on system stackread-only file systemreflect.Value.Complexreflect.Value.Pointerreflect.Value.SetUintreleasep: invalid argruntime: confused by runtime: newstack at runtime:
API String ID: 0-2268694656
Opcode ID: d5134bd051675154c0809254532dd35c1fc81bfa0a1d1d15a0257d052024d6a1
Instruction ID: ccb0f55eb11f9011be36fd9d246b2025757a7badd98efbde033b2bf8ee81f8fa
Opcode Fuzzy Hash: d5134bd051675154c0809254532dd35c1fc81bfa0a1d1d15a0257d052024d6a1
Instruction Fuzzy Hash: 4192167460C3818FC724EF25C490B6EBBE1AF89700F59892DE9C997351EB70D845EB62

Uniqueness

Uniqueness Score: -1.00%

Function 00D60EF0, Relevance: 5.8, Strings: 4, Instructions: 790COMMON

Download Yara Rule

Strings

heapBitsSetType: unexpected shiftindefinite length found (not DER)invalid value %q for flag -%s: %vmin must be a non-zero power of 2misrounded allocation in sysAllocreflect.nameFrom: name too long: reflect: Field index out of rangereflect: NumOut of non-func t, xrefs: 00D618C1
heapBitsSetType: called with non-pointer typeparsing/packing of this section has completedreflect: internal error: invalid method indexreflect: nil type passed to Type.AssignableToruntime.minit: duplicatehandle failed; errno=runtime: CreateWaitableTimerEx fail, xrefs: 00D6192E
runtime: invalid type runtime: netpoll failedruntime: s.allocCount= s.allocCount > s.nelemsschedule: holding lockssegment length too longshrinkstack at bad timespan has no free stacksstack growth after forksyntax error in patternsystem huge page size (time: i, xrefs: 00D618F7
-, xrefs: 00D61937

Memory Dump Source

Source File: 00000000.00000002.661933456.0000000000D51000.00000020.00020000.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.661927136.0000000000D50000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.662082442.0000000000E53000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.662217305.0000000000F3E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662222778.0000000000F44000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.662233308.0000000000F56000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662236659.0000000000F57000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.662240097.0000000000F59000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662243272.0000000000F5F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662246441.0000000000F63000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662249429.0000000000F77000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662252544.0000000000F7A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662256348.0000000000F7D000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.662259273.0000000000F7E000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: -$heapBitsSetType: called with non-pointer typeparsing/packing of this section has completedreflect: internal error: invalid method indexreflect: nil type passed to Type.AssignableToruntime.minit: duplicatehandle failed; errno=runtime: CreateWaitableTimerEx fail$heapBitsSetType: unexpected shiftindefinite length found (not DER)invalid value %q for flag -%s: %vmin must be a non-zero power of 2misrounded allocation in sysAllocreflect.nameFrom: name too long: reflect: Field index out of rangereflect: NumOut of non-func t$runtime: invalid type runtime: netpoll failedruntime: s.allocCount= s.allocCount > s.nelemsschedule: holding lockssegment length too longshrinkstack at bad timespan has no free stacksstack growth after forksyntax error in patternsystem huge page size (time: i
API String ID: 0-461050017
Opcode ID: 6e679d63f29a3f099ee34fb63fb777eac93a0b4e4c56a947ef3c7948b4468085
Instruction ID: eed9fc93c250fac34827e1f993703536902ae8d1fd5aa43489f9e439890d84cc
Opcode Fuzzy Hash: 6e679d63f29a3f099ee34fb63fb777eac93a0b4e4c56a947ef3c7948b4468085
Instruction Fuzzy Hash: CE629076A083958FD724DF69C88065EF7E2BBC9300F19892DE9D987341D770E905CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00D6E540, Relevance: 5.5, Strings: 4, Instructions: 499COMMON

Download Yara Rule

Strings

min must be a non-zero power of 2misrounded allocation in sysAllocreflect.nameFrom: name too long: reflect: Field index out of rangereflect: NumOut of non-func type reflect: array index out of rangereflect: chanDir of non-chan typereflect: slice index out of r, xrefs: 00D6EB7A
min too largenil stackbaseout of memoryparsing time powrprof.dll, xrefs: 00D6EB2B
runtime: min = runtimer: bad pscan missed a gstartm: m has pstopm holding p already; errno= mheap.sweepgen= not in ranges: untyped locals , not a function0123456789ABCDEF0123456789abcdef2384185791015625: value of type AddDllDirectory, xrefs: 00D6EAF7, 00D6EB46
!, xrefs: 00D6EB83

Memory Dump Source

Source File: 00000000.00000002.661933456.0000000000D51000.00000020.00020000.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.661927136.0000000000D50000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.662082442.0000000000E53000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.662217305.0000000000F3E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662222778.0000000000F44000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.662233308.0000000000F56000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662236659.0000000000F57000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.662240097.0000000000F59000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662243272.0000000000F5F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662246441.0000000000F63000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662249429.0000000000F77000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662252544.0000000000F7A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662256348.0000000000F7D000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.662259273.0000000000F7E000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: !$min must be a non-zero power of 2misrounded allocation in sysAllocreflect.nameFrom: name too long: reflect: Field index out of rangereflect: NumOut of non-func type reflect: array index out of rangereflect: chanDir of non-chan typereflect: slice index out of r$min too largenil stackbaseout of memoryparsing time powrprof.dll$runtime: min = runtimer: bad pscan missed a gstartm: m has pstopm holding p already; errno= mheap.sweepgen= not in ranges: untyped locals , not a function0123456789ABCDEF0123456789abcdef2384185791015625: value of type AddDllDirectory
API String ID: 0-94317560
Opcode ID: 9310583806c184ef5bbb152b4d148bc13a2d180531ce1a430f39e1b04bbcd7de
Instruction ID: 5b02f15ca76accc561b60096cdc8664062037e8db2b782f82bc4748ff2c104ff
Opcode Fuzzy Hash: 9310583806c184ef5bbb152b4d148bc13a2d180531ce1a430f39e1b04bbcd7de
Instruction Fuzzy Hash: D2029E3960931A8FD310EF99C4C061EB7E2FBC4344F58893CE9958B345EB75A949CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00D818E0, Relevance: 4.1, Strings: 3, Instructions: 314COMMON

Download Yara Rule

Strings

invalid g statusinvalid spdelta length too largemSpanList.insertmSpanList.removemessage too longmissing stackmapnewmHandoff.lockno route to hostnon-Go functionobject is remotepacer: H_m_prev=reflect mismatchremote I/O errorruntime: g: g=runtime: addr = runt, xrefs: 00D81D9C
suspendG from non-preemptible goroutinetags don't match (%d vs %+v) %+v %s @%dtransport endpoint is already connected13877787807814456755295395851135253906256938893903907228377647697925567626953125MapIter.Key called on exhausted iteratorNumericString contains , xrefs: 00D81DB2
', xrefs: 00D81DBB

Memory Dump Source

Source File: 00000000.00000002.661933456.0000000000D51000.00000020.00020000.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.661927136.0000000000D50000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.662082442.0000000000E53000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.662217305.0000000000F3E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662222778.0000000000F44000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.662233308.0000000000F56000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662236659.0000000000F57000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.662240097.0000000000F59000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662243272.0000000000F5F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662246441.0000000000F63000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662249429.0000000000F77000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662252544.0000000000F7A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662256348.0000000000F7D000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.662259273.0000000000F7E000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: '$invalid g statusinvalid spdelta length too largemSpanList.insertmSpanList.removemessage too longmissing stackmapnewmHandoff.lockno route to hostnon-Go functionobject is remotepacer: H_m_prev=reflect mismatchremote I/O errorruntime: g: g=runtime: addr = runt$suspendG from non-preemptible goroutinetags don't match (%d vs %+v) %+v %s @%dtransport endpoint is already connected13877787807814456755295395851135253906256938893903907228377647697925567626953125MapIter.Key called on exhausted iteratorNumericString contains
API String ID: 0-97834633
Opcode ID: c4d3d82ae9e4e5e899457857f9431346d274b1a37e0fe11aa9e516f7a12cf9cf
Instruction ID: e9d2a95e35ee8092b8af6d7c69ee95e834337f9d8fddfb61526bb105bd385306
Opcode Fuzzy Hash: c4d3d82ae9e4e5e899457857f9431346d274b1a37e0fe11aa9e516f7a12cf9cf
Instruction Fuzzy Hash: 29D110782093008FC704EF25C190A2ABBF5AF89744F58886DF8D99B351D735ED4ADB62

Uniqueness

Uniqueness Score: -1.00%

Function 00D602F0, Relevance: 2.8, Strings: 2, Instructions: 311COMMON

Download Yara Rule

Strings

bulkBarrierPreWrite: unaligned argumentscannot free workbufs when work.full != 0crypto/cipher: output smaller than inputrefill of span with free space remainingreflect.Value.SetBytes of non-byte slicereflect.Value.setRunes of non-rune slicereflect: FieldByName, xrefs: 00D606FE
(, xrefs: 00D60707

Memory Dump Source

Source File: 00000000.00000002.661933456.0000000000D51000.00000020.00020000.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.661927136.0000000000D50000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.662082442.0000000000E53000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.662217305.0000000000F3E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662222778.0000000000F44000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.662233308.0000000000F56000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662236659.0000000000F57000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.662240097.0000000000F59000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662243272.0000000000F5F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662246441.0000000000F63000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662249429.0000000000F77000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662252544.0000000000F7A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662256348.0000000000F7D000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.662259273.0000000000F7E000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: ($bulkBarrierPreWrite: unaligned argumentscannot free workbufs when work.full != 0crypto/cipher: output smaller than inputrefill of span with free space remainingreflect.Value.SetBytes of non-byte slicereflect.Value.setRunes of non-rune slicereflect: FieldByName
API String ID: 0-3305243670
Opcode ID: 57c6a6f6bb1d422eb67fcaeb4f68ae689c9ae9121d987afb78431c4bfa1ecce8
Instruction ID: 0bf6946d628646710d6221d7099ce328433ceacae5c260e7f5d1212f5da542d1
Opcode Fuzzy Hash: 57c6a6f6bb1d422eb67fcaeb4f68ae689c9ae9121d987afb78431c4bfa1ecce8
Instruction Fuzzy Hash: F5C10175A083058FC718DF68C48062BFBE1BFC9704F59896DE9998B351E774E844CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00D923C7, Relevance: 1.6, Strings: 1, Instructions: 377COMMON

Download Yara Rule

Strings

!"#$%%&&''((()))*++,,,,,------....//////0001123333333333444444444455666677777888888888889999999999::::::;;;;;;;;;;;;;;;;<<<<<<<<<<<<<<<<=====>>>>>>>>>>>??????????@@@@@@@@@@@@@@@@@@@@@@AAAAAAAAAAAAAAAAAAAAABBBBBBBBBBBCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC, xrefs: 00D9258C, 00D9265C, 00D9272D, 00D92825

Memory Dump Source

Source File: 00000000.00000002.661933456.0000000000D51000.00000020.00020000.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.661927136.0000000000D50000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.662082442.0000000000E53000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.662217305.0000000000F3E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662222778.0000000000F44000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.662233308.0000000000F56000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662236659.0000000000F57000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.662240097.0000000000F59000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662243272.0000000000F5F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662246441.0000000000F63000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662249429.0000000000F77000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662252544.0000000000F7A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662256348.0000000000F7D000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.662259273.0000000000F7E000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: !"#$%%&&''((()))*++,,,,,------....//////0001123333333333444444444455666677777888888888889999999999::::::;;;;;;;;;;;;;;;;<<<<<<<<<<<<<<<<=====>>>>>>>>>>>??????????@@@@@@@@@@@@@@@@@@@@@@AAAAAAAAAAAAAAAAAAAAABBBBBBBBBBBCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC
API String ID: 0-2911004680
Opcode ID: 4b1b8b391c64f7bb7152ca45456d7157674486051572113d6e87cf218d894946
Instruction ID: 328207e18d1e7b459b8abb8aa1cad352bc06454f7108493de40f0c482f29ffb3
Opcode Fuzzy Hash: 4b1b8b391c64f7bb7152ca45456d7157674486051572113d6e87cf218d894946
Instruction Fuzzy Hash: D6E10C31A083159BCB14DF19C89027EB3E2FBD4350F588A3DF99697391DB309949CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00D779F9, Relevance: 1.5, Strings: 1, Instructions: 296COMMON

Download Yara Rule

Strings

, xrefs: 00D77A32

Memory Dump Source

Source File: 00000000.00000002.661933456.0000000000D51000.00000020.00020000.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.661927136.0000000000D50000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.662082442.0000000000E53000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.662217305.0000000000F3E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662222778.0000000000F44000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.662233308.0000000000F56000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662236659.0000000000F57000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.662240097.0000000000F59000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662243272.0000000000F5F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662246441.0000000000F63000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662249429.0000000000F77000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662252544.0000000000F7A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662256348.0000000000F7D000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.662259273.0000000000F7E000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 9f18131436f9ec47d7609ba40fd73cb6556e876e2975cac1aec19aafd8ddeb59
Instruction ID: 78b06743e4f2d730add85167f599c4ae0cba066c317dd5fd5455d1acf495f9ee
Opcode Fuzzy Hash: 9f18131436f9ec47d7609ba40fd73cb6556e876e2975cac1aec19aafd8ddeb59
Instruction Fuzzy Hash: 57910733B593394BC3258E998CD0159F7E2ABC8740F0A453DDE956B344EAB1AC09CBC1

Uniqueness

Uniqueness Score: -1.00%

Function 00D6C0B0, Relevance: 1.5, Strings: 1, Instructions: 224COMMON

Download Yara Rule

Strings

scanobject n == 0select (no cases)stack: frame={sp:swept cached spanthread exhaustionunknown caller pcwait for GC cyclewine_get_version, xrefs: 00D6C397

Memory Dump Source

Source File: 00000000.00000002.661933456.0000000000D51000.00000020.00020000.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.661927136.0000000000D50000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.662082442.0000000000E53000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.662217305.0000000000F3E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662222778.0000000000F44000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.662233308.0000000000F56000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662236659.0000000000F57000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.662240097.0000000000F59000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662243272.0000000000F5F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662246441.0000000000F63000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662249429.0000000000F77000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662252544.0000000000F7A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662256348.0000000000F7D000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.662259273.0000000000F7E000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: scanobject n == 0select (no cases)stack: frame={sp:swept cached spanthread exhaustionunknown caller pcwait for GC cyclewine_get_version
API String ID: 0-308715034
Opcode ID: 71d581c194f773109be9a0af81ec799da0345f10745e9db7c33adac65267cfa5
Instruction ID: 271a02208fdf76be1d1d45631b2175063cf37a3fad39ebce7f7ac652fb30c5da
Opcode Fuzzy Hash: 71d581c194f773109be9a0af81ec799da0345f10745e9db7c33adac65267cfa5
Instruction Fuzzy Hash: B4913474A183488FC314DF55C480A2AF7E2BF89700F19992EE9D98B352D774ED01CBA6

Uniqueness

Uniqueness Score: -1.00%

Function 00D61D30, Relevance: .6, Instructions: 584COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.661933456.0000000000D51000.00000020.00020000.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.661927136.0000000000D50000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.662082442.0000000000E53000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.662217305.0000000000F3E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662222778.0000000000F44000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.662233308.0000000000F56000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662236659.0000000000F57000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.662240097.0000000000F59000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662243272.0000000000F5F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662246441.0000000000F63000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662249429.0000000000F77000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662252544.0000000000F7A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662256348.0000000000F7D000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.662259273.0000000000F7E000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8680a2e32dddbfa7d2ebbff2d177b30c242607ecd0883c9c42d8f03d3ac8713b
Instruction ID: 740879f90a70981a9c528c03073f08a58f40720ffdaf8c17f53da0cb634ba149
Opcode Fuzzy Hash: 8680a2e32dddbfa7d2ebbff2d177b30c242607ecd0883c9c42d8f03d3ac8713b
Instruction Fuzzy Hash: 1A12E236B087158BC715CE59C8C022AF7E2BBC9700F298A7DE99597381DB71ED09CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00D770D0, Relevance: .5, Instructions: 524COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.661933456.0000000000D51000.00000020.00020000.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.661927136.0000000000D50000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.662082442.0000000000E53000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.662217305.0000000000F3E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662222778.0000000000F44000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.662233308.0000000000F56000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662236659.0000000000F57000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.662240097.0000000000F59000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662243272.0000000000F5F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662246441.0000000000F63000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662249429.0000000000F77000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662252544.0000000000F7A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662256348.0000000000F7D000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.662259273.0000000000F7E000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bddb3af23eb66af1d498ce5b6596d04d035c3e4decfdba4340060dd86a1963c3
Instruction ID: 4cd4db8e989d9580ac040547d832042676b4d8ce6b99c2bbb838af9a1cd1ae0a
Opcode Fuzzy Hash: bddb3af23eb66af1d498ce5b6596d04d035c3e4decfdba4340060dd86a1963c3
Instruction Fuzzy Hash: 6A02B573F187254BD3148E5DCC80249B2D2ABC8634F4EC72DEDA9A7341E974AD468BC6

Uniqueness

Uniqueness Score: -1.00%

Function 00D68FD0, Relevance: .4, Instructions: 406COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.661933456.0000000000D51000.00000020.00020000.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.661927136.0000000000D50000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.662082442.0000000000E53000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.662217305.0000000000F3E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662222778.0000000000F44000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.662233308.0000000000F56000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662236659.0000000000F57000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.662240097.0000000000F59000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662243272.0000000000F5F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662246441.0000000000F63000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662249429.0000000000F77000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662252544.0000000000F7A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662256348.0000000000F7D000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.662259273.0000000000F7E000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba7ead89dbb33d72d9bb308817cdc28f411339e5237a69748a97b64912b3bf26
Instruction ID: 9a73e31ae2cbb380398585691d9425430eee6f97987e4b2fbd44f638c17a4d8b
Opcode Fuzzy Hash: ba7ead89dbb33d72d9bb308817cdc28f411339e5237a69748a97b64912b3bf26
Instruction Fuzzy Hash: 7BE19032A093198FC714DE5DC98030EFBE6ABC8304F49893DE9948B355E7B5AD098BD1

Uniqueness

Uniqueness Score: -1.00%

Function 00D77F90, Relevance: .4, Instructions: 366COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.661933456.0000000000D51000.00000020.00020000.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.661927136.0000000000D50000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.662082442.0000000000E53000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.662217305.0000000000F3E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662222778.0000000000F44000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.662233308.0000000000F56000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662236659.0000000000F57000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.662240097.0000000000F59000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662243272.0000000000F5F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662246441.0000000000F63000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662249429.0000000000F77000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662252544.0000000000F7A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662256348.0000000000F7D000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.662259273.0000000000F7E000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c575c27e578c678a8483d126d01c224378a2f983071d8c2340a8c1300a1d13c1
Instruction ID: c8032727b8fcbb556424da11a523442ade21c3285ecc8013a6720373eb368907
Opcode Fuzzy Hash: c575c27e578c678a8483d126d01c224378a2f983071d8c2340a8c1300a1d13c1
Instruction Fuzzy Hash: 3BC102727493158FC315DE99C9C061EF7E2ABC8340F59853CE9988B385FB71D809CA96

Uniqueness

Uniqueness Score: -1.00%

Function 00D776E0, Relevance: .3, Instructions: 347COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.661933456.0000000000D51000.00000020.00020000.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.661927136.0000000000D50000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.662082442.0000000000E53000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.662217305.0000000000F3E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662222778.0000000000F44000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.662233308.0000000000F56000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662236659.0000000000F57000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.662240097.0000000000F59000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662243272.0000000000F5F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662246441.0000000000F63000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662249429.0000000000F77000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662252544.0000000000F7A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662256348.0000000000F7D000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.662259273.0000000000F7E000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a8aa44d123ccff1bebae0c03484193f85f367f3fa19ffe8aae88d3a8892b050
Instruction ID: 88ccbda1f5348458c56f0225b2885bf9c76ccad5c8b6064f705f119e624f27ed
Opcode Fuzzy Hash: 5a8aa44d123ccff1bebae0c03484193f85f367f3fa19ffe8aae88d3a8892b050
Instruction Fuzzy Hash: AFC1A131A0D7198FC315EE99C8C021AB7E2EBC9704F59893DE9994B381FAB09D09C7D5

Uniqueness

Uniqueness Score: -1.00%

Function 00D783F0, Relevance: .3, Instructions: 341COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.661933456.0000000000D51000.00000020.00020000.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.661927136.0000000000D50000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.662082442.0000000000E53000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.662217305.0000000000F3E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662222778.0000000000F44000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.662233308.0000000000F56000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662236659.0000000000F57000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.662240097.0000000000F59000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662243272.0000000000F5F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662246441.0000000000F63000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662249429.0000000000F77000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662252544.0000000000F7A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662256348.0000000000F7D000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.662259273.0000000000F7E000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80c409b295ac7ae25c3ce9195771eba50aa5a176f63ae197e8ac3f5d4ebe9a52
Instruction ID: aaa066dc612279f37d8242deb36bcf442fb6e20e14e05af5ed5112fb21255b5a
Opcode Fuzzy Hash: 80c409b295ac7ae25c3ce9195771eba50aa5a176f63ae197e8ac3f5d4ebe9a52
Instruction Fuzzy Hash: 81B1373278932A4FC315DD588CC061E7693ABC4354F69863CE9698B3C5FFB19806D6D1

Uniqueness

Uniqueness Score: -1.00%

Function 00D76250, Relevance: .3, Instructions: 318COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.661933456.0000000000D51000.00000020.00020000.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.661927136.0000000000D50000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.662082442.0000000000E53000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.662217305.0000000000F3E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662222778.0000000000F44000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.662233308.0000000000F56000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662236659.0000000000F57000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.662240097.0000000000F59000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662243272.0000000000F5F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662246441.0000000000F63000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662249429.0000000000F77000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662252544.0000000000F7A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662256348.0000000000F7D000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.662259273.0000000000F7E000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bef5800a17d2dcc83bdaaf0b3a6f653197f1eccf788ef4ae9a3ec3d54eda920d
Instruction ID: e127c13ee05d89b25ff9b313029824099aae8a6570c5c0a4b09a5697a95084bf
Opcode Fuzzy Hash: bef5800a17d2dcc83bdaaf0b3a6f653197f1eccf788ef4ae9a3ec3d54eda920d
Instruction Fuzzy Hash: 5CB1A373A157254BD314CE59C8C020AF6E2ABC8624F4D873DEDA8A7385EA71DD098B85

Uniqueness

Uniqueness Score: -1.00%

Function 00D580B0, Relevance: .2, Instructions: 200COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.661933456.0000000000D51000.00000020.00020000.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.661927136.0000000000D50000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.662082442.0000000000E53000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.662217305.0000000000F3E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662222778.0000000000F44000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.662233308.0000000000F56000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662236659.0000000000F57000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.662240097.0000000000F59000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662243272.0000000000F5F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662246441.0000000000F63000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662249429.0000000000F77000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662252544.0000000000F7A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662256348.0000000000F7D000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.662259273.0000000000F7E000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae457200141a83881c33f070b0daf980aee52872713947711114a794282280ce
Instruction ID: 6f86588b16fefc8340a7107c562e91d1d9ba54af99fc555883e555e4b23ab33d
Opcode Fuzzy Hash: ae457200141a83881c33f070b0daf980aee52872713947711114a794282280ce
Instruction Fuzzy Hash: 625104326097254BE711DEA9C8C071E72D2EBC8701F48463CDC959B385EBB1AD49D2E5

Uniqueness

Uniqueness Score: -1.00%

Function 00D5CE39, Relevance: .2, Instructions: 187
COMMONCrypto

Download Yara Rule

C-Code - Quality: 53%

			E00D5CE39(intOrPtr _a3, intOrPtr _a7, intOrPtr _a11) {
				char _v49;
				intOrPtr _v61;
				char _v65;
				signed int _v69;
				intOrPtr _t33;
				intOrPtr _t62;
				signed int _t63;
				intOrPtr _t64;
				void* _t67;
				intOrPtr* _t70;

				L0:
				while(1) {
					L0:
					L1:
					if(_t70 <=  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x14])) + 8))) {
						L15:
						E00DA8880();
						continue;
					}
					L2:
					_t70 = _t70 - 0x48;
					_t33 = _a7;
					if(_t33 == 0) {
						L14:
						 *_t70 = 0xe67c80;
						_v69 = 0xeaf3c8;
						L00D805D0(_t67);
						goto L15;
					}
					L3:
					if(( *(_t33 + 4) & 4) != 0) {
						L13:
						 *_t70 =  &M00E80B1C;
						_v69 = 0x15;
						E00D80D70();
						goto L14;
					}
					L4:
					_t65 =  *((intOrPtr*)(_a3 + 0x2c));
					_t69 =  *(_t33 + 8);
					_t68 = _a11;
					 *_t70 = _a11;
					_v69 =  *(_t33 + 8);
					 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_a3 + 0x2c))))))();
					_v49 = _v65;
					_t62 = _a7;
					 *(_t62 + 4) =  *(_t62 + 4) & 0x000000ff ^ 0x00000004;
					if( *((intOrPtr*)(_t62 + 0xc)) == 0) {
						L8:
						_t63 =  *(_a3 + 0x28);
						_t65 =  *_t63;
						 *_t70 =  *_t63;
						_v69 = _t63;
						_v65 = 1;
						L00D5AE60(_a3);
						_t64 = _v61;
						if( *0xf779c0 != 0) {
							L11:
							L00DA9DE0(_t64, _a7, _t64, _t65, _a7 + 0xc, _t68, _t69);
							L12:
							asm("stc");
							asm("iretd");
							L10:
							_t62 = _a7;
							goto L5;
						}
						L9:
						 *((intOrPtr*)(_a7 + 0xc)) = _t64;
						goto L10;
					}
					L5:
					L6:
					_t69 =  *(_t62 + 5) & 0x000000ff;
					L7:
					asm("out 0x8d, al");
					asm("outsb");
					goto ( *__ecx);
				}
			}

0x00d5ce39
0x00d5ce39
0x00000000
0x00d5c950
0x00d5c960
0x00d5ce30
0x00d5ce30
0x00000000
0x00d5ce30
0x00d5c966
0x00d5c966
0x00d5c969
0x00d5c96f
0x00d5ce17
0x00d5ce1d
0x00d5ce26
0x00d5ce2a
0x00000000
0x00d5ce2a
0x00d5c975
0x00d5c97c
0x00d5ce01
0x00d5ce07
0x00d5ce0a
0x00d5ce12
0x00000000
0x00d5ce12
0x00d5c982
0x00d5c986
0x00d5c98b
0x00d5c98e
0x00d5c992
0x00d5c995
0x00d5c999
0x00d5c99f
0x00d5c9a3
0x00d5c9ae
0x00d5c9b6
0x00d5cd9d
0x00d5cda1
0x00d5cda4
0x00d5cda6
0x00d5cda9
0x00d5cdad
0x00d5cdb2
0x00d5cdbd
0x00d5cdc3
0x00d5cdd9
0x00d5cde2
0x00d5cde3
0x00d5cde3
0x00d5cde4
0x00d5cdcc
0x00d5cdd0
0x00000000
0x00d5cdd0
0x00d5cdc5
0x00d5cdc9
0x00000000
0x00d5cdc9
0x00d5c9bc
0x00d5ca82
0x00d5ca82
0x00d5ca84
0x00d5ca90
0x00d5ca92
0x00d5ca93
0x00d5ca93

Memory Dump Source

Source File: 00000000.00000002.661933456.0000000000D51000.00000020.00020000.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.661927136.0000000000D50000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.662082442.0000000000E53000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.662217305.0000000000F3E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662222778.0000000000F44000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.662233308.0000000000F56000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662236659.0000000000F57000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.662240097.0000000000F59000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662243272.0000000000F5F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662246441.0000000000F63000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662249429.0000000000F77000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662252544.0000000000F7A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662256348.0000000000F7D000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.662259273.0000000000F7E000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d90abcdac8e712fb9c5a3dd3cff0cdcc5d82eec16f0c38628252446c556de13b
Instruction ID: 62eae0d1f79cd4cb0dd323cc68e4fa6330324e0832c147baf76dc3bf63865896
Opcode Fuzzy Hash: d90abcdac8e712fb9c5a3dd3cff0cdcc5d82eec16f0c38628252446c556de13b
Instruction Fuzzy Hash: C0719D75A083498FCB24EF28C881656B7A1FF54700F4945A9ED589B343D730ED89DBE1

Uniqueness

Uniqueness Score: -1.00%

Function 00D748C0, Relevance: .2, Instructions: 165
COMMON

Download Yara Rule

C-Code - Quality: 28%

			E00D748C0() {
				intOrPtr _t107;
				signed int _t109;
				signed int _t113;
				signed int _t116;
				signed int _t121;
				intOrPtr _t122;
				signed int _t127;
				signed int _t132;
				signed int _t133;
				signed int _t134;
				signed int _t135;
				signed int _t136;
				signed int _t141;
				unsigned int _t142;
				intOrPtr _t143;
				signed int _t153;
				signed int _t158;
				signed int _t159;
				intOrPtr _t169;
				intOrPtr _t171;
				signed int _t174;
				void* _t179;
				unsigned int _t182;
				unsigned int _t186;
				intOrPtr _t187;
				void* _t188;
				intOrPtr* _t189;

				L0:
				while(1) {
					if(_t188 <=  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x14])) + 8))) {
						L11:
						E00DA8880();
						continue;
					}
					_t189 = _t188 - 0x38;
					_t107 =  *((intOrPtr*)(_t189 + 0x3c));
					_t132 =  *(_t189 + 0x40);
					_t141 = _t132 + ( *(_t189 + 0x44) << 0xd) - 1;
					_t133 = _t132 >> 0x16;
					_t142 = _t141 >> 0x16;
					_t186 = (_t132 & 0x003fffff) >> 0xd;
					 *(_t189 + 0x30) = _t186;
					_t182 = (_t141 & 0x003fffff) >> 0xd;
					if(_t133 == _t142) {
						_t143 =  *((intOrPtr*)(_t107 + 0x30));
						 *((intOrPtr*)(_t189 + 0x34)) = _t143;
						_t134 = _t133 << 7;
						 *(_t189 + 0x20) = _t134;
						 *_t189 = _t143 + _t134 + 0x40;
						 *(_t189 + 4) = _t186;
						_t109 = _t182 - _t186 + 1;
						 *(_t189 + 0x1c) = _t109;
						 *(_t189 + 8) = _t109;
						E00D770D0(_t109, _t179);
						 *(_t189 + 0x18) =  *(_t189 + 0xc);
						 *_t189 =  *(_t189 + 0x20) +  *((intOrPtr*)(_t189 + 0x34));
						 *(_t189 + 4) =  *(_t189 + 0x30);
						 *(_t189 + 8) =  *(_t189 + 0x1c);
						E00D78800();
						_t113 =  *(_t189 + 0x18);
					} else {
						_t169 =  *((intOrPtr*)(_t107 + 0x30));
						 *(_t189 + 0x2c) = _t133;
						 *(_t189 + 0x28) = _t142;
						 *(_t189 + 0x24) = _t182;
						 *((intOrPtr*)(_t189 + 0x34)) = _t169;
						_t135 = _t133 << 7;
						 *(_t189 + 0x20) = _t135;
						 *_t189 = _t169 + _t135 + 0x40;
						 *(_t189 + 4) = _t186;
						_t153 =  ~(_t186 - 0x200);
						 *(_t189 + 0x1c) = _t153;
						 *(_t189 + 8) = _t153;
						E00D770D0(_t107, _t179);
						 *(_t189 + 0x18) =  *(_t189 + 0xc);
						 *_t189 =  *(_t189 + 0x20) +  *((intOrPtr*)(_t189 + 0x34));
						 *(_t189 + 4) =  *(_t189 + 0x30);
						 *(_t189 + 8) =  *(_t189 + 0x1c);
						E00D78800();
						_t121 =  *(_t189 + 0x2c) + 1;
						_t158 =  *(_t189 + 0x28);
						_t171 =  *((intOrPtr*)(_t189 + 0x3c));
						_t136 =  *(_t189 + 0x18);
						while(1) {
							 *(_t189 + 0x10) = _t136;
							if(_t158 <= _t121) {
								break;
							}
							_t187 =  *((intOrPtr*)(_t171 + 0x30));
							if(_t121 < 0x400) {
								 *(_t189 + 0x14) = _t121;
								 *((intOrPtr*)(_t189 + 0x34)) = _t187;
								_t127 = _t121 << 7;
								 *(_t189 + 0x20) = _t127;
								 *_t189 = _t127 + _t187 + 0x40;
								 *(_t189 + 4) = 0;
								 *(_t189 + 8) = 0x200;
								E00D770D0(_t127, _t179);
								 *(_t189 + 0x1c) =  *(_t189 + 0xc);
								 *_t189 =  *((intOrPtr*)(_t189 + 0x34)) +  *(_t189 + 0x20);
								E00D78860();
								_t121 =  *(_t189 + 0x14) + 1;
								_t136 =  *(_t189 + 0x10) +  *(_t189 + 0x1c);
								_t158 =  *(_t189 + 0x28);
								_t171 =  *((intOrPtr*)(_t189 + 0x3c));
								continue;
							} else {
								E00DA9E70();
								goto L11;
							}
							goto L8;
						}
						_t122 =  *((intOrPtr*)(_t171 + 0x30));
						 *((intOrPtr*)(_t189 + 0x34)) = _t122;
						_t159 = _t158 << 7;
						 *(_t189 + 0x20) = _t159;
						 *_t189 = _t122 + _t159 + 0x40;
						 *(_t189 + 4) = 0;
						_t174 =  *(_t189 + 0x24) + 1;
						 *(_t189 + 0x1c) = _t174;
						 *(_t189 + 8) = _t174;
						E00D770D0(_t122, _t179);
						 *(_t189 + 0x18) =  *(_t189 + 0xc);
						 *_t189 =  *(_t189 + 0x20) +  *((intOrPtr*)(_t189 + 0x34));
						 *(_t189 + 4) = 0;
						 *(_t189 + 8) =  *(_t189 + 0x1c);
						E00D78800();
						_t113 =  *(_t189 + 0x18) +  *(_t189 + 0x10);
					}
					L8:
					 *(_t189 + 0x10) = _t113;
					 *_t189 =  *((intOrPtr*)(_t189 + 0x3c));
					 *(_t189 + 4) =  *(_t189 + 0x40);
					 *(_t189 + 8) =  *(_t189 + 0x44);
					 *(_t189 + 0xc) = 0x101;
					E00D74410(_t113);
					_t116 =  *(_t189 + 0x10) << 0xd;
					 *(_t189 + 0x48) = _t116;
					return _t116;
				}
			}

0x00000000
0x00d748c0
0x00d748d0
0x00d74b14
0x00d74b14
0x00000000
0x00d74b14
0x00d748d6
0x00d748d9
0x00d748e6
0x00d748ea
0x00d748f4
0x00d748f9
0x00d74902
0x00d74905
0x00d7490f
0x00d74914
0x00d74aa8
0x00d74aae
0x00d74ab2
0x00d74ab5
0x00d74abd
0x00d74ac0
0x00d74ac6
0x00d74ac9
0x00d74acd
0x00d74ad1
0x00d74ada
0x00d74ae8
0x00d74aef
0x00d74af7
0x00d74afb
0x00d74b00
0x00d7491a
0x00d7491a
0x00d74920
0x00d74924
0x00d74928
0x00d7492c
0x00d74930
0x00d74933
0x00d7493b
0x00d7493e
0x00d74948
0x00d7494a
0x00d7494e
0x00d74952
0x00d7495b
0x00d74969
0x00d74970
0x00d74978
0x00d7497c
0x00d74985
0x00d74986
0x00d7498a
0x00d7498e
0x00d749f1
0x00d749f1
0x00d749f7
0x00000000
0x00000000
0x00d749f9
0x00d74a05
0x00d74994
0x00d74998
0x00d7499c
0x00d7499f
0x00d749a7
0x00d749aa
0x00d749b2
0x00d749ba
0x00d749c3
0x00d749d1
0x00d749d4
0x00d749dd
0x00d749e6
0x00d749e9
0x00d749ed
0x00000000
0x00d74a07
0x00d74b0e
0x00000000
0x00d74b0e
0x00000000
0x00d74a05
0x00d74a0c
0x00d74a12
0x00d74a16
0x00d74a19
0x00d74a21
0x00d74a24
0x00d74a30
0x00d74a31
0x00d74a35
0x00d74a39
0x00d74a42
0x00d74a50
0x00d74a53
0x00d74a5f
0x00d74a63
0x00d74a70
0x00d74a70
0x00d74a72
0x00d74a72
0x00d74a7a
0x00d74a81
0x00d74a89
0x00d74a8d
0x00d74a94
0x00d74a9d
0x00d74aa0
0x00d74aa7
0x00d74aa7

Memory Dump Source

Source File: 00000000.00000002.661933456.0000000000D51000.00000020.00020000.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.661927136.0000000000D50000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.662082442.0000000000E53000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.662217305.0000000000F3E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662222778.0000000000F44000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.662233308.0000000000F56000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662236659.0000000000F57000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.662240097.0000000000F59000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662243272.0000000000F5F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662246441.0000000000F63000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662249429.0000000000F77000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662252544.0000000000F7A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662256348.0000000000F7D000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.662259273.0000000000F7E000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f0706ff06337dc727af6047767c4422147426819d5a07d92ea36adac4707df6
Instruction ID: 050414954d1727c18b228ab8e752437f889b428869a0722b34a8e0674b39d259
Opcode Fuzzy Hash: 4f0706ff06337dc727af6047767c4422147426819d5a07d92ea36adac4707df6
Instruction Fuzzy Hash: 7771BFB49093459FC308DF18C190A2AFBE1FF89304F509A2EF89997351E734E945CB96

Uniqueness

Uniqueness Score: -1.00%

Function 00D759D0, Relevance: .1, Instructions: 149
COMMON

Download Yara Rule

C-Code - Quality: 42%

			E00D759D0(void* __edi, signed int _a4, signed int _a8, signed int _a12) {
				signed int _v4;
				signed int _v8;
				unsigned int _v12;
				signed int _v16;
				signed int _v20;
				short _v24;
				signed int _v28;
				signed int _v32;
				signed int _t59;
				unsigned int _t63;
				signed int _t64;
				signed int* _t65;
				signed int _t70;
				signed int _t81;
				signed char _t82;
				signed int _t85;
				signed int _t91;
				signed int _t93;
				signed int* _t94;
				void* _t95;
				unsigned int _t102;
				signed int* _t103;
				signed char _t104;
				signed int _t108;
				signed char _t109;
				unsigned int _t114;
				signed int _t115;
				signed int _t118;
				signed int _t121;
				void* _t122;
				unsigned int _t123;
				signed int _t125;
				signed int _t127;
				unsigned int _t133;
				signed int _t135;
				void* _t139;
				signed int* _t140;

				L0:
				while(1) {
					L0:
					_t122 = __edi;
					if(_t139 <=  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x14])) + 0xc))) {
						goto L19;
					}
					L1:
					_t140 = _t139 - 0x24;
					_t59 = _a8;
					_t118 = _a4;
					if( *(_t118 + 0x34) > _t59) {
						 *(_t118 + 0x34) = _t59;
					}
					_t91 = _a12;
					_t135 = _t91;
					_t93 = (_t91 << 0xd) + _t59 - 1;
					if(_t93 >  *(_t118 + 0x78)) {
						 *(_t118 + 0x78) = _t93;
					}
					if(_t135 == 1) {
						L15:
						_t94 =  *(_t118 + 0x30);
						__eflags =  *_t94 & _t59;
						_t127 = _t59;
						_t95 = _t94 + (_t59 >> 0x16 << 7);
						_t63 = _t127 & 0x003fffff;
						_t123 = _t63;
						_t64 = _t63 >> 0x13;
						__eflags = _t64 - 8;
						if(__eflags >= 0) {
							goto L18;
						} else {
							L16:
							_t125 = _t123 >> 0x0000000d & 0x0000003f;
							_t108 = _t125 - 0x20;
							_v20 = _t108;
							__eflags = _t108 - 0x20;
							asm("sbb ebp, ebp");
							_t109 =  ~_t108;
							__eflags = _t109 - 0x20;
							asm("sbb esi, esi");
							__eflags = _t125 - 0x20;
							asm("sbb edx, edx");
							_t65 = _t95 + _t64 * 8;
							 *_t65 =  *_t65 &  !(_t118 & 0x00000001 << _t125);
							_t65[1] =  !(0x00000001 >> _t109 & _t127 | 0x00000001 << _v20 & _t135) & _t65[1];
						}
					} else {
						L6:
						_t70 = _t59 >> 0x16;
						_t102 = _t93 >> 0x16;
						_t114 = (_t59 & 0x003fffff) >> 0xd;
						_t133 = (_t93 & 0x003fffff) >> 0xd;
						if(_t70 == _t102) {
							L14:
							_t103 =  *(_t118 + 0x30);
							__eflags =  *_t103 & _t70;
							 *_t140 = _t103 + (_t70 << 7);
							_v32 = _t114;
							_v28 = _t133 - _t114 + 1;
							E00D76DD0(_t133 - _t114 + 1, _t122);
						} else {
							L7:
							_v4 = _t70;
							_v8 = _t102;
							_v12 = _t133;
							 *_t140 =  *(_t118 + 0x30) + (_t70 << 7);
							_v32 = _t114;
							_v28 =  ~(_t114 - 0x200);
							E00D76DD0( ~(_t114 - 0x200), _t122);
							_t81 = _v4 + 1;
							_t115 = _v8;
							_t121 = _a4;
							L9:
							while(_t115 > _t81) {
								_t104 =  *(_t121 + 0x30);
								_t150 = _t81 - 0x400;
								if(_t81 < 0x400) {
									L8:
									_v16 = _t81;
									 *_t140 = (_t81 << 7) + _t104;
									E00D77070();
									_t81 = _v16 + 1;
									__eflags = _t81;
									_t115 = _v8;
									_t121 = _a4;
									continue;
								} else {
									L11:
									L17:
									E00DA9E70();
									L18:
									E00DA9E70();
									goto L19;
								}
								goto L13;
							}
							_t82 =  *(_t121 + 0x30);
							__eflags =  *_t82 & _t82;
							 *_t140 = _t82 + (_t115 << 7);
							_v32 = 0;
							_t85 = _v12 + 1;
							__eflags = _t85;
							_v28 = _t85;
							E00D76DD0(_t85, _t122);
						}
					}
					L13:
					 *_t140 = _a4;
					_v32 = _a8;
					_v28 = _a12;
					_v24 = 1;
					return E00D74410(_a12);
					L20:
					L19:
					E00DA73F0(_t150);
				}
			}

0x00d759d0
0x00d759d0
0x00d759d0
0x00d759d0
0x00d759e0
0x00000000
0x00000000
0x00d759e6
0x00d759e6
0x00d759e9
0x00d759ed
0x00d759f4
0x00d759f6
0x00d759f6
0x00d759f9
0x00d759fd
0x00d75a02
0x00d75a0b
0x00d75a0d
0x00d75a0d
0x00d75a13
0x00d75b1d
0x00d75b1d
0x00d75b20
0x00d75b23
0x00d75b2b
0x00d75b2f
0x00d75b34
0x00d75b36
0x00d75b39
0x00d75b3c
0x00000000
0x00d75b3e
0x00d75b3e
0x00d75b41
0x00d75b44
0x00d75b47
0x00d75b4b
0x00d75b4e
0x00d75b50
0x00d75b52
0x00d75b55
0x00d75b57
0x00d75b5a
0x00d75b5c
0x00d75b89
0x00d75b8b
0x00d75b8b
0x00d75a1d
0x00d75a1d
0x00d75a1f
0x00d75a24
0x00d75a2d
0x00d75a36
0x00d75a3b
0x00d75afc
0x00d75afc
0x00d75aff
0x00d75b06
0x00d75b09
0x00d75b12
0x00d75b16
0x00d75a41
0x00d75a41
0x00d75a47
0x00d75a4b
0x00d75a4f
0x00d75a58
0x00d75a5b
0x00d75a67
0x00d75a6b
0x00d75a74
0x00d75a75
0x00d75a79
0x00000000
0x00d75a9d
0x00d75aa1
0x00d75aa6
0x00d75aab
0x00d75a7f
0x00d75a7f
0x00d75a88
0x00d75a8b
0x00d75a94
0x00d75a94
0x00d75a95
0x00d75a99
0x00000000
0x00d75aad
0x00d75aad
0x00d75b93
0x00d75b98
0x00d75b9d
0x00d75ba2
0x00000000
0x00d75ba2
0x00000000
0x00d75aab
0x00d75ab2
0x00d75ab5
0x00d75abc
0x00d75abf
0x00d75acb
0x00d75acb
0x00d75acc
0x00d75ad0
0x00d75ad0
0x00d75a3b
0x00d75ad5
0x00d75ad9
0x00d75ae0
0x00d75ae8
0x00d75aec
0x00d75afb
0x00000000
0x00d75ba8
0x00d75ba8
0x00d75ba8

Memory Dump Source

Source File: 00000000.00000002.661933456.0000000000D51000.00000020.00020000.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.661927136.0000000000D50000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.662082442.0000000000E53000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.662217305.0000000000F3E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662222778.0000000000F44000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.662233308.0000000000F56000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662236659.0000000000F57000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.662240097.0000000000F59000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662243272.0000000000F5F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662246441.0000000000F63000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662249429.0000000000F77000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662252544.0000000000F7A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662256348.0000000000F7D000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.662259273.0000000000F7E000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1787e1777de1f0755ae118a56095b75a2b671110d6b402b806a79527c044da8
Instruction ID: 892076b2b5a0f7b2f837ee706a6faae1dbcf6f4e25723917d13dec5479a914fb
Opcode Fuzzy Hash: f1787e1777de1f0755ae118a56095b75a2b671110d6b402b806a79527c044da8
Instruction Fuzzy Hash: 5A517AB6A187158FC354DF28C4C0629B7E0FF88344F158A6DE899D7742E770D985CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00D57DE0, Relevance: .1, Instructions: 130
COMMONCrypto

Download Yara Rule

C-Code - Quality: 69%

			E00D57DE0(signed int* _a4, signed int _a8, unsigned int _a12, signed int _a16) {
				signed int _t21;
				unsigned int _t23;
				signed int _t31;
				signed int* _t39;
				unsigned int _t47;
				signed int _t62;
				signed int _t90;
				signed int _t91;
				signed int _t92;
				signed int _t93;
				signed int _t96;
				signed int _t97;
				void* _t98;
				void* _t101;

				while(_t98 <=  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x14])) + 8))) {
					E00DA8880();
				}
				_t21 =  *0xf779b0; // 0x0
				_t47 = _a12;
				_t62 = _a8;
				_t23 = _t21 * _t47 + _t62;
				_t39 = _a4;
				while(_t47 != 0) {
					_t101 = _t47 - 4;
					if(_t101 < 0) {
						asm("rol ecx, 0xf");
						_t23 = (( *(_t47 + _t39 - 1) & 0x000000ff) << 0x00000010 ^ ( *(_t39 + (_t47 >> 1)) & 0x000000ff) << 0x00000008 ^ _t23 ^  *_t39 & 0x000000ff) * 0xbce2d621 * 0xc70f85e1;
					} else {
						if(_t101 == 0) {
							asm("rol ecx, 0xf");
							_t23 = (_t23 ^  *_t39) * 0xbce2d621 * 0xc70f85e1;
						} else {
							if(_t47 <= 8) {
								asm("rol edx, 0xf");
								asm("rol ecx, 0xf");
								_t23 = ((_t23 ^  *_t39) * 0xbce2d621 * 0xc70f85e1 ^  *(_t47 + _t39 - 4)) * 0xbce2d621 * 0xc70f85e1;
							} else {
								if(_t47 <= 0x10) {
									asm("rol ebx, 0xf");
									asm("rol edx, 0xf");
									asm("rol edx, 0xf");
									asm("rol ecx, 0xf");
									_t23 = ((((_t23 ^  *_t39) * 0xbce2d621 * 0xc70f85e1 ^ _t39[1]) * 0xbce2d621 * 0xc70f85e1 ^  *(_t47 + _t39 - 8)) * 0xbce2d621 * 0xc70f85e1 ^  *(_t47 + _t39 - 4)) * 0xbce2d621 * 0xc70f85e1;
								} else {
									_t96 =  *0xf779b4; // 0x0
									_t97 = _t96 * _t62;
									_t92 =  *0xf779b8; // 0x0
									_t93 = _t92 * _t62;
									_t90 =  *0xf779bc; // 0x0
									_t91 = _t90 * _t62;
									while(_t47 >= 0x10) {
										asm("rol eax, 0xf");
										_t23 = ( *_t39 ^ _t23) * 0xbce2d621 * 0xc70f85e1;
										asm("rol edx, 0xf");
										_t97 = (_t39[1] ^ _t97) * 0xc70f85e1 * 0x319bca41;
										asm("rol edx, 0xf");
										_t93 = (_t39[2] ^ _t93) * 0x319bca41 * 0x8b421a21;
										asm("rol edx, 0xf");
										_t91 = (_t39[3] ^ _t91) * 0x8b421a21 * 0xbce2d621;
										_t47 = _t47 + 0xfffffff0;
										_t39 =  &(_t39[4]);
										_t62 = _a8;
									}
									_t23 = _t23 ^ _t97 ^ _t93 ^ _t91;
									continue;
								}
							}
						}
					}
					break;
				}
				_t31 = ((_t23 >> 0x00000011 ^ _t23) * 0x319bca41 >> 0x0000000d ^ (_t23 >> 0x00000011 ^ _t23) * 0x319bca41) * 0x8b421a21 >> 0x00000010 ^ ((_t23 >> 0x00000011 ^ _t23) * 0x319bca41 >> 0x0000000d ^ (_t23 >> 0x00000011 ^ _t23) * 0x319bca41) * 0x8b421a21;
				_a16 = _t31;
				return _t31;
			}

0x00d57de0
0x00d57fa7
0x00d57fa7
0x00d57df6
0x00d57dfc
0x00d57e03
0x00d57e07
0x00d57e09
0x00d57e74
0x00d57e7c
0x00d57e7f
0x00d57f99
0x00d57f9c
0x00d57e85
0x00d57e85
0x00d57f6a
0x00d57f6d
0x00d57e8b
0x00d57e8e
0x00d57f42
0x00d57f55
0x00d57f58
0x00d57e94
0x00d57e97
0x00d57eca
0x00d57edc
0x00d57ef0
0x00d57f03
0x00d57f06
0x00d57e99
0x00d57e99
0x00d57e9f
0x00d57ea2
0x00d57ea8
0x00d57eab
0x00d57eb1
0x00d57e69
0x00d57e19
0x00d57e1c
0x00d57e2d
0x00d57e30
0x00d57e41
0x00d57e44
0x00d57e55
0x00d57e58
0x00d57e5f
0x00d57e62
0x00d57e65
0x00d57e65
0x00d57e72
0x00000000
0x00d57e72
0x00d57e97
0x00d57e8e
0x00d57e85
0x00000000
0x00d57e7f
0x00d57f2b
0x00d57f2d
0x00d57f31

Memory Dump Source

Source File: 00000000.00000002.661933456.0000000000D51000.00000020.00020000.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.661927136.0000000000D50000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.662082442.0000000000E53000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.662217305.0000000000F3E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662222778.0000000000F44000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.662233308.0000000000F56000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662236659.0000000000F57000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.662240097.0000000000F59000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662243272.0000000000F5F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662246441.0000000000F63000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662249429.0000000000F77000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662252544.0000000000F7A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662256348.0000000000F7D000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.662259273.0000000000F7E000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f673525d3cdd031e4fe3850cd2d8b46c6edf729442a5f26cd6a01d85d2843efb
Instruction ID: 0e788ff51e8cbc203e80ee965300d533d835b42ffbf4e8136916674ff02dba78
Opcode Fuzzy Hash: f673525d3cdd031e4fe3850cd2d8b46c6edf729442a5f26cd6a01d85d2843efb
Instruction Fuzzy Hash: 6941C97175C2058B8B0CCA3589D7526BB57EBCA201B24F16FDD06CF5E9DA30DA06DB50

Uniqueness

Uniqueness Score: -1.00%

Function 00D5B830, Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.661933456.0000000000D51000.00000020.00020000.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.661927136.0000000000D50000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.662082442.0000000000E53000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.662217305.0000000000F3E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662222778.0000000000F44000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.662233308.0000000000F56000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662236659.0000000000F57000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.662240097.0000000000F59000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662243272.0000000000F5F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662246441.0000000000F63000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662249429.0000000000F77000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662252544.0000000000F7A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662256348.0000000000F7D000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.662259273.0000000000F7E000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da46bbf7fb37958deb5aed140f7f2296c6d58d67a372614dfd06ddbef47cad81
Instruction ID: edb71370836ea785c842d3e268da900865d98370927713343d1e7323b85bca6b
Opcode Fuzzy Hash: da46bbf7fb37958deb5aed140f7f2296c6d58d67a372614dfd06ddbef47cad81
Instruction Fuzzy Hash: 1641C071908B048FC706DF79C49131AB7E1BF96390F14872EFC5AAB292EB3598428A51

Uniqueness

Uniqueness Score: -1.00%

Function 00D60D80, Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.661933456.0000000000D51000.00000020.00020000.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.661927136.0000000000D50000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.662082442.0000000000E53000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.662217305.0000000000F3E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662222778.0000000000F44000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.662233308.0000000000F56000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662236659.0000000000F57000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.662240097.0000000000F59000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662243272.0000000000F5F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662246441.0000000000F63000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662249429.0000000000F77000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662252544.0000000000F7A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662256348.0000000000F7D000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.662259273.0000000000F7E000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 673dc5ac511e53a7e891fd2e50513ba275099a8f6182266049762825cd5b0c19
Instruction ID: e20cd074af1a70f2269d873fd4a80128d7ab29f0e6a4133c0bdff5b7fdbc843b
Opcode Fuzzy Hash: 673dc5ac511e53a7e891fd2e50513ba275099a8f6182266049762825cd5b0c19
Instruction Fuzzy Hash: 97416273C187289BC300AF4DC840209F7E5ABD0660F5FCA5EDD9867312E6B1AD119BC2

Uniqueness

Uniqueness Score: -1.00%

Function 00D7C800, Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.661933456.0000000000D51000.00000020.00020000.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.661927136.0000000000D50000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.662082442.0000000000E53000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.662217305.0000000000F3E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662222778.0000000000F44000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.662233308.0000000000F56000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662236659.0000000000F57000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.662240097.0000000000F59000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662243272.0000000000F5F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662246441.0000000000F63000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662249429.0000000000F77000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662252544.0000000000F7A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662256348.0000000000F7D000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.662259273.0000000000F7E000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64e4948cac03bd68b8b59c68544d6397aa3a84d4fe44625932ee17433e076786
Instruction ID: 804646c20642391f5a95cc5fc4c7287c8992a03f16bfe7d1441eb6911bbd2b71
Opcode Fuzzy Hash: 64e4948cac03bd68b8b59c68544d6397aa3a84d4fe44625932ee17433e076786
Instruction Fuzzy Hash: 69316970919308CFC708EF24E88166977F0FB44305F04991EE89D972A2EB70A848EB72

Uniqueness

Uniqueness Score: -1.00%

Function 00D91490, Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.661933456.0000000000D51000.00000020.00020000.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.661927136.0000000000D50000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.662082442.0000000000E53000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.662217305.0000000000F3E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662222778.0000000000F44000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.662233308.0000000000F56000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662236659.0000000000F57000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.662240097.0000000000F59000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662243272.0000000000F5F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662246441.0000000000F63000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662249429.0000000000F77000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662252544.0000000000F7A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662256348.0000000000F7D000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.662259273.0000000000F7E000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40d681e28c7200ef0bc486df923e01131e8d1feab634558ae94d752101be0ea2
Instruction ID: 83d620dd05cfb45dcc9a4de7e6764cfe317bcfdc761b2a42f6e54e684636d988
Opcode Fuzzy Hash: 40d681e28c7200ef0bc486df923e01131e8d1feab634558ae94d752101be0ea2
Instruction Fuzzy Hash: AAF017749093468FC305EF24D5887A4BBE1FB44704F89889DD88A433A2E735A848DB22

Uniqueness

Uniqueness Score: -1.00%

Function 00DA9C40, Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.661933456.0000000000D51000.00000020.00020000.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.661927136.0000000000D50000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.662082442.0000000000E53000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.662217305.0000000000F3E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662222778.0000000000F44000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.662233308.0000000000F56000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662236659.0000000000F57000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.662240097.0000000000F59000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662243272.0000000000F5F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662246441.0000000000F63000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662249429.0000000000F77000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662252544.0000000000F7A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662256348.0000000000F7D000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.662259273.0000000000F7E000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1dbea12bfc5f642e4bccc9f961063821581c20f0f01669fc4b1e7ebbec30f11e
Instruction ID: 519d281b0b2d826b703da9d9b3371add37712379fe14b4f1a845969fed098b7d
Opcode Fuzzy Hash: 1dbea12bfc5f642e4bccc9f961063821581c20f0f01669fc4b1e7ebbec30f11e
Instruction Fuzzy Hash: 65C012A088DBA5ACFB20AB109624350FEC48B9B774F58C4CEA0CC21011C2B688C8A722

Uniqueness

Uniqueness Score: -1.00%

Function 00D7BE90, Relevance: 46.6, Strings: 37, Instructions: 308
COMMON

Download Yara Rule

C-Code - Quality: 48%

			E00D7BE90(void* __ebx, void* __edx, void* __ebp) {
				char _v24;
				char _v27;
				char _v47;
				char _v50;
				char _v70;
				char _v72;
				char _v88;
				char _v90;
				char _v106;
				char _v107;
				char _v123;
				char _v139;
				char _v144;
				char _v151;
				char _v154;
				char _v166;
				char _v169;
				char _v181;
				char _v183;
				char _v195;
				char _v196;
				char _v208;
				char _v209;
				intOrPtr _v213;
				intOrPtr _v217;
				char _v220;
				intOrPtr _v224;
				intOrPtr _v228;
				char _v230;
				intOrPtr _v234;
				intOrPtr _v238;
				char _v240;
				char* _v244;
				char* _v248;
				char* _v252;
				signed int _v256;
				char* _v260;
				char* _v264;
				char* _v268;
				char* _t126;
				intOrPtr _t131;
				intOrPtr _t136;
				intOrPtr _t141;
				intOrPtr _t146;
				signed int _t149;
				intOrPtr _t159;
				char* _t164;
				intOrPtr _t169;
				char* _t174;
				intOrPtr _t179;
				intOrPtr _t185;
				intOrPtr _t199;
				signed int _t207;
				signed int _t216;
				signed int _t218;
				signed int _t220;
				signed int _t222;
				signed int _t223;
				signed int _t225;
				signed int _t227;
				signed int _t228;
				signed int _t229;
				void* _t265;
				char** _t266;

				L0:
				while(1) {
					L0:
					_t264 = __ebp;
					_t230 = __edx;
					_t211 = __ebx;
					if( &_v144 <=  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x14])) + 8))) {
						goto L50;
					}
					L1:
					_t266 = _t265 - 0x110;
					_v196 = 0x6e72656b;
					E00DAA522( &_v144,  &_v195,  &M00E7E28E);
					_t5 =  &_v196; // 0x6e72656b
					 *_t266 = LoadLibraryA;
					_v268 = _t5;
					E00D7DFE0();
					_t126 = _v264;
					if(_t126 == 0) {
						L49:
						 *_t266 =  &M00E810DC;
						_v268 = 0x16;
						E00D80D70();
						goto L50;
					}
					L2:
					_v244 = _t126;
					 *_t266 = E00DAA518(_t126,  &_v123,  &M00E7ECFA);
					_v268 =  &_v123;
					_v264 = 0x10;
					_v260 = 0x10;
					E00D7BC70();
					_t131 =  *0xf779c0; // 0x0
					_t216 = _v256;
					if(_t131 != 0) {
						_t131 = L00DA9DE0(_t216, __ebx, _t216, __edx, 0xf59cf4,  &M00E7ECFA, __ebp);
					} else {
						 *0xf59cf4 = _t216;
					}
					_v27 = 0x56646441;
					E00DAA504(_t131,  &_v24,  &M00E82B37);
					 *_t266 = _v244;
					_t18 =  &_v27; // 0x56646441
					_v268 = _t18;
					_v264 = 0x1b;
					_v260 = 0x1b;
					E00D7BC70();
					_t136 =  *0xf779c0; // 0x0
					_t218 = _v256;
					if(_t136 != 0) {
						_t136 = L00DA9DE0(_t218, _t211, _t218, _t230, 0xf59cf8,  &M00E82B37, _t264);
					} else {
						 *0xf59cf8 = _t218;
					}
					_v154 = 0x64616f4c;
					E00DAA522(_t136,  &_v151,  &M00E7E9F7);
					 *_t266 = _v244;
					_t26 =  &_v154; // 0x64616f4c
					_v268 = _t26;
					_v264 = 0xf;
					_v260 = 0xf;
					E00D7BC70();
					_t141 =  *0xf779c0; // 0x0
					_t220 = _v256;
					if(_t141 != 0) {
						_t141 = L00DA9DE0(_t220, _t211, _t220, _t230, 0xf59d00,  &M00E7E9F7, _t264);
					} else {
						 *0xf59d00 = _t220;
					}
					_v169 = 0x64616f4c;
					E00DAA522(_t141,  &_v166, "dLibraryExW");
					 *_t266 = _v244;
					_t34 =  &_v169; // 0x64616f4c
					_v268 = _t34;
					_v264 = 0xf;
					_v260 = 0xf;
					E00D7BC70();
					_t146 =  *0xf779c0; // 0x0
					_t222 = _v256;
					if(_t146 != 0) {
						L00DA9DE0(_t222, _t211, _t222, _t230, 0xf59d04, "dLibraryExW", _t264);
					} else {
						 *0xf59d04 = _t222;
					}
					if(_t222 == 0 ||  *0xf59d00 == 0) {
						_t149 = 0;
					} else {
						_t149 =  *0xf59cf4 & 0xffffff00 |  *0xf59cf4 != 0x00000000;
					}
					 *0xf77796 = _t149;
					_v209 = 0x61766461;
					E00DAA522(_t149,  &_v208,  &M00E7E20C);
					_t43 =  &_v209; // 0x61766461
					 *_t266 = _t43;
					_v268 = 0xd;
					_v264 = 0xd;
					E00D7BCF0();
					_t153 = _v260;
					if(_v260 == 0) {
						L48:
						 *_t266 = "advapi32.dll not foundargument list too longassembly checks failedbad g->status in readybad sweepgen in refillcannot allocate memoryduplicated defer entryfreeIndex is not validgetenv before env initheadTailIndex overflowinteger divide by zerointerface conversion: internal inconsistencyinvalid number base %dis encrypted pem blockkernel32.dll not foundminpc or maxpc invalidnetwork is unreachablenon-Go function at pc=oldoverflow is not niloperation was canceledprotocol not availableprotocol not supportedreflect.Value.SetFloatreflectlite.Value.Typeremote address changedruntime.main not on m0runtime: work.nwait = runtime:scanstack: gp=s.freeindex > s.nelemsscanstack - bad statussend on closed channelspan has no free spacestack not a power of 2timer goroutine (idle)trace reader (blocked)trace: alloc too largewirep: invalid p statezero length BIT STRING) must be a power of 2\n23283064365386962890625<invalid reflect.Value>Argentina Standard TimeAstrakhan Standard TimeCertGetCertificateChainDeleteVolumeMountPointWDestroyEnvironmentBlockE. Africa Standard TimeE. Europe Standard TimeFreeEnvironmentStringsWGetEnvironmentVariableWGetLogicalDriveStringsWGetSidSubAuthorityCountGetSystemTimeAsFileTimeGreenland Standard TimeGreenwich Standard TimeLogical_Order_ExceptionLord Howe Standard TimeMB during sweep; swept Marquesas Standard TimeMauritius Standard TimeNoncharacter_Code_PointNtSetInformationProcessQueryServiceLockStatusWQyzylorda Standard TimeRegNotifyChangeKeyValueSetEnvironmentVariableWSetInformationJobObjectSetKernelObjectSecuritySetNamedPipeHandleStateSetProcessPriorityBoostSingapore Standard TimeSri Lanka Standard TimeTocantins Standard TimeVenezuela Standard TimeVolgograd Standard TimeW. Europe Standard TimeWSAGetOverlappedResult";
						_v268 = 0x16;
						E00D80D70();
						goto L49;
					}
					L14:
					_v90 = 0x74737953;
					 *_t266 = E00DAA518(_t153,  &_v88,  &M00E7F8F7);
					_t49 =  &_v90; // 0x74737953
					_v268 = _t49;
					_v264 = 0x12;
					_v260 = 0x12;
					E00D7BC70();
					_t159 =  *0xf779c0; // 0x0
					_t223 = _v256;
					if(_t159 != 0) {
						L00DA9DE0(_t223, _t211, _t223, _t230, 0xf59d14,  &M00E7F8F7, _t264);
					} else {
						 *0xf59d14 = _t223;
					}
					_v230 = 0x6c64746e;
					_v228 = 0x2e6c6c64;
					_v224 = 0x6c6c64;
					_t57 =  &_v230; // 0x6c64746e
					 *_t266 = _t57;
					_v268 = 0xa;
					_v264 = 0xa;
					E00D7BCF0();
					_t164 = _v260;
					if(_t164 == 0) {
						L47:
						 *_t266 =  &M00E7FFE0;
						_v268 = 0x13;
						E00D80D70();
						goto L48;
					}
					L17:
					_v252 = _t164;
					_v72 = 0x6157744e;
					 *_t266 = E00DAA50E(_t164,  &_v70,  &M00E80EA2);
					_t64 =  &_v72; // 0x6157744e
					_v268 = _t64;
					_v264 = 0x16;
					_v260 = 0x16;
					E00D7BC70();
					_t169 =  *0xf779c0; // 0x0
					_t225 = _v256;
					if(_t169 != 0) {
						L00DA9DE0(_t225, _t211, _t225, _t230, 0xf59d08,  &M00E80EA2, _t264);
					} else {
						 *0xf59d08 = _t225;
					}
					_v240 = 0x6d6e6977;
					_v238 = 0x2e6d6d6e;
					_v234 = 0x6c6c64;
					_t72 =  &_v240; // 0x6d6e6977
					 *_t266 = _t72;
					_v268 = 0xa;
					_v264 = 0xa;
					E00D7BCF0();
					_t174 = _v260;
					if(_t174 == 0) {
						L46:
						 *_t266 =  &M00E801BB;
						_v268 = 0x13;
						E00D80D70();
						goto L47;
					}
					L20:
					_v248 = _t174;
					 *_t266 = E00DAA518(_t174,  &_v139,  &M00E7F1CA);
					_v268 =  &_v139;
					_v264 = 0x10;
					_v260 = 0x10;
					E00D7BC70();
					_t179 =  *0xf779c0; // 0x0
					_t227 = _v256;
					if(_t179 != 0) {
						_t179 = L00DA9DE0(_t227, _t211, _t227, _t230, 0xf59d1c,  &M00E7F1CA, _t264);
					} else {
						 *0xf59d1c = _t227;
					}
					_v183 = 0x656d6974;
					E00DAA522(_t179,  &_v181,  &M00E7E7D6);
					 *_t266 = _v248;
					_t86 =  &_v183; // 0x656d6974
					_v268 = _t86;
					_v264 = 0xe;
					_v260 = 0xe;
					E00D7BC70();
					_t185 =  *0xf779c0; // 0x0
					_t228 = _v256;
					if(_t185 != 0) {
						L00DA9DE0(_t228, _t211, _t228, _t230, 0xf59d20,  &M00E7E7D6, _t264);
					} else {
						 *0xf59d20 = _t228;
					}
					if( *0xf59d1c == 0 || _t228 == 0) {
						L45:
						 *_t266 =  &M00E83934;
						_v268 = 0x1d;
						E00D80D70();
						goto L46;
					}
					L26:
					_v220 = 0x5f327377;
					_v217 = 0x2e32335f;
					_v213 = 0x6c6c64;
					_t94 =  &_v220; // 0x5f327377
					 *_t266 = _t94;
					_v268 = 0xb;
					_v264 = 0xb;
					E00D7BCF0();
					_t193 = _v260;
					if(_v260 == 0) {
						L44:
						 *_t266 =  &M00E80781;
						_v268 = 0x14;
						E00D80D70();
						goto L45;
					}
					L27:
					_v50 = 0x47415357;
					 *_t266 = E00DAA50E(_t193,  &_v47,  &M00E81659);
					_t100 =  &_v50; // 0x47415357
					_v268 = _t100;
					_v264 = 0x17;
					_v260 = 0x17;
					E00D7BC70();
					_t199 =  *0xf779c0; // 0x0
					_t229 = _v256;
					if(_t199 != 0) {
						_t199 = L00DA9DE0(_t229, _t211, _t229, _t230, 0xf59d18,  &M00E81659, _t264);
					} else {
						 *0xf59d18 = _t229;
					}
					if(_t229 == 0) {
						L43:
						 *_t266 =  &M00E84374;
						_v268 = 0x20;
						E00D80D70();
						goto L44;
					}
					L30:
					_v107 = 0x656e6977;
					E00DAA518(_t199,  &_v106,  &M00E7F65E);
					 *_t266 = _v252;
					_t108 =  &_v107; // 0x656e6977
					_v268 = _t108;
					_v264 = 0x11;
					_v260 = 0x11;
					E00D7BC70();
					_t207 = _v256;
					if(_t207 != 0) {
						 *_t266 = _v244;
						_t207 = E00D7CB30(_t211);
					}
					return _t207;
					L51:
					L50:
					E00DA8880();
				}
			}

0x00d7be90
0x00d7be90
0x00d7be90
0x00d7be90
0x00d7be90
0x00d7be90
0x00d7bea7
0x00000000
0x00000000
0x00d7bead
0x00d7bead
0x00d7beb3
0x00d7bec5
0x00d7bed0
0x00d7bed4
0x00d7bed7
0x00d7bedb
0x00d7bee0
0x00d7bee6
0x00d7c4ba
0x00d7c4c0
0x00d7c4c3
0x00d7c4cb
0x00000000
0x00d7c4cb
0x00d7beec
0x00d7beec
0x00d7bf02
0x00d7bf0c
0x00d7bf10
0x00d7bf18
0x00d7bf20
0x00d7bf25
0x00d7bf2b
0x00d7bf31
0x00d7c42c
0x00d7bf37
0x00d7bf37
0x00d7bf37
0x00d7bf3d
0x00d7bf55
0x00d7bf5e
0x00d7bf61
0x00d7bf68
0x00d7bf6c
0x00d7bf74
0x00d7bf7c
0x00d7bf81
0x00d7bf87
0x00d7bf8d
0x00d7c41a
0x00d7bf93
0x00d7bf93
0x00d7bf93
0x00d7bf99
0x00d7bfab
0x00d7bfb4
0x00d7bfb7
0x00d7bfbb
0x00d7bfbf
0x00d7bfc7
0x00d7bfcf
0x00d7bfd4
0x00d7bfda
0x00d7bfe0
0x00d7c408
0x00d7bfe6
0x00d7bfe6
0x00d7bfe6
0x00d7bfec
0x00d7bffe
0x00d7c007
0x00d7c00a
0x00d7c00e
0x00d7c012
0x00d7c01a
0x00d7c022
0x00d7c027
0x00d7c02d
0x00d7c033
0x00d7c3f6
0x00d7c039
0x00d7c039
0x00d7c039
0x00d7c041
0x00d7c3e7
0x00d7c055
0x00d7c05d
0x00d7c05d
0x00d7c060
0x00d7c066
0x00d7c078
0x00d7c07d
0x00d7c081
0x00d7c084
0x00d7c08c
0x00d7c094
0x00d7c099
0x00d7c09f
0x00d7c4a4
0x00d7c4aa
0x00d7c4ad
0x00d7c4b5
0x00000000
0x00d7c4b5
0x00d7c0a5
0x00d7c0a5
0x00d7c0c2
0x00d7c0c5
0x00d7c0cc
0x00d7c0d0
0x00d7c0d8
0x00d7c0e0
0x00d7c0e5
0x00d7c0eb
0x00d7c0f1
0x00d7c3dd
0x00d7c0f7
0x00d7c0f7
0x00d7c0f7
0x00d7c0fd
0x00d7c105
0x00d7c10d
0x00d7c115
0x00d7c119
0x00d7c11c
0x00d7c124
0x00d7c12c
0x00d7c131
0x00d7c137
0x00d7c48e
0x00d7c494
0x00d7c497
0x00d7c49f
0x00000000
0x00d7c49f
0x00d7c13d
0x00d7c13d
0x00d7c141
0x00d7c15e
0x00d7c161
0x00d7c168
0x00d7c16c
0x00d7c174
0x00d7c17c
0x00d7c181
0x00d7c187
0x00d7c18d
0x00d7c3cb
0x00d7c193
0x00d7c193
0x00d7c193
0x00d7c199
0x00d7c1a1
0x00d7c1a9
0x00d7c1b1
0x00d7c1b5
0x00d7c1b8
0x00d7c1c0
0x00d7c1c8
0x00d7c1cd
0x00d7c1d3
0x00d7c478
0x00d7c47e
0x00d7c481
0x00d7c489
0x00000000
0x00d7c489
0x00d7c1d9
0x00d7c1d9
0x00d7c1ef
0x00d7c1f9
0x00d7c1fd
0x00d7c205
0x00d7c20d
0x00d7c212
0x00d7c218
0x00d7c21e
0x00d7c3b9
0x00d7c224
0x00d7c224
0x00d7c224
0x00d7c22a
0x00d7c23c
0x00d7c245
0x00d7c248
0x00d7c24c
0x00d7c250
0x00d7c258
0x00d7c260
0x00d7c265
0x00d7c26b
0x00d7c271
0x00d7c3a7
0x00d7c277
0x00d7c277
0x00d7c277
0x00d7c285
0x00d7c462
0x00d7c468
0x00d7c46b
0x00d7c473
0x00000000
0x00d7c473
0x00d7c293
0x00d7c293
0x00d7c29b
0x00d7c2a3
0x00d7c2ab
0x00d7c2af
0x00d7c2b2
0x00d7c2ba
0x00d7c2c2
0x00d7c2c7
0x00d7c2cd
0x00d7c44c
0x00d7c452
0x00d7c455
0x00d7c45d
0x00000000
0x00d7c45d
0x00d7c2d3
0x00d7c2d3
0x00d7c2f0
0x00d7c2f3
0x00d7c2fa
0x00d7c2fe
0x00d7c306
0x00d7c30e
0x00d7c313
0x00d7c319
0x00d7c31f
0x00d7c398
0x00d7c321
0x00d7c321
0x00d7c321
0x00d7c329
0x00d7c436
0x00d7c43c
0x00d7c43f
0x00d7c447
0x00000000
0x00d7c447
0x00d7c32f
0x00d7c32f
0x00d7c347
0x00d7c350
0x00d7c353
0x00d7c35a
0x00d7c35e
0x00d7c366
0x00d7c36e
0x00d7c373
0x00d7c379
0x00d7c386
0x00d7c389
0x00d7c389
0x00d7c381
0x00000000
0x00d7c4d1
0x00d7c4d1
0x00d7c4d1

Strings

advapi32.dll not foundargument list too longassembly checks failedbad g->status in readybad sweepgen in refillcannot allocate memoryduplicated defer entryfreeIndex is not validgetenv before env initheadTailIndex overflowinteger divide by zerointerface conversi, xrefs: 00D7C4A4
dll, xrefs: 00D7C1A9
nmm., xrefs: 00D7C1A1
WSAG, xrefs: 00D7C2F3
AddDllDirectory, xrefs: 00D7BEF7
ws2_dlldll., xrefs: 00D7C2AB
Load, xrefs: 00D7BFB7
dll, xrefs: 00D7C10D
, xrefs: 00D7C43F
adva, xrefs: 00D7C07D
time, xrefs: 00D7C248
dll., xrefs: 00D7C105
Load, xrefs: 00D7C00A
ntdll.dll not foundnwait > work.nprocspanic during mallocpanic during panicpanic holding lockspanicwrap: no ( in panicwrap: no ) in reflect.Value.Fieldreflect.Value.Floatreflect.Value.Indexreflect.Value.IsNilreflect.Value.Sliceruntime: g0 stack [runtime: pcda, xrefs: 00D7C48E
dvapi32.dll, xrefs: 00D7C072
WSAGetOverlappedResult not found" not supported for cpu option "crypto/aes: input not full blockcrypto/des: input not full blockinteger is not minimally encodednumerical argument out of domainpanic while printing panic valuereflect.nameFrom: tag too long: refl, xrefs: 00D7C436
Syst, xrefs: 00D7C0C5
winm, xrefs: 00D7C1B1
ernel32.dll, xrefs: 00D7BEBF
dLibraryExA, xrefs: 00D7BFA5
kern, xrefs: 00D7BED0
winmm.dll not foundzero length segment markroot jobs done to unallocated span37252902984619140625Arabic Standard TimeAzores Standard TimeCertFindChainInStoreCertOpenSystemStoreWChangeServiceConfigWCheckTokenMembershipCreateProcessAsUserWCryptAcquireContextWEg, xrefs: 00D7C478
ws2_32.dll not found of unexported method previous allocCount=%s flag redefined: %s, levelBits[level] = 186264514923095703125931322574615478515625AdjustTokenPrivilegesAlaskan Standard TimeAnatolian_HieroglyphsArabian Standard TimeBelarus Standard TimeCentral S, xrefs: 00D7C44C
stemFunction036, xrefs: 00D7C0B7
meEndPeriod, xrefs: 00D7C236
GetOverlappedResult, xrefs: 00D7C2E5
WaitForSingleObject, xrefs: 00D7C153
wine, xrefs: 00D7C353
ine_get_version, xrefs: 00D7C341
VectoredContinueHandler, xrefs: 00D7BF4F
timeBeginPeriod, xrefs: 00D7C1E4
NtWa, xrefs: 00D7C161
timeBegin/EndPeriod not foundtoo many open files in systemx509: unknown encryption modezero length OBJECT IDENTIFIER (types from different scopes) in prepareForSweep; sweepgen locals stack map entries for 227373675443232059478759765625Central European Standar, xrefs: 00D7C462
kernel32.dll not foundminpc or maxpc invalidnetwork is unreachablenon-Go function at pc=oldoverflow is not niloperation was canceledprotocol not availableprotocol not supportedreflect.Value.SetFloatreflectlite.Value.Typeremote address changedruntime.main not o, xrefs: 00D7C4BA
AddV, xrefs: 00D7BF61
dLibraryExW, xrefs: 00D7BFF8
ntdl, xrefs: 00D7C115

Memory Dump Source

Source File: 00000000.00000002.661933456.0000000000D51000.00000020.00020000.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.661927136.0000000000D50000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.662082442.0000000000E53000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.662217305.0000000000F3E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662222778.0000000000F44000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.662233308.0000000000F56000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662236659.0000000000F57000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.662240097.0000000000F59000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662243272.0000000000F5F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662246441.0000000000F63000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662249429.0000000000F77000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662252544.0000000000F7A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662256348.0000000000F7D000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.662259273.0000000000F7E000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: $AddDllDirectory$AddV$GetOverlappedResult$Load$Load$NtWa$Syst$VectoredContinueHandler$WSAG$WSAGetOverlappedResult not found" not supported for cpu option "crypto/aes: input not full blockcrypto/des: input not full blockinteger is not minimally encodednumerical argument out of domainpanic while printing panic valuereflect.nameFrom: tag too long: refl$WaitForSingleObject$adva$advapi32.dll not foundargument list too longassembly checks failedbad g->status in readybad sweepgen in refillcannot allocate memoryduplicated defer entryfreeIndex is not validgetenv before env initheadTailIndex overflowinteger divide by zerointerface conversi$dLibraryExA$dLibraryExW$dll$dll$dll.$dvapi32.dll$ernel32.dll$ine_get_version$kern$kernel32.dll not foundminpc or maxpc invalidnetwork is unreachablenon-Go function at pc=oldoverflow is not niloperation was canceledprotocol not availableprotocol not supportedreflect.Value.SetFloatreflectlite.Value.Typeremote address changedruntime.main not o$meEndPeriod$nmm.$ntdl$ntdll.dll not foundnwait > work.nprocspanic during mallocpanic during panicpanic holding lockspanicwrap: no ( in panicwrap: no ) in reflect.Value.Fieldreflect.Value.Floatreflect.Value.Indexreflect.Value.IsNilreflect.Value.Sliceruntime: g0 stack [runtime: pcda$stemFunction036$time$timeBegin/EndPeriod not foundtoo many open files in systemx509: unknown encryption modezero length OBJECT IDENTIFIER (types from different scopes) in prepareForSweep; sweepgen locals stack map entries for 227373675443232059478759765625Central European Standar$timeBeginPeriod$wine$winm$winmm.dll not foundzero length segment markroot jobs done to unallocated span37252902984619140625Arabic Standard TimeAzores Standard TimeCertFindChainInStoreCertOpenSystemStoreWChangeServiceConfigWCheckTokenMembershipCreateProcessAsUserWCryptAcquireContextWEg$ws2_32.dll not found of unexported method previous allocCount=%s flag redefined: %s, levelBits[level] = 186264514923095703125931322574615478515625AdjustTokenPrivilegesAlaskan Standard TimeAnatolian_HieroglyphsArabian Standard TimeBelarus Standard TimeCentral S$ws2_dlldll.
API String ID: 0-4214203382
Opcode ID: 5a5ae13942fae3c25e5efb45eff9fb0978baafaa2e17fc5e884c709bd11ada5a
Instruction ID: bc15435920b7e83248efb065449eee5dee80c658708277440f847cd9decf3323
Opcode Fuzzy Hash: 5a5ae13942fae3c25e5efb45eff9fb0978baafaa2e17fc5e884c709bd11ada5a
Instruction Fuzzy Hash: EFE1D0B1109346CFD764EF25D8817AABBF0FB84304F41C82EE58897251EB74E949DB62

Uniqueness

Uniqueness Score: -1.00%

Function 00D8D530, Relevance: 17.9, Strings: 14, Instructions: 443COMMON

Download Yara Rule

Strings

runqsize= runqueue= s.base()= spinning= stopwait= sweepgen sweepgen= targetpc= throwing= until pc=%!(NOVERB)%!Weekday((BADINDEX), bound = , limit = /dev/stdin12207031256103515625: parsing AdditionalBad varintCancelIoExChorasmianClassCHAOSClassCSNETCreateFile, xrefs: 00D8D959
runqueue= s.base()= spinning= stopwait= sweepgen sweepgen= targetpc= throwing= until pc=%!(NOVERB)%!Weekday((BADINDEX), bound = , limit = /dev/stdin12207031256103515625: parsing AdditionalBad varintCancelIoExChorasmianClassCHAOSClassCSNETCreateFileCreatePipe, xrefs: 00D8D747
threads= u_a/u_g= unmarked wbuf1.n= wbuf2.n=%!(EXTRA (MISSING)(unknown), newval=, oldval=, size = , tail = -07:00:00244140625: status=AuthorityBassa_VahBhaiksukiBigEndianClassINETCuneiformDiacriticFindCloseHex_DigitInheritedInterfaceKhudawadiLocalFreeMalayala, xrefs: 00D8D6C4
idleprocs= in status mallocing= ms clock, nBSSRoots= p->status= s.nelems= schedtick= span.list= timerslen=%!(BADPREC), elemsize=, npages = /dev/stderr/dev/stdout30517578125: frame.sp=AES-128-CBCAES-192-CBCAES-256-CBCBLAKE2b-256BLAKE2b-384BLAKE2b-512BLAKE2s, xrefs: 00D8D697
ms: gomaxprocs=network is downno medium foundno such processnon-minimal tagrecovery failedruntime error: runtime.gopanicruntime: frame runtime: max = runtime: min = runtimer: bad pscan missed a gstartm: m has pstopm holding p already; errno= mheap.sweepgen= no, xrefs: 00D8D66A
gcwaiting= heap_live= idleprocs= in status mallocing= ms clock, nBSSRoots= p->status= s.nelems= schedtick= span.list= timerslen=%!(BADPREC), elemsize=, npages = /dev/stderr/dev/stdout30517578125: frame.sp=AES-128-CBCAES-192-CBCAES-256-CBCBLAKE2b-256BLAKE2b, xrefs: 00D8DFAD
sysmonwait= wbuf1=<nil> wbuf2=<nil>$recycle.bin%!(BADWIDTH)) p->status=-byte limit152587890625762939453125Bidi_ControlCoCreateGuidCreateEventWCreateMutexWDES-EDE3-CBCFindNextFileGetAddrInfoWGetConsoleCPGetLastErrorGetLengthSidGetProcessIdGetStdHandleGetTempP, xrefs: 00D8E033
spinningthreads=%%!%c(big.Int=%s), p.searchAddr = 0123456789ABCDEFX0123456789abcdefx060102150405Z07001192092895507812559604644775390625: missing method AdjustTokenGroupsCertFindExtensionCryptDecodeObjectDnsRecordListFreeFLE Standard TimeGC assist markingGMT S, xrefs: 00D8D6F2
idlethreads= in duration is nil, not nStackRoots= out of range s.spanclass= span.base()= syscalltick= work.nproc= work.nwait= , gp->status=, not pointer-byte block (3814697265625CertOpenStoreCoTaskMemFreeDeleteServiceEnumProcessesExitWindowsExFindFirstFile, xrefs: 00D8D71C
P ) *( - < > m= n=%: +00+01+03+04+05+06+07+08+09+10+11+12+13+14-01-02-03-04-05-06-08-09-11-12125625???ADTASTAprAugBSTCATCDTCETCSTDecDltEATEDTEETEOFESTFebFriGMTHDTHSTHanIDTISTJSTJanJulJunKSTLaoMD4MD5MDTMSKMSTMarMayMonMroNDTNSTNULNaNNkoNovOctPC=PDTPKTPSTSE, xrefs: 00D8D87D
SCHED STREETStringSundaySyriacTai_LeTangutTeluguThaanaTypeMXTypeNSUTC+12UTC+13UTC-02UTC-08UTC-09UTC-11WanchoYezidi[]byte blockschan<-domainefencego1.16gopherheaderlistenminutenot okobjectpopcntrenamesecondselectsendtosocketstringstructsweep sysmontelnetti, xrefs: 00D8D63A
unknown wait reasonwinmm.dll not foundzero length segment markroot jobs done to unallocated span37252902984619140625Arabic Standard TimeAzores Standard TimeCertFindChainInStoreCertOpenSystemStoreWChangeServiceConfigWCheckTokenMembershipCreateProcessAsUserWCry, xrefs: 00D8DF02
gfreecnt= pages at runqsize= runqueue= s.base()= spinning= stopwait= sweepgen sweepgen= targetpc= throwing= until pc=%!(NOVERB)%!Weekday((BADINDEX), bound = , limit = /dev/stdin12207031256103515625: parsing AdditionalBad varintCancelIoExChorasmianClassCHAOS, xrefs: 00D8D989
nmidlelocked= on zero Value out of range procedure in to finalizer untyped args -thread limit1907348632812595367431640625: extra text: CertCloseStoreCoInitializeExCoUninitializeControlServiceCreateEventExWCreateMutexExWCreateProcessWCreateServiceWCryptGen, xrefs: 00D8DFDA

Memory Dump Source

Source File: 00000000.00000002.661933456.0000000000D51000.00000020.00020000.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.661927136.0000000000D50000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.662082442.0000000000E53000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.662217305.0000000000F3E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662222778.0000000000F44000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.662233308.0000000000F56000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662236659.0000000000F57000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.662240097.0000000000F59000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662243272.0000000000F5F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662246441.0000000000F63000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662249429.0000000000F77000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662252544.0000000000F7A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662256348.0000000000F7D000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.662259273.0000000000F7E000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: P ) *( - < > m= n=%: +00+01+03+04+05+06+07+08+09+10+11+12+13+14-01-02-03-04-05-06-08-09-11-12125625???ADTASTAprAugBSTCATCDTCETCSTDecDltEATEDTEETEOFESTFebFriGMTHDTHSTHanIDTISTJSTJanJulJunKSTLaoMD4MD5MDTMSKMSTMarMayMonMroNDTNSTNULNaNNkoNovOctPC=PDTPKTPSTSE$ gcwaiting= heap_live= idleprocs= in status mallocing= ms clock, nBSSRoots= p->status= s.nelems= schedtick= span.list= timerslen=%!(BADPREC), elemsize=, npages = /dev/stderr/dev/stdout30517578125: frame.sp=AES-128-CBCAES-192-CBCAES-256-CBCBLAKE2b-256BLAKE2b$ gfreecnt= pages at runqsize= runqueue= s.base()= spinning= stopwait= sweepgen sweepgen= targetpc= throwing= until pc=%!(NOVERB)%!Weekday((BADINDEX), bound = , limit = /dev/stdin12207031256103515625: parsing AdditionalBad varintCancelIoExChorasmianClassCHAOS$ idleprocs= in status mallocing= ms clock, nBSSRoots= p->status= s.nelems= schedtick= span.list= timerslen=%!(BADPREC), elemsize=, npages = /dev/stderr/dev/stdout30517578125: frame.sp=AES-128-CBCAES-192-CBCAES-256-CBCBLAKE2b-256BLAKE2b-384BLAKE2b-512BLAKE2s$ idlethreads= in duration is nil, not nStackRoots= out of range s.spanclass= span.base()= syscalltick= work.nproc= work.nwait= , gp->status=, not pointer-byte block (3814697265625CertOpenStoreCoTaskMemFreeDeleteServiceEnumProcessesExitWindowsExFindFirstFile$ nmidlelocked= on zero Value out of range procedure in to finalizer untyped args -thread limit1907348632812595367431640625: extra text: CertCloseStoreCoInitializeExCoUninitializeControlServiceCreateEventExWCreateMutexExWCreateProcessWCreateServiceWCryptGen$ runqsize= runqueue= s.base()= spinning= stopwait= sweepgen sweepgen= targetpc= throwing= until pc=%!(NOVERB)%!Weekday((BADINDEX), bound = , limit = /dev/stdin12207031256103515625: parsing AdditionalBad varintCancelIoExChorasmianClassCHAOSClassCSNETCreateFile$ runqueue= s.base()= spinning= stopwait= sweepgen sweepgen= targetpc= throwing= until pc=%!(NOVERB)%!Weekday((BADINDEX), bound = , limit = /dev/stdin12207031256103515625: parsing AdditionalBad varintCancelIoExChorasmianClassCHAOSClassCSNETCreateFileCreatePipe$ spinningthreads=%%!%c(big.Int=%s), p.searchAddr = 0123456789ABCDEFX0123456789abcdefx060102150405Z07001192092895507812559604644775390625: missing method AdjustTokenGroupsCertFindExtensionCryptDecodeObjectDnsRecordListFreeFLE Standard TimeGC assist markingGMT S$ sysmonwait= wbuf1=<nil> wbuf2=<nil>$recycle.bin%!(BADWIDTH)) p->status=-byte limit152587890625762939453125Bidi_ControlCoCreateGuidCreateEventWCreateMutexWDES-EDE3-CBCFindNextFileGetAddrInfoWGetConsoleCPGetLastErrorGetLengthSidGetProcessIdGetStdHandleGetTempP$ threads= u_a/u_g= unmarked wbuf1.n= wbuf2.n=%!(EXTRA (MISSING)(unknown), newval=, oldval=, size = , tail = -07:00:00244140625: status=AuthorityBassa_VahBhaiksukiBigEndianClassINETCuneiformDiacriticFindCloseHex_DigitInheritedInterfaceKhudawadiLocalFreeMalayala$SCHED STREETStringSundaySyriacTai_LeTangutTeluguThaanaTypeMXTypeNSUTC+12UTC+13UTC-02UTC-08UTC-09UTC-11WanchoYezidi[]byte blockschan<-domainefencego1.16gopherheaderlistenminutenot okobjectpopcntrenamesecondselectsendtosocketstringstructsweep sysmontelnetti$ms: gomaxprocs=network is downno medium foundno such processnon-minimal tagrecovery failedruntime error: runtime.gopanicruntime: frame runtime: max = runtime: min = runtimer: bad pscan missed a gstartm: m has pstopm holding p already; errno= mheap.sweepgen= no$unknown wait reasonwinmm.dll not foundzero length segment markroot jobs done to unallocated span37252902984619140625Arabic Standard TimeAzores Standard TimeCertFindChainInStoreCertOpenSystemStoreWChangeServiceConfigWCheckTokenMembershipCreateProcessAsUserWCry
API String ID: 0-1148505105
Opcode ID: d2ad54fa8d00173b282021570df1b6a402b66f88dbc12a64cc5efba2760381df
Instruction ID: 81a2977b99fc8e1ca325f5f8df43049f29ba4f136795460b7c360955c1678c61
Opcode Fuzzy Hash: d2ad54fa8d00173b282021570df1b6a402b66f88dbc12a64cc5efba2760381df
Instruction Fuzzy Hash: 8D2203B45097448FC314FF69C58166ABBE1FF88354F10892DE9D987392EB34A848DB62

Uniqueness

Uniqueness Score: -1.00%

Function 00D64340, Relevance: 17.9, Strings: 14, Instructions: 397COMMON

Download Yara Rule

Strings

because dotdotdot to non-Go memory , locked to thread298023223876953125: day out of rangeArab Standard TimeCaucasian_AlbanianCertGetNameStringWCloseServiceHandleCommandLineToArgvWCreateFileMappingWCreateWellKnownSidCryptUnprotectDataCuba Standard TimeFiji Sta, xrefs: 00D64828
runtime.SetFinalizer: cannot pass runtime: g is running but p is notruntime: unexpected return pc for schedule: spinning with local workslice bounds out of range [%x:%y:]slice bounds out of range [:%x:%y]too many references: cannot spliceunexpected runtime.net, xrefs: 00D646D3, 00D64764, 00D647EC
, not a function0123456789ABCDEF0123456789abcdef2384185791015625: value of type AddDllDirectory, xrefs: 00D64884
runtime.SetFinalizer: second argument is runtime: blocked read on closing polldescruntime: typeBitsBulkBarrier without typestopTheWorld: not stopped (stopwait != 0)strconv: illegal AppendInt/FormatInt baseunexpected call to os.Exit(0) during test17347234759768, xrefs: 00D6486A
runtime.SetFinalizer: pointer not at beginning of allocated blockstrconv: internal error: extFloat.FixedDecimal called with n == 02695994666715063979466701508701962594045780771442439172168272236806126959946667150639794667015087019630673557916260026308143510066, xrefs: 00D648AF
, not pointer-byte block (3814697265625CertOpenStoreCoTaskMemFreeDeleteServiceEnumProcessesExitWindowsExFindFirstFileFindNextFileWFindResourceWFreeAddrInfoWGC sweep waitGetDriveTypeWGunjala_GondiMapViewOfFileMasaram_GondiMende_KikakuiOld_HungarianRegDeleteKeyW, xrefs: 00D64922
G, xrefs: 00D643C4
to finalizer untyped args -thread limit1907348632812595367431640625: extra text: CertCloseStoreCoInitializeExCoUninitializeControlServiceCreateEventExWCreateMutexExWCreateProcessWCreateServiceWCryptGenRandomFindFirstFileWFormatMessageWGC assist waitGC worke, xrefs: 00D646F5, 00D64786, 00D6480E
(, xrefs: 00D64912
+, xrefs: 00D64956
runtime.SetFinalizer: first argument is nilruntime: casfrom_Gscanstatus bad oldval gp=runtime: heapBitsSetTypeGCProg: total bits runtime: releaseSudog with non-nil gp.paramruntime:stoplockedm: lockedg (atomicstatus=unfinished open-coded defers in deferreturnun, xrefs: 00D6494D
runtime.SetFinalizer: first argument is runtime.preemptM: duplicatehandle failedruntime: out of memory: cannot allocate runtime: typeBitsBulkBarrier with type x509: trailing data after DSA parametersx509: trailing data after DSA public keyx509: trailing data , xrefs: 00D64908
nil elem type!no module datano such devicentuser.dat.logpollCache.lockprotocol errorruntime: full=s.allocCount= semaRoot queuestack overflowstopm spinningstore64 failedsync.Cond.Waittext file busytimeEndPeriod, xrefs: 00D648DB
runtime.SetFinalizer: pointer not in allocated blockruntime: GetQueuedCompletionStatusEx failed (errno= runtime: use of FixAlloc_Alloc before FixAlloc_Initspan set block with unpopped elements found in resetcompileCallback: argument size is larger than uintpt, xrefs: 00D648C5

Memory Dump Source

Source File: 00000000.00000002.661933456.0000000000D51000.00000020.00020000.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.661927136.0000000000D50000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.662082442.0000000000E53000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.662217305.0000000000F3E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662222778.0000000000F44000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.662233308.0000000000F56000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662236659.0000000000F57000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.662240097.0000000000F59000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662243272.0000000000F5F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662246441.0000000000F63000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662249429.0000000000F77000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662252544.0000000000F7A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662256348.0000000000F7D000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.662259273.0000000000F7E000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: G$ because dotdotdot to non-Go memory , locked to thread298023223876953125: day out of rangeArab Standard TimeCaucasian_AlbanianCertGetNameStringWCloseServiceHandleCommandLineToArgvWCreateFileMappingWCreateWellKnownSidCryptUnprotectDataCuba Standard TimeFiji Sta$ to finalizer untyped args -thread limit1907348632812595367431640625: extra text: CertCloseStoreCoInitializeExCoUninitializeControlServiceCreateEventExWCreateMutexExWCreateProcessWCreateServiceWCryptGenRandomFindFirstFileWFormatMessageWGC assist waitGC worke$($+$, not a function0123456789ABCDEF0123456789abcdef2384185791015625: value of type AddDllDirectory$, not pointer-byte block (3814697265625CertOpenStoreCoTaskMemFreeDeleteServiceEnumProcessesExitWindowsExFindFirstFileFindNextFileWFindResourceWFreeAddrInfoWGC sweep waitGetDriveTypeWGunjala_GondiMapViewOfFileMasaram_GondiMende_KikakuiOld_HungarianRegDeleteKeyW$nil elem type!no module datano such devicentuser.dat.logpollCache.lockprotocol errorruntime: full=s.allocCount= semaRoot queuestack overflowstopm spinningstore64 failedsync.Cond.Waittext file busytimeEndPeriod$runtime.SetFinalizer: cannot pass runtime: g is running but p is notruntime: unexpected return pc for schedule: spinning with local workslice bounds out of range [%x:%y:]slice bounds out of range [:%x:%y]too many references: cannot spliceunexpected runtime.net$runtime.SetFinalizer: first argument is nilruntime: casfrom_Gscanstatus bad oldval gp=runtime: heapBitsSetTypeGCProg: total bits runtime: releaseSudog with non-nil gp.paramruntime:stoplockedm: lockedg (atomicstatus=unfinished open-coded defers in deferreturnun$runtime.SetFinalizer: first argument is runtime.preemptM: duplicatehandle failedruntime: out of memory: cannot allocate runtime: typeBitsBulkBarrier with type x509: trailing data after DSA parametersx509: trailing data after DSA public keyx509: trailing data $runtime.SetFinalizer: pointer not at beginning of allocated blockstrconv: internal error: extFloat.FixedDecimal called with n == 02695994666715063979466701508701962594045780771442439172168272236806126959946667150639794667015087019630673557916260026308143510066$runtime.SetFinalizer: pointer not in allocated blockruntime: GetQueuedCompletionStatusEx failed (errno= runtime: use of FixAlloc_Alloc before FixAlloc_Initspan set block with unpopped elements found in resetcompileCallback: argument size is larger than uintpt$runtime.SetFinalizer: second argument is runtime: blocked read on closing polldescruntime: typeBitsBulkBarrier without typestopTheWorld: not stopped (stopwait != 0)strconv: illegal AppendInt/FormatInt baseunexpected call to os.Exit(0) during test17347234759768
API String ID: 0-3781276192
Opcode ID: 5ea7098e5e8b318820e1233d1bd37cc52d854477556be719f25a164b6cca8e30
Instruction ID: e74d64db5fdecc884c3269cd3b01bb8ad07652ddcfcbccdecc12437d0e742555
Opcode Fuzzy Hash: 5ea7098e5e8b318820e1233d1bd37cc52d854477556be719f25a164b6cca8e30
Instruction Fuzzy Hash: 0F0212B4608741CFC714EF24C08066ABBE1FF88740F55892EE9D98B351E775E985CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00D8FA10, Relevance: 16.5, Strings: 13, Instructions: 281COMMON

Download Yara Rule

Strings

bad timedivbroken pipecgocall nilclobberfreeclosesocketcreated by crypt32.dlldesktop.inifile existsfloat32nan2float64nan1float64nan2float64nan3gccheckmarkgeneralizedgetpeernamegetsocknamei/o timeoutmSpanManualmethodargs(mswsock.dllnetpollInitparse errorprogram, xrefs: 00D8FEED
float32nanfloat64nangetsockoptgoroutine goru = %dimpossibleinvalidptrmSpanInUsenotifyListntuser.datowner diedruntime: gs.state = schedtracesemacquiresetsockoptstackLargeticks.locktracefree(tracegc()unixpacketunknown pcuser32.dllws2_32.dll of size (targetp, xrefs: 00D8FDCF
atomicand8complex128debug calldnsapi.dllexitThreadfloat32nanfloat64nangetsockoptgoroutine goru = %dimpossibleinvalidptrmSpanInUsenotifyListntuser.datowner diedruntime: gs.state = schedtracesemacquiresetsockoptstackLargeticks.locktracefree(tracegc()unixpacket, xrefs: 00D8FE3D
cas6chandeadermsfileftpsfunchourhttpicmpidleigmpint8itabkindopenpathpipepop3profreadrootsbrkseeksmtpsse2sse3tag:tcp4trueudp4uint -%s ... H_T= H_a= H_g= MB, W_a= and h_a= h_g= h_t= max= ms, ptr siz= tab= top= u_a= u_g=+0330+0430+0530+0545+0630+0845+1030+1, xrefs: 00D8FE69
assembly checks failedbad g->status in readybad sweepgen in refillcannot allocate memoryduplicated defer entryfreeIndex is not validgetenv before env initheadTailIndex overflowinteger divide by zerointerface conversion: internal inconsistencyinvalid number bas, xrefs: 00D8FD8D
cas4cas5cas6chandeadermsfileftpsfunchourhttpicmpidleigmpint8itabkindopenpathpipepop3profreadrootsbrkseeksmtpsse2sse3tag:tcp4trueudp4uint -%s ... H_T= H_a= H_g= MB, W_a= and h_a= h_g= h_t= max= ms, ptr siz= tab= top= u_a= u_g=+0330+0430+0530+0545+0630+084, xrefs: 00D8FE95
cas3cas4cas5cas6chandeadermsfileftpsfunchourhttpicmpidleigmpint8itabkindopenpathpipepop3profreadrootsbrkseeksmtpsse2sse3tag:tcp4trueudp4uint -%s ... H_T= H_a= H_g= MB, W_a= and h_a= h_g= h_t= max= ms, ptr siz= tab= top= u_a= u_g=+0330+0430+0530+0545+0630, xrefs: 00D8FEAB
atomicor8bad indirchan sendcomplex64copystackctxt != 0d.nx != 0debugLockfuncargs(hchanLeafinittraceinterfaceipv6-icmpmSpanDeadmSpanFreentdll.dllole32.dllomitemptypanicwaitpclmulqdqpreemptedprintablepsapi.dllrecover: reflect: rwxrwxrwxscavtracestackpoolthumbs.d, xrefs: 00D8FE53
cas1cas2cas3cas4cas5cas6chandeadermsfileftpsfunchourhttpicmpidleigmpint8itabkindopenpathpipepop3profreadrootsbrkseeksmtpsse2sse3tag:tcp4trueudp4uint -%s ... H_T= H_a= H_g= MB, W_a= and h_a= h_g= h_t= max= ms, ptr siz= tab= top= u_a= u_g=+0330+0430+0530+0, xrefs: 00D8FED7
cas2cas3cas4cas5cas6chandeadermsfileftpsfunchourhttpicmpidleigmpint8itabkindopenpathpipepop3profreadrootsbrkseeksmtpsse2sse3tag:tcp4trueudp4uint -%s ... H_T= H_a= H_g= MB, W_a= and h_a= h_g= h_t= max= ms, ptr siz= tab= top= u_a= u_g=+0330+0430+0530+0545+, xrefs: 00D8FEC1
FixedStack is not power-of-2GetFileInformationByHandleExGetProcessShutdownParametersGetSecurityDescriptorControlInitializeSecurityDescriptorPrepended_Concatenation_MarkSetProcessShutdownParametersSetSecurityDescriptorControl[originating from goroutine comparin, xrefs: 00D8FDA3
cas5cas6chandeadermsfileftpsfunchourhttpicmpidleigmpint8itabkindopenpathpipepop3profreadrootsbrkseeksmtpsse2sse3tag:tcp4trueudp4uint -%s ... H_T= H_a= H_g= MB, W_a= and h_a= h_g= h_t= max= ms, ptr siz= tab= top= u_a= u_g=+0330+0430+0530+0545+0630+0845+10, xrefs: 00D8FE7F
float32nan2float64nan1float64nan2float64nan3gccheckmarkgeneralizedgetpeernamegetsocknamei/o timeoutmSpanManualmethodargs(mswsock.dllnetpollInitparse errorprogramdatareflect.SetreflectOffsruntime: P runtime: p scheddetailsechost.dllsecur32.dllshell32.dllshort w, xrefs: 00D8FDB9

Memory Dump Source

Source File: 00000000.00000002.661933456.0000000000D51000.00000020.00020000.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.661927136.0000000000D50000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.662082442.0000000000E53000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.662217305.0000000000F3E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662222778.0000000000F44000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.662233308.0000000000F56000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662236659.0000000000F57000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.662240097.0000000000F59000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662243272.0000000000F5F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662246441.0000000000F63000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662249429.0000000000F77000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662252544.0000000000F7A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662256348.0000000000F7D000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.662259273.0000000000F7E000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: FixedStack is not power-of-2GetFileInformationByHandleExGetProcessShutdownParametersGetSecurityDescriptorControlInitializeSecurityDescriptorPrepended_Concatenation_MarkSetProcessShutdownParametersSetSecurityDescriptorControl[originating from goroutine comparin$assembly checks failedbad g->status in readybad sweepgen in refillcannot allocate memoryduplicated defer entryfreeIndex is not validgetenv before env initheadTailIndex overflowinteger divide by zerointerface conversion: internal inconsistencyinvalid number bas$atomicand8complex128debug calldnsapi.dllexitThreadfloat32nanfloat64nangetsockoptgoroutine goru = %dimpossibleinvalidptrmSpanInUsenotifyListntuser.datowner diedruntime: gs.state = schedtracesemacquiresetsockoptstackLargeticks.locktracefree(tracegc()unixpacket$atomicor8bad indirchan sendcomplex64copystackctxt != 0d.nx != 0debugLockfuncargs(hchanLeafinittraceinterfaceipv6-icmpmSpanDeadmSpanFreentdll.dllole32.dllomitemptypanicwaitpclmulqdqpreemptedprintablepsapi.dllrecover: reflect: rwxrwxrwxscavtracestackpoolthumbs.d$bad timedivbroken pipecgocall nilclobberfreeclosesocketcreated by crypt32.dlldesktop.inifile existsfloat32nan2float64nan1float64nan2float64nan3gccheckmarkgeneralizedgetpeernamegetsocknamei/o timeoutmSpanManualmethodargs(mswsock.dllnetpollInitparse errorprogram$cas1cas2cas3cas4cas5cas6chandeadermsfileftpsfunchourhttpicmpidleigmpint8itabkindopenpathpipepop3profreadrootsbrkseeksmtpsse2sse3tag:tcp4trueudp4uint -%s ... H_T= H_a= H_g= MB, W_a= and h_a= h_g= h_t= max= ms, ptr siz= tab= top= u_a= u_g=+0330+0430+0530+0$cas2cas3cas4cas5cas6chandeadermsfileftpsfunchourhttpicmpidleigmpint8itabkindopenpathpipepop3profreadrootsbrkseeksmtpsse2sse3tag:tcp4trueudp4uint -%s ... H_T= H_a= H_g= MB, W_a= and h_a= h_g= h_t= max= ms, ptr siz= tab= top= u_a= u_g=+0330+0430+0530+0545+$cas3cas4cas5cas6chandeadermsfileftpsfunchourhttpicmpidleigmpint8itabkindopenpathpipepop3profreadrootsbrkseeksmtpsse2sse3tag:tcp4trueudp4uint -%s ... H_T= H_a= H_g= MB, W_a= and h_a= h_g= h_t= max= ms, ptr siz= tab= top= u_a= u_g=+0330+0430+0530+0545+0630$cas4cas5cas6chandeadermsfileftpsfunchourhttpicmpidleigmpint8itabkindopenpathpipepop3profreadrootsbrkseeksmtpsse2sse3tag:tcp4trueudp4uint -%s ... H_T= H_a= H_g= MB, W_a= and h_a= h_g= h_t= max= ms, ptr siz= tab= top= u_a= u_g=+0330+0430+0530+0545+0630+084$cas5cas6chandeadermsfileftpsfunchourhttpicmpidleigmpint8itabkindopenpathpipepop3profreadrootsbrkseeksmtpsse2sse3tag:tcp4trueudp4uint -%s ... H_T= H_a= H_g= MB, W_a= and h_a= h_g= h_t= max= ms, ptr siz= tab= top= u_a= u_g=+0330+0430+0530+0545+0630+0845+10$cas6chandeadermsfileftpsfunchourhttpicmpidleigmpint8itabkindopenpathpipepop3profreadrootsbrkseeksmtpsse2sse3tag:tcp4trueudp4uint -%s ... H_T= H_a= H_g= MB, W_a= and h_a= h_g= h_t= max= ms, ptr siz= tab= top= u_a= u_g=+0330+0430+0530+0545+0630+0845+1030+1$float32nan2float64nan1float64nan2float64nan3gccheckmarkgeneralizedgetpeernamegetsocknamei/o timeoutmSpanManualmethodargs(mswsock.dllnetpollInitparse errorprogramdatareflect.SetreflectOffsruntime: P runtime: p scheddetailsechost.dllsecur32.dllshell32.dllshort w$float32nanfloat64nangetsockoptgoroutine goru = %dimpossibleinvalidptrmSpanInUsenotifyListntuser.datowner diedruntime: gs.state = schedtracesemacquiresetsockoptstackLargeticks.locktracefree(tracegc()unixpacketunknown pcuser32.dllws2_32.dll of size (targetp
API String ID: 0-1293351504
Opcode ID: 57f18b147c4202a9bf9c4deb0779196843f4a21041caefb6d08cbf99bceef11e
Instruction ID: 50c8f4a8d73280a0e4fed55ff965b8bca3295ed3fb28f318f70a3cdae0bd8a91
Opcode Fuzzy Hash: 57f18b147c4202a9bf9c4deb0779196843f4a21041caefb6d08cbf99bceef11e
Instruction Fuzzy Hash: 2EC18EB10097458ED711EF64C48035EBBE4EF89764F048A2DF4E8A72D1E7749989CB63

Uniqueness

Uniqueness Score: -1.00%

Function 00D685E0, Relevance: 15.3, Strings: 12, Instructions: 328COMMON

Download Yara Rule

Strings

next= p->m= prev= span=% util(...), i = , not 390625<-chanAnswerArabicAugustBrahmiCarianChakmaCommonCopticFormatFridayGOROOTGetACPGothicHangulHatranHebrewHyphenKaithiKhojkiLepchaLycianLydianMondayRejangSCHED STREETStringSundaySyriacTai_LeTangutTeluguThaanaTy, xrefs: 00D68A28
jobs= list= m->p= next= p->m= prev= span=% util(...), i = , not 390625<-chanAnswerArabicAugustBrahmiCarianChakmaCommonCopticFormatFridayGOROOTGetACPGothicHangulHatranHebrewHyphenKaithiKhojkiLepchaLycianLydianMondayRejangSCHED STREETStringSundaySyriacTai_LeTa, xrefs: 00D68A52
flushedWork heap_marked= idlethreads= in duration is nil, not nStackRoots= out of range s.spanclass= span.base()= syscalltick= work.nproc= work.nwait= , gp->status=, not pointer-byte block (3814697265625CertOpenStoreCoTaskMemFreeDeleteServiceEnumProcesses, xrefs: 00D6887E
wbuf1.n= wbuf2.n=%!(EXTRA (MISSING)(unknown), newval=, oldval=, size = , tail = -07:00:00244140625: status=AuthorityBassa_VahBhaiksukiBigEndianClassINETCuneiformDiacriticFindCloseHex_DigitInheritedInterfaceKhudawadiLocalFreeMalayalamMongolianMoveFileWNabataea, xrefs: 00D688C4
8, xrefs: 00D68B53
wbuf1=<nil> wbuf2=<nil>$recycle.bin%!(BADWIDTH)) p->status=-byte limit152587890625762939453125Bidi_ControlCoCreateGuidCreateEventWCreateMutexWDES-EDE3-CBCFindNextFileGetAddrInfoWGetConsoleCPGetLastErrorGetLengthSidGetProcessIdGetStdHandleGetTempPathWJoin_Con, xrefs: 00D68945
nBSSRoots= p->status= s.nelems= schedtick= span.list= timerslen=%!(BADPREC), elemsize=, npages = /dev/stderr/dev/stdout30517578125: frame.sp=AES-128-CBCAES-192-CBCAES-256-CBCBLAKE2b-256BLAKE2b-384BLAKE2b-512BLAKE2s-256ClassHESIODCloseHandleCoGetObjectCreateF, xrefs: 00D68AA7
in gcMark expecting to see gcphase as _GCmarkterminationprofilealloc called without a P or outside bootstrappingstrings: illegal use of non-zero Builder copied by valuegentraceback cannot trace user goroutine on its own stackruntime: checkmarks found unexpecte, xrefs: 00D68B4A
P has cached GC work at end of mark terminationRtlDosPathNameToRelativeNtPathName_U_WithStatusasn1: Unmarshal recipient value is non-pointer attempting to link in too many shared librariesracy sudog adjustment due to parking on channelruntime: CreateIoCompleti, xrefs: 00D68991
runtime: full=s.allocCount= semaRoot queuestack overflowstopm spinningstore64 failedsync.Cond.Waittext file busytimeEndPeriod, xrefs: 00D689FE
work.full != 0x509ignoreCN=0zero parameter with GC prog,M3.2.0,M11.1.00601021504Z0700476837158203125: cannot parse <invalid Value>ASCII_Hex_DigitAddDllDirectoryCLSIDFromStringCreateHardLinkWDeviceIoControlDuplicateHandleFailed to find Failed to load FindNext, xrefs: 00D689A7
runtime: P runtime: p scheddetailsechost.dllsecur32.dllshell32.dllshort writetracealloc(unreachableuserenv.dll KiB total, [recovered] allocCount found at *( gcscandone m->gsignal= minTrigger= nDataRoots= nSpanRoots= pages/byte preemptoff= s.elemsize= s.swe, xrefs: 00D68853

Memory Dump Source

Source File: 00000000.00000002.661933456.0000000000D51000.00000020.00020000.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.661927136.0000000000D50000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.662082442.0000000000E53000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.662217305.0000000000F3E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662222778.0000000000F44000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.662233308.0000000000F56000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662236659.0000000000F57000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.662240097.0000000000F59000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662243272.0000000000F5F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662246441.0000000000F63000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662249429.0000000000F77000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662252544.0000000000F7A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662256348.0000000000F7D000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.662259273.0000000000F7E000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: flushedWork heap_marked= idlethreads= in duration is nil, not nStackRoots= out of range s.spanclass= span.base()= syscalltick= work.nproc= work.nwait= , gp->status=, not pointer-byte block (3814697265625CertOpenStoreCoTaskMemFreeDeleteServiceEnumProcesses$ jobs= list= m->p= next= p->m= prev= span=% util(...), i = , not 390625<-chanAnswerArabicAugustBrahmiCarianChakmaCommonCopticFormatFridayGOROOTGetACPGothicHangulHatranHebrewHyphenKaithiKhojkiLepchaLycianLydianMondayRejangSCHED STREETStringSundaySyriacTai_LeTa$ nBSSRoots= p->status= s.nelems= schedtick= span.list= timerslen=%!(BADPREC), elemsize=, npages = /dev/stderr/dev/stdout30517578125: frame.sp=AES-128-CBCAES-192-CBCAES-256-CBCBLAKE2b-256BLAKE2b-384BLAKE2b-512BLAKE2s-256ClassHESIODCloseHandleCoGetObjectCreateF$ next= p->m= prev= span=% util(...), i = , not 390625<-chanAnswerArabicAugustBrahmiCarianChakmaCommonCopticFormatFridayGOROOTGetACPGothicHangulHatranHebrewHyphenKaithiKhojkiLepchaLycianLydianMondayRejangSCHED STREETStringSundaySyriacTai_LeTangutTeluguThaanaTy$ wbuf1.n= wbuf2.n=%!(EXTRA (MISSING)(unknown), newval=, oldval=, size = , tail = -07:00:00244140625: status=AuthorityBassa_VahBhaiksukiBigEndianClassINETCuneiformDiacriticFindCloseHex_DigitInheritedInterfaceKhudawadiLocalFreeMalayalamMongolianMoveFileWNabataea$ wbuf1=<nil> wbuf2=<nil>$recycle.bin%!(BADWIDTH)) p->status=-byte limit152587890625762939453125Bidi_ControlCoCreateGuidCreateEventWCreateMutexWDES-EDE3-CBCFindNextFileGetAddrInfoWGetConsoleCPGetLastErrorGetLengthSidGetProcessIdGetStdHandleGetTempPathWJoin_Con$8$P has cached GC work at end of mark terminationRtlDosPathNameToRelativeNtPathName_U_WithStatusasn1: Unmarshal recipient value is non-pointer attempting to link in too many shared librariesracy sudog adjustment due to parking on channelruntime: CreateIoCompleti$in gcMark expecting to see gcphase as _GCmarkterminationprofilealloc called without a P or outside bootstrappingstrings: illegal use of non-zero Builder copied by valuegentraceback cannot trace user goroutine on its own stackruntime: checkmarks found unexpecte$runtime: P runtime: p scheddetailsechost.dllsecur32.dllshell32.dllshort writetracealloc(unreachableuserenv.dll KiB total, [recovered] allocCount found at *( gcscandone m->gsignal= minTrigger= nDataRoots= nSpanRoots= pages/byte preemptoff= s.elemsize= s.swe$runtime: full=s.allocCount= semaRoot queuestack overflowstopm spinningstore64 failedsync.Cond.Waittext file busytimeEndPeriod$work.full != 0x509ignoreCN=0zero parameter with GC prog,M3.2.0,M11.1.00601021504Z0700476837158203125: cannot parse <invalid Value>ASCII_Hex_DigitAddDllDirectoryCLSIDFromStringCreateHardLinkWDeviceIoControlDuplicateHandleFailed to find Failed to load FindNext
API String ID: 0-1837691289
Opcode ID: 528ef7929481aea80bd2973abd329d991fbb4454691594db88a9a55392454217
Instruction ID: 57ae8eb5716bb5ce909fa35cca83f4f10798fe965b008f1975c25775420419dc
Opcode Fuzzy Hash: 528ef7929481aea80bd2973abd329d991fbb4454691594db88a9a55392454217
Instruction Fuzzy Hash: BBE1E5B4509305CFC344EF68D58562ABBE4FB88354F44892DE88987352EB749889EF73

Uniqueness

Uniqueness Score: -1.00%

Function 00D68040, Relevance: 14.0, Strings: 11, Instructions: 281COMMON

Download Yara Rule

Strings

&, xrefs: 00D68527
gcBgMarkWorker: mode not setgcstopm: negative nmspinninginvalid runtime symbol tablemheap.freeSpanLocked - span missing stack in shrinkstackmspan.sweep: m is not lockednewproc1: new g is not Gdeadnewproc1: newg missing stackos: process already finishedprotocol, xrefs: 00D684C4
work.nwait > work.nprocx509: incorrect IV size116415321826934814453125582076609134674072265625AllocateAndInitializeSidAssignProcessToJobObjectAzerbaijan Standard TimeBangladesh Standard TimeBuildSecurityDescriptorWCape Verde Standard TimeCertFreeCertificateCha, xrefs: 00D6842D
work.nproc= work.nwait= , gp->status=, not pointer-byte block (3814697265625CertOpenStoreCoTaskMemFreeDeleteServiceEnumProcessesExitWindowsExFindFirstFileFindNextFileWFindResourceWFreeAddrInfoWGC sweep waitGetDriveTypeWGunjala_GondiMapViewOfFileMasaram_Gondi, xrefs: 00D683F9, 00D6847A
work.nwait= , gp->status=, not pointer-byte block (3814697265625CertOpenStoreCoTaskMemFreeDeleteServiceEnumProcessesExitWindowsExFindFirstFileFindNextFileWFindResourceWFreeAddrInfoWGC sweep waitGetDriveTypeWGunjala_GondiMapViewOfFileMasaram_GondiMende_Kikakui, xrefs: 00D683CF
runtime: p.gcMarkWorkerMode= runtime: split stack overflowruntime: sudog with non-nil cruntime: summary max pages = runtime: unknown pc in defer semacquire not on the G stackstring concatenation too longsyntax error scanning booleantimeBegin/EndPeriod not foun, xrefs: 00D683A4
worker mode wtsapi32.dll != sweepgen (default %q) (default %v) MB) workers= called from flushedWork heap_marked= idlethreads= in duration is nil, not nStackRoots= out of range s.spanclass= span.base()= syscalltick= work.nproc= work.nwait= , gp->status=, , xrefs: 00D684E9
work.nwait was > work.nproc args stack map entries for 18189894035458564758300781259094947017729282379150390625Aus Central W. Standard TimeCanada Central Standard TimeCen. Australia Standard TimeCentral Europe Standard TimeCertCreateCertificateContextEnglish n, xrefs: 00D684AE
runtime: work.nwait= sequence tag mismatchstale NFS file handlestartlockedm: m has pstartm: m is spinningstate not recoverabletimer data corruptionx509: invalid padding%SystemRoot%\system32\/lib/time/zoneinfo.zip4656612873077392578125Aleutian Standard TimeAtla, xrefs: 00D68450
gcBgMarkWorker: blackening not enabledindex out of range [%x] with length %yinsufficient data for base length typeinternal error: unknown string type %dmakechan: invalid channel element typeruntime: blocked read on free polldescruntime: sudog with non-false is, xrefs: 00D6851E
GC worker initGetConsoleModeGetProcAddressGetShellWindowGetTickCount64GetUserNameExWIsWellKnownSidIsWow64ProcessLoadLibraryExWMB; allocated MakeAbsoluteSDNetUserGetInfoOpenSCManagerWOther_ID_StartPattern_SyntaxProcess32NextWQuotation_MarkRCodeNameErrorRegSetVa, xrefs: 00D68082, 00D68379

Memory Dump Source

Source File: 00000000.00000002.661933456.0000000000D51000.00000020.00020000.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.661927136.0000000000D50000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.662082442.0000000000E53000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.662217305.0000000000F3E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662222778.0000000000F44000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.662233308.0000000000F56000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662236659.0000000000F57000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.662240097.0000000000F59000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662243272.0000000000F5F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662246441.0000000000F63000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662249429.0000000000F77000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662252544.0000000000F7A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662256348.0000000000F7D000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.662259273.0000000000F7E000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: work.nproc= work.nwait= , gp->status=, not pointer-byte block (3814697265625CertOpenStoreCoTaskMemFreeDeleteServiceEnumProcessesExitWindowsExFindFirstFileFindNextFileWFindResourceWFreeAddrInfoWGC sweep waitGetDriveTypeWGunjala_GondiMapViewOfFileMasaram_Gondi$ work.nwait= , gp->status=, not pointer-byte block (3814697265625CertOpenStoreCoTaskMemFreeDeleteServiceEnumProcessesExitWindowsExFindFirstFileFindNextFileWFindResourceWFreeAddrInfoWGC sweep waitGetDriveTypeWGunjala_GondiMapViewOfFileMasaram_GondiMende_Kikakui$&$GC worker initGetConsoleModeGetProcAddressGetShellWindowGetTickCount64GetUserNameExWIsWellKnownSidIsWow64ProcessLoadLibraryExWMB; allocated MakeAbsoluteSDNetUserGetInfoOpenSCManagerWOther_ID_StartPattern_SyntaxProcess32NextWQuotation_MarkRCodeNameErrorRegSetVa$gcBgMarkWorker: blackening not enabledindex out of range [%x] with length %yinsufficient data for base length typeinternal error: unknown string type %dmakechan: invalid channel element typeruntime: blocked read on free polldescruntime: sudog with non-false is$gcBgMarkWorker: mode not setgcstopm: negative nmspinninginvalid runtime symbol tablemheap.freeSpanLocked - span missing stack in shrinkstackmspan.sweep: m is not lockednewproc1: new g is not Gdeadnewproc1: newg missing stackos: process already finishedprotocol$runtime: p.gcMarkWorkerMode= runtime: split stack overflowruntime: sudog with non-nil cruntime: summary max pages = runtime: unknown pc in defer semacquire not on the G stackstring concatenation too longsyntax error scanning booleantimeBegin/EndPeriod not foun$runtime: work.nwait= sequence tag mismatchstale NFS file handlestartlockedm: m has pstartm: m is spinningstate not recoverabletimer data corruptionx509: invalid padding%SystemRoot%\system32\/lib/time/zoneinfo.zip4656612873077392578125Aleutian Standard TimeAtla$work.nwait > work.nprocx509: incorrect IV size116415321826934814453125582076609134674072265625AllocateAndInitializeSidAssignProcessToJobObjectAzerbaijan Standard TimeBangladesh Standard TimeBuildSecurityDescriptorWCape Verde Standard TimeCertFreeCertificateCha$work.nwait was > work.nproc args stack map entries for 18189894035458564758300781259094947017729282379150390625Aus Central W. Standard TimeCanada Central Standard TimeCen. Australia Standard TimeCentral Europe Standard TimeCertCreateCertificateContextEnglish n$worker mode wtsapi32.dll != sweepgen (default %q) (default %v) MB) workers= called from flushedWork heap_marked= idlethreads= in duration is nil, not nStackRoots= out of range s.spanclass= span.base()= syscalltick= work.nproc= work.nwait= , gp->status=,
API String ID: 0-2493046689
Opcode ID: 881609b4f4498c06fbe1ec889b1cd2b457400c114cf03ccf121845aae05440e6
Instruction ID: 316b3d3c2bc674afa5301e7dd313453cc7cd97638f651f8e094d5b0646d280c9
Opcode Fuzzy Hash: 881609b4f4498c06fbe1ec889b1cd2b457400c114cf03ccf121845aae05440e6
Instruction Fuzzy Hash: C4D1D1B4509705DFC744EF24C194A6ABBE0FF88704F048A6DE88997362DB34D889DF62

Uniqueness

Uniqueness Score: -1.00%

Function 00D51120, Relevance: 12.9, Strings: 10, Instructions: 407COMMON

Download Yara Rule

Strings

!, xrefs: 00D514F6
", missing CPU supportasn1: structure error: bytes.Buffer: too largechan receive (nil chan)close of closed channeldevice or resource busyfatal: morestack on g0garbage collection scangcDrain phase incorrectindex out of range [%x]interrupted system callinvalid, xrefs: 00D5169F
", required CPU featurebad defer entry in panicbad defer size class: i=bypassed recovery failedcan't scan our own stackconnection reset by peerdouble traceGCSweepStartfunction not implementedgcDrainN phase incorrecthash of unhashable type initSpan: unaligned , xrefs: 00D5163B
GODEBUG: can not enable "GetFinalPathNameByHandleWGetQueuedCompletionStatusGetSecurityDescriptorDaclGetSecurityDescriptorSaclGetSidIdentifierAuthorityInitiateSystemShutdownExWIsValidSecurityDescriptorKaliningrad Standard TimeMiddle East Standard TimeNew Zealan, xrefs: 00D51675
cpu., xrefs: 00D5117E
GODEBUG: can not disable "GetConsoleScreenBufferInfoGetFileInformationByHandleGetProcessWorkingSetSizeExGetSecurityDescriptorGroupGetSecurityDescriptorOwnerGetSystemWindowsDirectoryWLine Islands Standard TimeNewfoundland Standard TimeNotifyServiceStatusChangeW, xrefs: 00D51611
GODEBUG: value "GetComputerNameWGetCurrentThreadGetFullPathNameWGetLogicalDrivesGetLongPathNameWGetNamedPipeInfoGetPriorityClassImperial_AramaicMeroitic_CursiveNetApiBufferFreeOpenProcessTokenOther_AlphabeticRCodeFormatErrorRegQueryInfoKeyWRegQueryValueExWRemo, xrefs: 00D5143B
GODEBUG: no value specified for "GetVolumeNameForVolumeMountPointWInitializeProcThreadAttributeListconcurrent map read and map writecrypto/aes: output not full blockcrypto/des: output not full blockfindrunnable: negative nmspinningfreeing stack not in a stack , xrefs: 00D514ED
GODEBUG: unknown cpu feature "GetProcessPreferredUILanguagesGetSecurityDescriptorRMControlGetSystemTimePreciseAsFileTimeMapIter.Key called before NextPacific Standard Time (Mexico)SetSecurityDescriptorRMControlTurks And Caicos Standard Timeabi mismatch detecte, xrefs: 00D513D4
" not supported for cpu option "crypto/aes: input not full blockcrypto/des: input not full blockinteger is not minimally encodednumerical argument out of domainpanic while printing panic valuereflect.nameFrom: tag too long: reflect: NumIn of non-func type refl, xrefs: 00D51465

Memory Dump Source

Source File: 00000000.00000002.661933456.0000000000D51000.00000020.00020000.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.661927136.0000000000D50000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.662082442.0000000000E53000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.662217305.0000000000F3E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662222778.0000000000F44000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.662233308.0000000000F56000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662236659.0000000000F57000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.662240097.0000000000F59000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662243272.0000000000F5F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662246441.0000000000F63000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662249429.0000000000F77000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662252544.0000000000F7A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662256348.0000000000F7D000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.662259273.0000000000F7E000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: !$" not supported for cpu option "crypto/aes: input not full blockcrypto/des: input not full blockinteger is not minimally encodednumerical argument out of domainpanic while printing panic valuereflect.nameFrom: tag too long: reflect: NumIn of non-func type refl$", missing CPU supportasn1: structure error: bytes.Buffer: too largechan receive (nil chan)close of closed channeldevice or resource busyfatal: morestack on g0garbage collection scangcDrain phase incorrectindex out of range [%x]interrupted system callinvalid$", required CPU featurebad defer entry in panicbad defer size class: i=bypassed recovery failedcan't scan our own stackconnection reset by peerdouble traceGCSweepStartfunction not implementedgcDrainN phase incorrecthash of unhashable type initSpan: unaligned $GODEBUG: can not disable "GetConsoleScreenBufferInfoGetFileInformationByHandleGetProcessWorkingSetSizeExGetSecurityDescriptorGroupGetSecurityDescriptorOwnerGetSystemWindowsDirectoryWLine Islands Standard TimeNewfoundland Standard TimeNotifyServiceStatusChangeW$GODEBUG: can not enable "GetFinalPathNameByHandleWGetQueuedCompletionStatusGetSecurityDescriptorDaclGetSecurityDescriptorSaclGetSidIdentifierAuthorityInitiateSystemShutdownExWIsValidSecurityDescriptorKaliningrad Standard TimeMiddle East Standard TimeNew Zealan$GODEBUG: no value specified for "GetVolumeNameForVolumeMountPointWInitializeProcThreadAttributeListconcurrent map read and map writecrypto/aes: output not full blockcrypto/des: output not full blockfindrunnable: negative nmspinningfreeing stack not in a stack $GODEBUG: unknown cpu feature "GetProcessPreferredUILanguagesGetSecurityDescriptorRMControlGetSystemTimePreciseAsFileTimeMapIter.Key called before NextPacific Standard Time (Mexico)SetSecurityDescriptorRMControlTurks And Caicos Standard Timeabi mismatch detecte$GODEBUG: value "GetComputerNameWGetCurrentThreadGetFullPathNameWGetLogicalDrivesGetLongPathNameWGetNamedPipeInfoGetPriorityClassImperial_AramaicMeroitic_CursiveNetApiBufferFreeOpenProcessTokenOther_AlphabeticRCodeFormatErrorRegQueryInfoKeyWRegQueryValueExWRemo$cpu.
API String ID: 0-3688833765
Opcode ID: 900fcc813eb087a8fe361452dd0e1025291379bcca3ef5320c6e731778e058eb
Instruction ID: 0115bea0b49234075ceb2e21a7ec9f586c94ffa69a343f4807c71fbd12270b2f
Opcode Fuzzy Hash: 900fcc813eb087a8fe361452dd0e1025291379bcca3ef5320c6e731778e058eb
Instruction Fuzzy Hash: D4F15A786093088FCB14EF68C4C062EBBE1AB89346F44496DED9987342D735DE49DB62

Uniqueness

Uniqueness Score: -1.00%

Function 00D59FE0, Relevance: 12.7, Strings: 10, Instructions: 228COMMON

Download Yara Rule

Strings

bad TinySizeClassdebugPtrmask.lockentersyscallblockexec format errorfractional secondg already scannedglobalAlloc.mutexinteger too largeinvalid bit size locked m0 woke upmark - bad statusmarkBits overflownil resource bodyno data availablenotetsleepg on g0permi, xrefs: 00D5A409
) is smaller than minimum page size (2220446049250313080847263336181640625UnsubscribeServiceChangeNotifications_cgo_notify_runtime_init_done missingall goroutines are asleep - deadlock!cannot exec a shared library directlycipher: message authentication failedc, xrefs: 00D5A302
system huge page size (time: invalid duration too many pointers (>10)truncated tag or lengthwork.nwait > work.nprocx509: incorrect IV size116415321826934814453125582076609134674072265625AllocateAndInitializeSidAssignProcessToJobObjectAzerbaijan Standard TimeBa, xrefs: 00D5A212
failed to get system page sizefreedefer with d._panic != nilinappropriate ioctl for deviceinvalid function symbol tableinvalid network interface nameinvalid pointer found on stacknotetsleep - waitm out of syncprotocol wrong type for socketreflect: Elem of inv, xrefs: 00D5A3E9
$, xrefs: 00D5A397
) is larger than maximum page size () is not Grunnable or Gscanrunnable0123456789abcdefghijklmnopqrstuvwxyz444089209850062616169452667236328125Go pointer stored into non-Go memoryIA5String contains invalid characterUnable to determine system directoryaccessin, xrefs: 00D5A38E
) must be a power of 223283064365386962890625<invalid reflect.Value>Argentina Standard TimeAstrakhan Standard TimeCertGetCertificateChainDeleteVolumeMountPointWDestroyEnvironmentBlockE. Africa Standard TimeE. Europe Standard TimeFreeEnvironmentStringsWGetEnvi, xrefs: 00D5A23E, 00D5A2A0
system page size (tracebackancestorstruncated sequenceuse of closed filevalue out of range called using nil *, g->atomicstatus=, gp->atomicstatus=149011611938476562520060102150405Z07007450580596923828125Altai Standard TimeBahia Standard TimeCanadian_Aborigina, xrefs: 00D5A274, 00D5A2D6, 00D5A362
bad system page sizebad use of bucket.bpbad use of bucket.mpchan send (nil chan)close of nil channelconnection timed outdodeltimer0: wrong Pflag: help requestedfloating point errorforcegc: phase errorgc_trigger underflowgo of nil func valuegopark: bad g status, xrefs: 00D5A2BB, 00D5A347, 00D5A3D3
bad system huge page sizechansend: spurious wakeupcheckdead: no m for timerexplicit tag has no childinconsistent poll.fdMutexinvalid cross-device linkinvalid network interfacemissing stack in newstackmissing traceGCSweepStartno buffer space availableno such de, xrefs: 00D5A259

Memory Dump Source

Source File: 00000000.00000002.661933456.0000000000D51000.00000020.00020000.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.661927136.0000000000D50000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.662082442.0000000000E53000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.662217305.0000000000F3E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662222778.0000000000F44000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.662233308.0000000000F56000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662236659.0000000000F57000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.662240097.0000000000F59000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662243272.0000000000F5F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662246441.0000000000F63000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662249429.0000000000F77000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662252544.0000000000F7A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662256348.0000000000F7D000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.662259273.0000000000F7E000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: $$) is larger than maximum page size () is not Grunnable or Gscanrunnable0123456789abcdefghijklmnopqrstuvwxyz444089209850062616169452667236328125Go pointer stored into non-Go memoryIA5String contains invalid characterUnable to determine system directoryaccessin$) is smaller than minimum page size (2220446049250313080847263336181640625UnsubscribeServiceChangeNotifications_cgo_notify_runtime_init_done missingall goroutines are asleep - deadlock!cannot exec a shared library directlycipher: message authentication failedc$) must be a power of 223283064365386962890625<invalid reflect.Value>Argentina Standard TimeAstrakhan Standard TimeCertGetCertificateChainDeleteVolumeMountPointWDestroyEnvironmentBlockE. Africa Standard TimeE. Europe Standard TimeFreeEnvironmentStringsWGetEnvi$bad TinySizeClassdebugPtrmask.lockentersyscallblockexec format errorfractional secondg already scannedglobalAlloc.mutexinteger too largeinvalid bit size locked m0 woke upmark - bad statusmarkBits overflownil resource bodyno data availablenotetsleepg on g0permi$bad system huge page sizechansend: spurious wakeupcheckdead: no m for timerexplicit tag has no childinconsistent poll.fdMutexinvalid cross-device linkinvalid network interfacemissing stack in newstackmissing traceGCSweepStartno buffer space availableno such de$bad system page sizebad use of bucket.bpbad use of bucket.mpchan send (nil chan)close of nil channelconnection timed outdodeltimer0: wrong Pflag: help requestedfloating point errorforcegc: phase errorgc_trigger underflowgo of nil func valuegopark: bad g status$failed to get system page sizefreedefer with d._panic != nilinappropriate ioctl for deviceinvalid function symbol tableinvalid network interface nameinvalid pointer found on stacknotetsleep - waitm out of syncprotocol wrong type for socketreflect: Elem of inv$system huge page size (time: invalid duration too many pointers (>10)truncated tag or lengthwork.nwait > work.nprocx509: incorrect IV size116415321826934814453125582076609134674072265625AllocateAndInitializeSidAssignProcessToJobObjectAzerbaijan Standard TimeBa$system page size (tracebackancestorstruncated sequenceuse of closed filevalue out of range called using nil *, g->atomicstatus=, gp->atomicstatus=149011611938476562520060102150405Z07007450580596923828125Altai Standard TimeBahia Standard TimeCanadian_Aborigina
API String ID: 0-725932376
Opcode ID: d24bf29059b05fe0bf841433195b313374b7b489736e719e5ea6fc5f6a758f2c
Instruction ID: 0061b749de15b498d6634e66e6161c4b3800e6faa3bc2e178536d55af9cd600a
Opcode Fuzzy Hash: d24bf29059b05fe0bf841433195b313374b7b489736e719e5ea6fc5f6a758f2c
Instruction Fuzzy Hash: D2B128B01197058FD704FF68D48576ABBE4FB48345F10892DE889C72A1E7789889EB73

Uniqueness

Uniqueness Score: -1.00%

Function 00D8DAAF, Relevance: 12.6, Strings: 10, Instructions: 148COMMON

Download Yara Rule

Strings

curg= free goid jobs= list= m->p= next= p->m= prev= span=% util(...), i = , not 390625<-chanAnswerArabicAugustBrahmiCarianChakmaCommonCopticFormatFridayGOROOTGetACPGothicHangulHatranHebrewHyphenKaithiKhojkiLepchaLycianLydianMondayRejangSCHED STREETStringSu, xrefs: 00D8DB75
preemptoff= s.elemsize= s.sweepgen= span.limit= span.state= sysmonwait= wbuf1=<nil> wbuf2=<nil>$recycle.bin%!(BADWIDTH)) p->status=-byte limit152587890625762939453125Bidi_ControlCoCreateGuidCreateEventWCreateMutexWDES-EDE3-CBCFindNextFileGetAddrInfoWGetConso, xrefs: 00D8DBF5
blocked= defersc= in use) lockedg= lockedm= m->curg= marked method: ms cpu, not in [ runtime= s.limit= s.state= threads= u_a/u_g= unmarked wbuf1.n= wbuf2.n=%!(EXTRA (MISSING)(unknown), newval=, oldval=, size = , tail = -07:00:00244140625: status=Authorit, xrefs: 00D8DC9B
M P ) *( - < > m= n=%: +00+01+03+04+05+06+07+08+09+10+11+12+13+14-01-02-03-04-05-06-08-09-11-12125625???ADTASTAprAugBSTCATCDTCETCSTDecDltEATEDTEETEOFESTFebFriGMTHDTHSTHanIDTISTJSTJanJulJunKSTLaoMD4MD5MDTMSKMSTMarMayMonMroNDTNSTNULNaNNkoNovOctPC=PDTPKTPS, xrefs: 00D8DB1A
mallocing= ms clock, nBSSRoots= p->status= s.nelems= schedtick= span.list= timerslen=%!(BADPREC), elemsize=, npages = /dev/stderr/dev/stdout30517578125: frame.sp=AES-128-CBCAES-192-CBCAES-256-CBCBLAKE2b-256BLAKE2b-384BLAKE2b-512BLAKE2s-256ClassHESIODCloseHa, xrefs: 00D8DB9F
throwing= until pc=%!(NOVERB)%!Weekday((BADINDEX), bound = , limit = /dev/stdin12207031256103515625: parsing AdditionalBad varintCancelIoExChorasmianClassCHAOSClassCSNETCreateFileCreatePipeDeprecatedDevanagariDnsQuery_WException GC forcedGOMAXPROCSGetIfEntry, xrefs: 00D8DBCA
dying= locks= m->g0= nmsys= s=nil zombie, goid=, j0 = 19531252.5.4.32.5.4.52.5.4.62.5.4.72.5.4.82.5.4.99765625AvestanBengaliBrailleChanDirCopySidCypriotDES-CBCDeseretElbasanElymaicFreeSidGODEBUGGranthaHanunooIO waitJanuaryKannadaMUI_DltMUI_StdMakasarMandaicM, xrefs: 00D8DC4D
spinning= stopwait= sweepgen sweepgen= targetpc= throwing= until pc=%!(NOVERB)%!Weekday((BADINDEX), bound = , limit = /dev/stdin12207031256103515625: parsing AdditionalBad varintCancelIoExChorasmianClassCHAOSClassCSNETCreateFileCreatePipeDeprecatedDevanagari, xrefs: 00D8DC78
: p=ACDTACSTAEDTAESTAKDTAKSTAWSTAhomAtoiCESTChamDashEESTGOGCJulyJuneLEAFLisuMiaoModiNZDTNZSTNewaSASTStatThaim=] = ] n=allgallpasn1avx2basebindbmi1bmi2boolbootcallcas1cas2cas3cas4cas5cas6chandeadermsfileftpsfunchourhttpicmpidleigmpint8itabkindopenpathpipepop3, xrefs: 00D8DB4A
locks= m->g0= nmsys= s=nil zombie, goid=, j0 = 19531252.5.4.32.5.4.52.5.4.62.5.4.72.5.4.82.5.4.99765625AvestanBengaliBrailleChanDirCopySidCypriotDES-CBCDeseretElbasanElymaicFreeSidGODEBUGGranthaHanunooIO waitJanuaryKannadaMUI_DltMUI_StdMakasarMandaicMarchenM, xrefs: 00D8DC22

Memory Dump Source

Source File: 00000000.00000002.661933456.0000000000D51000.00000020.00020000.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.661927136.0000000000D50000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.662082442.0000000000E53000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.662217305.0000000000F3E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662222778.0000000000F44000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.662233308.0000000000F56000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662236659.0000000000F57000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.662240097.0000000000F59000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662243272.0000000000F5F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662246441.0000000000F63000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662249429.0000000000F77000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662252544.0000000000F7A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662256348.0000000000F7D000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.662259273.0000000000F7E000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: M P ) *( - < > m= n=%: +00+01+03+04+05+06+07+08+09+10+11+12+13+14-01-02-03-04-05-06-08-09-11-12125625???ADTASTAprAugBSTCATCDTCETCSTDecDltEATEDTEETEOFESTFebFriGMTHDTHSTHanIDTISTJSTJanJulJunKSTLaoMD4MD5MDTMSKMSTMarMayMonMroNDTNSTNULNaNNkoNovOctPC=PDTPKTPS$ blocked= defersc= in use) lockedg= lockedm= m->curg= marked method: ms cpu, not in [ runtime= s.limit= s.state= threads= u_a/u_g= unmarked wbuf1.n= wbuf2.n=%!(EXTRA (MISSING)(unknown), newval=, oldval=, size = , tail = -07:00:00244140625: status=Authorit$ curg= free goid jobs= list= m->p= next= p->m= prev= span=% util(...), i = , not 390625<-chanAnswerArabicAugustBrahmiCarianChakmaCommonCopticFormatFridayGOROOTGetACPGothicHangulHatranHebrewHyphenKaithiKhojkiLepchaLycianLydianMondayRejangSCHED STREETStringSu$ dying= locks= m->g0= nmsys= s=nil zombie, goid=, j0 = 19531252.5.4.32.5.4.52.5.4.62.5.4.72.5.4.82.5.4.99765625AvestanBengaliBrailleChanDirCopySidCypriotDES-CBCDeseretElbasanElymaicFreeSidGODEBUGGranthaHanunooIO waitJanuaryKannadaMUI_DltMUI_StdMakasarMandaicM$ locks= m->g0= nmsys= s=nil zombie, goid=, j0 = 19531252.5.4.32.5.4.52.5.4.62.5.4.72.5.4.82.5.4.99765625AvestanBengaliBrailleChanDirCopySidCypriotDES-CBCDeseretElbasanElymaicFreeSidGODEBUGGranthaHanunooIO waitJanuaryKannadaMUI_DltMUI_StdMakasarMandaicMarchenM$ mallocing= ms clock, nBSSRoots= p->status= s.nelems= schedtick= span.list= timerslen=%!(BADPREC), elemsize=, npages = /dev/stderr/dev/stdout30517578125: frame.sp=AES-128-CBCAES-192-CBCAES-256-CBCBLAKE2b-256BLAKE2b-384BLAKE2b-512BLAKE2s-256ClassHESIODCloseHa$ preemptoff= s.elemsize= s.sweepgen= span.limit= span.state= sysmonwait= wbuf1=<nil> wbuf2=<nil>$recycle.bin%!(BADWIDTH)) p->status=-byte limit152587890625762939453125Bidi_ControlCoCreateGuidCreateEventWCreateMutexWDES-EDE3-CBCFindNextFileGetAddrInfoWGetConso$ spinning= stopwait= sweepgen sweepgen= targetpc= throwing= until pc=%!(NOVERB)%!Weekday((BADINDEX), bound = , limit = /dev/stdin12207031256103515625: parsing AdditionalBad varintCancelIoExChorasmianClassCHAOSClassCSNETCreateFileCreatePipeDeprecatedDevanagari$ throwing= until pc=%!(NOVERB)%!Weekday((BADINDEX), bound = , limit = /dev/stdin12207031256103515625: parsing AdditionalBad varintCancelIoExChorasmianClassCHAOSClassCSNETCreateFileCreatePipeDeprecatedDevanagariDnsQuery_WException GC forcedGOMAXPROCSGetIfEntry$: p=ACDTACSTAEDTAESTAKDTAKSTAWSTAhomAtoiCESTChamDashEESTGOGCJulyJuneLEAFLisuMiaoModiNZDTNZSTNewaSASTStatThaim=] = ] n=allgallpasn1avx2basebindbmi1bmi2boolbootcallcas1cas2cas3cas4cas5cas6chandeadermsfileftpsfunchourhttpicmpidleigmpint8itabkindopenpathpipepop3
API String ID: 0-1796823951
Opcode ID: 07b364634c42b30715941441466a9383044d2d128017b34d8b619b6565dcd143
Instruction ID: ccea426db5426a48f2e224778de5564595d2e99576f59ed1b64533e8b4bbad3c
Opcode Fuzzy Hash: 07b364634c42b30715941441466a9383044d2d128017b34d8b619b6565dcd143
Instruction Fuzzy Hash: 99719FB450A7418FC354EF29C180A6ABBE4FF88740F45886EE9D887362D734E845DB62

Uniqueness

Uniqueness Score: -1.00%

Function 00D5A430, Relevance: 11.6, Strings: 9, Instructions: 350COMMON

Download Yara Rule

Strings

) not in usable address space: ...additional frames elided....lib section in a.out corrupted11368683772161602973937988281255684341886080801486968994140625Central Brazilian Standard TimeCertDuplicateCertificateContextMountain Standard Time (Mexico)W. Central A, xrefs: 00D5A9B2
., xrefs: 00D5A9EF
out of memory allocating heap arena metadatareflect: FieldByNameFunc of non-struct type reflect: funcLayout with interface receiver use of WriteTo with pre-connected connectioncannot send after transport endpoint shutdowncharacter string exceeds maximum length, xrefs: 00D5A8E7
runtime: memory allocated by OS [runtime: name offset out of rangeruntime: text offset out of rangeruntime: type offset out of rangeslice bounds out of range [%x:%y]stackalloc not on scheduler stackstoplockedm: inconsistent lockingstruct contains unexported fi, xrefs: 00D5A95E
misrounded allocation in sysAllocreflect.nameFrom: name too long: reflect: Field index out of rangereflect: NumOut of non-func type reflect: array index out of rangereflect: chanDir of non-chan typereflect: slice index out of rangeruntime: castogscanstatus old, xrefs: 00D5A933
out of memory allocating heap arena mapruntime: blocked write on free polldescruntime: casfrom_Gscanstatus failed gp=runtime: function symbol table header: stack growth not allowed in system callsuspendG from non-preemptible goroutinetags don't match (%d vs %+, xrefs: 00D5A91D
arena already initializedbad status in shrinkstackbad system huge page sizechansend: spurious wakeupcheckdead: no m for timerexplicit tag has no childinconsistent poll.fdMutexinvalid cross-device linkinvalid network interfacemissing stack in newstackmissing tr, xrefs: 00D5A907
out of memory allocating allArenasreflect.FuncOf: too many argumentsreflect: ChanDir of non-chan type reflect: Field index out of boundsreflect: Field of non-struct type reflect: Method index out of rangereflect: string index out of rangeruntime.SetFinalizer: , xrefs: 00D5A8D1
memory reservation exceeds address space limitpanicwrap: unexpected string after type name: reflect.Value.Slice: slice index out of boundsreflect: nil type passed to Type.ConvertibleToreleased less than one physical page of memoryruntime: failed to create new , xrefs: 00D5A9E6

Memory Dump Source

Source File: 00000000.00000002.661933456.0000000000D51000.00000020.00020000.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.661927136.0000000000D50000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.662082442.0000000000E53000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.662217305.0000000000F3E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662222778.0000000000F44000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.662233308.0000000000F56000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662236659.0000000000F57000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.662240097.0000000000F59000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662243272.0000000000F5F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662246441.0000000000F63000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662249429.0000000000F77000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662252544.0000000000F7A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662256348.0000000000F7D000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.662259273.0000000000F7E000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: ) not in usable address space: ...additional frames elided....lib section in a.out corrupted11368683772161602973937988281255684341886080801486968994140625Central Brazilian Standard TimeCertDuplicateCertificateContextMountain Standard Time (Mexico)W. Central A$.$arena already initializedbad status in shrinkstackbad system huge page sizechansend: spurious wakeupcheckdead: no m for timerexplicit tag has no childinconsistent poll.fdMutexinvalid cross-device linkinvalid network interfacemissing stack in newstackmissing tr$memory reservation exceeds address space limitpanicwrap: unexpected string after type name: reflect.Value.Slice: slice index out of boundsreflect: nil type passed to Type.ConvertibleToreleased less than one physical page of memoryruntime: failed to create new $misrounded allocation in sysAllocreflect.nameFrom: name too long: reflect: Field index out of rangereflect: NumOut of non-func type reflect: array index out of rangereflect: chanDir of non-chan typereflect: slice index out of rangeruntime: castogscanstatus old$out of memory allocating allArenasreflect.FuncOf: too many argumentsreflect: ChanDir of non-chan type reflect: Field index out of boundsreflect: Field of non-struct type reflect: Method index out of rangereflect: string index out of rangeruntime.SetFinalizer: $out of memory allocating heap arena mapruntime: blocked write on free polldescruntime: casfrom_Gscanstatus failed gp=runtime: function symbol table header: stack growth not allowed in system callsuspendG from non-preemptible goroutinetags don't match (%d vs %+$out of memory allocating heap arena metadatareflect: FieldByNameFunc of non-struct type reflect: funcLayout with interface receiver use of WriteTo with pre-connected connectioncannot send after transport endpoint shutdowncharacter string exceeds maximum length$runtime: memory allocated by OS [runtime: name offset out of rangeruntime: text offset out of rangeruntime: type offset out of rangeslice bounds out of range [%x:%y]stackalloc not on scheduler stackstoplockedm: inconsistent lockingstruct contains unexported fi
API String ID: 0-3668713575
Opcode ID: f68d9bec45e514942e81b2243458d82ea4748139fc1e87e575c453c38dbe4b6a
Instruction ID: 34d6825d4f2a78a8cd472e2e313f265237e03fe211293a2804ea67ac12ade683
Opcode Fuzzy Hash: f68d9bec45e514942e81b2243458d82ea4748139fc1e87e575c453c38dbe4b6a
Instruction Fuzzy Hash: 08F1F2B45093558FC744EF68C08066ABBF0FF88705F55892DED888B352D770E849CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00D6C990, Relevance: 11.5, Strings: 9, Instructions: 241COMMON

Download Yara Rule

Strings

unknown(wsaioctl (forced) blocked= defersc= in use) lockedg= lockedm= m->curg= marked method: ms cpu, not in [ runtime= s.limit= s.state= threads= u_a/u_g= unmarked wbuf1.n= wbuf2.n=%!(EXTRA (MISSING)(unknown), newval=, oldval=, size = , tail = -07:00:002, xrefs: 00D6CD39
*( - < > m= n=%: +00+01+03+04+05+06+07+08+09+10+11+12+13+14-01-02-03-04-05-06-08-09-11-12125625???ADTASTAprAugBSTCATCDTCETCSTDecDltEATEDTEETEOFESTFebFriGMTHDTHSTHanIDTISTJSTJanJulJunKSTLaoMD4MD5MDTMSKMSTMarMayMonMroNDTNSTNULNaNNkoNovOctPC=PDTPKTPSTSETSatSe, xrefs: 00D6CBFB
s.spanclass= span.base()= syscalltick= work.nproc= work.nwait= , gp->status=, not pointer-byte block (3814697265625CertOpenStoreCoTaskMemFreeDeleteServiceEnumProcessesExitWindowsExFindFirstFileFindNextFileWFindResourceWFreeAddrInfoWGC sweep waitGetDriveTypeW, xrefs: 00D6CAA4
s=nil zombie, goid=, j0 = 19531252.5.4.32.5.4.52.5.4.62.5.4.72.5.4.82.5.4.99765625AvestanBengaliBrailleChanDirCopySidCypriotDES-CBCDeseretElbasanElymaicFreeSidGODEBUGGranthaHanunooIO waitJanuaryKannadaMUI_DltMUI_StdMakasarMandaicMarchenMultaniMyanmarOctoberO, xrefs: 00D6CD8C
s.limit= s.state= threads= u_a/u_g= unmarked wbuf1.n= wbuf2.n=%!(EXTRA (MISSING)(unknown), newval=, oldval=, size = , tail = -07:00:00244140625: status=AuthorityBassa_VahBhaiksukiBigEndianClassINETCuneiformDiacriticFindCloseHex_DigitInheritedInterfaceKhudawad, xrefs: 00D6CA7A
s.base()= spinning= stopwait= sweepgen sweepgen= targetpc= throwing= until pc=%!(NOVERB)%!Weekday((BADINDEX), bound = , limit = /dev/stdin12207031256103515625: parsing AdditionalBad varintCancelIoExChorasmianClassCHAOSClassCSNETCreateFileCreatePipeDeprecated, xrefs: 00D6CA50
<== as at fp= is lr: of on pc= sp: sp=) = ) m=+Inf-Inf3125: p=ACDTACSTAEDTAESTAKDTAKSTAWSTAhomAtoiCESTChamDashEESTGOGCJulyJuneLEAFLisuMiaoModiNZDTNZSTNewaSASTStatThaim=] = ] n=allgallpasn1avx2basebindbmi1bmi2boolbootcallcas1cas2cas3cas4cas5cas6chandead, xrefs: 00D6CCB1
) = ) m=+Inf-Inf3125: p=ACDTACSTAEDTAESTAKDTAKSTAWSTAhomAtoiCESTChamDashEESTGOGCJulyJuneLEAFLisuMiaoModiNZDTNZSTNewaSASTStatThaim=] = ] n=allgallpasn1avx2basebindbmi1bmi2boolbootcallcas1cas2cas3cas4cas5cas6chandeadermsfileftpsfunchourhttpicmpidleigmpint8itab, xrefs: 00D6CC4F
s.elemsize= s.sweepgen= span.limit= span.state= sysmonwait= wbuf1=<nil> wbuf2=<nil>$recycle.bin%!(BADWIDTH)) p->status=-byte limit152587890625762939453125Bidi_ControlCoCreateGuidCreateEventWCreateMutexWDES-EDE3-CBCFindNextFileGetAddrInfoWGetConsoleCPGetLastE, xrefs: 00D6CACE

Memory Dump Source

Source File: 00000000.00000002.661933456.0000000000D51000.00000020.00020000.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.661927136.0000000000D50000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.662082442.0000000000E53000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.662217305.0000000000F3E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662222778.0000000000F44000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.662233308.0000000000F56000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662236659.0000000000F57000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.662240097.0000000000F59000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662243272.0000000000F5F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662246441.0000000000F63000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662249429.0000000000F77000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662252544.0000000000F7A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662256348.0000000000F7D000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.662259273.0000000000F7E000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: *( - < > m= n=%: +00+01+03+04+05+06+07+08+09+10+11+12+13+14-01-02-03-04-05-06-08-09-11-12125625???ADTASTAprAugBSTCATCDTCETCSTDecDltEATEDTEETEOFESTFebFriGMTHDTHSTHanIDTISTJSTJanJulJunKSTLaoMD4MD5MDTMSKMSTMarMayMonMroNDTNSTNULNaNNkoNovOctPC=PDTPKTPSTSETSatSe$ <== as at fp= is lr: of on pc= sp: sp=) = ) m=+Inf-Inf3125: p=ACDTACSTAEDTAESTAKDTAKSTAWSTAhomAtoiCESTChamDashEESTGOGCJulyJuneLEAFLisuMiaoModiNZDTNZSTNewaSASTStatThaim=] = ] n=allgallpasn1avx2basebindbmi1bmi2boolbootcallcas1cas2cas3cas4cas5cas6chandead$ s.base()= spinning= stopwait= sweepgen sweepgen= targetpc= throwing= until pc=%!(NOVERB)%!Weekday((BADINDEX), bound = , limit = /dev/stdin12207031256103515625: parsing AdditionalBad varintCancelIoExChorasmianClassCHAOSClassCSNETCreateFileCreatePipeDeprecated$ s.elemsize= s.sweepgen= span.limit= span.state= sysmonwait= wbuf1=<nil> wbuf2=<nil>$recycle.bin%!(BADWIDTH)) p->status=-byte limit152587890625762939453125Bidi_ControlCoCreateGuidCreateEventWCreateMutexWDES-EDE3-CBCFindNextFileGetAddrInfoWGetConsoleCPGetLastE$ s.limit= s.state= threads= u_a/u_g= unmarked wbuf1.n= wbuf2.n=%!(EXTRA (MISSING)(unknown), newval=, oldval=, size = , tail = -07:00:00244140625: status=AuthorityBassa_VahBhaiksukiBigEndianClassINETCuneiformDiacriticFindCloseHex_DigitInheritedInterfaceKhudawad$ s.spanclass= span.base()= syscalltick= work.nproc= work.nwait= , gp->status=, not pointer-byte block (3814697265625CertOpenStoreCoTaskMemFreeDeleteServiceEnumProcessesExitWindowsExFindFirstFileFindNextFileWFindResourceWFreeAddrInfoWGC sweep waitGetDriveTypeW$ s=nil zombie, goid=, j0 = 19531252.5.4.32.5.4.52.5.4.62.5.4.72.5.4.82.5.4.99765625AvestanBengaliBrailleChanDirCopySidCypriotDES-CBCDeseretElbasanElymaicFreeSidGODEBUGGranthaHanunooIO waitJanuaryKannadaMUI_DltMUI_StdMakasarMandaicMarchenMultaniMyanmarOctoberO$) = ) m=+Inf-Inf3125: p=ACDTACSTAEDTAESTAKDTAKSTAWSTAhomAtoiCESTChamDashEESTGOGCJulyJuneLEAFLisuMiaoModiNZDTNZSTNewaSASTStatThaim=] = ] n=allgallpasn1avx2basebindbmi1bmi2boolbootcallcas1cas2cas3cas4cas5cas6chandeadermsfileftpsfunchourhttpicmpidleigmpint8itab$unknown(wsaioctl (forced) blocked= defersc= in use) lockedg= lockedm= m->curg= marked method: ms cpu, not in [ runtime= s.limit= s.state= threads= u_a/u_g= unmarked wbuf1.n= wbuf2.n=%!(EXTRA (MISSING)(unknown), newval=, oldval=, size = , tail = -07:00:002
API String ID: 0-2990027102
Opcode ID: a5d8bc35e3af670584a75ba84e18b549646b6487cfdcbd19429556d4d47a7a59
Instruction ID: fb68b2cf83e87e7a06259fd4b09fda0ece47fc2a2df0b4e53bb3ca395c855732
Opcode Fuzzy Hash: a5d8bc35e3af670584a75ba84e18b549646b6487cfdcbd19429556d4d47a7a59
Instruction Fuzzy Hash: 8EB1D1B41097048FD304FF68C18162ABBE4EF98304F41986DE8D997352EB38D988DB72

Uniqueness

Uniqueness Score: -1.00%

Function 00D83A70, Relevance: 11.5, Strings: 9, Instructions: 229
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E00D83A70() {
				intOrPtr _t98;
				intOrPtr _t118;
				intOrPtr _t122;
				intOrPtr _t126;
				intOrPtr _t146;
				intOrPtr _t148;
				intOrPtr _t149;
				intOrPtr _t152;
				intOrPtr _t153;
				intOrPtr _t154;
				intOrPtr _t157;
				signed int _t158;
				intOrPtr _t159;
				intOrPtr _t160;
				intOrPtr _t162;
				intOrPtr _t163;
				intOrPtr _t166;
				signed int _t167;
				intOrPtr _t169;
				intOrPtr _t171;
				intOrPtr _t172;
				void* _t175;
				intOrPtr _t176;
				intOrPtr _t181;
				intOrPtr _t182;
				signed int _t183;
				intOrPtr _t187;
				intOrPtr _t188;
				intOrPtr _t194;
				intOrPtr _t195;
				intOrPtr _t197;
				intOrPtr _t198;
				intOrPtr* _t201;

				_t98 =  *((intOrPtr*)(_t201 + 0x40));
				if( *((intOrPtr*)(_t98 + 0xc)) != 0) {
					L45:
					 *_t201 =  &M00E845D4;
					 *((intOrPtr*)(_t201 + 4)) = 0x20;
					E00D80D70();
					asm("int3");
					L46:
					if(_t201 >  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x14])) + 8))) {
						_t201 = _t201 - 8;
						 *_t201 =  &M00E85625;
						 *((intOrPtr*)(_t201 + 4)) = 0x24;
						E00D80D70();
					}
					E00DA8880();
					goto L46;
				}
				if(( *(_t98 + 0x24) & 0x000000ff) != 0) {
					L44:
					 *_t201 =  &M00E85D8B;
					 *((intOrPtr*)(_t201 + 4)) = 0x26;
					E00D80D70();
					goto L45;
				}
				if( *((intOrPtr*)(_t98 + 4)) != 0) {
					L43:
					 *_t201 =  &M00E845F4;
					 *((intOrPtr*)(_t201 + 4)) = 0x20;
					E00D80D70();
					goto L44;
				}
				if( *((intOrPtr*)(_t98 + 8)) != 0) {
					L42:
					 *_t201 =  &M00E84614;
					 *((intOrPtr*)(_t201 + 4)) = 0x20;
					E00D80D70();
					goto L43;
				}
				if( *((intOrPtr*)(_t98 + 0x2c)) != 0) {
					L41:
					 *_t201 =  &M00E85649;
					 *((intOrPtr*)(_t201 + 4)) = 0x24;
					E00D80D70();
					goto L42;
				}
				if( *((intOrPtr*)(_t98 + 0x34)) != 0) {
					L40:
					 *_t201 =  &M00E83886;
					 *((intOrPtr*)(_t201 + 4)) = 0x1d;
					E00D80D70();
					goto L41;
				}
				_t146 =  *((intOrPtr*)( *[fs:0x14]));
				if( *((intOrPtr*)(_t146 + 0x44)) != 0) {
					L39:
					 *_t201 = 0xe86ac5;
					 *((intOrPtr*)(_t201 + 4)) = 0x2b;
					E00D80D70();
					goto L40;
				}
				 *((intOrPtr*)( *((intOrPtr*)(_t146 + 0x18)) + 0x78)) =  *((intOrPtr*)( *((intOrPtr*)(_t146 + 0x18)) + 0x78)) + 1;
				_t187 =  *((intOrPtr*)(_t146 + 0x18));
				 *((intOrPtr*)(_t201 + 0x28)) = _t187;
				_t181 =  *((intOrPtr*)(_t187 + 0x54));
				 *((intOrPtr*)(_t201 + 0x38)) = _t181;
				if( *(_t181 + 0x734) !=  *(_t181 + 0x730)) {
					L24:
					_t157 =  *((intOrPtr*)(_t201 + 0x38));
					_t167 =  *(_t157 + 0x730);
					_t148 = _t167 + 1;
					_t188 =  *((intOrPtr*)(_t157 + 0x72c));
					_t182 =  *((intOrPtr*)(_t157 + 0x734));
					if(_t182 < _t148) {
						 *_t201 = 0xe5da80;
						 *((intOrPtr*)(_t201 + 4)) = _t188;
						 *(_t201 + 8) = _t167;
						 *((intOrPtr*)(_t201 + 0xc)) = _t182;
						 *((intOrPtr*)(_t201 + 0x10)) = _t148;
						L00D923C0();
						_t118 =  *((intOrPtr*)(_t201 + 0x14));
						_t158 =  *(_t201 + 0x18);
						_t149 =  *((intOrPtr*)(_t201 + 0x38));
						 *((intOrPtr*)(_t149 + 0x734)) =  *((intOrPtr*)(_t201 + 0x1c));
						_t169 =  *0xf779c0; // 0x0
						if(_t169 != 0) {
							_t118 = L00DA9DE0(_t118, _t149, _t158, _t169, _t149 + 0x72c, _t182, _t188);
						} else {
							 *((intOrPtr*)(_t149 + 0x72c)) = _t118;
						}
						_t167 = _t158;
						_t188 = _t118;
						_t157 = _t149;
					}
					_t150 = _t167 + 1;
					 *(_t157 + 0x730) = _t167 + 1;
					_t159 =  *0xf779c0; // 0x0
					_t175 = _t188 + _t167 * 4;
					if(_t159 != 0) {
						L00DA9DE0( *((intOrPtr*)(_t201 + 0x40)), _t150, _t159, _t167, _t175, _t182, _t188);
					} else {
						 *((intOrPtr*)(_t188 + _t167 * 4)) =  *((intOrPtr*)(_t201 + 0x40));
					}
					_t122 =  *((intOrPtr*)( *[fs:0x14]));
					_t160 =  *((intOrPtr*)(_t201 + 0x28));
					_t71 =  *((intOrPtr*)(_t160 + 0x78)) - 1; // -1
					 *((intOrPtr*)(_t160 + 0x78)) = _t71;
					if( *((intOrPtr*)(_t160 + 0x78)) != 1 || ( *(_t122 + 0x65) & 0x000000ff) == 0) {
						return _t122;
					} else {
						 *((intOrPtr*)(_t122 + 8)) = 0xfffffade;
						return _t122;
					}
				}
				_t162 = 0;
				_t171 = 0;
				while(1) {
					_t152 =  *((intOrPtr*)(_t181 + 0x72c));
					_t176 = _t187;
					_t183 =  *(_t181 + 0x730);
					_t190 =  *(_t181 + 0x734) >> 1;
					if(_t183 <=  *(_t181 + 0x734) >> 1) {
						break;
					}
					_t191 = _t183 - 1;
					if(_t183 <= _t191) {
						L38:
						E00DA9E60();
						goto L39;
					}
					 *(_t201 + 0x20) = _t191;
					 *((intOrPtr*)(_t201 + 0x24)) =  *((intOrPtr*)(_t152 + _t183 * 4 - 4));
					 *((intOrPtr*)(_t201 + 0x34)) = _t152 + _t183 * 4 - 4;
					_t194 =  *0xf779c0; // 0x0
					if(_t194 != 0) {
						_t153 = _t176;
						_t195 = _t98;
						L00DA9DE0(0, _t153, _t162, _t171,  *((intOrPtr*)(_t201 + 0x34)), _t183, _t195);
						_t98 = _t195;
						_t176 = _t153;
					} else {
						 *((intOrPtr*)(_t152 + _t183 * 4 - 4)) = 0;
					}
					_t154 =  *((intOrPtr*)(_t201 + 0x38));
					_t191 =  *(_t154 + 0x734);
					_t183 =  *(_t201 + 0x20);
					if(_t183 >  *(_t154 + 0x734)) {
						E00DA9EA0();
						goto L38;
					} else {
						 *(_t154 + 0x730) = _t183;
						if(_t171 == 0) {
							_t171 =  *((intOrPtr*)(_t201 + 0x24));
						} else {
							_t197 =  *0xf779c0; // 0x0
							if(_t197 != 0) {
								_t166 = _t176;
								_t198 = _t98;
								L00DA9DE0( *((intOrPtr*)(_t201 + 0x24)), _t154, _t166, _t171, _t162 + 4, _t162 + 4, _t198);
								_t98 = _t198;
								_t176 = _t166;
							} else {
								 *((intOrPtr*)(_t162 + 4)) =  *((intOrPtr*)(_t201 + 0x24));
							}
						}
						_t187 = _t176;
						_t181 = _t154;
						_t162 =  *((intOrPtr*)(_t201 + 0x24));
						continue;
					}
				}
				 *((intOrPtr*)(_t201 + 0x30)) = _t171;
				 *((intOrPtr*)(_t201 + 0x2c)) = _t162;
				 *_t201 = 0xf5aebc;
				L00D59600(_t152);
				_t126 =  *((intOrPtr*)(_t201 + 0x2c));
				_t163 =  *0xf779c0; // 0x0
				_t172 =  *0xf5aec0; // 0x0
				if(_t163 != 0) {
					L00DA9DE0(_t172, _t152, _t163, _t172, _t126 + 4, _t183, _t190);
					L00DA9DE0( *((intOrPtr*)(_t201 + 0x30)), _t152, _t163, _t172, 0xf5aec0, _t183, _t190);
				} else {
					 *((intOrPtr*)(_t126 + 4)) = _t172;
					 *0xf5aec0 =  *((intOrPtr*)(_t201 + 0x30));
				}
				 *_t201 = 0xf5aebc;
				E00D59810(_t152);
				goto L24;
			}

0x00d83a73
0x00d83a7c
0x00d83da8
0x00d83dae
0x00d83db1
0x00d83db9
0x00d83dbf
0x00d83dc0
0x00d83dd0
0x00d83dd2
0x00d83ddb
0x00d83dde
0x00d83de6
0x00d83de6
0x00d83dec
0x00000000
0x00d83dec
0x00d83a88
0x00d83d92
0x00d83d98
0x00d83d9b
0x00d83da3
0x00000000
0x00d83da3
0x00d83a93
0x00d83d7c
0x00d83d82
0x00d83d85
0x00d83d8d
0x00000000
0x00d83d8d
0x00d83a9e
0x00d83d66
0x00d83d6c
0x00d83d6f
0x00d83d77
0x00000000
0x00d83d77
0x00d83aa9
0x00d83d50
0x00d83d56
0x00d83d59
0x00d83d61
0x00000000
0x00d83d61
0x00d83ab4
0x00d83d3a
0x00d83d40
0x00d83d43
0x00d83d4b
0x00000000
0x00d83d4b
0x00d83ac1
0x00d83acc
0x00d83d24
0x00d83d2a
0x00d83d2d
0x00d83d35
0x00000000
0x00d83d35
0x00d83ad6
0x00d83ad9
0x00d83adc
0x00d83ae0
0x00d83ae3
0x00d83af5
0x00d83c1e
0x00d83c1e
0x00d83c22
0x00d83c28
0x00d83c2b
0x00d83c31
0x00d83c39
0x00d83c9e
0x00d83ca1
0x00d83ca5
0x00d83ca9
0x00d83cad
0x00d83cb1
0x00d83cb6
0x00d83cba
0x00d83cc2
0x00d83cc6
0x00d83ccc
0x00d83cd4
0x00d83ced
0x00d83cd6
0x00d83cd6
0x00d83cd6
0x00d83cdc
0x00d83cde
0x00d83ce0
0x00d83ce0
0x00d83c3b
0x00d83c3e
0x00d83c44
0x00d83c4a
0x00d83c50
0x00d83c91
0x00d83c52
0x00d83c56
0x00d83c56
0x00d83c62
0x00d83c68
0x00d83c6f
0x00d83c72
0x00d83c78
0x00d83c8c
0x00d83c82
0x00d83c82
0x00000000
0x00d83c82
0x00d83c78
0x00d83afb
0x00d83afd
0x00d83b09
0x00d83b09
0x00d83b0f
0x00d83b17
0x00d83b1d
0x00d83b21
0x00000000
0x00000000
0x00d83b27
0x00d83b2c
0x00d83d1b
0x00d83d1f
0x00000000
0x00d83d1f
0x00d83b32
0x00d83b3a
0x00d83b42
0x00d83b46
0x00d83b4e
0x00d83bba
0x00d83bc0
0x00d83bc4
0x00d83bc9
0x00d83bcb
0x00d83b50
0x00d83b50
0x00d83b50
0x00d83b58
0x00d83b5c
0x00d83b62
0x00d83b68
0x00d83d16
0x00000000
0x00d83b6e
0x00d83b6e
0x00d83b76
0x00d83bb3
0x00d83b78
0x00d83b7a
0x00d83b82
0x00d83b93
0x00d83b97
0x00d83b9d
0x00d83ba2
0x00d83ba8
0x00d83b84
0x00d83b88
0x00d83b88
0x00d83b82
0x00d83b01
0x00d83b03
0x00d83b05
0x00000000
0x00d83b05
0x00d83b68
0x00d83bcf
0x00d83bd3
0x00d83bdf
0x00d83be2
0x00d83be7
0x00d83bed
0x00d83bf3
0x00d83bfb
0x00d83cf9
0x00d83d08
0x00d83c01
0x00d83c01
0x00d83c08
0x00d83c08
0x00d83c16
0x00d83c19
0x00000000

Strings

runtime: sudog with non-nil elemruntime: sudog with non-nil nextruntime: sudog with non-nil prevscanstack: goroutine not stoppedslice bounds out of range [%x::]slice bounds out of range [:%x:]slice bounds out of range [::%x]software caused connection abortswee, xrefs: 00D83DA8
runtime: sudog with non-nil prevscanstack: goroutine not stoppedslice bounds out of range [%x::]slice bounds out of range [:%x:]slice bounds out of range [::%x]software caused connection abortsweep increased allocation countuse of closed network connectionx509, xrefs: 00D83D66
runtime: sudog with non-nil cruntime: summary max pages = runtime: unknown pc in defer semacquire not on the G stackstring concatenation too longsyntax error scanning booleantimeBegin/EndPeriod not foundtoo many open files in systemx509: unknown encryption mod, xrefs: 00D83D3A
$, xrefs: 00D83DDE
runtime: releaseSudog with non-nil gp.paramruntime:stoplockedm: lockedg (atomicstatus=unfinished open-coded defers in deferreturnunknown runnable goroutine during bootstrap using value obtained using unexported fieldcompileCallback: float results not supported, xrefs: 00D83D24
runtime: sudog with non-false isSelecttime: missing Location in call to Date2006-01-02 15:04:05.999999999 -0700 MST277555756156289135105907917022705078125PowerRegisterSuspendResumeNotification, xrefs: 00D83D92
runtime: mcall called on m->g0 stackruntime: sudog with non-nil waitlinkruntime: unblock on closing polldescruntime: wrong goroutine in newstackstrings.Builder.Grow: negative countsyntax error scanning complex numberuncaching span but s.allocCount == 0x509: ze, xrefs: 00D83DD5
runtime: sudog with non-nil waitlinkruntime: unblock on closing polldescruntime: wrong goroutine in newstackstrings.Builder.Grow: negative countsyntax error scanning complex numberuncaching span but s.allocCount == 0x509: zero or negative DSA parameter) is sma, xrefs: 00D83D50
runtime: sudog with non-nil nextruntime: sudog with non-nil prevscanstack: goroutine not stoppedslice bounds out of range [%x::]slice bounds out of range [:%x:]slice bounds out of range [::%x]software caused connection abortsweep increased allocation countuse , xrefs: 00D83D7C

Memory Dump Source

Source File: 00000000.00000002.661933456.0000000000D51000.00000020.00020000.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.661927136.0000000000D50000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.662082442.0000000000E53000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.662217305.0000000000F3E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662222778.0000000000F44000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.662233308.0000000000F56000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662236659.0000000000F57000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.662240097.0000000000F59000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662243272.0000000000F5F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662246441.0000000000F63000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662249429.0000000000F77000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662252544.0000000000F7A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662256348.0000000000F7D000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.662259273.0000000000F7E000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: $$runtime: mcall called on m->g0 stackruntime: sudog with non-nil waitlinkruntime: unblock on closing polldescruntime: wrong goroutine in newstackstrings.Builder.Grow: negative countsyntax error scanning complex numberuncaching span but s.allocCount == 0x509: ze$runtime: releaseSudog with non-nil gp.paramruntime:stoplockedm: lockedg (atomicstatus=unfinished open-coded defers in deferreturnunknown runnable goroutine during bootstrap using value obtained using unexported fieldcompileCallback: float results not supported$runtime: sudog with non-false isSelecttime: missing Location in call to Date2006-01-02 15:04:05.999999999 -0700 MST277555756156289135105907917022705078125PowerRegisterSuspendResumeNotification$runtime: sudog with non-nil cruntime: summary max pages = runtime: unknown pc in defer semacquire not on the G stackstring concatenation too longsyntax error scanning booleantimeBegin/EndPeriod not foundtoo many open files in systemx509: unknown encryption mod$runtime: sudog with non-nil elemruntime: sudog with non-nil nextruntime: sudog with non-nil prevscanstack: goroutine not stoppedslice bounds out of range [%x::]slice bounds out of range [:%x:]slice bounds out of range [::%x]software caused connection abortswee$runtime: sudog with non-nil nextruntime: sudog with non-nil prevscanstack: goroutine not stoppedslice bounds out of range [%x::]slice bounds out of range [:%x:]slice bounds out of range [::%x]software caused connection abortsweep increased allocation countuse $runtime: sudog with non-nil prevscanstack: goroutine not stoppedslice bounds out of range [%x::]slice bounds out of range [:%x:]slice bounds out of range [::%x]software caused connection abortsweep increased allocation countuse of closed network connectionx509$runtime: sudog with non-nil waitlinkruntime: unblock on closing polldescruntime: wrong goroutine in newstackstrings.Builder.Grow: negative countsyntax error scanning complex numberuncaching span but s.allocCount == 0x509: zero or negative DSA parameter) is sma
API String ID: 0-2899014019
Opcode ID: 5386f7d26c54e9eb3375a3a9897f91cb8850fb25c27f9efbe0c03586db7d098e
Instruction ID: ee9c7ececf13e5f50300a6f151c01414ba27e4b43726c4732c07ea1eaad4cc1a
Opcode Fuzzy Hash: 5386f7d26c54e9eb3375a3a9897f91cb8850fb25c27f9efbe0c03586db7d098e
Instruction Fuzzy Hash: 28A138B4609308CFC714EF25C18065ABBE1FB88B04F54896DED8997312E735EA09DB62

Uniqueness

Uniqueness Score: -1.00%

Function 00D55DB0, Relevance: 11.4, Strings: 9, Instructions: 198COMMON

Download Yara Rule

Strings

(types from different scopes) in prepareForSweep; sweepgen locals stack map entries for 227373675443232059478759765625Central European Standard TimeCentral Standard Time (Mexico)CertDeleteCertificateFromStoreE. South America Standard TimeEastern Standard Tim, xrefs: 00D55FE4
, not 390625<-chanAnswerArabicAugustBrahmiCarianChakmaCommonCopticFormatFridayGOROOTGetACPGothicHangulHatranHebrewHyphenKaithiKhojkiLepchaLycianLydianMondayRejangSCHED STREETStringSundaySyriacTai_LeTangutTeluguThaanaTypeMXTypeNSUTC+12UTC+13UTC-02UTC-08UTC-09UT, xrefs: 00D55E92
is lr: of on pc= sp: sp=) = ) m=+Inf-Inf3125: p=ACDTACSTAEDTAESTAKDTAKSTAWSTAhomAtoiCESTChamDashEESTGOGCJulyJuneLEAFLisuMiaoModiNZDTNZSTNewaSASTStatThaim=] = ] n=allgallpasn1avx2basebindbmi1bmi2boolbootcallcas1cas2cas3cas4cas5cas6chandeadermsfileftpsfunc, xrefs: 00D55E78
interface conversion: internal inconsistencyinvalid number base %dis encrypted pem blockkernel32.dll not foundminpc or maxpc invalidnetwork is unreachablenon-Go function at pc=oldoverflow is not niloperation was canceledprotocol not availableprotocol not suppo, xrefs: 00D55E56, 00D56010, 00D560BE
, xrefs: 00D55F96
is not mcount= minutes nalloc= newval= nfreed= pointer stack=[ status %!Month(.crypted2.5.4.102.5.4.112.5.4.1748828125AcceptExArmenianBalineseBopomofoBugineseCancelIoCherokeeClassANYCyrillicDEK-InfoDecemberDuployanEqualSidEthiopicExtenderFebruaryFullPathGeor, xrefs: 00D5602A
(types from different packages)28421709430404007434844970703125: day-of-year does not match dayCertAddCertificateContextToStoreCertVerifyCertificateChainPolicyGetVolumePathNamesForVolumeNameWMapIter.Value called before NextWSAGetOverlappedResult not found" no, xrefs: 00D55F8C
: missing method AdjustTokenGroupsCertFindExtensionCryptDecodeObjectDnsRecordListFreeFLE Standard TimeGC assist markingGMT Standard TimeGTB Standard TimeGetCurrentProcessGetShortPathNameWIsTokenRestrictedLookupAccountSidWOld_North_ArabianOld_South_ArabianOther, xrefs: 00D5604C
is nil, not nStackRoots= out of range s.spanclass= span.base()= syscalltick= work.nproc= work.nwait= , gp->status=, not pointer-byte block (3814697265625CertOpenStoreCoTaskMemFreeDeleteServiceEnumProcessesExitWindowsExFindFirstFileFindNextFileWFindResourceW, xrefs: 00D560E0

Memory Dump Source

Source File: 00000000.00000002.661933456.0000000000D51000.00000020.00020000.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.661927136.0000000000D50000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.662082442.0000000000E53000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.662217305.0000000000F3E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662222778.0000000000F44000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.662233308.0000000000F56000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662236659.0000000000F57000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.662240097.0000000000F59000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662243272.0000000000F5F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662246441.0000000000F63000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662249429.0000000000F77000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662252544.0000000000F7A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662256348.0000000000F7D000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.662259273.0000000000F7E000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: $ (types from different packages)28421709430404007434844970703125: day-of-year does not match dayCertAddCertificateContextToStoreCertVerifyCertificateChainPolicyGetVolumePathNamesForVolumeNameWMapIter.Value called before NextWSAGetOverlappedResult not found" no$ (types from different scopes) in prepareForSweep; sweepgen locals stack map entries for 227373675443232059478759765625Central European Standard TimeCentral Standard Time (Mexico)CertDeleteCertificateFromStoreE. South America Standard TimeEastern Standard Tim$ is lr: of on pc= sp: sp=) = ) m=+Inf-Inf3125: p=ACDTACSTAEDTAESTAKDTAKSTAWSTAhomAtoiCESTChamDashEESTGOGCJulyJuneLEAFLisuMiaoModiNZDTNZSTNewaSASTStatThaim=] = ] n=allgallpasn1avx2basebindbmi1bmi2boolbootcallcas1cas2cas3cas4cas5cas6chandeadermsfileftpsfunc$ is nil, not nStackRoots= out of range s.spanclass= span.base()= syscalltick= work.nproc= work.nwait= , gp->status=, not pointer-byte block (3814697265625CertOpenStoreCoTaskMemFreeDeleteServiceEnumProcessesExitWindowsExFindFirstFileFindNextFileWFindResourceW$ is not mcount= minutes nalloc= newval= nfreed= pointer stack=[ status %!Month(.crypted2.5.4.102.5.4.112.5.4.1748828125AcceptExArmenianBalineseBopomofoBugineseCancelIoCherokeeClassANYCyrillicDEK-InfoDecemberDuployanEqualSidEthiopicExtenderFebruaryFullPathGeor$, not 390625<-chanAnswerArabicAugustBrahmiCarianChakmaCommonCopticFormatFridayGOROOTGetACPGothicHangulHatranHebrewHyphenKaithiKhojkiLepchaLycianLydianMondayRejangSCHED STREETStringSundaySyriacTai_LeTangutTeluguThaanaTypeMXTypeNSUTC+12UTC+13UTC-02UTC-08UTC-09UT$: missing method AdjustTokenGroupsCertFindExtensionCryptDecodeObjectDnsRecordListFreeFLE Standard TimeGC assist markingGMT Standard TimeGTB Standard TimeGetCurrentProcessGetShortPathNameWIsTokenRestrictedLookupAccountSidWOld_North_ArabianOld_South_ArabianOther$interface conversion: internal inconsistencyinvalid number base %dis encrypted pem blockkernel32.dll not foundminpc or maxpc invalidnetwork is unreachablenon-Go function at pc=oldoverflow is not niloperation was canceledprotocol not availableprotocol not suppo
API String ID: 0-1119302355
Opcode ID: 89bc3d2e870af0cde79ffaef0805e9c4f5190fc7c73f2044b7df8c70d9879611
Instruction ID: c7b5a75ece7b314cae4281ca4a403c56a577627ad1de8ed8f5bfa7c0624dfca9
Opcode Fuzzy Hash: 89bc3d2e870af0cde79ffaef0805e9c4f5190fc7c73f2044b7df8c70d9879611
Instruction Fuzzy Hash: E5A178B45083409FC718DF25D190A6ABBE1BF88740F50892EF9D987361EB75E948CF62

Uniqueness

Uniqueness Score: -1.00%

Function 00DA0680, Relevance: 11.4, Strings: 9, Instructions: 189COMMON

Download Yara Rule

Strings

- < > m= n=%: +00+01+03+04+05+06+07+08+09+10+11+12+13+14-01-02-03-04-05-06-08-09-11-12125625???ADTASTAprAugBSTCATCDTCETCSTDecDltEATEDTEETEOFESTFebFriGMTHDTHSTHanIDTISTJSTJanJulJunKSTLaoMD4MD5MDTMSKMSTMarMayMonMroNDTNSTNULNaNNkoNovOctPC=PDTPKTPSTSETSatSepSt, xrefs: 00DA0927
not in ranges: untyped locals , not a function0123456789ABCDEF0123456789abcdef2384185791015625: value of type AddDllDirectory, xrefs: 00DA07EE
., xrefs: 00DA0981
base code= ctxt: curg= free goid jobs= list= m->p= next= p->m= prev= span=% util(...), i = , not 390625<-chanAnswerArabicAugustBrahmiCarianChakmaCommonCopticFormatFridayGOROOTGetACPGothicHangulHatranHebrewHyphenKaithiKhojkiLepchaLycianLydianMondayRejangSC, xrefs: 00DA07C4
runtime: text offset out of rangeruntime: type offset out of rangeslice bounds out of range [%x:%y]stackalloc not on scheduler stackstoplockedm: inconsistent lockingstruct contains unexported fieldstimer period must be non-negativetoo many Answers to pack (>65, xrefs: 00DA095B
runtime: textOff runtime: typeOff scanobject n == 0select (no cases)stack: frame={sp:swept cached spanthread exhaustionunknown caller pcwait for GC cyclewine_get_version, xrefs: 00DA0799, 00DA08D2
runtime: text offset base pointer out of rangeruntime: type offset base pointer out of rangesignal arrived during external code executionslice bounds out of range [:%x] with length %ystopTheWorld: not stopped (status != _Pgcstop)sysGrow bounds not aligned to , xrefs: 00DA0978
G, xrefs: 00DA06AA, 00DA0809
out of range procedure in to finalizer untyped args -thread limit1907348632812595367431640625: extra text: CertCloseStoreCoInitializeExCoUninitializeControlServiceCreateEventExWCreateMutexExWCreateProcessWCreateServiceWCryptGenRandomFindFirstFileWFormatMe, xrefs: 00DA08FD

Memory Dump Source

Source File: 00000000.00000002.661933456.0000000000D51000.00000020.00020000.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.661927136.0000000000D50000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.662082442.0000000000E53000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.662217305.0000000000F3E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662222778.0000000000F44000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.662233308.0000000000F56000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662236659.0000000000F57000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.662240097.0000000000F59000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662243272.0000000000F5F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662246441.0000000000F63000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662249429.0000000000F77000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662252544.0000000000F7A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662256348.0000000000F7D000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.662259273.0000000000F7E000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: - < > m= n=%: +00+01+03+04+05+06+07+08+09+10+11+12+13+14-01-02-03-04-05-06-08-09-11-12125625???ADTASTAprAugBSTCATCDTCETCSTDecDltEATEDTEETEOFESTFebFriGMTHDTHSTHanIDTISTJSTJanJulJunKSTLaoMD4MD5MDTMSKMSTMarMayMonMroNDTNSTNULNaNNkoNovOctPC=PDTPKTPSTSETSatSepSt$ G$ base code= ctxt: curg= free goid jobs= list= m->p= next= p->m= prev= span=% util(...), i = , not 390625<-chanAnswerArabicAugustBrahmiCarianChakmaCommonCopticFormatFridayGOROOTGetACPGothicHangulHatranHebrewHyphenKaithiKhojkiLepchaLycianLydianMondayRejangSC$ not in ranges: untyped locals , not a function0123456789ABCDEF0123456789abcdef2384185791015625: value of type AddDllDirectory$ out of range procedure in to finalizer untyped args -thread limit1907348632812595367431640625: extra text: CertCloseStoreCoInitializeExCoUninitializeControlServiceCreateEventExWCreateMutexExWCreateProcessWCreateServiceWCryptGenRandomFindFirstFileWFormatMe$.$runtime: text offset base pointer out of rangeruntime: type offset base pointer out of rangesignal arrived during external code executionslice bounds out of range [:%x] with length %ystopTheWorld: not stopped (status != _Pgcstop)sysGrow bounds not aligned to $runtime: text offset out of rangeruntime: type offset out of rangeslice bounds out of range [%x:%y]stackalloc not on scheduler stackstoplockedm: inconsistent lockingstruct contains unexported fieldstimer period must be non-negativetoo many Answers to pack (>65$runtime: textOff runtime: typeOff scanobject n == 0select (no cases)stack: frame={sp:swept cached spanthread exhaustionunknown caller pcwait for GC cyclewine_get_version
API String ID: 0-339844357
Opcode ID: f706be686d801d2afc308550ac9c7650b236158d20eb8d8468ff5260b7503fe3
Instruction ID: 913a8f58fe674111ad30e3b9cb73271ab6bfd06a1c59e2b71cc17e0708392327
Opcode Fuzzy Hash: f706be686d801d2afc308550ac9c7650b236158d20eb8d8468ff5260b7503fe3
Instruction Fuzzy Hash: F48104B45097018FC744EF64C585A6EBBE0FF89304F45486DE48997392EB38D888DBB2

Uniqueness

Uniqueness Score: -1.00%

Function 00DA0370, Relevance: 11.4, Strings: 9, Instructions: 177COMMON

Download Yara Rule

Strings

- < > m= n=%: +00+01+03+04+05+06+07+08+09+10+11+12+13+14-01-02-03-04-05-06-08-09-11-12125625???ADTASTAprAugBSTCATCDTCETCSTDecDltEATEDTEETEOFESTFebFriGMTHDTHSTHanIDTISTJSTJanJulJunKSTLaoMD4MD5MDTMSKMSTMarMayMonMroNDTNSTNULNaNNkoNovOctPC=PDTPKTPSTSETSatSepSt, xrefs: 00DA0610
runtime: type offset out of rangeslice bounds out of range [%x:%y]stackalloc not on scheduler stackstoplockedm: inconsistent lockingstruct contains unexported fieldstimer period must be non-negativetoo many Answers to pack (>65535)too many levels of symbolic l, xrefs: 00DA0644
not in ranges: untyped locals , not a function0123456789ABCDEF0123456789abcdef2384185791015625: value of type AddDllDirectory, xrefs: 00DA04DB
base code= ctxt: curg= free goid jobs= list= m->p= next= p->m= prev= span=% util(...), i = , not 390625<-chanAnswerArabicAugustBrahmiCarianChakmaCommonCopticFormatFridayGOROOTGetACPGothicHangulHatranHebrewHyphenKaithiKhojkiLepchaLycianLydianMondayRejangSC, xrefs: 00DA04B1
., xrefs: 00DA0663
G, xrefs: 00DA03A2, 00DA04F6
runtime: type offset base pointer out of rangesignal arrived during external code executionslice bounds out of range [:%x] with length %ystopTheWorld: not stopped (status != _Pgcstop)sysGrow bounds not aligned to pallocChunkBytesx509: failed to unmarshal elli, xrefs: 00DA065A
out of range procedure in to finalizer untyped args -thread limit1907348632812595367431640625: extra text: CertCloseStoreCoInitializeExCoUninitializeControlServiceCreateEventExWCreateMutexExWCreateProcessWCreateServiceWCryptGenRandomFindFirstFileWFormatMe, xrefs: 00DA05E6
runtime: typeOff scanobject n == 0select (no cases)stack: frame={sp:swept cached spanthread exhaustionunknown caller pcwait for GC cyclewine_get_version, xrefs: 00DA0486, 00DA05BB

Memory Dump Source

Source File: 00000000.00000002.661933456.0000000000D51000.00000020.00020000.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.661927136.0000000000D50000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.662082442.0000000000E53000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.662217305.0000000000F3E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662222778.0000000000F44000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.662233308.0000000000F56000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662236659.0000000000F57000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.662240097.0000000000F59000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662243272.0000000000F5F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662246441.0000000000F63000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662249429.0000000000F77000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662252544.0000000000F7A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662256348.0000000000F7D000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.662259273.0000000000F7E000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: - < > m= n=%: +00+01+03+04+05+06+07+08+09+10+11+12+13+14-01-02-03-04-05-06-08-09-11-12125625???ADTASTAprAugBSTCATCDTCETCSTDecDltEATEDTEETEOFESTFebFriGMTHDTHSTHanIDTISTJSTJanJulJunKSTLaoMD4MD5MDTMSKMSTMarMayMonMroNDTNSTNULNaNNkoNovOctPC=PDTPKTPSTSETSatSepSt$ G$ base code= ctxt: curg= free goid jobs= list= m->p= next= p->m= prev= span=% util(...), i = , not 390625<-chanAnswerArabicAugustBrahmiCarianChakmaCommonCopticFormatFridayGOROOTGetACPGothicHangulHatranHebrewHyphenKaithiKhojkiLepchaLycianLydianMondayRejangSC$ not in ranges: untyped locals , not a function0123456789ABCDEF0123456789abcdef2384185791015625: value of type AddDllDirectory$ out of range procedure in to finalizer untyped args -thread limit1907348632812595367431640625: extra text: CertCloseStoreCoInitializeExCoUninitializeControlServiceCreateEventExWCreateMutexExWCreateProcessWCreateServiceWCryptGenRandomFindFirstFileWFormatMe$.$runtime: type offset base pointer out of rangesignal arrived during external code executionslice bounds out of range [:%x] with length %ystopTheWorld: not stopped (status != _Pgcstop)sysGrow bounds not aligned to pallocChunkBytesx509: failed to unmarshal elli$runtime: type offset out of rangeslice bounds out of range [%x:%y]stackalloc not on scheduler stackstoplockedm: inconsistent lockingstruct contains unexported fieldstimer period must be non-negativetoo many Answers to pack (>65535)too many levels of symbolic l$runtime: typeOff scanobject n == 0select (no cases)stack: frame={sp:swept cached spanthread exhaustionunknown caller pcwait for GC cyclewine_get_version
API String ID: 0-2818232881
Opcode ID: 187a80abce5f24990cc899e5eaa224268ae1d94bd586452a9c3de9d2fdb73156
Instruction ID: 06fbd79909468e3cfa7aca749d56cb3424012d3970156c30f1b59cd04cdd258d
Opcode Fuzzy Hash: 187a80abce5f24990cc899e5eaa224268ae1d94bd586452a9c3de9d2fdb73156
Instruction Fuzzy Hash: 8F81D0B45097019FC704EF64C585A6EBBF0FB89704F45892DE88887352EB74D988DBB2

Uniqueness

Uniqueness Score: -1.00%

Function 00D7DAB0, Relevance: 11.4, Strings: 9, Instructions: 173COMMON

Download Yara Rule

Strings

runtime: g0 stack [runtime: pcdata is runtime: preempt g0semaRoot rotateLeftskip this directorystopm holding lockssysMemStat overflowtime: unknown unit too many open filesunexpected g statusunknown Go type: %vunknown hash value unknown wait reasonwinmm.dll not, xrefs: 00D7DC54
runtime: VirtualQuery failed; errno=runtime: bad notifyList size - sync=runtime: invalid pc-encoded table f=runtime: invalid typeBitsBulkBarrierruntime: marked free object in span runtime: mcall called on m->g0 stackruntime: sudog with non-nil waitlinkruntime:, xrefs: 00D7DCEA
runtime: CreateWaitableTimerEx failed; errno=runtime: failed mSpanList.remove span.npages=scavengeOne called with unaligned work regionx509: trailing data after ASN.1 of public-keyzero length explicit tag was not an asn1.Flag (bad use of unsafe.Pointer? try -d, xrefs: 00D7DD45
runtime.minit: duplicatehandle failed; errno=runtime: CreateWaitableTimerEx failed; errno=runtime: failed mSpanList.remove span.npages=scavengeOne called with unaligned work regionx509: trailing data after ASN.1 of public-keyzero length explicit tag was not an, xrefs: 00D7DDA0
runtime.minit: duplicatehandle failedruntime: allocation size out of rangesetprofilebucket: profile already setstartTheWorld: inconsistent mp->nextptoo many Additionals to pack (>65535)too many Authorities to pack (>65535)value too large for defined data typex, xrefs: 00D7DDD4
CreateWaitableTimerEx when creating timer failedcould not find GetSystemTimeAsFileTime() syscallparsing/packing of this type isn't available yetruntime.preemptM: duplicatehandle failed; errno=runtime: waitforsingleobject unexpected; result=runtime: waitforsing, xrefs: 00D7DD79
VirtualQuery for stack base failedcrypto/aes: invalid buffer overlapcrypto/des: invalid buffer overlapcrypto/rsa: missing public modulusdoaddtimer: P already set in timerflag provided but not defined: -%sforEachP: sched.safePointWait != 0illegal base64 data at, xrefs: 00D7DD1E
%, xrefs: 00D7DDDD
bad g0 stackbad recoverybootfont.binbootsect.bakcan't happencas64 failedchan receivedumping heapend tracegcentersyscallgcBitsArenasgcpacertracehost is downiconcache.dbillegal seekinvalid baseinvalid slotiphlpapi.dllkernel32.dllmadvdontneedmheapSpecialmspanSpe, xrefs: 00D7DCC3

Memory Dump Source

Source File: 00000000.00000002.661933456.0000000000D51000.00000020.00020000.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.661927136.0000000000D50000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.662082442.0000000000E53000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.662217305.0000000000F3E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662222778.0000000000F44000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.662233308.0000000000F56000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662236659.0000000000F57000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.662240097.0000000000F59000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662243272.0000000000F5F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662246441.0000000000F63000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662249429.0000000000F77000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662252544.0000000000F7A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662256348.0000000000F7D000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.662259273.0000000000F7E000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: %$CreateWaitableTimerEx when creating timer failedcould not find GetSystemTimeAsFileTime() syscallparsing/packing of this type isn't available yetruntime.preemptM: duplicatehandle failed; errno=runtime: waitforsingleobject unexpected; result=runtime: waitforsing$VirtualQuery for stack base failedcrypto/aes: invalid buffer overlapcrypto/des: invalid buffer overlapcrypto/rsa: missing public modulusdoaddtimer: P already set in timerflag provided but not defined: -%sforEachP: sched.safePointWait != 0illegal base64 data at$bad g0 stackbad recoverybootfont.binbootsect.bakcan't happencas64 failedchan receivedumping heapend tracegcentersyscallgcBitsArenasgcpacertracehost is downiconcache.dbillegal seekinvalid baseinvalid slotiphlpapi.dllkernel32.dllmadvdontneedmheapSpecialmspanSpe$runtime.minit: duplicatehandle failed; errno=runtime: CreateWaitableTimerEx failed; errno=runtime: failed mSpanList.remove span.npages=scavengeOne called with unaligned work regionx509: trailing data after ASN.1 of public-keyzero length explicit tag was not an$runtime.minit: duplicatehandle failedruntime: allocation size out of rangesetprofilebucket: profile already setstartTheWorld: inconsistent mp->nextptoo many Additionals to pack (>65535)too many Authorities to pack (>65535)value too large for defined data typex$runtime: CreateWaitableTimerEx failed; errno=runtime: failed mSpanList.remove span.npages=scavengeOne called with unaligned work regionx509: trailing data after ASN.1 of public-keyzero length explicit tag was not an asn1.Flag (bad use of unsafe.Pointer? try -d$runtime: VirtualQuery failed; errno=runtime: bad notifyList size - sync=runtime: invalid pc-encoded table f=runtime: invalid typeBitsBulkBarrierruntime: marked free object in span runtime: mcall called on m->g0 stackruntime: sudog with non-nil waitlinkruntime:$runtime: g0 stack [runtime: pcdata is runtime: preempt g0semaRoot rotateLeftskip this directorystopm holding lockssysMemStat overflowtime: unknown unit too many open filesunexpected g statusunknown Go type: %vunknown hash value unknown wait reasonwinmm.dll not
API String ID: 0-2776986474
Opcode ID: 438b624996dc089c0e5bc04b7b576c5f359ab4d2724a24c9773dc864cfdd092a
Instruction ID: 830326df8e6c956e5944ce1e807a58f0c89d787ed47a5604c690d259d356475d
Opcode Fuzzy Hash: 438b624996dc089c0e5bc04b7b576c5f359ab4d2724a24c9773dc864cfdd092a
Instruction Fuzzy Hash: 0E81CDB45097058FD310FF68C58576ABBE0FF88718F018A2DE49897392E7789949CB72

Uniqueness

Uniqueness Score: -1.00%

Function 00DA00B0, Relevance: 11.4, Strings: 9, Instructions: 158COMMON

Download Yara Rule

Strings

- < > m= n=%: +00+01+03+04+05+06+07+08+09+10+11+12+13+14-01-02-03-04-05-06-08-09-11-12125625???ADTASTAprAugBSTCATCDTCETCSTDecDltEATEDTEETEOFESTFebFriGMTHDTHSTHanIDTISTJSTJanJulJunKSTLaoMD4MD5MDTMSKMSTMarMayMonMroNDTNSTNULNaNNkoNovOctPC=PDTPKTPSTSETSatSepSt, xrefs: 00DA0317
runtime: nameOff runtime: next_gc=runtime: pointer runtime: summary[runtime: textOff runtime: typeOff scanobject n == 0select (no cases)stack: frame={sp:swept cached spanthread exhaustionunknown caller pcwait for GC cyclewine_get_version, xrefs: 00DA017D, 00DA02C2
not in ranges: untyped locals , not a function0123456789ABCDEF0123456789abcdef2384185791015625: value of type AddDllDirectory, xrefs: 00DA01D2
!, xrefs: 00DA0354
base code= ctxt: curg= free goid jobs= list= m->p= next= p->m= prev= span=% util(...), i = , not 390625<-chanAnswerArabicAugustBrahmiCarianChakmaCommonCopticFormatFridayGOROOTGetACPGothicHangulHatranHebrewHyphenKaithiKhojkiLepchaLycianLydianMondayRejangSC, xrefs: 00DA01A8
G, xrefs: 00DA00D9, 00DA01ED
out of range procedure in to finalizer untyped args -thread limit1907348632812595367431640625: extra text: CertCloseStoreCoInitializeExCoUninitializeControlServiceCreateEventExWCreateMutexExWCreateProcessWCreateServiceWCryptGenRandomFindFirstFileWFormatMe, xrefs: 00DA02ED
runtime: name offset out of rangeruntime: text offset out of rangeruntime: type offset out of rangeslice bounds out of range [%x:%y]stackalloc not on scheduler stackstoplockedm: inconsistent lockingstruct contains unexported fieldstimer period must be non-nega, xrefs: 00DA034B
runtime: name offset base pointer out of rangeruntime: panic before malloc heap initializedruntime: text offset base pointer out of rangeruntime: type offset base pointer out of rangesignal arrived during external code executionslice bounds out of range [:%x, xrefs: 00DA029F

Memory Dump Source

Source File: 00000000.00000002.661933456.0000000000D51000.00000020.00020000.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.661927136.0000000000D50000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.662082442.0000000000E53000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.662217305.0000000000F3E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662222778.0000000000F44000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.662233308.0000000000F56000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662236659.0000000000F57000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.662240097.0000000000F59000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662243272.0000000000F5F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662246441.0000000000F63000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662249429.0000000000F77000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662252544.0000000000F7A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662256348.0000000000F7D000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.662259273.0000000000F7E000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: - < > m= n=%: +00+01+03+04+05+06+07+08+09+10+11+12+13+14-01-02-03-04-05-06-08-09-11-12125625???ADTASTAprAugBSTCATCDTCETCSTDecDltEATEDTEETEOFESTFebFriGMTHDTHSTHanIDTISTJSTJanJulJunKSTLaoMD4MD5MDTMSKMSTMarMayMonMroNDTNSTNULNaNNkoNovOctPC=PDTPKTPSTSETSatSepSt$ G$ base code= ctxt: curg= free goid jobs= list= m->p= next= p->m= prev= span=% util(...), i = , not 390625<-chanAnswerArabicAugustBrahmiCarianChakmaCommonCopticFormatFridayGOROOTGetACPGothicHangulHatranHebrewHyphenKaithiKhojkiLepchaLycianLydianMondayRejangSC$ not in ranges: untyped locals , not a function0123456789ABCDEF0123456789abcdef2384185791015625: value of type AddDllDirectory$ out of range procedure in to finalizer untyped args -thread limit1907348632812595367431640625: extra text: CertCloseStoreCoInitializeExCoUninitializeControlServiceCreateEventExWCreateMutexExWCreateProcessWCreateServiceWCryptGenRandomFindFirstFileWFormatMe$!$runtime: name offset base pointer out of rangeruntime: panic before malloc heap initializedruntime: text offset base pointer out of rangeruntime: type offset base pointer out of rangesignal arrived during external code executionslice bounds out of range [:%x$runtime: name offset out of rangeruntime: text offset out of rangeruntime: type offset out of rangeslice bounds out of range [%x:%y]stackalloc not on scheduler stackstoplockedm: inconsistent lockingstruct contains unexported fieldstimer period must be non-nega$runtime: nameOff runtime: next_gc=runtime: pointer runtime: summary[runtime: textOff runtime: typeOff scanobject n == 0select (no cases)stack: frame={sp:swept cached spanthread exhaustionunknown caller pcwait for GC cyclewine_get_version
API String ID: 0-1206335471
Opcode ID: 000828a7035ab50f7b4d198d709ad9dc47d5a06e3a5597cfbae3e08c889dde18
Instruction ID: 414ade6c9fac7d8356add4bfc9d8f586c574f695aa80787607fa6e5d670f1e77
Opcode Fuzzy Hash: 000828a7035ab50f7b4d198d709ad9dc47d5a06e3a5597cfbae3e08c889dde18
Instruction Fuzzy Hash: 9E61CDB45097049FC744EF64C08576EBBE0FB89704F45892DE8C897352EB789988DBB2

Uniqueness

Uniqueness Score: -1.00%

Function 00D91C90, Relevance: 11.4, Strings: 9, Instructions: 145COMMON

Download Yara Rule

Strings

integer divide by zerointerface conversion: internal inconsistencyinvalid number base %dis encrypted pem blockkernel32.dll not foundminpc or maxpc invalidnetwork is unreachablenon-Go function at pc=oldoverflow is not niloperation was canceledprotocol not avail, xrefs: 00D91DA6
unexpected fault address unexpected key value typeunknown Go type for slice using unaddressable value1455191522836685180664062572759576141834259033203125: day-of-year out of rangeBougainville Standard TimeCentral Asia Standard TimeCertFindCertificateInStoreCer, xrefs: 00D91EA0
faultfloatgFreegcinggscanhchanhttpsimap2imap3imapsinit int16int32int64limitmheapmonthntldrntohspanicpop3sscav schedsleepslicesse41sse42ssse3sudogsweeptraceuint8usagevaluewinntwrite Value addr= alloc base code= ctxt: curg= free goid jobs= list= m->p= next= p, xrefs: 00D91ED4, 00D91EF6
integer overflowinvalid argumentinvalid exchangeinvalid g statusinvalid spdelta length too largemSpanList.insertmSpanList.removemessage too longmissing stackmapnewmHandoff.lockno route to hostnon-Go functionobject is remotepacer: H_m_prev=reflect mismatchremo, xrefs: 00D91D7A
invalid memory address or nil pointer dereferenceinvalid or incomplete multibyte or wide characterpanicwrap: unexpected string after package name: reflect.Value.Slice: slice of unaddressable arrayruntime: unexpected waitm - semaphore out of syncs.allocCount !=, xrefs: 00D91DD2, 00D91E29, 00D91E57
*, xrefs: 00D91F15
floating point errorforcegc: phase errorgc_trigger underflowgo of nil func valuegopark: bad g statusinvalid request codeinvalid write resultis a named type filekey has been revokedmalloc during signalnotetsleep not on g0number has no digitsp mcache not flushed, xrefs: 00D91D1C
1, xrefs: 00D91E61
unexpected signal during runtime executionx509: RSA modulus is not a positive numberx509: trailing data after ECDSA parametersgcBgMarkWorker: unexpected gcMarkWorkerModegrew heap, but no adequate free space foundheapBitsSetTypeGCProg: unexpected bit countinter, xrefs: 00D91F0C

Memory Dump Source

Source File: 00000000.00000002.661933456.0000000000D51000.00000020.00020000.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.661927136.0000000000D50000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.662082442.0000000000E53000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.662217305.0000000000F3E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662222778.0000000000F44000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.662233308.0000000000F56000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662236659.0000000000F57000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.662240097.0000000000F59000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662243272.0000000000F5F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662246441.0000000000F63000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662249429.0000000000F77000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662252544.0000000000F7A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662256348.0000000000F7D000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.662259273.0000000000F7E000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: *$1$faultfloatgFreegcinggscanhchanhttpsimap2imap3imapsinit int16int32int64limitmheapmonthntldrntohspanicpop3sscav schedsleepslicesse41sse42ssse3sudogsweeptraceuint8usagevaluewinntwrite Value addr= alloc base code= ctxt: curg= free goid jobs= list= m->p= next= p$floating point errorforcegc: phase errorgc_trigger underflowgo of nil func valuegopark: bad g statusinvalid request codeinvalid write resultis a named type filekey has been revokedmalloc during signalnotetsleep not on g0number has no digitsp mcache not flushed$integer divide by zerointerface conversion: internal inconsistencyinvalid number base %dis encrypted pem blockkernel32.dll not foundminpc or maxpc invalidnetwork is unreachablenon-Go function at pc=oldoverflow is not niloperation was canceledprotocol not avail$integer overflowinvalid argumentinvalid exchangeinvalid g statusinvalid spdelta length too largemSpanList.insertmSpanList.removemessage too longmissing stackmapnewmHandoff.lockno route to hostnon-Go functionobject is remotepacer: H_m_prev=reflect mismatchremo$invalid memory address or nil pointer dereferenceinvalid or incomplete multibyte or wide characterpanicwrap: unexpected string after package name: reflect.Value.Slice: slice of unaddressable arrayruntime: unexpected waitm - semaphore out of syncs.allocCount !=$unexpected fault address unexpected key value typeunknown Go type for slice using unaddressable value1455191522836685180664062572759576141834259033203125: day-of-year out of rangeBougainville Standard TimeCentral Asia Standard TimeCertFindCertificateInStoreCer$unexpected signal during runtime executionx509: RSA modulus is not a positive numberx509: trailing data after ECDSA parametersgcBgMarkWorker: unexpected gcMarkWorkerModegrew heap, but no adequate free space foundheapBitsSetTypeGCProg: unexpected bit countinter
API String ID: 0-1814064194
Opcode ID: 345352c7f659015df5797d1ff8a03ae476e3235693c46810f9958ed27f629905
Instruction ID: e1c963055264a30d85c4a176ae063b0bb73051a99999708de2d89d24dd3e025b
Opcode Fuzzy Hash: 345352c7f659015df5797d1ff8a03ae476e3235693c46810f9958ed27f629905
Instruction Fuzzy Hash: B45105B85087058FCB14EF64C58476ABBE4FF88744F05882DE89987362D734D988EB72

Uniqueness

Uniqueness Score: -1.00%

Function 00D5FD60, Relevance: 11.4, Strings: 9, Instructions: 116COMMON

Download Yara Rule

Strings

span.limit= span.state= sysmonwait= wbuf1=<nil> wbuf2=<nil>$recycle.bin%!(BADWIDTH)) p->status=-byte limit152587890625762939453125Bidi_ControlCoCreateGuidCreateEventWCreateMutexWDES-EDE3-CBCFindNextFileGetAddrInfoWGetConsoleCPGetLastErrorGetLengthSidGetProce, xrefs: 00D5FE36
found bad pointer in Go heap (incorrect use of unsafe or cgo?)runtime: internal error: misuse of lockOSThread/unlockOSThread4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f55ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b6b17d1f2, xrefs: 00D5FF7C
span.base()= syscalltick= work.nproc= work.nwait= , gp->status=, not pointer-byte block (3814697265625CertOpenStoreCoTaskMemFreeDeleteServiceEnumProcessesExitWindowsExFindFirstFileFindNextFileWFindResourceWFreeAddrInfoWGC sweep waitGetDriveTypeWGunjala_Gondi, xrefs: 00D5FE0C
>, xrefs: 00D5FF85
to unused region of span2910383045673370361328125AUS Central Standard TimeAUS Eastern Standard TimeAfghanistan Standard TimeExpandEnvironmentStringsWFindNextVolumeMountPointWFindVolumeMountPointCloseGODEBUG: can not enable "GetFinalPathNameByHandleWGetQueuedC, xrefs: 00D5FEAB
runtime: found in object at *(runtime: impossible type kind socket operation on non-socketsync: inconsistent mutex statesync: unlock of unlocked mutex) not in usable address space: ...additional frames elided....lib section in a.out corrupted11368683772161602, xrefs: 00D5FED0
to unallocated span37252902984619140625Arabic Standard TimeAzores Standard TimeCertFindChainInStoreCertOpenSystemStoreWChangeServiceConfigWCheckTokenMembershipCreateProcessAsUserWCryptAcquireContextWEgyptian_HieroglyphsGetAcceptExSockaddrsGetAdaptersAddresses, xrefs: 00D5FDDA
runtime: pointer runtime: summary[runtime: textOff runtime: typeOff scanobject n == 0select (no cases)stack: frame={sp:swept cached spanthread exhaustionunknown caller pcwait for GC cyclewine_get_version, xrefs: 00D5FD83
objectpopcntrenamesecondselectsendtosocketstringstructsweep sysmontelnettimersuint16uint32uint64 (scan (scan) MB in Value> allocs dying= locks= m->g0= nmsys= s=nil zombie, goid=, j0 = 19531252.5.4.32.5.4.52.5.4.62.5.4.72.5.4.82.5.4.99765625AvestanBengaliBra, xrefs: 00D5FF3F

Memory Dump Source

Source File: 00000000.00000002.661933456.0000000000D51000.00000020.00020000.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.661927136.0000000000D50000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.662082442.0000000000E53000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.662217305.0000000000F3E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662222778.0000000000F44000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.662233308.0000000000F56000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662236659.0000000000F57000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.662240097.0000000000F59000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662243272.0000000000F5F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662246441.0000000000F63000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662249429.0000000000F77000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662252544.0000000000F7A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662256348.0000000000F7D000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.662259273.0000000000F7E000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: span.base()= syscalltick= work.nproc= work.nwait= , gp->status=, not pointer-byte block (3814697265625CertOpenStoreCoTaskMemFreeDeleteServiceEnumProcessesExitWindowsExFindFirstFileFindNextFileWFindResourceWFreeAddrInfoWGC sweep waitGetDriveTypeWGunjala_Gondi$ span.limit= span.state= sysmonwait= wbuf1=<nil> wbuf2=<nil>$recycle.bin%!(BADWIDTH)) p->status=-byte limit152587890625762939453125Bidi_ControlCoCreateGuidCreateEventWCreateMutexWDES-EDE3-CBCFindNextFileGetAddrInfoWGetConsoleCPGetLastErrorGetLengthSidGetProce$ to unallocated span37252902984619140625Arabic Standard TimeAzores Standard TimeCertFindChainInStoreCertOpenSystemStoreWChangeServiceConfigWCheckTokenMembershipCreateProcessAsUserWCryptAcquireContextWEgyptian_HieroglyphsGetAcceptExSockaddrsGetAdaptersAddresses$ to unused region of span2910383045673370361328125AUS Central Standard TimeAUS Eastern Standard TimeAfghanistan Standard TimeExpandEnvironmentStringsWFindNextVolumeMountPointWFindVolumeMountPointCloseGODEBUG: can not enable "GetFinalPathNameByHandleWGetQueuedC$>$found bad pointer in Go heap (incorrect use of unsafe or cgo?)runtime: internal error: misuse of lockOSThread/unlockOSThread4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f55ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b6b17d1f2$objectpopcntrenamesecondselectsendtosocketstringstructsweep sysmontelnettimersuint16uint32uint64 (scan (scan) MB in Value> allocs dying= locks= m->g0= nmsys= s=nil zombie, goid=, j0 = 19531252.5.4.32.5.4.52.5.4.62.5.4.72.5.4.82.5.4.99765625AvestanBengaliBra$runtime: found in object at *(runtime: impossible type kind socket operation on non-socketsync: inconsistent mutex statesync: unlock of unlocked mutex) not in usable address space: ...additional frames elided....lib section in a.out corrupted11368683772161602$runtime: pointer runtime: summary[runtime: textOff runtime: typeOff scanobject n == 0select (no cases)stack: frame={sp:swept cached spanthread exhaustionunknown caller pcwait for GC cyclewine_get_version
API String ID: 0-48596869
Opcode ID: dfdb6f10b2bc525bf8e5cac8722d09bbb7905488fa74a40615a0e7f1e7edfbf1
Instruction ID: 61191c2d538e98b9e319427aa84ee3d5bd163fcf513167b11f4ad2e81bc2b981
Opcode Fuzzy Hash: dfdb6f10b2bc525bf8e5cac8722d09bbb7905488fa74a40615a0e7f1e7edfbf1
Instruction Fuzzy Hash: 6251A1B41097048FD700FF68C185B6EBBE4EF48758F45882DE8D897252DB789948DBB2

Uniqueness

Uniqueness Score: -1.00%

Function 00D6ACF0, Relevance: 10.4, Strings: 8, Instructions: 428COMMON

Download Yara Rule

Strings

mark - bad statusmarkBits overflownil resource bodyno data availablenotetsleepg on g0permission deniedreflect.Value.Intreflect.Value.Lenreflect: New(nil)reflect: call of runtime.newosprocruntime/internal/runtime: level = runtime: nameOff runtime: next_gc=runti, xrefs: 00D6B3D1
runtime: gp=runtime: sp=self-preemptshort bufferspanSetSpinesweepWaiterstraceStringswintrust.dllwirep: p->m=worker mode wtsapi32.dll != sweepgen (default %q) (default %v) MB) workers= called from flushedWork heap_marked= idlethreads= in duration is nil, no, xrefs: 00D6B284, 00D6B34E
runtime:scanstack: gp=s.freeindex > s.nelemsscanstack - bad statussend on closed channelspan has no free spacestack not a power of 2timer goroutine (idle)trace reader (blocked)trace: alloc too largewirep: invalid p statezero length BIT STRING) must be a power , xrefs: 00D6B418
, goid=, j0 = 19531252.5.4.32.5.4.52.5.4.62.5.4.72.5.4.82.5.4.99765625AvestanBengaliBrailleChanDirCopySidCypriotDES-CBCDeseretElbasanElymaicFreeSidGODEBUGGranthaHanunooIO waitJanuaryKannadaMUI_DltMUI_StdMakasarMandaicMarchenMultaniMyanmarOctoberOsmanyaRadicalS, xrefs: 00D6B2A9, 00D6B373, 00D6B43D
can't scan our own stackconnection reset by peerdouble traceGCSweepStartfunction not implementedgcDrainN phase incorrecthash of unhashable type initSpan: unaligned baselevel 2 not synchronizedlink number out of rangenot supported by windowsout of streams resou, xrefs: 00D6B23D
, xrefs: 00D6B310
scanstack: goroutine not stoppedslice bounds out of range [%x::]slice bounds out of range [:%x:]slice bounds out of range [::%x]software caused connection abortsweep increased allocation countuse of closed network connectionx509: unsupported elliptic curve of , xrefs: 00D6B307
, gp->atomicstatus=149011611938476562520060102150405Z07007450580596923828125Altai Standard TimeBahia Standard TimeCanadian_AboriginalChina Standard TimeCreateSymbolicLinkWCryptReleaseContextEgypt Standard TimeGC work not flushedGetCurrentProcessIdGetDiskFreeSp, xrefs: 00D6B2D3, 00D6B39D, 00D6B467

Memory Dump Source

Source File: 00000000.00000002.661933456.0000000000D51000.00000020.00020000.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.661927136.0000000000D50000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.662082442.0000000000E53000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.662217305.0000000000F3E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662222778.0000000000F44000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.662233308.0000000000F56000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662236659.0000000000F57000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.662240097.0000000000F59000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662243272.0000000000F5F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662246441.0000000000F63000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662249429.0000000000F77000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662252544.0000000000F7A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662256348.0000000000F7D000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.662259273.0000000000F7E000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: $, goid=, j0 = 19531252.5.4.32.5.4.52.5.4.62.5.4.72.5.4.82.5.4.99765625AvestanBengaliBrailleChanDirCopySidCypriotDES-CBCDeseretElbasanElymaicFreeSidGODEBUGGranthaHanunooIO waitJanuaryKannadaMUI_DltMUI_StdMakasarMandaicMarchenMultaniMyanmarOctoberOsmanyaRadicalS$, gp->atomicstatus=149011611938476562520060102150405Z07007450580596923828125Altai Standard TimeBahia Standard TimeCanadian_AboriginalChina Standard TimeCreateSymbolicLinkWCryptReleaseContextEgypt Standard TimeGC work not flushedGetCurrentProcessIdGetDiskFreeSp$can't scan our own stackconnection reset by peerdouble traceGCSweepStartfunction not implementedgcDrainN phase incorrecthash of unhashable type initSpan: unaligned baselevel 2 not synchronizedlink number out of rangenot supported by windowsout of streams resou$mark - bad statusmarkBits overflownil resource bodyno data availablenotetsleepg on g0permission deniedreflect.Value.Intreflect.Value.Lenreflect: New(nil)reflect: call of runtime.newosprocruntime/internal/runtime: level = runtime: nameOff runtime: next_gc=runti$runtime: gp=runtime: sp=self-preemptshort bufferspanSetSpinesweepWaiterstraceStringswintrust.dllwirep: p->m=worker mode wtsapi32.dll != sweepgen (default %q) (default %v) MB) workers= called from flushedWork heap_marked= idlethreads= in duration is nil, no$runtime:scanstack: gp=s.freeindex > s.nelemsscanstack - bad statussend on closed channelspan has no free spacestack not a power of 2timer goroutine (idle)trace reader (blocked)trace: alloc too largewirep: invalid p statezero length BIT STRING) must be a power $scanstack: goroutine not stoppedslice bounds out of range [%x::]slice bounds out of range [:%x:]slice bounds out of range [::%x]software caused connection abortsweep increased allocation countuse of closed network connectionx509: unsupported elliptic curve of
API String ID: 0-4128223362
Opcode ID: 90317475e62bd6681a10c345eaf4ec1f6a0828157a2e3b37ad083f2e93d62327
Instruction ID: 4005ac06d3414c8d5bee246cb674584de0c7e68ceeb07e947f576e4f2155ed77
Opcode Fuzzy Hash: 90317475e62bd6681a10c345eaf4ec1f6a0828157a2e3b37ad083f2e93d62327
Instruction Fuzzy Hash: A922A2B4509740CFC364EF28C594AAABBE0FF89314F10882DE89987351E735D889DF62

Uniqueness

Uniqueness Score: -1.00%

Function 00D97000, Relevance: 10.3, Strings: 8, Instructions: 349COMMON

Download Yara Rule

Strings

', xrefs: 00D974CB
runtime: function symbol table header: stack growth not allowed in system callsuspendG from non-preemptible goroutinetags don't match (%d vs %+v) %+v %s @%dtransport endpoint is already connected13877787807814456755295395851135253906256938893903907228377647697, xrefs: 00D974C2
abi mismatchadvapi32.dllautoexec.batbad flushGenbad g statusbad g0 stackbad recoverybootfont.binbootsect.bakcan't happencas64 failedchan receivedumping heapend tracegcentersyscallgcBitsArenasgcpacertracehost is downiconcache.dbillegal seekinvalid baseinvalid , xrefs: 00D9740D
> m= n=%: +00+01+03+04+05+06+07+08+09+10+11+12+13+14-01-02-03-04-05-06-08-09-11-12125625???ADTASTAprAugBSTCATCDTCETCSTDecDltEATEDTEETEOFESTFebFriGMTHDTHSTHanIDTISTJSTJanJulJunKSTLaoMD4MD5MDTMSKMSTMarMayMonMroNDTNSTNULNaNNkoNovOctPC=PDTPKTPSTSETSatSepStdSunTh, xrefs: 00D97191
invalid runtime symbol tablemheap.freeSpanLocked - span missing stack in shrinkstackmspan.sweep: m is not lockednewproc1: new g is not Gdeadnewproc1: newg missing stackos: process already finishedprotocol driver not attachedreflect.MakeSlice: len > capreflect:, xrefs: 00D9745B
function symbol table not sorted by program counter: reflect.Value.Slice: string slice index out of boundsreflect: non-interface type passed to Type.Implementsx509: failed to parse ECDSA parameters as named curvegoroutine running on other thread; stack unavai, xrefs: 00D9714E
minpc or maxpc invalidnetwork is unreachablenon-Go function at pc=oldoverflow is not niloperation was canceledprotocol not availableprotocol not supportedreflect.Value.SetFloatreflectlite.Value.Typeremote address changedruntime.main not on m0runtime: work.nwai, xrefs: 00D97423
abi mismatch detected between assignment to entry in nil mapcheckdead: inconsistent countscrypto/dsa: invalid public keycrypto/rsa: verification errorfailed to get system page sizefreedefer with d._panic != nilinappropriate ioctl for deviceinvalid function sym, xrefs: 00D973AF

Memory Dump Source

Source File: 00000000.00000002.661933456.0000000000D51000.00000020.00020000.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.661927136.0000000000D50000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.662082442.0000000000E53000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.662217305.0000000000F3E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662222778.0000000000F44000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.662233308.0000000000F56000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662236659.0000000000F57000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.662240097.0000000000F59000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662243272.0000000000F5F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662246441.0000000000F63000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662249429.0000000000F77000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662252544.0000000000F7A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662256348.0000000000F7D000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.662259273.0000000000F7E000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: > m= n=%: +00+01+03+04+05+06+07+08+09+10+11+12+13+14-01-02-03-04-05-06-08-09-11-12125625???ADTASTAprAugBSTCATCDTCETCSTDecDltEATEDTEETEOFESTFebFriGMTHDTHSTHanIDTISTJSTJanJulJunKSTLaoMD4MD5MDTMSKMSTMarMayMonMroNDTNSTNULNaNNkoNovOctPC=PDTPKTPSTSETSatSepStdSunTh$'$abi mismatch detected between assignment to entry in nil mapcheckdead: inconsistent countscrypto/dsa: invalid public keycrypto/rsa: verification errorfailed to get system page sizefreedefer with d._panic != nilinappropriate ioctl for deviceinvalid function sym$abi mismatchadvapi32.dllautoexec.batbad flushGenbad g statusbad g0 stackbad recoverybootfont.binbootsect.bakcan't happencas64 failedchan receivedumping heapend tracegcentersyscallgcBitsArenasgcpacertracehost is downiconcache.dbillegal seekinvalid baseinvalid $function symbol table not sorted by program counter: reflect.Value.Slice: string slice index out of boundsreflect: non-interface type passed to Type.Implementsx509: failed to parse ECDSA parameters as named curvegoroutine running on other thread; stack unavai$invalid runtime symbol tablemheap.freeSpanLocked - span missing stack in shrinkstackmspan.sweep: m is not lockednewproc1: new g is not Gdeadnewproc1: newg missing stackos: process already finishedprotocol driver not attachedreflect.MakeSlice: len > capreflect:$minpc or maxpc invalidnetwork is unreachablenon-Go function at pc=oldoverflow is not niloperation was canceledprotocol not availableprotocol not supportedreflect.Value.SetFloatreflectlite.Value.Typeremote address changedruntime.main not on m0runtime: work.nwai$runtime: function symbol table header: stack growth not allowed in system callsuspendG from non-preemptible goroutinetags don't match (%d vs %+v) %+v %s @%dtransport endpoint is already connected13877787807814456755295395851135253906256938893903907228377647697
API String ID: 0-3332915330
Opcode ID: 472c22c0e809ba7e865520875af2fad9ad905c0fd15f5854670945268a902e5c
Instruction ID: b5d50b5b7ca693ed650963388d8a95794b15788c515363dc2d8d81162865cef5
Opcode Fuzzy Hash: 472c22c0e809ba7e865520875af2fad9ad905c0fd15f5854670945268a902e5c
Instruction Fuzzy Hash: B9F1E5B46097448FC710EF68C18162EBBE1FF88704F15886DF99987352E734E945CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00D7CB30, Relevance: 10.2, Strings: 8, Instructions: 226
COMMON

Download Yara Rule

C-Code - Quality: 37%

			E00D7CB30(signed int __ebx, intOrPtr _a4) {
				char _v8;
				char _v24;
				char _v26;
				char _v50;
				char _v74;
				signed int _v80;
				void* _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				signed char _v113;
				intOrPtr _v120;
				intOrPtr _v124;
				intOrPtr _v128;
				signed int _v132;
				intOrPtr _t94;
				intOrPtr _t101;
				intOrPtr _t107;
				intOrPtr _t110;
				intOrPtr _t113;
				signed int _t115;
				intOrPtr _t121;
				signed int _t123;
				signed int _t124;
				signed int _t125;
				signed int _t126;
				signed int _t127;
				signed int _t129;
				signed int _t130;
				signed int _t132;
				signed int _t138;
				signed int _t140;
				signed int _t142;
				signed int _t146;
				signed int _t147;
				signed int _t156;
				intOrPtr _t165;
				intOrPtr _t167;
				intOrPtr _t168;
				signed int _t169;
				signed int _t170;
				signed int _t172;
				signed char _t173;
				signed char _t178;
				void* _t179;
				signed int _t180;
				signed char _t181;
				signed int _t182;
				signed int _t189;
				signed int _t194;
				signed int _t200;
				signed int _t203;
				signed int _t206;
				void* _t208;
				signed int _t209;
				void* _t217;
				intOrPtr* _t218;
				void* _t238;

				L0:
				while(1) {
					L0:
					_t140 = __ebx;
					if( &_v8 <=  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x14])) + 8))) {
						goto L29;
					}
					L1:
					_t218 = _t217 - 0x88;
					E00DAA504( &_v8,  &_v50,  &M00E81B81);
					 *_t218 = _a4;
					_v132 =  &_v50;
					_v128 = 0x18;
					_v124 = 0x18;
					E00D7BC70();
					_t94 =  *0xf779c0; // 0x0
					_t165 = _v120;
					if(_t94 != 0) {
						_t94 = L00DA9DE0(_t165, __ebx, _t165, _t179, 0xf59cfc,  &M00E81B81, _t208);
					} else {
						 *0xf59cfc = _t165;
					}
					if(_t165 == 0) {
						L28:
						 *_t218 = 0xe873cd;
						_v132 = 0x30;
						E00D80D70();
						goto L29;
					}
					L4:
					E00DAA504(_t94,  &_v74, "QueryPerformanceCounter");
					 *_t218 = _a4;
					_v132 =  &_v74;
					_v128 = 0x18;
					_v124 = 0x18;
					E00D7BC70();
					_t101 =  *0xf779c0; // 0x0
					_t167 = _v120;
					if(_t101 != 0) {
						_t101 = L00DA9DE0(_t167, _t140, _t167, _t179, 0xf59d0c, "QueryPerformanceCounter", _t208);
					} else {
						 *0xf59d0c = _t167;
					}
					_v26 = 0x72657551;
					_t189 =  &_v24;
					_t200 =  &M00E827DA;
					E00DAA504(_t101, _t189, _t200);
					 *_t218 = _a4;
					_t20 =  &_v26; // 0x72657551
					_v132 = _t20;
					_v128 = 0x1a;
					_v124 = 0x1a;
					E00D7BC70();
					_t107 =  *0xf779c0; // 0x0
					_t168 = _v120;
					if(_t107 != 0) {
						_t189 = 0xf59d10;
						L00DA9DE0(_t168, _t140, _t168, _t179, 0xf59d10, _t200, _t208);
					} else {
						 *0xf59d10 = _t168;
					}
					_t110 =  *0xf59d0c; // 0x0
					if(_t110 == 0 || _t168 == 0) {
						L27:
						 *_t218 = 0xe82c78;
						_v132 = 0x1b;
						E00D80D70();
						goto L28;
					}
					L10:
					_v84 = 0;
					_v80 = 0;
					_t113 =  *0xf59d10; // 0x0
					_t169 =  &_v84;
					 *_t218 = _t113;
					_v132 = _t169;
					E00D7DFE0();
					_t115 = _v80;
					_t170 = _t169 & 0xffffff00 | _t115 == 0x00000000;
					_t180 = _v84;
					_t142 = (_t140 & 0xffffff00 | _t180 == 0x00000000) & _t170;
					if(_t142 != 0) {
						L26:
						 *_t218 = 0xe88884;
						_v132 = 0x50;
						E00D80D70();
						goto L27;
					}
					L11:
					if(((_t142 & 0xffffff00 | _t180 - 0x7fffffff > 0x00000000) & _t170 | _t115 & 0xffffff00 | _t115 > 0x00000000) != 0) {
						L25:
						 *_t218 = 0xe88929;
						_v132 = 0x56;
						E00D80D70();
						goto L26;
					}
					L12:
					_v88 = _t180;
					_t121 =  *0xf59d0c; // 0x0
					 *_t218 = _t121;
					_v132 = 0xf77900;
					E00D7DFE0();
					_t123 = _v88;
					_t172 = 0;
					_t181 = 0x1e;
					_t146 = 0;
					_t209 = 0x3b9aca00;
					L14:
					while(_t181 >= 0) {
						_v112 = _t209;
						_v108 = _t146;
						_v104 = _t172;
						asm("sbb esi, esi");
						_v92 = _t200;
						_t173 = _t181;
						_t129 = _t123 << _t173 & _t200;
						_v96 = _t129;
						_t130 = _t189 & 0xffffff00 | _t129 - _t209 < 0x00000000;
						_v113 = _t130;
						_t56 = _t173 - 0x20; // -3
						_t132 = _t56;
						_v100 = _t132;
						asm("sbb ebp, ebp");
						asm("sbb edi, edi");
						_t203 = _v88 << _v100 & _t209;
						_t194 = _v92;
						_t156 = _v108;
						_t238 = _t156 - (_v88 >>  ~_t132 & _t130 | _v88 >> 0x0000001f << _t181 & _t194 | _t203);
						_t146 = _t156;
						_t189 = _t194 & 0xffffff00 | _t238 == 0x00000000;
						if((_v113 & 0x000000ff & _t189 | _t203 & 0xffffff00 | _t238 > 0x00000000) == 0) {
							_t178 = _t181;
							_t200 = _v104;
							_t138 = _v112;
						} else {
							_t206 = _v96;
							_t138 = _v112 - _t206;
							asm("sbb ebx, ebp");
							asm("sbb esi, esi");
							_t178 = _t181;
							_t189 = 0x00000001 << _t178 & _t206;
							_t200 = _v104 | 0x00000001;
						}
						_t42 = _t178 - 1; // 0x1c
						_t181 = _t42;
						_t172 = _t200;
						_t209 = _t138;
						_t123 = _v88;
					}
					_t182 = _t123;
					_t124 = _t123 >> 0x1f;
					__eflags = _t124 - _t146;
					_t125 = _t124 & 0xffffff00 | __eflags == 0x00000000;
					_t147 = _t146 & 0xffffff00 | __eflags < 0x00000000;
					_t209 - _t182 = _t147 | (_t182 & 0xffffff00 | _t209 - _t182 >= 0x00000000) & _t125;
					if((_t147 | (_t182 & 0xffffff00 | _t209 - _t182 >= 0x00000000) & _t125) == 0) {
						_t126 = _t172;
					} else {
						_t126 = 0x7fffffff;
					}
					 *0xf778f8 = _t126;
					_t127 = _t126 >> 0x1f;
					 *0xf778fc = _t127;
					 *0xf77797 = 1;
					return _t127;
					L30:
					L29:
					E00DA8880();
				}
			}

0x00d7cb30
0x00d7cb30
0x00d7cb30
0x00d7cb30
0x00d7cb44
0x00000000
0x00000000
0x00d7cb4a
0x00d7cb4a
0x00d7cb5a
0x00d7cb66
0x00d7cb6d
0x00d7cb71
0x00d7cb79
0x00d7cb81
0x00d7cb86
0x00d7cb8c
0x00d7cb92
0x00d7ce38
0x00d7cb98
0x00d7cb98
0x00d7cb98
0x00d7cba0
0x00d7ce84
0x00d7ce8a
0x00d7ce8d
0x00d7ce95
0x00000000
0x00d7ce95
0x00d7cba6
0x00d7cbb0
0x00d7cbbc
0x00d7cbc3
0x00d7cbc7
0x00d7cbcf
0x00d7cbd7
0x00d7cbdc
0x00d7cbe2
0x00d7cbe8
0x00d7ce26
0x00d7cbee
0x00d7cbee
0x00d7cbee
0x00d7cbf4
0x00d7cbfc
0x00d7cc00
0x00d7cc06
0x00d7cc12
0x00d7cc15
0x00d7cc19
0x00d7cc1d
0x00d7cc25
0x00d7cc2d
0x00d7cc32
0x00d7cc38
0x00d7cc3e
0x00d7ce0c
0x00d7ce14
0x00d7cc44
0x00d7cc44
0x00d7cc44
0x00d7cc4a
0x00d7cc52
0x00d7ce6e
0x00d7ce74
0x00d7ce77
0x00d7ce7f
0x00000000
0x00d7ce7f
0x00d7cc60
0x00d7cc60
0x00d7cc68
0x00d7cc70
0x00d7cc76
0x00d7cc7a
0x00d7cc7d
0x00d7cc81
0x00d7cc86
0x00d7cc8c
0x00d7cc8f
0x00d7cc98
0x00d7cc9c
0x00d7ce58
0x00d7ce5e
0x00d7ce61
0x00d7ce69
0x00000000
0x00d7ce69
0x00d7cca2
0x00d7ccb6
0x00d7ce42
0x00d7ce48
0x00d7ce4b
0x00d7ce53
0x00000000
0x00d7ce53
0x00d7ccbc
0x00d7ccbc
0x00d7ccc0
0x00d7cccc
0x00d7cccf
0x00d7ccd3
0x00d7ccd8
0x00d7ccdc
0x00d7ccde
0x00d7cce3
0x00d7cce5
0x00000000
0x00d7ccf7
0x00d7ccff
0x00d7cd03
0x00d7cd07
0x00d7cd0e
0x00d7cd10
0x00d7cd14
0x00d7cd18
0x00d7cd1a
0x00d7cd27
0x00d7cd28
0x00d7cd2d
0x00d7cd2d
0x00d7cd30
0x00d7cd37
0x00d7cd3e
0x00d7cd51
0x00d7cd63
0x00d7cd6d
0x00d7cd71
0x00d7cd7f
0x00d7cd7f
0x00d7cd8e
0x00d7cdb9
0x00d7cdbf
0x00d7cdc3
0x00d7cd90
0x00d7cd94
0x00d7cd98
0x00d7cd9a
0x00d7cd9f
0x00d7cda3
0x00d7cdac
0x00d7cdb2
0x00d7cdb2
0x00d7ccec
0x00d7ccec
0x00d7ccef
0x00d7ccf1
0x00d7ccf3
0x00d7ccf3
0x00d7cdcc
0x00d7cdce
0x00d7cdd1
0x00d7cdd3
0x00d7cdd6
0x00d7cde2
0x00d7cde4
0x00d7ce08
0x00d7cde6
0x00d7cde6
0x00d7cde6
0x00d7cdeb
0x00d7cdf1
0x00d7cdf4
0x00d7cdfa
0x00d7ce07
0x00000000
0x00d7ce9b
0x00d7ce9b
0x00d7ce9b

Strings

Quer, xrefs: 00D7CC15
could not find GetSystemTimeAsFileTime() syscallparsing/packing of this type isn't available yetruntime.preemptM: duplicatehandle failed; errno=runtime: waitforsingleobject unexpected; result=runtime: waitforsingleobject wait_failed; errno=slice bounds out of , xrefs: 00D7CE84
GetSystemTimeAsFileTime, xrefs: 00D7CB54
could not find QPC syscallsflag needs an argument: -%sgcstopm: not waiting for gcgrowslice: cap out of rangeinternal lockOSThread errorinvalid boolean flag %s: %vinvalid profile bucket typekey was rejected by servicemakechan: size out of rangemakeslice: cap ou, xrefs: 00D7CE6E
QueryPerformanceFrequency syscall returned zero, running on unsupported hardwarereflect.Value.Interface: cannot return value obtained from unexported field or methodQueryPerformanceFrequency overflow 32 bit divider, check nosplit discussion to proceedx509: fai, xrefs: 00D7CE58
QueryPerformanceCounter, xrefs: 00D7CBAA
eryPerformanceFrequency, xrefs: 00D7CC00
0, xrefs: 00D7CE8D

Memory Dump Source

Source File: 00000000.00000002.661933456.0000000000D51000.00000020.00020000.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.661927136.0000000000D50000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.662082442.0000000000E53000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.662217305.0000000000F3E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662222778.0000000000F44000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.662233308.0000000000F56000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662236659.0000000000F57000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.662240097.0000000000F59000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662243272.0000000000F5F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662246441.0000000000F63000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662249429.0000000000F77000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662252544.0000000000F7A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662256348.0000000000F7D000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.662259273.0000000000F7E000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: 0$GetSystemTimeAsFileTime$Quer$QueryPerformanceCounter$QueryPerformanceFrequency syscall returned zero, running on unsupported hardwarereflect.Value.Interface: cannot return value obtained from unexported field or methodQueryPerformanceFrequency overflow 32 bit divider, check nosplit discussion to proceedx509: fai$could not find GetSystemTimeAsFileTime() syscallparsing/packing of this type isn't available yetruntime.preemptM: duplicatehandle failed; errno=runtime: waitforsingleobject unexpected; result=runtime: waitforsingleobject wait_failed; errno=slice bounds out of $could not find QPC syscallsflag needs an argument: -%sgcstopm: not waiting for gcgrowslice: cap out of rangeinternal lockOSThread errorinvalid boolean flag %s: %vinvalid profile bucket typekey was rejected by servicemakechan: size out of rangemakeslice: cap ou$eryPerformanceFrequency
API String ID: 0-687299058
Opcode ID: 4419920072d2647d7a673bdd581c15e49c42f1d74108682a60daee2ad28e5c5b
Instruction ID: 65fd52d4fb3efccff93948277f6073b609118534af2113581920653087e2c3be
Opcode Fuzzy Hash: 4419920072d2647d7a673bdd581c15e49c42f1d74108682a60daee2ad28e5c5b
Instruction Fuzzy Hash: 6B9168716193158FD754EF68C88065EBBF1BB88300F54892DF89897390EB70E949DBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00D578B0, Relevance: 10.2, Strings: 8, Instructions: 194COMMON

Download Yara Rule

Strings

1, xrefs: 00D57B99
value method xadd64 failedxchg64 failed}sched={pc: but progSize nmidlelocked= on zero Value out of range procedure in to finalizer untyped args -thread limit1907348632812595367431640625: extra text: CertCloseStoreCoInitializeExCoUninitializeControlServi, xrefs: 00D579F0
panicwrap: unexpected string after package name: reflect.Value.Slice: slice of unaddressable arrayruntime: unexpected waitm - semaphore out of syncs.allocCount != s.nelems && freeIndex == s.nelemsslice bounds out of range [::%x] with capacity %ystrconv: intern, xrefs: 00D57B8F
called using nil *, g->atomicstatus=, gp->atomicstatus=149011611938476562520060102150405Z07007450580596923828125Altai Standard TimeBahia Standard TimeCanadian_AboriginalChina Standard TimeCreateSymbolicLinkWCryptReleaseContextEgypt Standard TimeGC work not f, xrefs: 00D57A76
panicwrap: no ) in reflect.Value.Fieldreflect.Value.Floatreflect.Value.Indexreflect.Value.IsNilreflect.Value.Sliceruntime: g0 stack [runtime: pcdata is runtime: preempt g0semaRoot rotateLeftskip this directorystopm holding lockssysMemStat overflowtime: unknown, xrefs: 00D57B4D
panicwrap: unexpected string after type name: reflect.Value.Slice: slice index out of boundsreflect: nil type passed to Type.ConvertibleToreleased less than one physical page of memoryruntime: failed to create new OS thread (have runtime: name offset base poin, xrefs: 00D57B09
pointer stack=[ status %!Month(.crypted2.5.4.102.5.4.112.5.4.1748828125AcceptExArmenianBalineseBopomofoBugineseCancelIoCherokeeClassANYCyrillicDEK-InfoDecemberDuployanEqualSidEthiopicExtenderFebruaryFullPathGeorgianGoStringGujaratiGurmukhiHiraganaJavaneseKata, xrefs: 00D57A9C
panicwrap: no ( in panicwrap: no ) in reflect.Value.Fieldreflect.Value.Floatreflect.Value.Indexreflect.Value.IsNilreflect.Value.Sliceruntime: g0 stack [runtime: pcdata is runtime: preempt g0semaRoot rotateLeftskip this directorystopm holding lockssysMemStat ov, xrefs: 00D57BDE

Memory Dump Source

Source File: 00000000.00000002.661933456.0000000000D51000.00000020.00020000.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.661927136.0000000000D50000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.662082442.0000000000E53000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.662217305.0000000000F3E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662222778.0000000000F44000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.662233308.0000000000F56000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662236659.0000000000F57000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.662240097.0000000000F59000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662243272.0000000000F5F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662246441.0000000000F63000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662249429.0000000000F77000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662252544.0000000000F7A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662256348.0000000000F7D000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.662259273.0000000000F7E000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: called using nil *, g->atomicstatus=, gp->atomicstatus=149011611938476562520060102150405Z07007450580596923828125Altai Standard TimeBahia Standard TimeCanadian_AboriginalChina Standard TimeCreateSymbolicLinkWCryptReleaseContextEgypt Standard TimeGC work not f$ pointer stack=[ status %!Month(.crypted2.5.4.102.5.4.112.5.4.1748828125AcceptExArmenianBalineseBopomofoBugineseCancelIoCherokeeClassANYCyrillicDEK-InfoDecemberDuployanEqualSidEthiopicExtenderFebruaryFullPathGeorgianGoStringGujaratiGurmukhiHiraganaJavaneseKata$1$panicwrap: no ( in panicwrap: no ) in reflect.Value.Fieldreflect.Value.Floatreflect.Value.Indexreflect.Value.IsNilreflect.Value.Sliceruntime: g0 stack [runtime: pcdata is runtime: preempt g0semaRoot rotateLeftskip this directorystopm holding lockssysMemStat ov$panicwrap: no ) in reflect.Value.Fieldreflect.Value.Floatreflect.Value.Indexreflect.Value.IsNilreflect.Value.Sliceruntime: g0 stack [runtime: pcdata is runtime: preempt g0semaRoot rotateLeftskip this directorystopm holding lockssysMemStat overflowtime: unknown$panicwrap: unexpected string after package name: reflect.Value.Slice: slice of unaddressable arrayruntime: unexpected waitm - semaphore out of syncs.allocCount != s.nelems && freeIndex == s.nelemsslice bounds out of range [::%x] with capacity %ystrconv: intern$panicwrap: unexpected string after type name: reflect.Value.Slice: slice index out of boundsreflect: nil type passed to Type.ConvertibleToreleased less than one physical page of memoryruntime: failed to create new OS thread (have runtime: name offset base poin$value method xadd64 failedxchg64 failed}sched={pc: but progSize nmidlelocked= on zero Value out of range procedure in to finalizer untyped args -thread limit1907348632812595367431640625: extra text: CertCloseStoreCoInitializeExCoUninitializeControlServi
API String ID: 0-2138095571
Opcode ID: 3f10086f0a1b0e2c3f3b38a72772c0f4235a6f8c99225e2ebbdd12642b34e615
Instruction ID: 932085bc747e37a8074b0b793eb99430d9056c2acc5911e59ab0bb1cf6b848c4
Opcode Fuzzy Hash: 3f10086f0a1b0e2c3f3b38a72772c0f4235a6f8c99225e2ebbdd12642b34e615
Instruction Fuzzy Hash: 22919DB490C7418FC728EF25D09169EBBE1FB88300F50892DE8D987351DB74A948CF62

Uniqueness

Uniqueness Score: -1.00%

Function 00D94F30, Relevance: 9.1, Strings: 7, Instructions: 360COMMON

Download Yara Rule

Strings

bad symbol tablebinary.BigEndiancastogscanstatuscontext canceleddivision by zerogc: unswept spangcshrinkstackoffinteger overflowinvalid argumentinvalid exchangeinvalid g statusinvalid spdelta length too largemSpanList.insertmSpanList.removemessage too longmiss, xrefs: 00D95240, 00D95417
args stack map entries for 18189894035458564758300781259094947017729282379150390625Aus Central W. Standard TimeCanada Central Standard TimeCen. Australia Standard TimeCentral Europe Standard TimeCertCreateCertificateContextEnglish name for time zone "FindFirs, xrefs: 00D951D1
(targetpc= KiB work, freeindex= gcwaiting= heap_live= idleprocs= in status mallocing= ms clock, nBSSRoots= p->status= s.nelems= schedtick= span.list= timerslen=%!(BADPREC), elemsize=, npages = /dev/stderr/dev/stdout30517578125: frame.sp=AES-128-CBCAES-192, xrefs: 00D951FB, 00D953D2
runtime: pcdata is runtime: preempt g0semaRoot rotateLeftskip this directorystopm holding lockssysMemStat overflowtime: unknown unit too many open filesunexpected g statusunknown Go type: %vunknown hash value unknown wait reasonwinmm.dll not foundzero length s, xrefs: 00D9517B, 00D95352
locals stack map entries for 227373675443232059478759765625Central European Standard TimeCentral Standard Time (Mexico)CertDeleteCertificateFromStoreE. South America Standard TimeEastern Standard Time (Mexico)GODEBUG: unknown cpu feature "GetProcessPreferredU, xrefs: 00D953A8
runtime: frame runtime: max = runtime: min = runtimer: bad pscan missed a gstartm: m has pstopm holding p already; errno= mheap.sweepgen= not in ranges: untyped locals , not a function0123456789ABCDEF0123456789abcdef2384185791015625: value of type AddDllDirec, xrefs: 00D95289, 00D95459
untyped args -thread limit1907348632812595367431640625: extra text: CertCloseStoreCoInitializeExCoUninitializeControlServiceCreateEventExWCreateMutexExWCreateProcessWCreateServiceWCryptGenRandomFindFirstFileWFormatMessageWGC assist waitGC worker initGetConso, xrefs: 00D952B3

Memory Dump Source

Source File: 00000000.00000002.661933456.0000000000D51000.00000020.00020000.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.661927136.0000000000D50000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.662082442.0000000000E53000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.662217305.0000000000F3E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662222778.0000000000F44000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.662233308.0000000000F56000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662236659.0000000000F57000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.662240097.0000000000F59000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662243272.0000000000F5F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662246441.0000000000F63000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662249429.0000000000F77000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662252544.0000000000F7A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662256348.0000000000F7D000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.662259273.0000000000F7E000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: (targetpc= KiB work, freeindex= gcwaiting= heap_live= idleprocs= in status mallocing= ms clock, nBSSRoots= p->status= s.nelems= schedtick= span.list= timerslen=%!(BADPREC), elemsize=, npages = /dev/stderr/dev/stdout30517578125: frame.sp=AES-128-CBCAES-192$ args stack map entries for 18189894035458564758300781259094947017729282379150390625Aus Central W. Standard TimeCanada Central Standard TimeCen. Australia Standard TimeCentral Europe Standard TimeCertCreateCertificateContextEnglish name for time zone "FindFirs$ locals stack map entries for 227373675443232059478759765625Central European Standard TimeCentral Standard Time (Mexico)CertDeleteCertificateFromStoreE. South America Standard TimeEastern Standard Time (Mexico)GODEBUG: unknown cpu feature "GetProcessPreferredU$ untyped args -thread limit1907348632812595367431640625: extra text: CertCloseStoreCoInitializeExCoUninitializeControlServiceCreateEventExWCreateMutexExWCreateProcessWCreateServiceWCryptGenRandomFindFirstFileWFormatMessageWGC assist waitGC worker initGetConso$bad symbol tablebinary.BigEndiancastogscanstatuscontext canceleddivision by zerogc: unswept spangcshrinkstackoffinteger overflowinvalid argumentinvalid exchangeinvalid g statusinvalid spdelta length too largemSpanList.insertmSpanList.removemessage too longmiss$runtime: frame runtime: max = runtime: min = runtimer: bad pscan missed a gstartm: m has pstopm holding p already; errno= mheap.sweepgen= not in ranges: untyped locals , not a function0123456789ABCDEF0123456789abcdef2384185791015625: value of type AddDllDirec$runtime: pcdata is runtime: preempt g0semaRoot rotateLeftskip this directorystopm holding lockssysMemStat overflowtime: unknown unit too many open filesunexpected g statusunknown Go type: %vunknown hash value unknown wait reasonwinmm.dll not foundzero length s
API String ID: 0-2007095364
Opcode ID: 55a6408d6f886151278b79d3caec83db471f1b98de2d18f8b62d7d52573b8824
Instruction ID: 3507a02b2d2b679d962171842ad75489f51a5c6f88000f2637ef157c18da9921
Opcode Fuzzy Hash: 55a6408d6f886151278b79d3caec83db471f1b98de2d18f8b62d7d52573b8824
Instruction Fuzzy Hash: 98F1D3B45097059FC744EF68D18462EBBE0FF88744F41892DE88987352EB74E885DFA2

Uniqueness

Uniqueness Score: -1.00%

Function 00D72DB0, Relevance: 9.0, Strings: 7, Instructions: 275COMMON

Download Yara Rule

Strings

mheap.freeSpanLocked - invalid span statemheap.freeSpanLocked - invalid stack freeobjects added out of order or overlappingreflect.Value.Addr of unaddressable valuereflect: FieldByIndex of non-struct type runtime.SetFinalizer: second argument is runtime: block, xrefs: 00D731E9
mheap.freeSpanLocked - span missing stack in shrinkstackmspan.sweep: m is not lockednewproc1: new g is not Gdeadnewproc1: newg missing stackos: process already finishedprotocol driver not attachedreflect.MakeSlice: len > capreflect: In of non-func typeregion e, xrefs: 00D730E5
), xrefs: 00D731F2
mheap.freeSpanLocked - invalid freenetwork dropped connection on resetno such multicast network interfacepersistentalloc: align is too largepidleput: P has non-empty run queuereflect.MakeSlice of non-slice typeruntime: close polldesc w/o unblockruntime: create, xrefs: 00D731BD
mheap.freeSpanLocked - invalid stack freeobjects added out of order or overlappingreflect.Value.Addr of unaddressable valuereflect: FieldByIndex of non-struct type runtime.SetFinalizer: second argument is runtime: blocked read on closing polldescruntime: typeB, xrefs: 00D731D3
allocCount found at *( gcscandone m->gsignal= minTrigger= nDataRoots= nSpanRoots= pages/byte preemptoff= s.elemsize= s.sweepgen= span.limit= span.state= sysmonwait= wbuf1=<nil> wbuf2=<nil>$recycle.bin%!(BADWIDTH)) p->status=-byte limit15258789062576293945, xrefs: 00D73131
sweepgen sweepgen= targetpc= throwing= until pc=%!(NOVERB)%!Weekday((BADINDEX), bound = , limit = /dev/stdin12207031256103515625: parsing AdditionalBad varintCancelIoExChorasmianClassCHAOSClassCSNETCreateFileCreatePipeDeprecatedDevanagariDnsQuery_WException , xrefs: 00D7315F

Memory Dump Source

Source File: 00000000.00000002.661933456.0000000000D51000.00000020.00020000.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.661927136.0000000000D50000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.662082442.0000000000E53000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.662217305.0000000000F3E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662222778.0000000000F44000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.662233308.0000000000F56000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662236659.0000000000F57000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.662240097.0000000000F59000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662243272.0000000000F5F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662246441.0000000000F63000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662249429.0000000000F77000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662252544.0000000000F7A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662256348.0000000000F7D000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.662259273.0000000000F7E000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: allocCount found at *( gcscandone m->gsignal= minTrigger= nDataRoots= nSpanRoots= pages/byte preemptoff= s.elemsize= s.sweepgen= span.limit= span.state= sysmonwait= wbuf1=<nil> wbuf2=<nil>$recycle.bin%!(BADWIDTH)) p->status=-byte limit15258789062576293945$ sweepgen sweepgen= targetpc= throwing= until pc=%!(NOVERB)%!Weekday((BADINDEX), bound = , limit = /dev/stdin12207031256103515625: parsing AdditionalBad varintCancelIoExChorasmianClassCHAOSClassCSNETCreateFileCreatePipeDeprecatedDevanagariDnsQuery_WException $)$mheap.freeSpanLocked - invalid freenetwork dropped connection on resetno such multicast network interfacepersistentalloc: align is too largepidleput: P has non-empty run queuereflect.MakeSlice of non-slice typeruntime: close polldesc w/o unblockruntime: create$mheap.freeSpanLocked - invalid span statemheap.freeSpanLocked - invalid stack freeobjects added out of order or overlappingreflect.Value.Addr of unaddressable valuereflect: FieldByIndex of non-struct type runtime.SetFinalizer: second argument is runtime: block$mheap.freeSpanLocked - invalid stack freeobjects added out of order or overlappingreflect.Value.Addr of unaddressable valuereflect: FieldByIndex of non-struct type runtime.SetFinalizer: second argument is runtime: blocked read on closing polldescruntime: typeB$mheap.freeSpanLocked - span missing stack in shrinkstackmspan.sweep: m is not lockednewproc1: new g is not Gdeadnewproc1: newg missing stackos: process already finishedprotocol driver not attachedreflect.MakeSlice: len > capreflect: In of non-func typeregion e
API String ID: 0-71101806
Opcode ID: 323ced6b4fe6e495022dcb4c1cc7008811094034151048d8125325d5a2fbd4d2
Instruction ID: 428e6c6aae4de9d6e7d2188351886f1de16f5e2ffb5c3694a5c8e6f5bfde3b94
Opcode Fuzzy Hash: 323ced6b4fe6e495022dcb4c1cc7008811094034151048d8125325d5a2fbd4d2
Instruction Fuzzy Hash: 42C127742097448FC344EF28C194B6ABBE1FF89700F45896DF8898B392E734D949DB62

Uniqueness

Uniqueness Score: -1.00%

Function 00D6F3F0, Relevance: 9.0, Strings: 7, Instructions: 242COMMON

Download Yara Rule

Strings

MB during sweep; swept Marquesas Standard TimeMauritius Standard TimeNoncharacter_Code_PointNtSetInformationProcessQueryServiceLockStatusWQyzylorda Standard TimeRegNotifyChangeKeyValueSetEnvironmentVariableWSetInformationJobObjectSetKernelObjectSecuritySetName, xrefs: 00D6F617
pacer: sweep done at heap size pattern contains path separatorreflect.MakeSlice: negative capreflect.MakeSlice: negative lenreflect: Len of non-array type reflect: NumIn of non-func typeresetspinning: not a spinning mruntime: cannot allocate memoryruntime: fai, xrefs: 00D6F599
pages/byte preemptoff= s.elemsize= s.sweepgen= span.limit= span.state= sysmonwait= wbuf1=<nil> wbuf2=<nil>$recycle.bin%!(BADWIDTH)) p->status=-byte limit152587890625762939453125Bidi_ControlCoCreateGuidCreateEventWCreateMutexWDES-EDE3-CBCFindNextFileGetAddrI, xrefs: 00D6F667
runtime: bad span s.state=segment prefix is reservedshrinking stack in libcallstartlockedm: locked to metruncated base 128 integer is not assignable to type 363797880709171295166015625AddVectoredContinueHandler, xrefs: 00D6F752
pages at runqsize= runqueue= s.base()= spinning= stopwait= sweepgen sweepgen= targetpc= throwing= until pc=%!(NOVERB)%!Weekday((BADINDEX), bound = , limit = /dev/stdin12207031256103515625: parsing AdditionalBad varintCancelIoExChorasmianClassCHAOSClassCSNET, xrefs: 00D6F641
non in-use span in unswept listpacer: sweep done at heap size pattern contains path separatorreflect.MakeSlice: negative capreflect.MakeSlice: negative lenreflect: Len of non-array type reflect: NumIn of non-func typeresetspinning: not a spinning mruntime: can, xrefs: 00D6F7DE
MB; allocated MakeAbsoluteSDNetUserGetInfoOpenSCManagerWOther_ID_StartPattern_SyntaxProcess32NextWQuotation_MarkRCodeNameErrorRegSetValueExWSetConsoleModeSetFilePointerSetThreadTokenSizeofResourceTranslateNameWVirtualProtectallocfreetracebad allocCountbad span, xrefs: 00D6F5D0

Memory Dump Source

Source File: 00000000.00000002.661933456.0000000000D51000.00000020.00020000.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.661927136.0000000000D50000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.662082442.0000000000E53000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.662217305.0000000000F3E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662222778.0000000000F44000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.662233308.0000000000F56000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662236659.0000000000F57000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.662240097.0000000000F59000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662243272.0000000000F5F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662246441.0000000000F63000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662249429.0000000000F77000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662252544.0000000000F7A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662256348.0000000000F7D000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.662259273.0000000000F7E000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: pages at runqsize= runqueue= s.base()= spinning= stopwait= sweepgen sweepgen= targetpc= throwing= until pc=%!(NOVERB)%!Weekday((BADINDEX), bound = , limit = /dev/stdin12207031256103515625: parsing AdditionalBad varintCancelIoExChorasmianClassCHAOSClassCSNET$ pages/byte preemptoff= s.elemsize= s.sweepgen= span.limit= span.state= sysmonwait= wbuf1=<nil> wbuf2=<nil>$recycle.bin%!(BADWIDTH)) p->status=-byte limit152587890625762939453125Bidi_ControlCoCreateGuidCreateEventWCreateMutexWDES-EDE3-CBCFindNextFileGetAddrI$MB during sweep; swept Marquesas Standard TimeMauritius Standard TimeNoncharacter_Code_PointNtSetInformationProcessQueryServiceLockStatusWQyzylorda Standard TimeRegNotifyChangeKeyValueSetEnvironmentVariableWSetInformationJobObjectSetKernelObjectSecuritySetName$MB; allocated MakeAbsoluteSDNetUserGetInfoOpenSCManagerWOther_ID_StartPattern_SyntaxProcess32NextWQuotation_MarkRCodeNameErrorRegSetValueExWSetConsoleModeSetFilePointerSetThreadTokenSizeofResourceTranslateNameWVirtualProtectallocfreetracebad allocCountbad span$non in-use span in unswept listpacer: sweep done at heap size pattern contains path separatorreflect.MakeSlice: negative capreflect.MakeSlice: negative lenreflect: Len of non-array type reflect: NumIn of non-func typeresetspinning: not a spinning mruntime: can$pacer: sweep done at heap size pattern contains path separatorreflect.MakeSlice: negative capreflect.MakeSlice: negative lenreflect: Len of non-array type reflect: NumIn of non-func typeresetspinning: not a spinning mruntime: cannot allocate memoryruntime: fai$runtime: bad span s.state=segment prefix is reservedshrinking stack in libcallstartlockedm: locked to metruncated base 128 integer is not assignable to type 363797880709171295166015625AddVectoredContinueHandler
API String ID: 0-175177115
Opcode ID: dea629858a1bfb1070879edbe1bc9888ec47da6f306d678b965c69c173ad92c2
Instruction ID: e4455ca49b322fc5b17c6b480b439334aed42bcf26989555f3f26a9731046b36
Opcode Fuzzy Hash: dea629858a1bfb1070879edbe1bc9888ec47da6f306d678b965c69c173ad92c2
Instruction Fuzzy Hash: 23B1E4B45097058FC704EF28D581A6ABBE0FF88740F44896DF89987361EB34D989DB62

Uniqueness

Uniqueness Score: -1.00%

Function 00D60A30, Relevance: 8.9, Strings: 7, Instructions: 144COMMON

Download Yara Rule

Strings

), xrefs: 00D60C6C
but memory size because dotdotdot to non-Go memory , locked to thread298023223876953125: day out of rangeArab Standard TimeCaucasian_AlbanianCertGetNameStringWCloseServiceHandleCommandLineToArgvWCreateFileMappingWCreateWellKnownSidCryptUnprotectDataCuba Sta, xrefs: 00D60C19
with GC prog,M3.2.0,M11.1.00601021504Z0700476837158203125: cannot parse <invalid Value>ASCII_Hex_DigitAddDllDirectoryCLSIDFromStringCreateHardLinkWDeviceIoControlDuplicateHandleFailed to find Failed to load FindNextVolumeWFindVolumeCloseFlushViewOfFileGetAd, xrefs: 00D60B6D
runtime: invalid typeBitsBulkBarrierruntime: marked free object in span runtime: mcall called on m->g0 stackruntime: sudog with non-nil waitlinkruntime: unblock on closing polldescruntime: wrong goroutine in newstackstrings.Builder.Grow: negative countsyntax e, xrefs: 00D60B88, 00D60C4D
runtime: typeBitsBulkBarrier with type x509: trailing data after DSA parametersx509: trailing data after DSA public keyx509: trailing data after RSA public key34694469519536141888238489627838134765625MapIter.Next called on exhausted iteratorasn1: internal err, xrefs: 00D60B43, 00D60BC5
runtime: typeBitsBulkBarrier without typestopTheWorld: not stopped (stopwait != 0)strconv: illegal AppendInt/FormatInt baseunexpected call to os.Exit(0) during test173472347597680709441192448139190673828125867361737988403547205962240695953369140625MapIter.Valu, xrefs: 00D60C63
of size (targetpc= KiB work, freeindex= gcwaiting= heap_live= idleprocs= in status mallocing= ms clock, nBSSRoots= p->status= s.nelems= schedtick= span.list= timerslen=%!(BADPREC), elemsize=, npages = /dev/stderr/dev/stdout30517578125: frame.sp=AES-128, xrefs: 00D60BEF

Memory Dump Source

Source File: 00000000.00000002.661933456.0000000000D51000.00000020.00020000.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.661927136.0000000000D50000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.662082442.0000000000E53000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.662217305.0000000000F3E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662222778.0000000000F44000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.662233308.0000000000F56000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662236659.0000000000F57000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.662240097.0000000000F59000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662243272.0000000000F5F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662246441.0000000000F63000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662249429.0000000000F77000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662252544.0000000000F7A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662256348.0000000000F7D000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.662259273.0000000000F7E000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: but memory size because dotdotdot to non-Go memory , locked to thread298023223876953125: day out of rangeArab Standard TimeCaucasian_AlbanianCertGetNameStringWCloseServiceHandleCommandLineToArgvWCreateFileMappingWCreateWellKnownSidCryptUnprotectDataCuba Sta$ of size (targetpc= KiB work, freeindex= gcwaiting= heap_live= idleprocs= in status mallocing= ms clock, nBSSRoots= p->status= s.nelems= schedtick= span.list= timerslen=%!(BADPREC), elemsize=, npages = /dev/stderr/dev/stdout30517578125: frame.sp=AES-128$ with GC prog,M3.2.0,M11.1.00601021504Z0700476837158203125: cannot parse <invalid Value>ASCII_Hex_DigitAddDllDirectoryCLSIDFromStringCreateHardLinkWDeviceIoControlDuplicateHandleFailed to find Failed to load FindNextVolumeWFindVolumeCloseFlushViewOfFileGetAd$)$runtime: invalid typeBitsBulkBarrierruntime: marked free object in span runtime: mcall called on m->g0 stackruntime: sudog with non-nil waitlinkruntime: unblock on closing polldescruntime: wrong goroutine in newstackstrings.Builder.Grow: negative countsyntax e$runtime: typeBitsBulkBarrier with type x509: trailing data after DSA parametersx509: trailing data after DSA public keyx509: trailing data after RSA public key34694469519536141888238489627838134765625MapIter.Next called on exhausted iteratorasn1: internal err$runtime: typeBitsBulkBarrier without typestopTheWorld: not stopped (stopwait != 0)strconv: illegal AppendInt/FormatInt baseunexpected call to os.Exit(0) during test173472347597680709441192448139190673828125867361737988403547205962240695953369140625MapIter.Valu
API String ID: 0-2032207058
Opcode ID: 2038b667cfb01991074e09cbfb8fbfebcdbacdd9e809600862839907a6de430c
Instruction ID: 9fb5b69762700e13b7d99048200c07fad8c8dbbbb7ebf9480e7a509dbe47cc9f
Opcode Fuzzy Hash: 2038b667cfb01991074e09cbfb8fbfebcdbacdd9e809600862839907a6de430c
Instruction Fuzzy Hash: FC51D4B45097058FC340EF64C19462ABBE0FF88708F45886DE8C89B352E738D945DBB2

Uniqueness

Uniqueness Score: -1.00%

Function 00D5AC50, Relevance: 8.9, Strings: 7, Instructions: 119COMMON

Download Yara Rule

Strings

1, xrefs: 00D5AE3C
s.nelems= schedtick= span.list= timerslen=%!(BADPREC), elemsize=, npages = /dev/stderr/dev/stdout30517578125: frame.sp=AES-128-CBCAES-192-CBCAES-256-CBCBLAKE2b-256BLAKE2b-384BLAKE2b-512BLAKE2s-256ClassHESIODCloseHandleCoGetObjectCreateFileWDeleteFileWDives_A, xrefs: 00D5AD63, 00D5ADFF
freeIndex is not validgetenv before env initheadTailIndex overflowinteger divide by zerointerface conversion: internal inconsistencyinvalid number base %dis encrypted pem blockkernel32.dll not foundminpc or maxpc invalidnetwork is unreachablenon-Go function at, xrefs: 00D5ADAD
runtime: s.allocCount= s.allocCount > s.nelemsschedule: holding lockssegment length too longshrinkstack at bad timespan has no free stacksstack growth after forksyntax error in patternsystem huge page size (time: invalid duration too many pointers (>10)truncat, xrefs: 00D5ADD1
s.allocCount != s.nelems && freeIndex == s.nelemsslice bounds out of range [::%x] with capacity %ystrconv: internal error, rest != 0 but needed > 0strconv: num > den<<shift in adjustLastDigitFixedstrings.Reader.UnreadByte: at beginning of stringx509: Ed25519 k, xrefs: 00D5AE33
s.allocCount= semaRoot queuestack overflowstopm spinningstore64 failedsync.Cond.Waittext file busytimeEndPeriod, xrefs: 00D5AD35
s.allocCount > s.nelemsschedule: holding lockssegment length too longshrinkstack at bad timespan has no free stacksstack growth after forksyntax error in patternsystem huge page size (time: invalid duration too many pointers (>10)truncated tag or lengthwork.nw, xrefs: 00D5AD97

Memory Dump Source

Source File: 00000000.00000002.661933456.0000000000D51000.00000020.00020000.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.661927136.0000000000D50000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.662082442.0000000000E53000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.662217305.0000000000F3E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662222778.0000000000F44000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.662233308.0000000000F56000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662236659.0000000000F57000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.662240097.0000000000F59000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662243272.0000000000F5F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662246441.0000000000F63000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662249429.0000000000F77000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662252544.0000000000F7A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662256348.0000000000F7D000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.662259273.0000000000F7E000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: s.nelems= schedtick= span.list= timerslen=%!(BADPREC), elemsize=, npages = /dev/stderr/dev/stdout30517578125: frame.sp=AES-128-CBCAES-192-CBCAES-256-CBCBLAKE2b-256BLAKE2b-384BLAKE2b-512BLAKE2s-256ClassHESIODCloseHandleCoGetObjectCreateFileWDeleteFileWDives_A$1$freeIndex is not validgetenv before env initheadTailIndex overflowinteger divide by zerointerface conversion: internal inconsistencyinvalid number base %dis encrypted pem blockkernel32.dll not foundminpc or maxpc invalidnetwork is unreachablenon-Go function at$runtime: s.allocCount= s.allocCount > s.nelemsschedule: holding lockssegment length too longshrinkstack at bad timespan has no free stacksstack growth after forksyntax error in patternsystem huge page size (time: invalid duration too many pointers (>10)truncat$s.allocCount != s.nelems && freeIndex == s.nelemsslice bounds out of range [::%x] with capacity %ystrconv: internal error, rest != 0 but needed > 0strconv: num > den<<shift in adjustLastDigitFixedstrings.Reader.UnreadByte: at beginning of stringx509: Ed25519 k$s.allocCount > s.nelemsschedule: holding lockssegment length too longshrinkstack at bad timespan has no free stacksstack growth after forksyntax error in patternsystem huge page size (time: invalid duration too many pointers (>10)truncated tag or lengthwork.nw$s.allocCount= semaRoot queuestack overflowstopm spinningstore64 failedsync.Cond.Waittext file busytimeEndPeriod
API String ID: 0-4268851145
Opcode ID: 1321df617f71e92ee12b204eae2179fd475d1da1d1541fb848ab583047c58e96
Instruction ID: 909c9427bd20825b9f0ca32e62438f3386d4ada7d654d26d3b9c7b1be08e77b4
Opcode Fuzzy Hash: 1321df617f71e92ee12b204eae2179fd475d1da1d1541fb848ab583047c58e96
Instruction Fuzzy Hash: DC51C2B45087509FC744EF69C19122EBBE0FF88715F50896DE8C987242E738D94ADB72

Uniqueness

Uniqueness Score: -1.00%

Function 00D69640, Relevance: 8.9, Strings: 7, Instructions: 114COMMON

Download Yara Rule

Strings

left over markroot jobsmakechan: bad alignmentmissing type in runfinqnanotime returning zerono space left on deviceoperation not permittedoperation not supportedpanic during preemptoffprocresize: invalid argreflect.Value.Interfacereflect.Value.NumMethodreflect, xrefs: 00D69819
of on pc= sp: sp=) = ) m=+Inf-Inf3125: p=ACDTACSTAEDTAESTAKDTAKSTAWSTAhomAtoiCESTChamDashEESTGOGCJulyJuneLEAFLisuMiaoModiNZDTNZSTNewaSASTStatThaim=] = ] n=allgallpasn1avx2basebindbmi1bmi2boolbootcallcas1cas2cas3cas4cas5cas6chandeadermsfileftpsfunchourhttp, xrefs: 00D697D4
goid jobs= list= m->p= next= p->m= prev= span=% util(...), i = , not 390625<-chanAnswerArabicAugustBrahmiCarianChakmaCommonCopticFormatFridayGOROOTGetACPGothicHangulHatranHebrewHyphenKaithiKhojkiLepchaLycianLydianMondayRejangSCHED STREETStringSundaySyriacTa, xrefs: 00D69717
markroot jobs done to unallocated span37252902984619140625Arabic Standard TimeAzores Standard TimeCertFindChainInStoreCertOpenSystemStoreWChangeServiceConfigWCheckTokenMembershipCreateProcessAsUserWCryptAcquireContextWEgyptian_HieroglyphsGetAcceptExSockaddrs, xrefs: 00D697FE
status %!Month(.crypted2.5.4.102.5.4.112.5.4.1748828125AcceptExArmenianBalineseBopomofoBugineseCancelIoCherokeeClassANYCyrillicDEK-InfoDecemberDuployanEqualSidEthiopicExtenderFebruaryFullPathGeorgianGoStringGujaratiGurmukhiHiraganaJavaneseKatakanaKayah_LiLine, xrefs: 00D69741
gcscandone m->gsignal= minTrigger= nDataRoots= nSpanRoots= pages/byte preemptoff= s.elemsize= s.sweepgen= span.limit= span.state= sysmonwait= wbuf1=<nil> wbuf2=<nil>$recycle.bin%!(BADWIDTH)) p->status=-byte limit152587890625762939453125Bidi_ControlCoCreate, xrefs: 00D6976B
scan missed a gstartm: m has pstopm holding p already; errno= mheap.sweepgen= not in ranges: untyped locals , not a function0123456789ABCDEF0123456789abcdef2384185791015625: value of type AddDllDirectory, xrefs: 00D69798

Memory Dump Source

Source File: 00000000.00000002.661933456.0000000000D51000.00000020.00020000.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.661927136.0000000000D50000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.662082442.0000000000E53000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.662217305.0000000000F3E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662222778.0000000000F44000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.662233308.0000000000F56000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662236659.0000000000F57000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.662240097.0000000000F59000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662243272.0000000000F5F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662246441.0000000000F63000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662249429.0000000000F77000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662252544.0000000000F7A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662256348.0000000000F7D000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.662259273.0000000000F7E000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: gcscandone m->gsignal= minTrigger= nDataRoots= nSpanRoots= pages/byte preemptoff= s.elemsize= s.sweepgen= span.limit= span.state= sysmonwait= wbuf1=<nil> wbuf2=<nil>$recycle.bin%!(BADWIDTH)) p->status=-byte limit152587890625762939453125Bidi_ControlCoCreate$ goid jobs= list= m->p= next= p->m= prev= span=% util(...), i = , not 390625<-chanAnswerArabicAugustBrahmiCarianChakmaCommonCopticFormatFridayGOROOTGetACPGothicHangulHatranHebrewHyphenKaithiKhojkiLepchaLycianLydianMondayRejangSCHED STREETStringSundaySyriacTa$ markroot jobs done to unallocated span37252902984619140625Arabic Standard TimeAzores Standard TimeCertFindChainInStoreCertOpenSystemStoreWChangeServiceConfigWCheckTokenMembershipCreateProcessAsUserWCryptAcquireContextWEgyptian_HieroglyphsGetAcceptExSockaddrs$ of on pc= sp: sp=) = ) m=+Inf-Inf3125: p=ACDTACSTAEDTAESTAKDTAKSTAWSTAhomAtoiCESTChamDashEESTGOGCJulyJuneLEAFLisuMiaoModiNZDTNZSTNewaSASTStatThaim=] = ] n=allgallpasn1avx2basebindbmi1bmi2boolbootcallcas1cas2cas3cas4cas5cas6chandeadermsfileftpsfunchourhttp$ status %!Month(.crypted2.5.4.102.5.4.112.5.4.1748828125AcceptExArmenianBalineseBopomofoBugineseCancelIoCherokeeClassANYCyrillicDEK-InfoDecemberDuployanEqualSidEthiopicExtenderFebruaryFullPathGeorgianGoStringGujaratiGurmukhiHiraganaJavaneseKatakanaKayah_LiLine$left over markroot jobsmakechan: bad alignmentmissing type in runfinqnanotime returning zerono space left on deviceoperation not permittedoperation not supportedpanic during preemptoffprocresize: invalid argreflect.Value.Interfacereflect.Value.NumMethodreflect$scan missed a gstartm: m has pstopm holding p already; errno= mheap.sweepgen= not in ranges: untyped locals , not a function0123456789ABCDEF0123456789abcdef2384185791015625: value of type AddDllDirectory
API String ID: 0-3919364974
Opcode ID: a1da3fae08e261eb81e092c132e4d3e673a18fa43e4f69f40b03a428548ef27b
Instruction ID: 98ae30eb54597031efba78c54f1894620eb39ef71a3108cc75221cfea5a69b7c
Opcode Fuzzy Hash: a1da3fae08e261eb81e092c132e4d3e673a18fa43e4f69f40b03a428548ef27b
Instruction Fuzzy Hash: 5351CEB44097059FC344FF64D19566ABBE4FF88340F01882DE8D887352EB389989DBB2

Uniqueness

Uniqueness Score: -1.00%

Function 00D84A90, Relevance: 8.8, Strings: 7, Instructions: 98COMMON

Download Yara Rule

Strings

, newval=, oldval=, size = , tail = -07:00:00244140625: status=AuthorityBassa_VahBhaiksukiBigEndianClassINETCuneiformDiacriticFindCloseHex_DigitInheritedInterfaceKhudawadiLocalFreeMalayalamMongolianMoveFileWNabataeanPalmyreneParseBoolParseUintSamaritanSeptembe, xrefs: 00D84B4A, 00D84BF1
casfrom_Gscanstatus: gp->status is not in scan statecrypto/rsa: message too long for RSA public key sizemallocgc called without a P or outside bootstrappingruntime.SetFinalizer: pointer not in allocated blockruntime: GetQueuedCompletionStatusEx failed (errno= , xrefs: 00D84B8A
casfrom_Gscanstatus:top gp->status is not in scan statecipher.NewCBCDecrypter: IV length must equal block sizecipher.NewCBCEncrypter: IV length must equal block sizegentraceback callback cannot be used with non-zero skipnewproc: function arguments too large fo, xrefs: 00D84C31
runtime: casfrom_Gscanstatus failed gp=runtime: function symbol table header: stack growth not allowed in system callsuspendG from non-preemptible goroutinetags don't match (%d vs %+v) %+v %s @%dtransport endpoint is already connected13877787807814456755295395, xrefs: 00D84AFE
runtime: casfrom_Gscanstatus bad oldval gp=runtime: heapBitsSetTypeGCProg: total bits runtime: releaseSudog with non-nil gp.paramruntime:stoplockedm: lockedg (atomicstatus=unfinished open-coded defers in deferreturnunknown runnable goroutine during bootstrap u, xrefs: 00D84BA5
, oldval=, size = , tail = -07:00:00244140625: status=AuthorityBassa_VahBhaiksukiBigEndianClassINETCuneiformDiacriticFindCloseHex_DigitInheritedInterfaceKhudawadiLocalFreeMalayalamMongolianMoveFileWNabataeanPalmyreneParseBoolParseUintSamaritanSeptemberSundanes, xrefs: 00D84B20, 00D84BC7
7, xrefs: 00D84C3A

Memory Dump Source

Source File: 00000000.00000002.661933456.0000000000D51000.00000020.00020000.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.661927136.0000000000D50000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.662082442.0000000000E53000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.662217305.0000000000F3E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662222778.0000000000F44000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.662233308.0000000000F56000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662236659.0000000000F57000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.662240097.0000000000F59000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662243272.0000000000F5F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662246441.0000000000F63000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662249429.0000000000F77000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662252544.0000000000F7A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662256348.0000000000F7D000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.662259273.0000000000F7E000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: , newval=, oldval=, size = , tail = -07:00:00244140625: status=AuthorityBassa_VahBhaiksukiBigEndianClassINETCuneiformDiacriticFindCloseHex_DigitInheritedInterfaceKhudawadiLocalFreeMalayalamMongolianMoveFileWNabataeanPalmyreneParseBoolParseUintSamaritanSeptembe$, oldval=, size = , tail = -07:00:00244140625: status=AuthorityBassa_VahBhaiksukiBigEndianClassINETCuneiformDiacriticFindCloseHex_DigitInheritedInterfaceKhudawadiLocalFreeMalayalamMongolianMoveFileWNabataeanPalmyreneParseBoolParseUintSamaritanSeptemberSundanes$7$casfrom_Gscanstatus: gp->status is not in scan statecrypto/rsa: message too long for RSA public key sizemallocgc called without a P or outside bootstrappingruntime.SetFinalizer: pointer not in allocated blockruntime: GetQueuedCompletionStatusEx failed (errno= $casfrom_Gscanstatus:top gp->status is not in scan statecipher.NewCBCDecrypter: IV length must equal block sizecipher.NewCBCEncrypter: IV length must equal block sizegentraceback callback cannot be used with non-zero skipnewproc: function arguments too large fo$runtime: casfrom_Gscanstatus bad oldval gp=runtime: heapBitsSetTypeGCProg: total bits runtime: releaseSudog with non-nil gp.paramruntime:stoplockedm: lockedg (atomicstatus=unfinished open-coded defers in deferreturnunknown runnable goroutine during bootstrap u$runtime: casfrom_Gscanstatus failed gp=runtime: function symbol table header: stack growth not allowed in system callsuspendG from non-preemptible goroutinetags don't match (%d vs %+v) %+v %s @%dtransport endpoint is already connected13877787807814456755295395
API String ID: 0-4108250
Opcode ID: bfee41de5dcabc1d7547fa79e6c4b725055d12639327ac46778b7634d883b42e
Instruction ID: 6af4062be7e6b335cb03ada616f6dff9fa0f58ae8bf5db0f4e05519696e14baf
Opcode Fuzzy Hash: bfee41de5dcabc1d7547fa79e6c4b725055d12639327ac46778b7634d883b42e
Instruction Fuzzy Hash: F441B2B45097018FC304FF68D18566EBBE4EF44748F41882DE4D89B252EB78D889DB72

Uniqueness

Uniqueness Score: -1.00%

Function 00D732B0, Relevance: 8.8, Strings: 7, Instructions: 82COMMON

Download Yara Rule

Strings

prev= span=% util(...), i = , not 390625<-chanAnswerArabicAugustBrahmiCarianChakmaCommonCopticFormatFridayGOROOTGetACPGothicHangulHatranHebrewHyphenKaithiKhojkiLepchaLycianLydianMondayRejangSCHED STREETStringSundaySyriacTai_LeTangutTeluguThaanaTypeMXTypeNSUT, xrefs: 00D73379
span.list= timerslen=%!(BADPREC), elemsize=, npages = /dev/stderr/dev/stdout30517578125: frame.sp=AES-128-CBCAES-192-CBCAES-256-CBCBLAKE2b-256BLAKE2b-384BLAKE2b-512BLAKE2s-256ClassHESIODCloseHandleCoGetObjectCreateFileWDeleteFileWDives_AkuruExitProcessFreeLib, xrefs: 00D7339B
runtime: failed mSpanList.remove span.npages=scavengeOne called with unaligned work regionx509: trailing data after ASN.1 of public-keyzero length explicit tag was not an asn1.Flag (bad use of unsafe.Pointer? try -d=checkptr)math/big: mismatched montgomery nu, xrefs: 00D7332D
list= m->p= next= p->m= prev= span=% util(...), i = , not 390625<-chanAnswerArabicAugustBrahmiCarianChakmaCommonCopticFormatFridayGOROOTGetACPGothicHangulHatranHebrewHyphenKaithiKhojkiLepchaLycianLydianMondayRejangSCHED STREETStringSundaySyriacTai_LeTangutTe, xrefs: 00D733BD
-, xrefs: 00D73336
mSpanList.removemessage too longmissing stackmapnewmHandoff.lockno route to hostnon-Go functionobject is remotepacer: H_m_prev=reflect mismatchremote I/O errorruntime: g: g=runtime: addr = runtime: base = runtime: gp: gp=runtime: head = runtime: nelems=sche, xrefs: 00D733E9
span=% util(...), i = , not 390625<-chanAnswerArabicAugustBrahmiCarianChakmaCommonCopticFormatFridayGOROOTGetACPGothicHangulHatranHebrewHyphenKaithiKhojkiLepchaLycianLydianMondayRejangSCHED STREETStringSundaySyriacTai_LeTangutTeluguThaanaTypeMXTypeNSUTC+12UT, xrefs: 00D73357

Memory Dump Source

Source File: 00000000.00000002.661933456.0000000000D51000.00000020.00020000.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.661927136.0000000000D50000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.662082442.0000000000E53000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.662217305.0000000000F3E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662222778.0000000000F44000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.662233308.0000000000F56000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662236659.0000000000F57000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.662240097.0000000000F59000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662243272.0000000000F5F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662246441.0000000000F63000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662249429.0000000000F77000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662252544.0000000000F7A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662256348.0000000000F7D000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.662259273.0000000000F7E000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: list= m->p= next= p->m= prev= span=% util(...), i = , not 390625<-chanAnswerArabicAugustBrahmiCarianChakmaCommonCopticFormatFridayGOROOTGetACPGothicHangulHatranHebrewHyphenKaithiKhojkiLepchaLycianLydianMondayRejangSCHED STREETStringSundaySyriacTai_LeTangutTe$ prev= span=% util(...), i = , not 390625<-chanAnswerArabicAugustBrahmiCarianChakmaCommonCopticFormatFridayGOROOTGetACPGothicHangulHatranHebrewHyphenKaithiKhojkiLepchaLycianLydianMondayRejangSCHED STREETStringSundaySyriacTai_LeTangutTeluguThaanaTypeMXTypeNSUT$ span.list= timerslen=%!(BADPREC), elemsize=, npages = /dev/stderr/dev/stdout30517578125: frame.sp=AES-128-CBCAES-192-CBCAES-256-CBCBLAKE2b-256BLAKE2b-384BLAKE2b-512BLAKE2s-256ClassHESIODCloseHandleCoGetObjectCreateFileWDeleteFileWDives_AkuruExitProcessFreeLib$ span=% util(...), i = , not 390625<-chanAnswerArabicAugustBrahmiCarianChakmaCommonCopticFormatFridayGOROOTGetACPGothicHangulHatranHebrewHyphenKaithiKhojkiLepchaLycianLydianMondayRejangSCHED STREETStringSundaySyriacTai_LeTangutTeluguThaanaTypeMXTypeNSUTC+12UT$-$mSpanList.removemessage too longmissing stackmapnewmHandoff.lockno route to hostnon-Go functionobject is remotepacer: H_m_prev=reflect mismatchremote I/O errorruntime: g: g=runtime: addr = runtime: base = runtime: gp: gp=runtime: head = runtime: nelems=sche$runtime: failed mSpanList.remove span.npages=scavengeOne called with unaligned work regionx509: trailing data after ASN.1 of public-keyzero length explicit tag was not an asn1.Flag (bad use of unsafe.Pointer? try -d=checkptr)math/big: mismatched montgomery nu
API String ID: 0-3347595331
Opcode ID: 1ebea1b68e6b200643050e2f1cf6223a97e7e9f576bdedb8709663af27580c5d
Instruction ID: 46f8bb3368e1ce8b838dabd7cd3dce2e9ae5b6fd4587207979353c26066d23de
Opcode Fuzzy Hash: 1ebea1b68e6b200643050e2f1cf6223a97e7e9f576bdedb8709663af27580c5d
Instruction Fuzzy Hash: 204192B45087018FC304EF64C185A6ABBE1FF48704F55C86DE4898B362EB35D985DBB2

Uniqueness

Uniqueness Score: -1.00%

Function 00D6C690, Relevance: 7.7, Strings: 6, Instructions: 192COMMON

Download Yara Rule

Strings

marking free objectmarkroot: bad indexmissing deferreturnmspan.sweep: state=notesleep not on g0ntdll.dll not foundnwait > work.nprocspanic during mallocpanic during panicpanic holding lockspanicwrap: no ( in panicwrap: no ) in reflect.Value.Fieldreflect.Value, xrefs: 00D6C94A
found at *( gcscandone m->gsignal= minTrigger= nDataRoots= nSpanRoots= pages/byte preemptoff= s.elemsize= s.sweepgen= span.limit= span.state= sysmonwait= wbuf1=<nil> wbuf2=<nil>$recycle.bin%!(BADWIDTH)) p->status=-byte limit152587890625762939453125Bidi_Con, xrefs: 00D6C878
greyobject: obj not pointer-alignedmheap.freeSpanLocked - invalid freenetwork dropped connection on resetno such multicast network interfacepersistentalloc: align is too largepidleput: P has non-empty run queuereflect.MakeSlice of non-slice typeruntime: close , xrefs: 00D6C960
basebindbmi1bmi2boolbootcallcas1cas2cas3cas4cas5cas6chandeadermsfileftpsfunchourhttpicmpidleigmpint8itabkindopenpathpipepop3profreadrootsbrkseeksmtpsse2sse3tag:tcp4trueudp4uint -%s ... H_T= H_a= H_g= MB, W_a= and h_a= h_g= h_t= max= ms, ptr siz= tab= top, xrefs: 00D6C8E7
runtime: marking free object runtime: p.gcMarkWorkerMode= runtime: split stack overflowruntime: sudog with non-nil cruntime: summary max pages = runtime: unknown pc in defer semacquire not on the G stackstring concatenation too longsyntax error scanning boolea, xrefs: 00D6C84E
#, xrefs: 00D6C969

Memory Dump Source

Source File: 00000000.00000002.661933456.0000000000D51000.00000020.00020000.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.661927136.0000000000D50000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.662082442.0000000000E53000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.662217305.0000000000F3E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662222778.0000000000F44000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.662233308.0000000000F56000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662236659.0000000000F57000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.662240097.0000000000F59000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662243272.0000000000F5F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662246441.0000000000F63000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662249429.0000000000F77000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662252544.0000000000F7A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662256348.0000000000F7D000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.662259273.0000000000F7E000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: found at *( gcscandone m->gsignal= minTrigger= nDataRoots= nSpanRoots= pages/byte preemptoff= s.elemsize= s.sweepgen= span.limit= span.state= sysmonwait= wbuf1=<nil> wbuf2=<nil>$recycle.bin%!(BADWIDTH)) p->status=-byte limit152587890625762939453125Bidi_Con$#$basebindbmi1bmi2boolbootcallcas1cas2cas3cas4cas5cas6chandeadermsfileftpsfunchourhttpicmpidleigmpint8itabkindopenpathpipepop3profreadrootsbrkseeksmtpsse2sse3tag:tcp4trueudp4uint -%s ... H_T= H_a= H_g= MB, W_a= and h_a= h_g= h_t= max= ms, ptr siz= tab= top$greyobject: obj not pointer-alignedmheap.freeSpanLocked - invalid freenetwork dropped connection on resetno such multicast network interfacepersistentalloc: align is too largepidleput: P has non-empty run queuereflect.MakeSlice of non-slice typeruntime: close $marking free objectmarkroot: bad indexmissing deferreturnmspan.sweep: state=notesleep not on g0ntdll.dll not foundnwait > work.nprocspanic during mallocpanic during panicpanic holding lockspanicwrap: no ( in panicwrap: no ) in reflect.Value.Fieldreflect.Value$runtime: marking free object runtime: p.gcMarkWorkerMode= runtime: split stack overflowruntime: sudog with non-nil cruntime: summary max pages = runtime: unknown pc in defer semacquire not on the G stackstring concatenation too longsyntax error scanning boolea
API String ID: 0-2807707753
Opcode ID: fd36cade2d1d5775e15d64e6c51657109cadbbd3a0f3ec9ca48f7e6cf5a7be48
Instruction ID: 697d51f7098b3faaf2818e4818edf420c19431dfd32d7de0571a007f644434c1
Opcode Fuzzy Hash: fd36cade2d1d5775e15d64e6c51657109cadbbd3a0f3ec9ca48f7e6cf5a7be48
Instruction Fuzzy Hash: D4814BB45097408FD310EF29C080A6ABBE0EF89704F48996DE8D887342D735D949DFA2

Uniqueness

Uniqueness Score: -1.00%

Function 00D8F6C0, Relevance: 7.7, Strings: 6, Instructions: 171COMMON

Download Yara Rule

Strings

xchg64 failed}sched={pc: but progSize nmidlelocked= on zero Value out of range procedure in to finalizer untyped args -thread limit1907348632812595367431640625: extra text: CertCloseStoreCoInitializeExCoUninitializeControlServiceCreateEventExWCreateMute, xrefs: 00D8F923, 00D8F939
cas64 failedchan receivedumping heapend tracegcentersyscallgcBitsArenasgcpacertracehost is downiconcache.dbillegal seekinvalid baseinvalid slotiphlpapi.dllkernel32.dllmadvdontneedmheapSpecialmspanSpecialnetapi32.dllno such hostnot pollablepath to workraceFini, xrefs: 00D8F9A7, 00D8F9BD, 00D8F9D3, 00D8F9E9
load64 failedmin too largenil stackbaseout of memoryparsing time powrprof.dll, xrefs: 00D8F991
store64 failedsync.Cond.Waittext file busytimeEndPeriod, xrefs: 00D8F97B
*, xrefs: 00D8F781
xadd64 failedxchg64 failed}sched={pc: but progSize nmidlelocked= on zero Value out of range procedure in to finalizer untyped args -thread limit1907348632812595367431640625: extra text: CertCloseStoreCoInitializeExCoUninitializeControlServiceCreateEvent, xrefs: 00D8F94F, 00D8F965

Memory Dump Source

Source File: 00000000.00000002.661933456.0000000000D51000.00000020.00020000.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.661927136.0000000000D50000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.662082442.0000000000E53000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.662217305.0000000000F3E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662222778.0000000000F44000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.662233308.0000000000F56000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662236659.0000000000F57000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.662240097.0000000000F59000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662243272.0000000000F5F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662246441.0000000000F63000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662249429.0000000000F77000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662252544.0000000000F7A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662256348.0000000000F7D000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.662259273.0000000000F7E000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: *$cas64 failedchan receivedumping heapend tracegcentersyscallgcBitsArenasgcpacertracehost is downiconcache.dbillegal seekinvalid baseinvalid slotiphlpapi.dllkernel32.dllmadvdontneedmheapSpecialmspanSpecialnetapi32.dllno such hostnot pollablepath to workraceFini$load64 failedmin too largenil stackbaseout of memoryparsing time powrprof.dll$store64 failedsync.Cond.Waittext file busytimeEndPeriod$xadd64 failedxchg64 failed}sched={pc: but progSize nmidlelocked= on zero Value out of range procedure in to finalizer untyped args -thread limit1907348632812595367431640625: extra text: CertCloseStoreCoInitializeExCoUninitializeControlServiceCreateEvent$xchg64 failed}sched={pc: but progSize nmidlelocked= on zero Value out of range procedure in to finalizer untyped args -thread limit1907348632812595367431640625: extra text: CertCloseStoreCoInitializeExCoUninitializeControlServiceCreateEventExWCreateMute
API String ID: 0-521141547
Opcode ID: f4b58e9f727049a81faedb875cc1577c3c23a7c23f43973eab7ccb0a5811a2b8
Instruction ID: 6968dd59486bc65640dfb9aa6ce1062b7059dd7f20ec3ad1395456120258eefc
Opcode Fuzzy Hash: f4b58e9f727049a81faedb875cc1577c3c23a7c23f43973eab7ccb0a5811a2b8
Instruction Fuzzy Hash: 9D71E5B411A706DFE700FF64D89576EBBE4AB48315F05882DE48883291E778998CDF63

Uniqueness

Uniqueness Score: -1.00%

Function 00D82730, Relevance: 7.7, Strings: 6, Instructions: 152COMMON

Download Yara Rule

Strings

+Inf-Inf3125: p=ACDTACSTAEDTAESTAKDTAKSTAWSTAhomAtoiCESTChamDashEESTGOGCJulyJuneLEAFLisuMiaoModiNZDTNZSTNewaSASTStatThaim=] = ] n=allgallpasn1avx2basebindbmi1bmi2boolbootcallcas1cas2cas3cas4cas5cas6chandeadermsfileftpsfunchourhttpicmpidleigmpint8itabkindopen, xrefs: 00D82934
e+, xrefs: 00D82828
., xrefs: 00D82823
-, xrefs: 00D828AF
-, xrefs: 00D82833
-Inf3125: p=ACDTACSTAEDTAESTAKDTAKSTAWSTAhomAtoiCESTChamDashEESTGOGCJulyJuneLEAFLisuMiaoModiNZDTNZSTNewaSASTStatThaim=] = ] n=allgallpasn1avx2basebindbmi1bmi2boolbootcallcas1cas2cas3cas4cas5cas6chandeadermsfileftpsfunchourhttpicmpidleigmpint8itabkindopenpath, xrefs: 00D8291A

Memory Dump Source

Source File: 00000000.00000002.661933456.0000000000D51000.00000020.00020000.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.661927136.0000000000D50000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.662082442.0000000000E53000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.662217305.0000000000F3E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662222778.0000000000F44000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.662233308.0000000000F56000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662236659.0000000000F57000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.662240097.0000000000F59000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662243272.0000000000F5F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662246441.0000000000F63000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662249429.0000000000F77000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662252544.0000000000F7A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662256348.0000000000F7D000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.662259273.0000000000F7E000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: +Inf-Inf3125: p=ACDTACSTAEDTAESTAKDTAKSTAWSTAhomAtoiCESTChamDashEESTGOGCJulyJuneLEAFLisuMiaoModiNZDTNZSTNewaSASTStatThaim=] = ] n=allgallpasn1avx2basebindbmi1bmi2boolbootcallcas1cas2cas3cas4cas5cas6chandeadermsfileftpsfunchourhttpicmpidleigmpint8itabkindopen$-$-$-Inf3125: p=ACDTACSTAEDTAESTAKDTAKSTAWSTAhomAtoiCESTChamDashEESTGOGCJulyJuneLEAFLisuMiaoModiNZDTNZSTNewaSASTStatThaim=] = ] n=allgallpasn1avx2basebindbmi1bmi2boolbootcallcas1cas2cas3cas4cas5cas6chandeadermsfileftpsfunchourhttpicmpidleigmpint8itabkindopenpath$.$e+
API String ID: 0-2448805308
Opcode ID: 4814561540a37b4cd870106057dc515d650ffb8c5bcdc72fbcc2146e76ee550d
Instruction ID: fee1dd8f2885ddf11004083bae78f3032a9e2feb61a411b7ad9e23dcf02f8d84
Opcode Fuzzy Hash: 4814561540a37b4cd870106057dc515d650ffb8c5bcdc72fbcc2146e76ee550d
Instruction Fuzzy Hash: 89512971408B418EC70BFF39849533AB6D4BFA2380F54CB5EE4C666192E774958A8772

Uniqueness

Uniqueness Score: -1.00%

Function 00D7C4E0, Relevance: 7.6, Strings: 6, Instructions: 61COMMON

Download Yara Rule

Strings

erRegisterSuspendResumeNotification, xrefs: 00D7C544
Powe, xrefs: 00D7C552
', xrefs: 00D7C562
owrprof.dll, xrefs: 00D7C505
', xrefs: 00D7C55A
powr, xrefs: 00D7C510

Memory Dump Source

Source File: 00000000.00000002.661933456.0000000000D51000.00000020.00020000.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.661927136.0000000000D50000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.662082442.0000000000E53000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.662217305.0000000000F3E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662222778.0000000000F44000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.662233308.0000000000F56000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662236659.0000000000F57000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.662240097.0000000000F59000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662243272.0000000000F5F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662246441.0000000000F63000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662249429.0000000000F77000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662252544.0000000000F7A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662256348.0000000000F7D000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.662259273.0000000000F7E000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: '$'$Powe$erRegisterSuspendResumeNotification$owrprof.dll$powr
API String ID: 0-2222458068
Opcode ID: ffa775f8527cf2f773aa2924baa711c3d4b647d64cc576e326b2e1597dc39cd6
Instruction ID: 9bd9e549ba39912d7d4a52d4674233c2fedcc0b84f752fc8770ef6ee074dc22f
Opcode Fuzzy Hash: ffa775f8527cf2f773aa2924baa711c3d4b647d64cc576e326b2e1597dc39cd6
Instruction Fuzzy Hash: 3E31F2B44083458FD310DF25C58575ABBE0FB88344F44881EE49C97251E775EA49CFA3

Uniqueness

Uniqueness Score: -1.00%

Function 00D8EF30, Relevance: 6.7, Strings: 5, Instructions: 445COMMON

Download Yara Rule

Strings

init int16int32int64limitmheapmonthntldrntohspanicpop3sscav schedsleepslicesse41sse42ssse3sudogsweeptraceuint8usagevaluewinntwrite Value addr= alloc base code= ctxt: curg= free goid jobs= list= m->p= next= p->m= prev= span=% util(...), i = , not 390625<-ch, xrefs: 00D8F0AB
allocs dying= locks= m->g0= nmsys= s=nil zombie, goid=, j0 = 19531252.5.4.32.5.4.52.5.4.62.5.4.72.5.4.82.5.4.99765625AvestanBengaliBrailleChanDirCopySidCypriotDES-CBCDeseretElbasanElymaicFreeSidGODEBUGGranthaHanunooIO waitJanuaryKannadaMUI_DltMUI_StdMakasarM, xrefs: 00D8F520
2, xrefs: 00D8F5D0
recursive call during initialization - linker skewruntime: unable to acquire - semaphore out of syncx509: RSA public exponent is not a positive numberx509: missing ASN.1 contents; use ParseCertificateGC must be disabled to protect validity of fn valuefatal: sy, xrefs: 00D8F5C7
ms clock, nBSSRoots= p->status= s.nelems= schedtick= span.list= timerslen=%!(BADPREC), elemsize=, npages = /dev/stderr/dev/stdout30517578125: frame.sp=AES-128-CBCAES-192-CBCAES-256-CBCBLAKE2b-256BLAKE2b-384BLAKE2b-512BLAKE2s-256ClassHESIODCloseHandleCoGetOb, xrefs: 00D8F230

Memory Dump Source

Source File: 00000000.00000002.661933456.0000000000D51000.00000020.00020000.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.661927136.0000000000D50000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.662082442.0000000000E53000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.662217305.0000000000F3E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662222778.0000000000F44000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.662233308.0000000000F56000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662236659.0000000000F57000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.662240097.0000000000F59000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662243272.0000000000F5F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662246441.0000000000F63000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662249429.0000000000F77000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662252544.0000000000F7A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662256348.0000000000F7D000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.662259273.0000000000F7E000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: allocs dying= locks= m->g0= nmsys= s=nil zombie, goid=, j0 = 19531252.5.4.32.5.4.52.5.4.62.5.4.72.5.4.82.5.4.99765625AvestanBengaliBrailleChanDirCopySidCypriotDES-CBCDeseretElbasanElymaicFreeSidGODEBUGGranthaHanunooIO waitJanuaryKannadaMUI_DltMUI_StdMakasarM$ ms clock, nBSSRoots= p->status= s.nelems= schedtick= span.list= timerslen=%!(BADPREC), elemsize=, npages = /dev/stderr/dev/stdout30517578125: frame.sp=AES-128-CBCAES-192-CBCAES-256-CBCBLAKE2b-256BLAKE2b-384BLAKE2b-512BLAKE2s-256ClassHESIODCloseHandleCoGetOb$2$init int16int32int64limitmheapmonthntldrntohspanicpop3sscav schedsleepslicesse41sse42ssse3sudogsweeptraceuint8usagevaluewinntwrite Value addr= alloc base code= ctxt: curg= free goid jobs= list= m->p= next= p->m= prev= span=% util(...), i = , not 390625<-ch$recursive call during initialization - linker skewruntime: unable to acquire - semaphore out of syncx509: RSA public exponent is not a positive numberx509: missing ASN.1 contents; use ParseCertificateGC must be disabled to protect validity of fn valuefatal: sy
API String ID: 0-1735025476
Opcode ID: 2c67081a632af31082e7ed426ccf05e4e104590d691fda952ee1935af41c4aa5
Instruction ID: a6b69afc1e50da53243adcf9c59cb2edc3da2e3876325decdafedbd90d248a7d
Opcode Fuzzy Hash: 2c67081a632af31082e7ed426ccf05e4e104590d691fda952ee1935af41c4aa5
Instruction Fuzzy Hash: EE1215746097458FC724EF68C48066EFBE1EFC8304F14892DE48987355EB75E949CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00D91670, Relevance: 6.6, Strings: 5, Instructions: 318COMMON

Download Yara Rule

Strings

Exception GC forcedGOMAXPROCSGetIfEntryGetVersionGlagoliticIsValidSidKharoshthiLocalAllocLockFileExManichaeanOld_ItalicOld_PermicOld_TurkicOpenEventWOpenMutexWOpenThreadOther_MathPOSTALCODEParseFloatPhoenicianPulseEventRIPEMD-160ResetEventSaurashtraWSACleanup, xrefs: 00D9170C
cs deadlockdefault:durationeax ebp ebx ecx edi edx eflags eip esi esp fs gs infinityno anodepollDescrecvfromreflect.runnableruntime.rwmutexRrwmutexWscavengeshutdownstrconv.traceBufunknown(wsaioctl (forced) bl, xrefs: 00D91B61
signal arrived during external code executionslice bounds out of range [:%x] with length %ystopTheWorld: not stopped (status != _Pgcstop)sysGrow bounds not aligned to pallocChunkBytesx509: failed to unmarshal elliptic curve pointP has cached GC work at end of, xrefs: 00D91C2D
., xrefs: 00D91C36
eax ebp ebx ecx edi edx eflags eip esi esp fs gs infinityno anodepollDescrecvfromreflect.runnableruntime.rwmutexRrwmutexWscavengeshutdownstrconv.traceBufunknown(wsaioctl (forced) blocked= defersc= in use) lockedg, xrefs: 00D9189B

Memory Dump Source

Source File: 00000000.00000002.661933456.0000000000D51000.00000020.00020000.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.661927136.0000000000D50000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.662082442.0000000000E53000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.662217305.0000000000F3E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662222778.0000000000F44000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.662233308.0000000000F56000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662236659.0000000000F57000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.662240097.0000000000F59000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662243272.0000000000F5F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662246441.0000000000F63000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662249429.0000000000F77000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662252544.0000000000F7A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662256348.0000000000F7D000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.662259273.0000000000F7E000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: .$Exception GC forcedGOMAXPROCSGetIfEntryGetVersionGlagoliticIsValidSidKharoshthiLocalAllocLockFileExManichaeanOld_ItalicOld_PermicOld_TurkicOpenEventWOpenMutexWOpenThreadOther_MathPOSTALCODEParseFloatPhoenicianPulseEventRIPEMD-160ResetEventSaurashtraWSACleanup$cs deadlockdefault:durationeax ebp ebx ecx edi edx eflags eip esi esp fs gs infinityno anodepollDescrecvfromreflect.runnableruntime.rwmutexRrwmutexWscavengeshutdownstrconv.traceBufunknown(wsaioctl (forced) bl$eax ebp ebx ecx edi edx eflags eip esi esp fs gs infinityno anodepollDescrecvfromreflect.runnableruntime.rwmutexRrwmutexWscavengeshutdownstrconv.traceBufunknown(wsaioctl (forced) blocked= defersc= in use) lockedg$signal arrived during external code executionslice bounds out of range [:%x] with length %ystopTheWorld: not stopped (status != _Pgcstop)sysGrow bounds not aligned to pallocChunkBytesx509: failed to unmarshal elliptic curve pointP has cached GC work at end of
API String ID: 0-3552164190
Opcode ID: f0e59daefcf2462c5ccda159d59af4dd149774d955d9ff70fd10abb9066a2e79
Instruction ID: 3d611b96dfae860a7fd84dbb716dc6470c04c52137259011f2ef8afd5c347119
Opcode Fuzzy Hash: f0e59daefcf2462c5ccda159d59af4dd149774d955d9ff70fd10abb9066a2e79
Instruction Fuzzy Hash: 90E150B85097018FD714FF68C08562EBBE0EF98304F01896DE8985B352DB789949DFB2

Uniqueness

Uniqueness Score: -1.00%

Function 00D6A4A0, Relevance: 6.5, Strings: 5, Instructions: 231COMMON

Download Yara Rule

Strings

runtime: work.nwait = runtime:scanstack: gp=s.freeindex > s.nelemsscanstack - bad statussend on closed channelspan has no free spacestack not a power of 2timer goroutine (idle)trace reader (blocked)trace: alloc too largewirep: invalid p statezero length BIT ST, xrefs: 00D6A81A
work.nwait > work.nprocx509: incorrect IV size116415321826934814453125582076609134674072265625AllocateAndInitializeSidAssignProcessToJobObjectAzerbaijan Standard TimeBangladesh Standard TimeBuildSecurityDescriptorWCape Verde Standard TimeCertFreeCertificateCha, xrefs: 00D6A7F7
work.nproc= work.nwait= , gp->status=, not pointer-byte block (3814697265625CertOpenStoreCoTaskMemFreeDeleteServiceEnumProcessesExitWindowsExFindFirstFileFindNextFileWFindResourceWFreeAddrInfoWGC sweep waitGetDriveTypeWGunjala_GondiMapViewOfFileMasaram_Gondi, xrefs: 00D6A7C3, 00D6A844
nwait > work.nprocspanic during mallocpanic during panicpanic holding lockspanicwrap: no ( in panicwrap: no ) in reflect.Value.Fieldreflect.Value.Floatreflect.Value.Indexreflect.Value.IsNilreflect.Value.Sliceruntime: g0 stack [runtime: pcdata is runtime: pree, xrefs: 00D6A878
runtime: work.nwait= sequence tag mismatchstale NFS file handlestartlockedm: m has pstartm: m is spinningstate not recoverabletimer data corruptionx509: invalid padding%SystemRoot%\system32\/lib/time/zoneinfo.zip4656612873077392578125Aleutian Standard TimeAtla, xrefs: 00D6A799

Memory Dump Source

Source File: 00000000.00000002.661933456.0000000000D51000.00000020.00020000.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.661927136.0000000000D50000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.662082442.0000000000E53000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.662217305.0000000000F3E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662222778.0000000000F44000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.662233308.0000000000F56000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662236659.0000000000F57000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.662240097.0000000000F59000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662243272.0000000000F5F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662246441.0000000000F63000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662249429.0000000000F77000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662252544.0000000000F7A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662256348.0000000000F7D000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.662259273.0000000000F7E000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: work.nproc= work.nwait= , gp->status=, not pointer-byte block (3814697265625CertOpenStoreCoTaskMemFreeDeleteServiceEnumProcessesExitWindowsExFindFirstFileFindNextFileWFindResourceWFreeAddrInfoWGC sweep waitGetDriveTypeWGunjala_GondiMapViewOfFileMasaram_Gondi$nwait > work.nprocspanic during mallocpanic during panicpanic holding lockspanicwrap: no ( in panicwrap: no ) in reflect.Value.Fieldreflect.Value.Floatreflect.Value.Indexreflect.Value.IsNilreflect.Value.Sliceruntime: g0 stack [runtime: pcdata is runtime: pree$runtime: work.nwait = runtime:scanstack: gp=s.freeindex > s.nelemsscanstack - bad statussend on closed channelspan has no free spacestack not a power of 2timer goroutine (idle)trace reader (blocked)trace: alloc too largewirep: invalid p statezero length BIT ST$runtime: work.nwait= sequence tag mismatchstale NFS file handlestartlockedm: m has pstartm: m is spinningstate not recoverabletimer data corruptionx509: invalid padding%SystemRoot%\system32\/lib/time/zoneinfo.zip4656612873077392578125Aleutian Standard TimeAtla$work.nwait > work.nprocx509: incorrect IV size116415321826934814453125582076609134674072265625AllocateAndInitializeSidAssignProcessToJobObjectAzerbaijan Standard TimeBangladesh Standard TimeBuildSecurityDescriptorWCape Verde Standard TimeCertFreeCertificateCha
API String ID: 0-1972407623
Opcode ID: 68ae43ee6b46ab0b04f329005f7ba23e5127f5ceb046a0bc536421bab51561d4
Instruction ID: d3c9226a962a1c73eaad8f9e19072a27b357d55ff97572a727c88e5f0ba5dad8
Opcode Fuzzy Hash: 68ae43ee6b46ab0b04f329005f7ba23e5127f5ceb046a0bc536421bab51561d4
Instruction Fuzzy Hash: B0B1E2B45097008FC304EF68C584B6ABBE0FF88704F05896DE8C997352DB79E849DB62

Uniqueness

Uniqueness Score: -1.00%

Function 00D830C7, Relevance: 6.4, Strings: 5, Instructions: 198COMMON

Download Yara Rule

Strings

_cgo_thread_start missingallgadd: bad status Gidlearena already initializedbad status in shrinkstackbad system huge page sizechansend: spurious wakeupcheckdead: no m for timerexplicit tag has no childinconsistent poll.fdMutexinvalid cross-device linkinvalid ne, xrefs: 00D833E4
%, xrefs: 00D833D7
_cgo_notify_runtime_init_done missingall goroutines are asleep - deadlock!cannot exec a shared library directlycipher: message authentication failedcrypto/cipher: invalid buffer overlapcrypto/rsa: public exponent too largecrypto/rsa: public exponent too smallc, xrefs: 00D833CE
runtime.main not on m0runtime: work.nwait = runtime:scanstack: gp=s.freeindex > s.nelemsscanstack - bad statussend on closed channelspan has no free spacestack not a power of 2timer goroutine (idle)trace reader (blocked)trace: alloc too largewirep: invalid p s, xrefs: 00D83410
nanotime returning zerono space left on deviceoperation not permittedoperation not supportedpanic during preemptoffprocresize: invalid argreflect.Value.Interfacereflect.Value.NumMethodreflect.methodValueCallruntime: internal errorruntime: invalid type runtime, xrefs: 00D833FA

Memory Dump Source

Source File: 00000000.00000002.661933456.0000000000D51000.00000020.00020000.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.661927136.0000000000D50000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.662082442.0000000000E53000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.662217305.0000000000F3E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662222778.0000000000F44000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.662233308.0000000000F56000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662236659.0000000000F57000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.662240097.0000000000F59000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662243272.0000000000F5F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662246441.0000000000F63000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662249429.0000000000F77000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662252544.0000000000F7A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662256348.0000000000F7D000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.662259273.0000000000F7E000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: %$_cgo_notify_runtime_init_done missingall goroutines are asleep - deadlock!cannot exec a shared library directlycipher: message authentication failedcrypto/cipher: invalid buffer overlapcrypto/rsa: public exponent too largecrypto/rsa: public exponent too smallc$_cgo_thread_start missingallgadd: bad status Gidlearena already initializedbad status in shrinkstackbad system huge page sizechansend: spurious wakeupcheckdead: no m for timerexplicit tag has no childinconsistent poll.fdMutexinvalid cross-device linkinvalid ne$nanotime returning zerono space left on deviceoperation not permittedoperation not supportedpanic during preemptoffprocresize: invalid argreflect.Value.Interfacereflect.Value.NumMethodreflect.methodValueCallruntime: internal errorruntime: invalid type runtime$runtime.main not on m0runtime: work.nwait = runtime:scanstack: gp=s.freeindex > s.nelemsscanstack - bad statussend on closed channelspan has no free spacestack not a power of 2timer goroutine (idle)trace reader (blocked)trace: alloc too largewirep: invalid p s
API String ID: 0-3782288179
Opcode ID: 04b11e18490ed3f0f2af9d5095f4aefefbd6f102dcaaa6591b7122cebc981ec6
Instruction ID: 9ae87eb494a15f3a36f654bee6b69be061e645baf1425d9461e136f16e7f043a
Opcode Fuzzy Hash: 04b11e18490ed3f0f2af9d5095f4aefefbd6f102dcaaa6591b7122cebc981ec6
Instruction Fuzzy Hash: 9A913974518745CFD704EF28D485B5A7BE0FF48704F04486DE88987362EB79DA88EBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00D93030, Relevance: 6.4, Strings: 5, Instructions: 189COMMON

Download Yara Rule

Strings

!, xrefs: 00D932C9
stackalloc not on scheduler stackstoplockedm: inconsistent lockingstruct contains unexported fieldstimer period must be non-negativetoo many Answers to pack (>65535)too many levels of symbolic linksunaligned 64-bit atomic operationwaiting for unsupported file , xrefs: 00D932C0
out of memoryparsing time powrprof.dll, xrefs: 00D9325C
out of memory (stackalloc)persistentalloc: size == 0required key not availableruntime: bad span s.state=segment prefix is reservedshrinking stack in libcallstartlockedm: locked to metruncated base 128 integer is not assignable to type 3637978807091712951660156, xrefs: 00D93294
stack size not a power of 2startm: negative nmspinningstopTheWorld: holding lockstime: invalid location nametimer when must be positivetoo many callback functionswork.nwait was > work.nproc args stack map entries for 1818989403545856475830078125909494701772928, xrefs: 00D932AA

Memory Dump Source

Source File: 00000000.00000002.661933456.0000000000D51000.00000020.00020000.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.661927136.0000000000D50000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.662082442.0000000000E53000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.662217305.0000000000F3E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662222778.0000000000F44000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.662233308.0000000000F56000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662236659.0000000000F57000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.662240097.0000000000F59000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662243272.0000000000F5F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662246441.0000000000F63000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662249429.0000000000F77000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662252544.0000000000F7A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662256348.0000000000F7D000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.662259273.0000000000F7E000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: !$out of memory (stackalloc)persistentalloc: size == 0required key not availableruntime: bad span s.state=segment prefix is reservedshrinking stack in libcallstartlockedm: locked to metruncated base 128 integer is not assignable to type 3637978807091712951660156$out of memoryparsing time powrprof.dll$stack size not a power of 2startm: negative nmspinningstopTheWorld: holding lockstime: invalid location nametimer when must be positivetoo many callback functionswork.nwait was > work.nproc args stack map entries for 1818989403545856475830078125909494701772928$stackalloc not on scheduler stackstoplockedm: inconsistent lockingstruct contains unexported fieldstimer period must be non-negativetoo many Answers to pack (>65535)too many levels of symbolic linksunaligned 64-bit atomic operationwaiting for unsupported file
API String ID: 0-464376094
Opcode ID: da83701a7a48f9b48daa78d939e6048c06f086f836ce6b79296e8bb41d55ac9b
Instruction ID: 405291e905e818db711f6e77807ca1afdbe153a35b1265fe47dc303923be4292
Opcode Fuzzy Hash: da83701a7a48f9b48daa78d939e6048c06f086f836ce6b79296e8bb41d55ac9b
Instruction Fuzzy Hash: CA714B746093458FCB14EF29C58066EBBE1FF89700F14882DE88997351E734DA89DBA6

Uniqueness

Uniqueness Score: -1.00%

Function 00D5BA90, Relevance: 6.4, Strings: 5, Instructions: 185COMMON

Download Yara Rule

Strings

runtime: cannot allocate memoryruntime: failed to commit pagesruntime: split stack overflow: slice bounds out of range [%x:]slice bounds out of range [:%x]time: missing unit in duration x509: malformed DEK-Info header (types from different packages)28421709430, xrefs: 00D5BCFC
persistentalloc: align is not a power of 2reflect: internal error: misaligned offsetruntime: blocked write on closing polldescsync/atomic: store of nil value into Valueunexpected signal during runtime executionx509: RSA modulus is not a positive numberx509: tr, xrefs: 00D5BD28
persistentalloc: size == 0required key not availableruntime: bad span s.state=segment prefix is reservedshrinking stack in libcallstartlockedm: locked to metruncated base 128 integer is not assignable to type 363797880709171295166015625AddVectoredContinueHandl, xrefs: 00D5BD3E
persistentalloc: align is too largepidleput: P has non-empty run queuereflect.MakeSlice of non-slice typeruntime: close polldesc w/o unblockruntime: createevent failed; errno=superfluous leading zeros in lengthtoo many Questions to pack (>65535)traceback did n, xrefs: 00D5BD12
*, xrefs: 00D5BD31

Memory Dump Source

Source File: 00000000.00000002.661933456.0000000000D51000.00000020.00020000.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.661927136.0000000000D50000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.662082442.0000000000E53000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.662217305.0000000000F3E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662222778.0000000000F44000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.662233308.0000000000F56000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662236659.0000000000F57000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.662240097.0000000000F59000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662243272.0000000000F5F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662246441.0000000000F63000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662249429.0000000000F77000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662252544.0000000000F7A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662256348.0000000000F7D000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.662259273.0000000000F7E000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: *$persistentalloc: align is not a power of 2reflect: internal error: misaligned offsetruntime: blocked write on closing polldescsync/atomic: store of nil value into Valueunexpected signal during runtime executionx509: RSA modulus is not a positive numberx509: tr$persistentalloc: align is too largepidleput: P has non-empty run queuereflect.MakeSlice of non-slice typeruntime: close polldesc w/o unblockruntime: createevent failed; errno=superfluous leading zeros in lengthtoo many Questions to pack (>65535)traceback did n$persistentalloc: size == 0required key not availableruntime: bad span s.state=segment prefix is reservedshrinking stack in libcallstartlockedm: locked to metruncated base 128 integer is not assignable to type 363797880709171295166015625AddVectoredContinueHandl$runtime: cannot allocate memoryruntime: failed to commit pagesruntime: split stack overflow: slice bounds out of range [%x:]slice bounds out of range [:%x]time: missing unit in duration x509: malformed DEK-Info header (types from different packages)28421709430
API String ID: 0-3750156056
Opcode ID: 9cb7b50f5786aa49b17b8802b514abcdc23913a751039b02b9c0aa86328ca713
Instruction ID: 032141d7fdc05d4945739b9181f4b9fed472897b2496d7b82aafaa8349ad8285
Opcode Fuzzy Hash: 9cb7b50f5786aa49b17b8802b514abcdc23913a751039b02b9c0aa86328ca713
Instruction Fuzzy Hash: F1812774609709CFCB14DF24C58066ABBF1FB88314F14886EEC9987321E734E989DB62

Uniqueness

Uniqueness Score: -1.00%

Function 00D69D20, Relevance: 6.4, Strings: 5, Instructions: 174COMMON

Download Yara Rule

Strings

s.state = schedtracesemacquiresetsockoptstackLargeticks.locktracefree(tracegc()unixpacketunknown pcuser32.dllws2_32.dll of size (targetpc= KiB work, freeindex= gcwaiting= heap_live= idleprocs= in status mallocing= ms clock, nBSSRoots= p->status= s.nelem, xrefs: 00D69F73
+, xrefs: 00D69FB4
sweep sysmontelnettimersuint16uint32uint64 (scan (scan) MB in Value> allocs dying= locks= m->g0= nmsys= s=nil zombie, goid=, j0 = 19531252.5.4.32.5.4.52.5.4.62.5.4.72.5.4.82.5.4.99765625AvestanBengaliBrailleChanDirCopySidCypriotDES-CBCDeseretElbasanElymaicF, xrefs: 00D69F07
non in-use span found with specials bit setreflect: nil type passed to Type.Implementsroot level max pages doesn't fit in summaryruntime.SetFinalizer: finalizer already setruntime.SetFinalizer: first argument is nilruntime: casfrom_Gscanstatus bad oldval gp=ru, xrefs: 00D69FAB
gc: unswept spangcshrinkstackoffinteger overflowinvalid argumentinvalid exchangeinvalid g statusinvalid spdelta length too largemSpanList.insertmSpanList.removemessage too longmissing stackmapnewmHandoff.lockno route to hostnon-Go functionobject is remotepace, xrefs: 00D69F54

Memory Dump Source

Source File: 00000000.00000002.661933456.0000000000D51000.00000020.00020000.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.661927136.0000000000D50000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.662082442.0000000000E53000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.662217305.0000000000F3E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662222778.0000000000F44000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.662233308.0000000000F56000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662236659.0000000000F57000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.662240097.0000000000F59000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662243272.0000000000F5F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662246441.0000000000F63000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662249429.0000000000F77000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662252544.0000000000F7A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662256348.0000000000F7D000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.662259273.0000000000F7E000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: +$gc: unswept spangcshrinkstackoffinteger overflowinvalid argumentinvalid exchangeinvalid g statusinvalid spdelta length too largemSpanList.insertmSpanList.removemessage too longmissing stackmapnewmHandoff.lockno route to hostnon-Go functionobject is remotepace$non in-use span found with specials bit setreflect: nil type passed to Type.Implementsroot level max pages doesn't fit in summaryruntime.SetFinalizer: finalizer already setruntime.SetFinalizer: first argument is nilruntime: casfrom_Gscanstatus bad oldval gp=ru$s.state = schedtracesemacquiresetsockoptstackLargeticks.locktracefree(tracegc()unixpacketunknown pcuser32.dllws2_32.dll of size (targetpc= KiB work, freeindex= gcwaiting= heap_live= idleprocs= in status mallocing= ms clock, nBSSRoots= p->status= s.nelem$sweep sysmontelnettimersuint16uint32uint64 (scan (scan) MB in Value> allocs dying= locks= m->g0= nmsys= s=nil zombie, goid=, j0 = 19531252.5.4.32.5.4.52.5.4.62.5.4.72.5.4.82.5.4.99765625AvestanBengaliBrailleChanDirCopySidCypriotDES-CBCDeseretElbasanElymaicF
API String ID: 0-1798779747
Opcode ID: aa98940c0f94f692d9930853d58f15db631223d321f09a8d547365451f2b0da9
Instruction ID: 53472622a31f755e97d04b70ed6773ccc81a8844a34245c243ceadc7518b514a
Opcode Fuzzy Hash: aa98940c0f94f692d9930853d58f15db631223d321f09a8d547365451f2b0da9
Instruction Fuzzy Hash: 3E7103B42093458FC704EF24C0A1A6ABBE5FF89304F04886DF9998B392D735D949CB72

Uniqueness

Uniqueness Score: -1.00%

Function 00D62510, Relevance: 6.4, Strings: 5, Instructions: 157COMMON

Download Yara Rule

Strings

refill of span with free space remainingreflect.Value.SetBytes of non-byte slicereflect.Value.setRunes of non-rune slicereflect: FieldByName of non-struct type runtime.SetFinalizer: first argument is runtime.preemptM: duplicatehandle failedruntime: out of memo, xrefs: 00D62797
out of memoryparsing time powrprof.dll, xrefs: 00D6276B
(, xrefs: 00D627A0
span has no free spacestack not a power of 2timer goroutine (idle)trace reader (blocked)trace: alloc too largewirep: invalid p statezero length BIT STRING) must be a power of 223283064365386962890625<invalid reflect.Value>Argentina Standard TimeAstrakhan Stan, xrefs: 00D62755
bad sweepgen in refillcannot allocate memoryduplicated defer entryfreeIndex is not validgetenv before env initheadTailIndex overflowinteger divide by zerointerface conversion: internal inconsistencyinvalid number base %dis encrypted pem blockkernel32.dll not f, xrefs: 00D62781

Memory Dump Source

Source File: 00000000.00000002.661933456.0000000000D51000.00000020.00020000.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.661927136.0000000000D50000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.662082442.0000000000E53000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.662217305.0000000000F3E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662222778.0000000000F44000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.662233308.0000000000F56000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662236659.0000000000F57000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.662240097.0000000000F59000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662243272.0000000000F5F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662246441.0000000000F63000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662249429.0000000000F77000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662252544.0000000000F7A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662256348.0000000000F7D000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.662259273.0000000000F7E000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: ($bad sweepgen in refillcannot allocate memoryduplicated defer entryfreeIndex is not validgetenv before env initheadTailIndex overflowinteger divide by zerointerface conversion: internal inconsistencyinvalid number base %dis encrypted pem blockkernel32.dll not f$out of memoryparsing time powrprof.dll$refill of span with free space remainingreflect.Value.SetBytes of non-byte slicereflect.Value.setRunes of non-rune slicereflect: FieldByName of non-struct type runtime.SetFinalizer: first argument is runtime.preemptM: duplicatehandle failedruntime: out of memo$span has no free spacestack not a power of 2timer goroutine (idle)trace reader (blocked)trace: alloc too largewirep: invalid p statezero length BIT STRING) must be a power of 223283064365386962890625<invalid reflect.Value>Argentina Standard TimeAstrakhan Stan
API String ID: 0-792077938
Opcode ID: 84f917cac2873ad1948a4cce12c6cf6827d32dec8f6a51a4104e174c841935d1
Instruction ID: a585520ee765117c54e2a4397e660780f83b4eee1c1c6ba3f3f7587714f30b3a
Opcode Fuzzy Hash: 84f917cac2873ad1948a4cce12c6cf6827d32dec8f6a51a4104e174c841935d1
Instruction Fuzzy Hash: E9713BB45097048FC308EF24D494B6ABBE1FF84304F45896DE899873A2D735D989DF62

Uniqueness

Uniqueness Score: -1.00%

Function 00D81170, Relevance: 6.4, Strings: 5, Instructions: 155COMMON

Download Yara Rule

Strings

addr= alloc base code= ctxt: curg= free goid jobs= list= m->p= next= p->m= prev= span=% util(...), i = , not 390625<-chanAnswerArabicAugustBrahmiCarianChakmaCommonCopticFormatFridayGOROOTGetACPGothicHangulHatranHebrewHyphenKaithiKhojkiLepchaLycianLydianMo, xrefs: 00D81396
code= ctxt: curg= free goid jobs= list= m->p= next= p->m= prev= span=% util(...), i = , not 390625<-chanAnswerArabicAugustBrahmiCarianChakmaCommonCopticFormatFridayGOROOTGetACPGothicHangulHatranHebrewHyphenKaithiKhojkiLepchaLycianLydianMondayRejangSCHED ST, xrefs: 00D8136C
pc= sp: sp=) = ) m=+Inf-Inf3125: p=ACDTACSTAEDTAESTAKDTAKSTAWSTAhomAtoiCESTChamDashEESTGOGCJulyJuneLEAFLisuMiaoModiNZDTNZSTNewaSASTStatThaim=] = ] n=allgallpasn1avx2basebindbmi1bmi2boolbootcallcas1cas2cas3cas4cas5cas6chandeadermsfileftpsfunchourhttpicmpidle, xrefs: 00D813C0
runtime stack:application databad g transitionbad special kindbad summary databad symbol tablebinary.BigEndiancastogscanstatuscontext canceleddivision by zerogc: unswept spangcshrinkstackoffinteger overflowinvalid argumentinvalid exchangeinvalid g statusinva, xrefs: 00D811F1
[signal stack=[boot.inicgocheckcs deadlockdefault:durationeax ebp ebx ecx edi edx eflags eip esi esp fs gs infinityno anodepollDescrecvfromreflect.runnableruntime.rwmutexRrwmutexWscavengeshutdownstrconv.trac, xrefs: 00D81316

Memory Dump Source

Source File: 00000000.00000002.661933456.0000000000D51000.00000020.00020000.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.661927136.0000000000D50000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.662082442.0000000000E53000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.662217305.0000000000F3E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662222778.0000000000F44000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.662233308.0000000000F56000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662236659.0000000000F57000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.662240097.0000000000F59000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662243272.0000000000F5F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662246441.0000000000F63000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662249429.0000000000F77000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662252544.0000000000F7A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662256348.0000000000F7D000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.662259273.0000000000F7E000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: runtime stack:application databad g transitionbad special kindbad summary databad symbol tablebinary.BigEndiancastogscanstatuscontext canceleddivision by zerogc: unswept spangcshrinkstackoffinteger overflowinvalid argumentinvalid exchangeinvalid g statusinva$ addr= alloc base code= ctxt: curg= free goid jobs= list= m->p= next= p->m= prev= span=% util(...), i = , not 390625<-chanAnswerArabicAugustBrahmiCarianChakmaCommonCopticFormatFridayGOROOTGetACPGothicHangulHatranHebrewHyphenKaithiKhojkiLepchaLycianLydianMo$ code= ctxt: curg= free goid jobs= list= m->p= next= p->m= prev= span=% util(...), i = , not 390625<-chanAnswerArabicAugustBrahmiCarianChakmaCommonCopticFormatFridayGOROOTGetACPGothicHangulHatranHebrewHyphenKaithiKhojkiLepchaLycianLydianMondayRejangSCHED ST$ pc= sp: sp=) = ) m=+Inf-Inf3125: p=ACDTACSTAEDTAESTAKDTAKSTAWSTAhomAtoiCESTChamDashEESTGOGCJulyJuneLEAFLisuMiaoModiNZDTNZSTNewaSASTStatThaim=] = ] n=allgallpasn1avx2basebindbmi1bmi2boolbootcallcas1cas2cas3cas4cas5cas6chandeadermsfileftpsfunchourhttpicmpidle$[signal stack=[boot.inicgocheckcs deadlockdefault:durationeax ebp ebx ecx edi edx eflags eip esi esp fs gs infinityno anodepollDescrecvfromreflect.runnableruntime.rwmutexRrwmutexWscavengeshutdownstrconv.trac
API String ID: 0-483389805
Opcode ID: db70968115564df0294eee3fa5a9e7931824da8d9f57718546a92cfde71be6f4
Instruction ID: 0def62d358db2fb9d6cb4baafff14666485240a0a71df2ebdfa00a948ba63b97
Opcode Fuzzy Hash: db70968115564df0294eee3fa5a9e7931824da8d9f57718546a92cfde71be6f4
Instruction Fuzzy Hash: 6361BDB85097048FC700FF68C085B6ABBE4EB89754F05992DE8D887352D738D989DB72

Uniqueness

Uniqueness Score: -1.00%

Function 00D75760, Relevance: 6.4, Strings: 5, Instructions: 149COMMON

Download Yara Rule

Strings

, p.searchAddr = 0123456789ABCDEFX0123456789abcdefx060102150405Z07001192092895507812559604644775390625: missing method AdjustTokenGroupsCertFindExtensionCryptDecodeObjectDnsRecordListFreeFLE Standard TimeGC assist markingGMT Standard TimeGTB Standard TimeGetCu, xrefs: 00D75973
runtime: searchIdx = runtime: work.nwait= sequence tag mismatchstale NFS file handlestartlockedm: m has pstartm: m is spinningstate not recoverabletimer data corruptionx509: invalid padding%SystemRoot%\system32\/lib/time/zoneinfo.zip4656612873077392578125Aleut, xrefs: 00D75941
, npages = /dev/stderr/dev/stdout30517578125: frame.sp=AES-128-CBCAES-192-CBCAES-256-CBCBLAKE2b-256BLAKE2b-384BLAKE2b-512BLAKE2s-256ClassHESIODCloseHandleCoGetObjectCreateFileWDeleteFileWDives_AkuruExitProcessFreeLibraryGOTRACEBACKGetFileTypeIdeographicMedefai, xrefs: 00D758FD
bad summary databad symbol tablebinary.BigEndiancastogscanstatuscontext canceleddivision by zerogc: unswept spangcshrinkstackoffinteger overflowinvalid argumentinvalid exchangeinvalid g statusinvalid spdelta length too largemSpanList.insertmSpanList.removemess, xrefs: 00D759A7
runtime: max = runtime: min = runtimer: bad pscan missed a gstartm: m has pstopm holding p already; errno= mheap.sweepgen= not in ranges: untyped locals , not a function0123456789ABCDEF0123456789abcdef2384185791015625: value of type AddDllDirectory, xrefs: 00D758D3

Memory Dump Source

Source File: 00000000.00000002.661933456.0000000000D51000.00000020.00020000.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.661927136.0000000000D50000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.662082442.0000000000E53000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.662217305.0000000000F3E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662222778.0000000000F44000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.662233308.0000000000F56000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662236659.0000000000F57000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.662240097.0000000000F59000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662243272.0000000000F5F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662246441.0000000000F63000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662249429.0000000000F77000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662252544.0000000000F7A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662256348.0000000000F7D000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.662259273.0000000000F7E000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: , npages = /dev/stderr/dev/stdout30517578125: frame.sp=AES-128-CBCAES-192-CBCAES-256-CBCBLAKE2b-256BLAKE2b-384BLAKE2b-512BLAKE2s-256ClassHESIODCloseHandleCoGetObjectCreateFileWDeleteFileWDives_AkuruExitProcessFreeLibraryGOTRACEBACKGetFileTypeIdeographicMedefai$, p.searchAddr = 0123456789ABCDEFX0123456789abcdefx060102150405Z07001192092895507812559604644775390625: missing method AdjustTokenGroupsCertFindExtensionCryptDecodeObjectDnsRecordListFreeFLE Standard TimeGC assist markingGMT Standard TimeGTB Standard TimeGetCu$bad summary databad symbol tablebinary.BigEndiancastogscanstatuscontext canceleddivision by zerogc: unswept spangcshrinkstackoffinteger overflowinvalid argumentinvalid exchangeinvalid g statusinvalid spdelta length too largemSpanList.insertmSpanList.removemess$runtime: max = runtime: min = runtimer: bad pscan missed a gstartm: m has pstopm holding p already; errno= mheap.sweepgen= not in ranges: untyped locals , not a function0123456789ABCDEF0123456789abcdef2384185791015625: value of type AddDllDirectory$runtime: searchIdx = runtime: work.nwait= sequence tag mismatchstale NFS file handlestartlockedm: m has pstartm: m is spinningstate not recoverabletimer data corruptionx509: invalid padding%SystemRoot%\system32\/lib/time/zoneinfo.zip4656612873077392578125Aleut
API String ID: 0-4102996779
Opcode ID: 881f7c901ef86166ce253f225ce424437c9971a2e7fa94505e1000a44bfeac10
Instruction ID: c9bd9be87cd45a38e888e996d600d96d58d7091c3ce626f607cac07cb439cfbb
Opcode Fuzzy Hash: 881f7c901ef86166ce253f225ce424437c9971a2e7fa94505e1000a44bfeac10
Instruction Fuzzy Hash: C361F2B45097058FD344EF64D58162ABBE0FF88314F44892DE8A987342E774D989CFA3

Uniqueness

Uniqueness Score: -1.00%

Function 00D63490, Relevance: 6.4, Strings: 5, Instructions: 104COMMON

Download Yara Rule

Strings

runtime: checkmarks found unexpected unmarked object obj=sync/atomic: store of inconsistently typed value into Valueaddr range base and limit are not in the same memory segmentmanual span allocation called with non-manually-managed typeruntime: GetQueuedComple, xrefs: 00D63536
runtime: found obj at *(runtime: p.searchAddr = span has no free objectsstack trace unavailablestructure needs cleaning bytes failed with errno= to unused region of span2910383045673370361328125AUS Central Standard TimeAUS Eastern Standard TimeAfghanistan Sta, xrefs: 00D6356F
9, xrefs: 00D6353F
basebindbmi1bmi2boolbootcallcas1cas2cas3cas4cas5cas6chandeadermsfileftpsfunchourhttpicmpidleigmpint8itabkindopenpathpipepop3profreadrootsbrkseeksmtpsse2sse3tag:tcp4trueudp4uint -%s ... H_T= H_a= H_g= MB, W_a= and h_a= h_g= h_t= max= ms, ptr siz= tab= top, xrefs: 00D635DE
checkmark found unmarked objectencoding/hex: invalid byte: %#Uentersyscallblock inconsistent fmt: unknown base; can't happeninternal error - misuse of itabinvalid network interface indexmalformed time zone informationnon in-use span in unswept listpacer: sweep, xrefs: 00D63641

Memory Dump Source

Source File: 00000000.00000002.661933456.0000000000D51000.00000020.00020000.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.661927136.0000000000D50000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.662082442.0000000000E53000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.662217305.0000000000F3E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662222778.0000000000F44000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.662233308.0000000000F56000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662236659.0000000000F57000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.662240097.0000000000F59000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662243272.0000000000F5F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662246441.0000000000F63000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662249429.0000000000F77000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662252544.0000000000F7A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662256348.0000000000F7D000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.662259273.0000000000F7E000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: 9$basebindbmi1bmi2boolbootcallcas1cas2cas3cas4cas5cas6chandeadermsfileftpsfunchourhttpicmpidleigmpint8itabkindopenpathpipepop3profreadrootsbrkseeksmtpsse2sse3tag:tcp4trueudp4uint -%s ... H_T= H_a= H_g= MB, W_a= and h_a= h_g= h_t= max= ms, ptr siz= tab= top$checkmark found unmarked objectencoding/hex: invalid byte: %#Uentersyscallblock inconsistent fmt: unknown base; can't happeninternal error - misuse of itabinvalid network interface indexmalformed time zone informationnon in-use span in unswept listpacer: sweep$runtime: checkmarks found unexpected unmarked object obj=sync/atomic: store of inconsistently typed value into Valueaddr range base and limit are not in the same memory segmentmanual span allocation called with non-manually-managed typeruntime: GetQueuedComple$runtime: found obj at *(runtime: p.searchAddr = span has no free objectsstack trace unavailablestructure needs cleaning bytes failed with errno= to unused region of span2910383045673370361328125AUS Central Standard TimeAUS Eastern Standard TimeAfghanistan Sta
API String ID: 0-3616107999
Opcode ID: 76314be00019b93d8806528a2613d4f3de6d499f68f69dcb4b9b1652d18fefc6
Instruction ID: b12ee26e72f9239233614d4f624b5f4996a4e2f34e9793996ba62987398614e8
Opcode Fuzzy Hash: 76314be00019b93d8806528a2613d4f3de6d499f68f69dcb4b9b1652d18fefc6
Instruction Fuzzy Hash: CA4104B45097409FC300FF28C58576ABBE4EF89708F45886DE8D887392D7789948DBB2

Uniqueness

Uniqueness Score: -1.00%

Function 00D8DD73, Relevance: 6.3, Strings: 5, Instructions: 89COMMON

Download Yara Rule

Strings

G M P ) *( - < > m= n=%: +00+01+03+04+05+06+07+08+09+10+11+12+13+14-01-02-03-04-05-06-08-09-11-12125625???ADTASTAprAugBSTCATCDTCETCSTDecDltEATEDTEETEOFESTFebFriGMTHDTHSTHanIDTISTJSTJanJulJunKSTLaoMD4MD5MDTMSKMSTMarMayMonMroNDTNSTNULNaNNkoNovOctPC=PDTPK, xrefs: 00D8DD97
) m=+Inf-Inf3125: p=ACDTACSTAEDTAESTAKDTAKSTAWSTAhomAtoiCESTChamDashEESTGOGCJulyJuneLEAFLisuMiaoModiNZDTNZSTNewaSASTStatThaim=] = ] n=allgallpasn1avx2basebindbmi1bmi2boolbootcallcas1cas2cas3cas4cas5cas6chandeadermsfileftpsfunchourhttpicmpidleigmpint8itabkind, xrefs: 00D8DE1E
lockedm= m->curg= marked method: ms cpu, not in [ runtime= s.limit= s.state= threads= u_a/u_g= unmarked wbuf1.n= wbuf2.n=%!(EXTRA (MISSING)(unknown), newval=, oldval=, size = , tail = -07:00:00244140625: status=AuthorityBassa_VahBhaiksukiBigEndianClassINE, xrefs: 00D8DE48
unknown wait reasonwinmm.dll not foundzero length segment markroot jobs done to unallocated span37252902984619140625Arabic Standard TimeAzores Standard TimeCertFindChainInStoreCertOpenSystemStoreWChangeServiceConfigWCheckTokenMembershipCreateProcessAsUserWCry, xrefs: 00D8DF02
: status=AuthorityBassa_VahBhaiksukiBigEndianClassINETCuneiformDiacriticFindCloseHex_DigitInheritedInterfaceKhudawadiLocalFreeMalayalamMongolianMoveFileWNabataeanPalmyreneParseBoolParseUintSamaritanSeptemberSundaneseTypeCNAMETypeHINFOTypeMINFOWSASendToWednesda, xrefs: 00D8DDC7

Memory Dump Source

Source File: 00000000.00000002.661933456.0000000000D51000.00000020.00020000.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.661927136.0000000000D50000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.662082442.0000000000E53000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.662217305.0000000000F3E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662222778.0000000000F44000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.662233308.0000000000F56000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662236659.0000000000F57000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.662240097.0000000000F59000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662243272.0000000000F5F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662246441.0000000000F63000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662249429.0000000000F77000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662252544.0000000000F7A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662256348.0000000000F7D000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.662259273.0000000000F7E000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: G M P ) *( - < > m= n=%: +00+01+03+04+05+06+07+08+09+10+11+12+13+14-01-02-03-04-05-06-08-09-11-12125625???ADTASTAprAugBSTCATCDTCETCSTDecDltEATEDTEETEOFESTFebFriGMTHDTHSTHanIDTISTJSTJanJulJunKSTLaoMD4MD5MDTMSKMSTMarMayMonMroNDTNSTNULNaNNkoNovOctPC=PDTPK$ lockedm= m->curg= marked method: ms cpu, not in [ runtime= s.limit= s.state= threads= u_a/u_g= unmarked wbuf1.n= wbuf2.n=%!(EXTRA (MISSING)(unknown), newval=, oldval=, size = , tail = -07:00:00244140625: status=AuthorityBassa_VahBhaiksukiBigEndianClassINE$) m=+Inf-Inf3125: p=ACDTACSTAEDTAESTAKDTAKSTAWSTAhomAtoiCESTChamDashEESTGOGCJulyJuneLEAFLisuMiaoModiNZDTNZSTNewaSASTStatThaim=] = ] n=allgallpasn1avx2basebindbmi1bmi2boolbootcallcas1cas2cas3cas4cas5cas6chandeadermsfileftpsfunchourhttpicmpidleigmpint8itabkind$: status=AuthorityBassa_VahBhaiksukiBigEndianClassINETCuneiformDiacriticFindCloseHex_DigitInheritedInterfaceKhudawadiLocalFreeMalayalamMongolianMoveFileWNabataeanPalmyreneParseBoolParseUintSamaritanSeptemberSundaneseTypeCNAMETypeHINFOTypeMINFOWSASendToWednesda$unknown wait reasonwinmm.dll not foundzero length segment markroot jobs done to unallocated span37252902984619140625Arabic Standard TimeAzores Standard TimeCertFindChainInStoreCertOpenSystemStoreWChangeServiceConfigWCheckTokenMembershipCreateProcessAsUserWCry
API String ID: 0-1247908507
Opcode ID: f321ba12e0e045ee25016f8c4be3ef7572e579a30ae853a4596b0d86777a8590
Instruction ID: 2c9da6f5b4dc61965d0123f928b69301cdff9b37100c52512ff3e4599d90c045
Opcode Fuzzy Hash: f321ba12e0e045ee25016f8c4be3ef7572e579a30ae853a4596b0d86777a8590
Instruction Fuzzy Hash: C441BDB45097458FC314EF29C181A6ABBF5FF88344F10886DE98887352E734E889DF62

Uniqueness

Uniqueness Score: -1.00%

Function 00D7A650, Relevance: 6.3, Strings: 5, Instructions: 88COMMON

Download Yara Rule

Strings

span set block with unpopped elements found in resetcompileCallback: argument size is larger than uintptrfunction symbol table not sorted by program counter: reflect.Value.Slice: string slice index out of boundsreflect: non-interface type passed to Type.Implem, xrefs: 00D7A733
attempt to clear non-empty span setencoding/hex: odd length hex stringfile type does not support deadlinefindfunc: bad findfunctab entry idxfindrunnable: netpoll with spinninggreyobject: obj not pointer-alignedmheap.freeSpanLocked - invalid freenetwork dropped, xrefs: 00D7A7B4
fully empty unfreed span set block found in resetinvalid memory address or nil pointer dereferenceinvalid or incomplete multibyte or wide characterpanicwrap: unexpected string after package name: reflect.Value.Slice: slice of unaddressable arrayruntime: unexpe, xrefs: 00D7A71D
, tail = -07:00:00244140625: status=AuthorityBassa_VahBhaiksukiBigEndianClassINETCuneiformDiacriticFindCloseHex_DigitInheritedInterfaceKhudawadiLocalFreeMalayalamMongolianMoveFileWNabataeanPalmyreneParseBoolParseUintSamaritanSeptemberSundaneseTypeCNAMETypeHINF, xrefs: 00D7A780
#, xrefs: 00D7A7BD

Memory Dump Source

Source File: 00000000.00000002.661933456.0000000000D51000.00000020.00020000.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.661927136.0000000000D50000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.662082442.0000000000E53000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.662217305.0000000000F3E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662222778.0000000000F44000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.662233308.0000000000F56000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662236659.0000000000F57000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.662240097.0000000000F59000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662243272.0000000000F5F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662246441.0000000000F63000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662249429.0000000000F77000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662252544.0000000000F7A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662256348.0000000000F7D000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.662259273.0000000000F7E000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: #$, tail = -07:00:00244140625: status=AuthorityBassa_VahBhaiksukiBigEndianClassINETCuneiformDiacriticFindCloseHex_DigitInheritedInterfaceKhudawadiLocalFreeMalayalamMongolianMoveFileWNabataeanPalmyreneParseBoolParseUintSamaritanSeptemberSundaneseTypeCNAMETypeHINF$attempt to clear non-empty span setencoding/hex: odd length hex stringfile type does not support deadlinefindfunc: bad findfunctab entry idxfindrunnable: netpoll with spinninggreyobject: obj not pointer-alignedmheap.freeSpanLocked - invalid freenetwork dropped$fully empty unfreed span set block found in resetinvalid memory address or nil pointer dereferenceinvalid or incomplete multibyte or wide characterpanicwrap: unexpected string after package name: reflect.Value.Slice: slice of unaddressable arrayruntime: unexpe$span set block with unpopped elements found in resetcompileCallback: argument size is larger than uintptrfunction symbol table not sorted by program counter: reflect.Value.Slice: string slice index out of boundsreflect: non-interface type passed to Type.Implem
API String ID: 0-502964207
Opcode ID: 1db32ea75dfaa15022118371525fe27dad0c852ccdb06195e237c09debad1255
Instruction ID: d68dcf44e24863a27a86a8379a94a3a4782654faba7d0ccbe43acc619261fe2c
Opcode Fuzzy Hash: 1db32ea75dfaa15022118371525fe27dad0c852ccdb06195e237c09debad1255
Instruction Fuzzy Hash: C741DFB45097018FC304EF28C185B2EBBE4FF88704F15882DE88887252E7789949CB73

Uniqueness

Uniqueness Score: -1.00%

Function 00D87290, Relevance: 6.3, Strings: 5, Instructions: 77COMMON

Download Yara Rule

Strings

stoplockedm: not runnableunexpected fault address unexpected key value typeunknown Go type for slice using unaddressable value1455191522836685180664062572759576141834259033203125: day-of-year out of rangeBougainville Standard TimeCentral Asia Standard TimeCert, xrefs: 00D873AE
) is not Grunnable or Gscanrunnable0123456789abcdefghijklmnopqrstuvwxyz444089209850062616169452667236328125Go pointer stored into non-Go memoryIA5String contains invalid characterUnable to determine system directoryaccessing a corrupted shared librarycompress, xrefs: 00D8737E
runtime:stoplockedm: lockedg (atomicstatus=unfinished open-coded defers in deferreturnunknown runnable goroutine during bootstrap using value obtained using unexported fieldcompileCallback: float results not supportedencoding alphabet contains newline characte, xrefs: 00D87354
stoplockedm: inconsistent lockingstruct contains unexported fieldstimer period must be non-negativetoo many Answers to pack (>65535)too many levels of symbolic linksunaligned 64-bit atomic operationwaiting for unsupported file typex509: no DEK-Info header in b, xrefs: 00D873C4
!, xrefs: 00D873CD

Memory Dump Source

Source File: 00000000.00000002.661933456.0000000000D51000.00000020.00020000.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.661927136.0000000000D50000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.662082442.0000000000E53000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.662217305.0000000000F3E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662222778.0000000000F44000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.662233308.0000000000F56000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662236659.0000000000F57000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.662240097.0000000000F59000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662243272.0000000000F5F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662246441.0000000000F63000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662249429.0000000000F77000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662252544.0000000000F7A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662256348.0000000000F7D000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.662259273.0000000000F7E000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: !$) is not Grunnable or Gscanrunnable0123456789abcdefghijklmnopqrstuvwxyz444089209850062616169452667236328125Go pointer stored into non-Go memoryIA5String contains invalid characterUnable to determine system directoryaccessing a corrupted shared librarycompress$runtime:stoplockedm: lockedg (atomicstatus=unfinished open-coded defers in deferreturnunknown runnable goroutine during bootstrap using value obtained using unexported fieldcompileCallback: float results not supportedencoding alphabet contains newline characte$stoplockedm: inconsistent lockingstruct contains unexported fieldstimer period must be non-negativetoo many Answers to pack (>65535)too many levels of symbolic linksunaligned 64-bit atomic operationwaiting for unsupported file typex509: no DEK-Info header in b$stoplockedm: not runnableunexpected fault address unexpected key value typeunknown Go type for slice using unaddressable value1455191522836685180664062572759576141834259033203125: day-of-year out of rangeBougainville Standard TimeCentral Asia Standard TimeCert
API String ID: 0-2680573957
Opcode ID: e12f51f184edbb08828dd53baf16ecd171b0ae9b900e6473866783bddd31b03d
Instruction ID: fcbe074b6c64c6bf2bcbea340658a63165cf056164850cbbb3d200d82cb5bcde
Opcode Fuzzy Hash: e12f51f184edbb08828dd53baf16ecd171b0ae9b900e6473866783bddd31b03d
Instruction Fuzzy Hash: 1D31F4B46086009FC318FF64C095B6ABBE1FF84314F15886CE8998B352DB39D845CB72

Uniqueness

Uniqueness Score: -1.00%

Function 00D665B0, Relevance: 5.4, Strings: 4, Instructions: 365COMMON

Download Yara Rule

Strings

!= sweepgen (default %q) (default %v) MB) workers= called from flushedWork heap_marked= idlethreads= in duration is nil, not nStackRoots= out of range s.spanclass= span.base()= syscalltick= work.nproc= work.nwait= , gp->status=, not pointer-byte block (, xrefs: 00D66BC3
runtime: p scheddetailsechost.dllsecur32.dllshell32.dllshort writetracealloc(unreachableuserenv.dll KiB total, [recovered] allocCount found at *( gcscandone m->gsignal= minTrigger= nDataRoots= nSpanRoots= pages/byte preemptoff= s.elemsize= s.sweepgen= span, xrefs: 00D66B6E
flushGen gfreecnt= pages at runqsize= runqueue= s.base()= spinning= stopwait= sweepgen sweepgen= targetpc= throwing= until pc=%!(NOVERB)%!Weekday((BADINDEX), bound = , limit = /dev/stdin12207031256103515625: parsing AdditionalBad varintCancelIoExChorasmian, xrefs: 00D66B99
p mcache not flushedpacer: assist ratio=preempt off reason: reflect.Value.SetIntreflect.makeFuncStubruntime: double waitruntime: unknown pc semaRoot rotateRighttime: invalid numbertrace: out of memorywirep: already in goworkbuf is not emptywrite of Go pointer , xrefs: 00D66BF7

Memory Dump Source

Source File: 00000000.00000002.661933456.0000000000D51000.00000020.00020000.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.661927136.0000000000D50000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.662082442.0000000000E53000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.662217305.0000000000F3E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662222778.0000000000F44000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.662233308.0000000000F56000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662236659.0000000000F57000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.662240097.0000000000F59000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662243272.0000000000F5F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662246441.0000000000F63000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662249429.0000000000F77000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662252544.0000000000F7A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662256348.0000000000F7D000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.662259273.0000000000F7E000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: != sweepgen (default %q) (default %v) MB) workers= called from flushedWork heap_marked= idlethreads= in duration is nil, not nStackRoots= out of range s.spanclass= span.base()= syscalltick= work.nproc= work.nwait= , gp->status=, not pointer-byte block ($ flushGen gfreecnt= pages at runqsize= runqueue= s.base()= spinning= stopwait= sweepgen sweepgen= targetpc= throwing= until pc=%!(NOVERB)%!Weekday((BADINDEX), bound = , limit = /dev/stdin12207031256103515625: parsing AdditionalBad varintCancelIoExChorasmian$p mcache not flushedpacer: assist ratio=preempt off reason: reflect.Value.SetIntreflect.makeFuncStubruntime: double waitruntime: unknown pc semaRoot rotateRighttime: invalid numbertrace: out of memorywirep: already in goworkbuf is not emptywrite of Go pointer $runtime: p scheddetailsechost.dllsecur32.dllshell32.dllshort writetracealloc(unreachableuserenv.dll KiB total, [recovered] allocCount found at *( gcscandone m->gsignal= minTrigger= nDataRoots= nSpanRoots= pages/byte preemptoff= s.elemsize= s.sweepgen= span
API String ID: 0-1623087903
Opcode ID: cd44650eda835e7326e74feebe79a9c27ded7d7d4ea4b131e20774f70e2c2867
Instruction ID: b95d6740a5e9f57ade4f01e029707492e37e98bf5bbddd9fde080f518c099592
Opcode Fuzzy Hash: cd44650eda835e7326e74feebe79a9c27ded7d7d4ea4b131e20774f70e2c2867
Instruction Fuzzy Hash: C10213B4509344CFC300EF28D584B2ABBE0FB89714F14896DE899873A2D775D889DF62

Uniqueness

Uniqueness Score: -1.00%

Function 00D8AAC0, Relevance: 5.3, Strings: 4, Instructions: 285COMMON

Download Yara Rule

Strings

newproc: function arguments too large for new goroutineos: invalid use of WriteAt on file opened with O_APPENDreflect.FuncOf: last arg of variadic func must be slicereflect: internal error: invalid use of makeMethodValueb4050a850c04b3abf54132565044b0b7d7bfd8ba, xrefs: 00D8AF08
newproc1: new g is not Gdeadnewproc1: newg missing stackos: process already finishedprotocol driver not attachedreflect.MakeSlice: len > capreflect: In of non-func typeregion exceeds uintptr rangeruntime.semasleep unexpectedruntime: casgstatus: oldval=runtime:, xrefs: 00D8AEDC
7, xrefs: 00D8AF11
go of nil func valuegopark: bad g statusinvalid request codeinvalid write resultis a named type filekey has been revokedmalloc during signalnotetsleep not on g0number has no digitsp mcache not flushedpacer: assist ratio=preempt off reason: reflect.Value.SetInt, xrefs: 00D8AF28

Memory Dump Source

Source File: 00000000.00000002.661933456.0000000000D51000.00000020.00020000.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.661927136.0000000000D50000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.662082442.0000000000E53000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.662217305.0000000000F3E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662222778.0000000000F44000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.662233308.0000000000F56000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662236659.0000000000F57000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.662240097.0000000000F59000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662243272.0000000000F5F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662246441.0000000000F63000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662249429.0000000000F77000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662252544.0000000000F7A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662256348.0000000000F7D000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.662259273.0000000000F7E000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: 7$go of nil func valuegopark: bad g statusinvalid request codeinvalid write resultis a named type filekey has been revokedmalloc during signalnotetsleep not on g0number has no digitsp mcache not flushedpacer: assist ratio=preempt off reason: reflect.Value.SetInt$newproc1: new g is not Gdeadnewproc1: newg missing stackos: process already finishedprotocol driver not attachedreflect.MakeSlice: len > capreflect: In of non-func typeregion exceeds uintptr rangeruntime.semasleep unexpectedruntime: casgstatus: oldval=runtime:$newproc: function arguments too large for new goroutineos: invalid use of WriteAt on file opened with O_APPENDreflect.FuncOf: last arg of variadic func must be slicereflect: internal error: invalid use of makeMethodValueb4050a850c04b3abf54132565044b0b7d7bfd8ba
API String ID: 0-1174078676
Opcode ID: 4472370571bf242f976e8ce7240445e79d0903b0b1d00f5b9fa02b2f7277785e
Instruction ID: 6a872b10a37969ac1aee05f51999bedddaf21a5f944e7751160d1e6b8e82a90c
Opcode Fuzzy Hash: 4472370571bf242f976e8ce7240445e79d0903b0b1d00f5b9fa02b2f7277785e
Instruction Fuzzy Hash: 11D12AB4609300CFD718EF18C590A6ABBE1FF88704F158AADE8998B352D734D945DF62

Uniqueness

Uniqueness Score: -1.00%

Function 00D74BB0, Relevance: 5.3, Strings: 4, Instructions: 264COMMON

Download Yara Rule

Strings

runtime: npages = runtime: range = {sequence truncatedstreams pipe errorsystem page size (tracebackancestorstruncated sequenceuse of closed filevalue out of range called using nil *, g->atomicstatus=, gp->atomicstatus=149011611938476562520060102150405Z0700745, xrefs: 00D756AA
] = (arraychmodclosedeferfalsefaultfloatgFreegcinggscanhchanhttpsimap2imap3imapsinit int16int32int64limitmheapmonthntldrntohspanicpop3sscav schedsleepslicesse41sse42ssse3sudogsweeptraceuint8usagevaluewinntwrite Value addr= alloc base code= ctxt: curg= free g, xrefs: 00D7560C
bad summary databad symbol tablebinary.BigEndiancastogscanstatuscontext canceleddivision by zerogc: unswept spangcshrinkstackoffinteger overflowinvalid argumentinvalid exchangeinvalid g statusinvalid spdelta length too largemSpanList.insertmSpanList.removemess, xrefs: 00D756E1, 00D7570F
runtime: summary[runtime: textOff runtime: typeOff scanobject n == 0select (no cases)stack: frame={sp:swept cached spanthread exhaustionunknown caller pcwait for GC cyclewine_get_version, xrefs: 00D755B4

Memory Dump Source

Source File: 00000000.00000002.661933456.0000000000D51000.00000020.00020000.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.661927136.0000000000D50000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.662082442.0000000000E53000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.662217305.0000000000F3E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662222778.0000000000F44000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.662233308.0000000000F56000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662236659.0000000000F57000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.662240097.0000000000F59000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662243272.0000000000F5F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662246441.0000000000F63000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662249429.0000000000F77000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662252544.0000000000F7A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662256348.0000000000F7D000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.662259273.0000000000F7E000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: ] = (arraychmodclosedeferfalsefaultfloatgFreegcinggscanhchanhttpsimap2imap3imapsinit int16int32int64limitmheapmonthntldrntohspanicpop3sscav schedsleepslicesse41sse42ssse3sudogsweeptraceuint8usagevaluewinntwrite Value addr= alloc base code= ctxt: curg= free g$bad summary databad symbol tablebinary.BigEndiancastogscanstatuscontext canceleddivision by zerogc: unswept spangcshrinkstackoffinteger overflowinvalid argumentinvalid exchangeinvalid g statusinvalid spdelta length too largemSpanList.insertmSpanList.removemess$runtime: npages = runtime: range = {sequence truncatedstreams pipe errorsystem page size (tracebackancestorstruncated sequenceuse of closed filevalue out of range called using nil *, g->atomicstatus=, gp->atomicstatus=149011611938476562520060102150405Z0700745$runtime: summary[runtime: textOff runtime: typeOff scanobject n == 0select (no cases)stack: frame={sp:swept cached spanthread exhaustionunknown caller pcwait for GC cyclewine_get_version
API String ID: 0-2808297985
Opcode ID: 06a347a20ff7793e24bdd6c24ea12cf4681ffbfcf2c970591eb16c11eae47fc2
Instruction ID: 01faef3d2f7a3495731aaa9906d5e365c08d726005c8afb138e15647a5e6e93c
Opcode Fuzzy Hash: 06a347a20ff7793e24bdd6c24ea12cf4681ffbfcf2c970591eb16c11eae47fc2
Instruction Fuzzy Hash: C0C17CB55097048FD324EF68D48176EBBE5FF88304F51882CE9D987382EB749945CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00D85B00, Relevance: 5.2, Strings: 4, Instructions: 230
COMMON

Download Yara Rule

C-Code - Quality: 37%

			E00D85B00(void* __ebx, char** __edi) {
				intOrPtr _t86;
				signed int _t89;
				signed int _t95;
				char* _t96;
				char* _t100;
				signed int _t106;
				signed char _t109;
				signed int _t112;
				intOrPtr _t118;
				signed int _t121;
				signed int _t122;
				signed int* _t139;
				intOrPtr _t147;
				signed int _t149;
				char* _t150;
				char* _t153;
				char* _t154;
				char* _t155;
				char* _t161;
				signed int _t163;
				signed int _t164;
				intOrPtr _t169;
				void* _t170;
				signed int _t171;
				char* _t172;
				signed int _t173;
				void* _t177;
				char** _t178;

				L0:
				while(1) {
					L0:
					_t167 = __edi;
					if(_t177 <=  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x14])) + 0xc))) {
						goto L47;
					}
					L1:
					_t178 = _t177 - 0x30;
					_t86 =  *((intOrPtr*)( *[fs:0x14]));
					( *(_t86 + 0x18))[0x78] =  &(1[( *(_t86 + 0x18))[0x78]]);
					_t178[9] =  *(_t86 + 0x18);
					_t178[0xb] =  *( *((intOrPtr*)( *((intOrPtr*)( *[fs:0x14])) + 0x18)) + 0x54);
					 *_t178 = 0xf5ae58;
					L00D59600(__ebx);
					_t89 =  *0xf5aefc; // 0x0
					if(_t89 != 0) {
						L46:
						 *_t178 =  &M00E84DD1;
						_t178[1] = 0x22;
						E00D80D70();
						goto L47;
					}
					L2:
					_t147 =  *0xf7781c; // 0x4
					 *0xf5aefc = _t147 - 1;
					_t149 =  *0xf779c0; // 0x0
					if(_t149 != 0) {
						_t167 = 0xf5aef8;
						L00DA9DE0(_t178[0xd], __ebx, _t149, 0xf5ae58, 0xf5aef8, _t169, _t170);
					} else {
						 *0xf5aef8 = _t178[0xd];
					}
					_t150 =  *0xf5aab0; // 0x11404010
					_t178[0xa] = _t150;
					_t161 =  *0xf5aab4; // 0x4
					_t178[6] = _t161;
					_t137 = _t178[0xb];
					_t171 = 0;
					L6:
					while(_t171 < _t161) {
						_t169 =  *((intOrPtr*)(_t150 + _t171 * 4));
						if(_t137 != _t169) {
							_t178[5] = _t171;
							 *_t178 = _t169 + 0x13a8;
							_t178[1] = 1;
							E00D52170();
							_t150 = _t178[0xa];
							_t161 = _t178[6];
							_t137 = _t178[0xb];
							_t171 = _t178[5];
						}
						_t171 =  &(1[_t171]);
					}
					E00D8D420();
					_t95 =  *0xf5ae84; // 0x1141f500
					while(1) {
						L11:
						__eflags = _t95;
						if(__eflags == 0) {
							break;
						}
						L12:
						_t178[7] = _t95;
						_t29 = _t95 + 0x13a8; // 0x114208a8
						 *_t178 = _t29;
						_t178[1] = 1;
						_t178[2] = 0;
						E00D51FC0(__eflags);
						__eflags = _t178[3] & 0x000000ff;
						if((_t178[3] & 0x000000ff) != 0) {
							 *_t178 = _t178[7];
							 *( *(_t178[0xd]))();
							 *0xf5aefc =  *0xf5aefc - 1;
						}
						_t95 = _t178[7][8];
					}
					L14:
					_t96 =  *0xf5aefc; // 0x0
					_t178[4] = _t96;
					 *_t178 = 0xf5ae58;
					E00D59810(_t137);
					 *_t178 = _t178[0xb];
					 *( *(_t178[0xd]))();
					_t100 =  *0xf5aab0; // 0x11404010
					_t178[0xa] = _t100;
					_t153 =  *0xf5aab4; // 0x4
					_t178[6] = _t153;
					_t163 = 0;
					while(1) {
						L16:
						__eflags = _t163 - _t153;
						if(_t163 >= _t153) {
							break;
						}
						L17:
						_t178[5] = _t163;
						_t137 =  *(_t100 + _t163 * 4);
						_t178[8] = _t137;
						_t172 =  *(_t137 + 4);
						__eflags = _t172 - 2;
						if(_t172 != 2) {
							_t173 = 0;
						} else {
							__eflags =  *((intOrPtr*)(_t137 + 0x13a8)) - 1;
							if(__eflags == 0) {
								 *_t178 = _t137 + 4;
								_t178[1] = _t172;
								_t178[2] = 0;
								E00D51FC0(__eflags);
								_t173 = _t178[3] & 0x000000ff;
								_t100 = _t178[0xa];
								_t153 = _t178[6];
								_t163 = _t178[5];
								_t137 = _t178[8];
							} else {
								_t173 = 0;
								__eflags = 0;
							}
						}
						_t121 = _t173;
						__eflags = _t121;
						_t171 = _t121;
						if(_t121 != 0) {
							_t122 =  *0xf63b48 & 0x000000ff;
							__eflags = _t122;
							_t171 = _t122;
							if(_t122 != 0) {
								 *_t178 = _t137;
								E00D9C790();
								 *_t178 = _t178[8];
								L00D9BED0();
								_t137 = _t178[8];
							}
							 *((intOrPtr*)(_t137 + 0x10)) =  *((intOrPtr*)(_t137 + 0x10)) + 1;
							 *_t178 = _t137;
							L00D86F10(_t137, _t163, _t167, _t169);
							_t100 = _t178[0xa];
							_t153 = _t178[6];
							_t163 = _t178[5];
						}
						_t163 =  &(1[_t163]);
						__eflags = _t163;
					}
					L26:
					__eflags = _t178[4];
					if(_t178[4] > 0) {
						while(1) {
							L41:
							 *_t178 = 0xf5af00;
							_t178[2] = 0;
							_t178[1] = 0x186a0;
							E00D59DA0();
							__eflags = _t178[3] & 0x000000ff;
							if((_t178[3] & 0x000000ff) != 0) {
								break;
							}
							L40:
							E00D8D420();
						}
						L42:
						 *0xf5af00 = 0;
					}
					L27:
					_t106 =  *0xf5aefc; // 0x0
					__eflags = _t106;
					if(_t106 != 0) {
						L45:
						 *_t178 = 0xe7f985;
						_t178[1] = 0x12;
						E00D80D70();
						goto L46;
					}
					L28:
					_t109 =  *0xf5aab0; // 0x11404010
					_t154 =  *0xf5aab4; // 0x4
					_t164 = 0;
					while(1) {
						L30:
						__eflags = _t164 - _t154;
						if(_t164 >= _t154) {
							break;
						}
						L31:
						_t139 =  *(_t109 + _t164 * 4);
						__eflags =  *_t139 & _t109;
						_t137 = _t139[0x4ea];
						__eflags = _t139[0x4ea];
						if(_t139[0x4ea] == 0) {
							L29:
							_t164 =  &(1[_t164]);
							__eflags = _t164;
							continue;
						}
						L32:
						 *_t178 = "forEachP: P did not run fnfreedefer with d.fn != nilinitSpan: unaligned lengthinvalid request descriptorname not unique on networkno CSI structure availableno message of desired typenotewakeup - double wakeupout of memory (stackalloc)persistentalloc: size == 0required key not availableruntime: bad span s.state=segment prefix is reservedshrinking stack in libcallstartlockedm: locked to metruncated base 128 integer is not assignable to type 363797880709171295166015625AddVectoredContinueHandler";
						_t178[1] = 0x1a;
						E00D80D70();
						goto L45;
					}
					L33:
					 *_t178 = 0xf5ae58;
					L00D59600(_t137);
					_t112 =  *0xf779c0; // 0x0
					__eflags = _t112;
					if(_t112 != 0) {
						L00DA9DE0(0, _t137, _t154, _t164, 0xf5aef8, _t169, _t171);
					} else {
						 *0xf5aef8 = 0;
					}
					 *_t178 = 0xf5ae58;
					E00D59810(_t137);
					_t118 =  *((intOrPtr*)( *[fs:0x14]));
					_t155 = _t178[9];
					_t73 = _t155[0x78] - 1; // -1
					_t155[0x78] = _t73;
					__eflags = _t155[0x78] - 1;
					if(_t155[0x78] == 1) {
						__eflags =  *(_t118 + 0x65) & 0x000000ff;
						if(( *(_t118 + 0x65) & 0x000000ff) != 0) {
							 *((intOrPtr*)(_t118 + 8)) = 0xfffffade;
						}
					}
					return _t118;
					L47:
					E00DA73F0(__eflags);
				}
			}

0x00d85b00
0x00d85b00
0x00d85b00
0x00d85b00
0x00d85b10
0x00000000
0x00000000
0x00d85b16
0x00d85b16
0x00d85b20
0x00d85b2a
0x00d85b44
0x00d85b48
0x00d85b53
0x00d85b56
0x00d85b5b
0x00d85b63
0x00d85e57
0x00d85e5d
0x00d85e60
0x00d85e68
0x00000000
0x00d85e68
0x00d85b69
0x00d85b69
0x00d85b70
0x00d85b76
0x00d85b7e
0x00d85e17
0x00d85e21
0x00d85b84
0x00d85b88
0x00d85b88
0x00d85b8e
0x00d85b94
0x00d85b98
0x00d85b9e
0x00d85ba2
0x00d85ba6
0x00000000
0x00d85bab
0x00d85baf
0x00d85bb4
0x00d85bb6
0x00d85bc2
0x00d85bc5
0x00d85bcd
0x00d85bd6
0x00d85bda
0x00d85bde
0x00d85be2
0x00d85be2
0x00d85baa
0x00d85baa
0x00d85be8
0x00d85bed
0x00d85bfc
0x00d85bfc
0x00d85bfc
0x00d85bfe
0x00000000
0x00000000
0x00d85c00
0x00d85c00
0x00d85c04
0x00d85c0a
0x00d85c0d
0x00d85c15
0x00d85c1d
0x00d85c27
0x00d85c29
0x00d85c35
0x00d85c38
0x00d85c3a
0x00d85c3a
0x00d85bf9
0x00d85bf9
0x00d85c42
0x00d85c42
0x00d85c48
0x00d85c54
0x00d85c57
0x00d85c66
0x00d85c69
0x00d85c6b
0x00d85c71
0x00d85c75
0x00d85c7b
0x00d85c7f
0x00d85c84
0x00d85c84
0x00d85c84
0x00d85c86
0x00000000
0x00000000
0x00d85c8c
0x00d85c8c
0x00d85c90
0x00d85c93
0x00d85c97
0x00d85c9a
0x00d85c9d
0x00d85d1e
0x00d85c9f
0x00d85c9f
0x00d85ca6
0x00d85cf3
0x00d85cf6
0x00d85cfa
0x00d85d02
0x00d85d07
0x00d85d0c
0x00d85d10
0x00d85d14
0x00d85d18
0x00d85ca8
0x00d85ca8
0x00d85ca8
0x00d85ca8
0x00d85ca6
0x00d85caa
0x00d85cab
0x00d85cad
0x00d85cae
0x00d85cb7
0x00d85cb8
0x00d85cba
0x00d85cbb
0x00d85cd6
0x00d85cd9
0x00d85ce2
0x00d85ce5
0x00d85cea
0x00d85cea
0x00d85cbd
0x00d85cc0
0x00d85cc3
0x00d85cc8
0x00d85ccc
0x00d85cd0
0x00d85cd0
0x00d85c83
0x00d85c83
0x00d85c83
0x00d85d22
0x00d85d26
0x00d85d28
0x00d85de0
0x00d85de0
0x00d85de6
0x00d85de9
0x00d85df1
0x00d85df9
0x00d85e03
0x00d85e05
0x00000000
0x00000000
0x00d85ddb
0x00d85ddb
0x00d85ddb
0x00d85e08
0x00d85e08
0x00d85e08
0x00d85d2e
0x00d85d2e
0x00d85d34
0x00d85d36
0x00d85e41
0x00d85e47
0x00d85e4a
0x00d85e52
0x00000000
0x00d85e52
0x00d85d3c
0x00d85d3c
0x00d85d42
0x00d85d48
0x00d85d4d
0x00d85d4d
0x00d85d4d
0x00d85d4f
0x00000000
0x00000000
0x00d85d51
0x00d85d51
0x00d85d54
0x00d85d56
0x00d85d5c
0x00d85d5e
0x00d85d4c
0x00d85d4c
0x00d85d4c
0x00000000
0x00d85d4c
0x00d85d60
0x00d85e31
0x00d85e34
0x00d85e3c
0x00000000
0x00d85e3c
0x00d85d67
0x00d85d6d
0x00d85d70
0x00d85d75
0x00d85d7b
0x00d85d7d
0x00d85dd4
0x00d85d7f
0x00d85d7f
0x00d85d7f
0x00d85d91
0x00d85d94
0x00d85da1
0x00d85da7
0x00d85dae
0x00d85db1
0x00d85db4
0x00d85db7
0x00d85dbd
0x00d85dbf
0x00d85dc1
0x00d85dc1
0x00d85dbf
0x00d85dcb
0x00d85e6e
0x00d85e6e
0x00d85e6e

Strings

forEachP: sched.safePointWait != 0illegal base64 data at input byte invalid padding bits in BIT STRINGmspan.ensureSwept: m is not lockedout of memory allocating allArenasreflect.FuncOf: too many argumentsreflect: ChanDir of non-chan type reflect: Field index o, xrefs: 00D85E57
", xrefs: 00D85E60
forEachP: P did not run fnfreedefer with d.fn != nilinitSpan: unaligned lengthinvalid request descriptorname not unique on networkno CSI structure availableno message of desired typenotewakeup - double wakeupout of memory (stackalloc)persistentalloc: size == 0, xrefs: 00D85E2B
forEachP: not donegarbage collectionidentifier removedindex out of rangeinput/output errormultihop attemptedno child processesno locks availablenon-minimal lengthoperation canceledread_me_unlock.txtreflect.Value.Elemreflect.Value.Typereflect.Value.Uintreflect:, xrefs: 00D85E41

Memory Dump Source

Source File: 00000000.00000002.661933456.0000000000D51000.00000020.00020000.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.661927136.0000000000D50000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.662082442.0000000000E53000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.662217305.0000000000F3E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662222778.0000000000F44000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.662233308.0000000000F56000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662236659.0000000000F57000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.662240097.0000000000F59000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662243272.0000000000F5F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662246441.0000000000F63000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662249429.0000000000F77000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662252544.0000000000F7A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662256348.0000000000F7D000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.662259273.0000000000F7E000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: "$forEachP: P did not run fnfreedefer with d.fn != nilinitSpan: unaligned lengthinvalid request descriptorname not unique on networkno CSI structure availableno message of desired typenotewakeup - double wakeupout of memory (stackalloc)persistentalloc: size == 0$forEachP: not donegarbage collectionidentifier removedindex out of rangeinput/output errormultihop attemptedno child processesno locks availablenon-minimal lengthoperation canceledread_me_unlock.txtreflect.Value.Elemreflect.Value.Typereflect.Value.Uintreflect:$forEachP: sched.safePointWait != 0illegal base64 data at input byte invalid padding bits in BIT STRINGmspan.ensureSwept: m is not lockedout of memory allocating allArenasreflect.FuncOf: too many argumentsreflect: ChanDir of non-chan type reflect: Field index o
API String ID: 0-1986939886
Opcode ID: e84d1c9c8e6d66647cdb46040b6b32760b4953e1c6c415b8b636cc98e407369d
Instruction ID: 370dc71abe1a10b114428525b3e65ff923c53beba256c7e3f9c75b508b8e830c
Opcode Fuzzy Hash: e84d1c9c8e6d66647cdb46040b6b32760b4953e1c6c415b8b636cc98e407369d
Instruction Fuzzy Hash: 6AA12874608705CFC704EF24E484A2ABBE1FF88705F14896DE9858B366D734E989DF62

Uniqueness

Uniqueness Score: -1.00%

Function 00D7B800, Relevance: 5.2, Strings: 4, Instructions: 227COMMON

Download Yara Rule

Strings

) *( - < > m= n=%: +00+01+03+04+05+06+07+08+09+10+11+12+13+14-01-02-03-04-05-06-08-09-11-12125625???ADTASTAprAugBSTCATCDTCETCSTDecDltEATEDTEETEOFESTFebFriGMTHDTHSTHanIDTISTJSTJanJulJunKSTLaoMD4MD5MDTMSKMSTMarMayMonMroNDTNSTNULNaNNkoNovOctPC=PDTPKTPSTSETSa, xrefs: 00D7BB6F
4, xrefs: 00D7BB4D
runtime: netpoll failedruntime: s.allocCount= s.allocCount > s.nelemsschedule: holding lockssegment length too longshrinkstack at bad timespan has no free stacksstack growth after forksyntax error in patternsystem huge page size (time: invalid duration too man, xrefs: 00D7BB8A
runtime: GetQueuedCompletionStatusEx failed (errno= runtime: use of FixAlloc_Alloc before FixAlloc_Initspan set block with unpopped elements found in resetcompileCallback: argument size is larger than uintptrfunction symbol table not sorted by program counter, xrefs: 00D7BB44

Memory Dump Source

Source File: 00000000.00000002.661933456.0000000000D51000.00000020.00020000.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.661927136.0000000000D50000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.662082442.0000000000E53000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.662217305.0000000000F3E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662222778.0000000000F44000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.662233308.0000000000F56000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662236659.0000000000F57000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.662240097.0000000000F59000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662243272.0000000000F5F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662246441.0000000000F63000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662249429.0000000000F77000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662252544.0000000000F7A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662256348.0000000000F7D000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.662259273.0000000000F7E000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: ) *( - < > m= n=%: +00+01+03+04+05+06+07+08+09+10+11+12+13+14-01-02-03-04-05-06-08-09-11-12125625???ADTASTAprAugBSTCATCDTCETCSTDecDltEATEDTEETEOFESTFebFriGMTHDTHSTHanIDTISTJSTJanJulJunKSTLaoMD4MD5MDTMSKMSTMarMayMonMroNDTNSTNULNaNNkoNovOctPC=PDTPKTPSTSETSa$4$runtime: GetQueuedCompletionStatusEx failed (errno= runtime: use of FixAlloc_Alloc before FixAlloc_Initspan set block with unpopped elements found in resetcompileCallback: argument size is larger than uintptrfunction symbol table not sorted by program counter$runtime: netpoll failedruntime: s.allocCount= s.allocCount > s.nelemsschedule: holding lockssegment length too longshrinkstack at bad timespan has no free stacksstack growth after forksyntax error in patternsystem huge page size (time: invalid duration too man
API String ID: 0-3073213288
Opcode ID: c3d74a8745ef93e9ba857cddf19a2aa3b9037c00407d2210cf38fa4b9ba461d6
Instruction ID: 773ce481d1df247de5ed5b998b0cda234c93e32912137c8317248b85859ff03a
Opcode Fuzzy Hash: c3d74a8745ef93e9ba857cddf19a2aa3b9037c00407d2210cf38fa4b9ba461d6
Instruction Fuzzy Hash: 769148B06093558FD364EF24C480B5EB7E1BB88358F448A2EE99C87391E774D845CBA3

Uniqueness

Uniqueness Score: -1.00%

Function 00D7E350, Relevance: 5.2, Strings: 4, Instructions: 219COMMON

Download Yara Rule

Strings

self-preemptshort bufferspanSetSpinesweepWaiterstraceStringswintrust.dllwirep: p->m=worker mode wtsapi32.dll != sweepgen (default %q) (default %v) MB) workers= called from flushedWork heap_marked= idlethreads= in duration is nil, not nStackRoots= out of r, xrefs: 00D7E739
(, xrefs: 00D7E72C
runtime.preemptM: duplicatehandle failedruntime: out of memory: cannot allocate runtime: typeBitsBulkBarrier with type x509: trailing data after DSA parametersx509: trailing data after DSA public keyx509: trailing data after RSA public key34694469519536141888, xrefs: 00D7E723
runtime.preemptM: duplicatehandle failed; errno=runtime: waitforsingleobject unexpected; result=runtime: waitforsingleobject wait_failed; errno=slice bounds out of range [:%x] with capacity %ystrconv: illegal AppendFloat/FormatFloat bitSizecasgstatus: waiting , xrefs: 00D7E6EF

Memory Dump Source

Source File: 00000000.00000002.661933456.0000000000D51000.00000020.00020000.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.661927136.0000000000D50000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.662082442.0000000000E53000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.662217305.0000000000F3E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662222778.0000000000F44000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.662233308.0000000000F56000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662236659.0000000000F57000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.662240097.0000000000F59000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662243272.0000000000F5F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662246441.0000000000F63000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662249429.0000000000F77000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662252544.0000000000F7A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662256348.0000000000F7D000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.662259273.0000000000F7E000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: ($runtime.preemptM: duplicatehandle failed; errno=runtime: waitforsingleobject unexpected; result=runtime: waitforsingleobject wait_failed; errno=slice bounds out of range [:%x] with capacity %ystrconv: illegal AppendFloat/FormatFloat bitSizecasgstatus: waiting $runtime.preemptM: duplicatehandle failedruntime: out of memory: cannot allocate runtime: typeBitsBulkBarrier with type x509: trailing data after DSA parametersx509: trailing data after DSA public keyx509: trailing data after RSA public key34694469519536141888$self-preemptshort bufferspanSetSpinesweepWaiterstraceStringswintrust.dllwirep: p->m=worker mode wtsapi32.dll != sweepgen (default %q) (default %v) MB) workers= called from flushedWork heap_marked= idlethreads= in duration is nil, not nStackRoots= out of r
API String ID: 0-865808360
Opcode ID: 2088274f90c4a982ea9d21a527f8441fc8612c8ae404d6dd7c2e83c4397805c2
Instruction ID: c20412e676d2c623e712ca935c6820ad8e747f5b5216f30c256422d0f88884d7
Opcode Fuzzy Hash: 2088274f90c4a982ea9d21a527f8441fc8612c8ae404d6dd7c2e83c4397805c2
Instruction Fuzzy Hash: 7DA1F3B45097448FC724EF24C585BAEBBE5FF89704F04896CE88C97392E7349948DB62

Uniqueness

Uniqueness Score: -1.00%

Function 00D93CC0, Relevance: 5.2, Strings: 4, Instructions: 206COMMON

Download Yara Rule

Strings

stack growth not allowed in system callsuspendG from non-preemptible goroutinetags don't match (%d vs %+v) %+v %s @%dtransport endpoint is already connected13877787807814456755295395851135253906256938893903907228377647697925567626953125MapIter.Key called on ex, xrefs: 00D93FAC
racy sudog adjustment due to parking on channelruntime: CreateIoCompletionPort failed (errno= slice bounds out of range [::%x] with length %yCreateWaitableTimerEx when creating timer failedcould not find GetSystemTimeAsFileTime() syscallparsing/packing of this, xrefs: 00D93F80
nil stackbaseout of memoryparsing time powrprof.dll, xrefs: 00D93F96
', xrefs: 00D93FB5

Memory Dump Source

Source File: 00000000.00000002.661933456.0000000000D51000.00000020.00020000.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.661927136.0000000000D50000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.662082442.0000000000E53000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.662217305.0000000000F3E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662222778.0000000000F44000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.662233308.0000000000F56000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662236659.0000000000F57000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.662240097.0000000000F59000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662243272.0000000000F5F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662246441.0000000000F63000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662249429.0000000000F77000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662252544.0000000000F7A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662256348.0000000000F7D000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.662259273.0000000000F7E000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: '$nil stackbaseout of memoryparsing time powrprof.dll$racy sudog adjustment due to parking on channelruntime: CreateIoCompletionPort failed (errno= slice bounds out of range [::%x] with length %yCreateWaitableTimerEx when creating timer failedcould not find GetSystemTimeAsFileTime() syscallparsing/packing of this$stack growth not allowed in system callsuspendG from non-preemptible goroutinetags don't match (%d vs %+v) %+v %s @%dtransport endpoint is already connected13877787807814456755295395851135253906256938893903907228377647697925567626953125MapIter.Key called on ex
API String ID: 0-1732042568
Opcode ID: 0df92908dfb592c9d84d89831a749e01b7e071fc6788d09734c94492e2251bbb
Instruction ID: 5cc31ba2a2b873bf746d81cabc6049ca94434f3952bc17a2afb5d54d4656f944
Opcode Fuzzy Hash: 0df92908dfb592c9d84d89831a749e01b7e071fc6788d09734c94492e2251bbb
Instruction Fuzzy Hash: 1D91DF74A093408FCB58DF28C180A6AFBF1BF88700F548A2EF89987355D770E945CB66

Uniqueness

Uniqueness Score: -1.00%

Function 00D61960, Relevance: 5.2, Strings: 4, Instructions: 198COMMON

Download Yara Rule

Strings

+, xrefs: 00D61C29
heapBitsSetTypeGCProg: unexpected bit countinterrupted system call should be restartedmultiple Read calls return no data or errornon in-use span found with specials bit setreflect: nil type passed to Type.Implementsroot level max pages doesn't fit in summaryru, xrefs: 00D61C20
but progSize nmidlelocked= on zero Value out of range procedure in to finalizer untyped args -thread limit1907348632812595367431640625: extra text: CertCloseStoreCoInitializeExCoUninitializeControlServiceCreateEventExWCreateMutexExWCreateProcessWCreateSe, xrefs: 00D61BEC
runtime: heapBitsSetTypeGCProg: total bits runtime: releaseSudog with non-nil gp.paramruntime:stoplockedm: lockedg (atomicstatus=unfinished open-coded defers in deferreturnunknown runnable goroutine during bootstrap using value obtained using unexported fieldc, xrefs: 00D61BC2

Memory Dump Source

Source File: 00000000.00000002.661933456.0000000000D51000.00000020.00020000.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.661927136.0000000000D50000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.662082442.0000000000E53000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.662217305.0000000000F3E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662222778.0000000000F44000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.662233308.0000000000F56000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662236659.0000000000F57000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.662240097.0000000000F59000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662243272.0000000000F5F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662246441.0000000000F63000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662249429.0000000000F77000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662252544.0000000000F7A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662256348.0000000000F7D000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.662259273.0000000000F7E000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: but progSize nmidlelocked= on zero Value out of range procedure in to finalizer untyped args -thread limit1907348632812595367431640625: extra text: CertCloseStoreCoInitializeExCoUninitializeControlServiceCreateEventExWCreateMutexExWCreateProcessWCreateSe$+$heapBitsSetTypeGCProg: unexpected bit countinterrupted system call should be restartedmultiple Read calls return no data or errornon in-use span found with specials bit setreflect: nil type passed to Type.Implementsroot level max pages doesn't fit in summaryru$runtime: heapBitsSetTypeGCProg: total bits runtime: releaseSudog with non-nil gp.paramruntime:stoplockedm: lockedg (atomicstatus=unfinished open-coded defers in deferreturnunknown runnable goroutine during bootstrap using value obtained using unexported fieldc
API String ID: 0-523369342
Opcode ID: eca379deed15aa05f3441a7d33805a7135718494c7363b44daa45593e03ca7e2
Instruction ID: 877d04c2997b95ffac464163b86a29569d6baf48e83adaa04b8d1beb16580eca
Opcode Fuzzy Hash: eca379deed15aa05f3441a7d33805a7135718494c7363b44daa45593e03ca7e2
Instruction Fuzzy Hash: 0A713E786093118BC708EF6CC4D532EB6D2EB95704F19892DE5C987382DA39CD49CBB2

Uniqueness

Uniqueness Score: -1.00%

Function 00D8FF10, Relevance: 5.2, Strings: 4, Instructions: 183COMMON

Download Yara Rule

Strings

GOTRACEBACKGetFileTypeIdeographicMedefaidrinMessageBoxWMoveFileExWNandinagariNetShareAddNetShareDelNew_Tai_LueOld_PersianOld_SogdianOpenProcessPau_Cin_HauRegCloseKeySHA-512/224SHA-512/256SetFileTimeSignWritingSoft_DottedVirtualFreeVirtualLockWSARecvFromWarang_, xrefs: 00D90172
GODEBUGGranthaHanunooIO waitJanuaryKannadaMUI_DltMUI_StdMakasarMandaicMarchenMultaniMyanmarOctoberOsmanyaRadicalSHA-224SHA-256SHA-384SHA-512SharadaShavianSiddhamSinhalaSleepExSogdianSoyomboSwapperTagalogTibetanTirhutaTuesdayTypeALLTypeOPTTypePTRTypeSOATypeSRVT, xrefs: 00D8FF3D
=, xrefs: 00D8FFB1
memprofileratenil elem type!no module datano such devicentuser.dat.logpollCache.lockprotocol errorruntime: full=s.allocCount= semaRoot queuestack overflowstopm spinningstore64 failedsync.Cond.Waittext file busytimeEndPeriod, xrefs: 00D900BD

Memory Dump Source

Source File: 00000000.00000002.661933456.0000000000D51000.00000020.00020000.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.661927136.0000000000D50000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.662082442.0000000000E53000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.662217305.0000000000F3E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662222778.0000000000F44000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.662233308.0000000000F56000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662236659.0000000000F57000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.662240097.0000000000F59000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662243272.0000000000F5F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662246441.0000000000F63000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662249429.0000000000F77000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662252544.0000000000F7A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662256348.0000000000F7D000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.662259273.0000000000F7E000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: =$GODEBUGGranthaHanunooIO waitJanuaryKannadaMUI_DltMUI_StdMakasarMandaicMarchenMultaniMyanmarOctoberOsmanyaRadicalSHA-224SHA-256SHA-384SHA-512SharadaShavianSiddhamSinhalaSleepExSogdianSoyomboSwapperTagalogTibetanTirhutaTuesdayTypeALLTypeOPTTypePTRTypeSOATypeSRVT$GOTRACEBACKGetFileTypeIdeographicMedefaidrinMessageBoxWMoveFileExWNandinagariNetShareAddNetShareDelNew_Tai_LueOld_PersianOld_SogdianOpenProcessPau_Cin_HauRegCloseKeySHA-512/224SHA-512/256SetFileTimeSignWritingSoft_DottedVirtualFreeVirtualLockWSARecvFromWarang_$memprofileratenil elem type!no module datano such devicentuser.dat.logpollCache.lockprotocol errorruntime: full=s.allocCount= semaRoot queuestack overflowstopm spinningstore64 failedsync.Cond.Waittext file busytimeEndPeriod
API String ID: 0-1681193934
Opcode ID: 7a08260e0b778573640d2e0f710f1ef08032ffae03a12d501016a4784b21add4
Instruction ID: 7ba2e46136ccfa24b359343030096412756e990d1a9d2e623bcaa23fb6bc72a2
Opcode Fuzzy Hash: 7a08260e0b778573640d2e0f710f1ef08032ffae03a12d501016a4784b21add4
Instruction Fuzzy Hash: B781F0746093419FCB08EF28D490A2ABBE2BFC9340F54892DF89997351D731E949DB62

Uniqueness

Uniqueness Score: -1.00%

Function 00D72A20, Relevance: 5.2, Strings: 4, Instructions: 174COMMON

Download Yara Rule

Strings

in use) lockedg= lockedm= m->curg= marked method: ms cpu, not in [ runtime= s.limit= s.state= threads= u_a/u_g= unmarked wbuf1.n= wbuf2.n=%!(EXTRA (MISSING)(unknown), newval=, oldval=, size = , tail = -07:00:00244140625: status=AuthorityBassa_VahBhaiksuk, xrefs: 00D72C92
runtime: out of memory: cannot allocate runtime: typeBitsBulkBarrier with type x509: trailing data after DSA parametersx509: trailing data after DSA public keyx509: trailing data after RSA public key34694469519536141888238489627838134765625MapIter.Next called, xrefs: 00D72C3E
-byte block (3814697265625CertOpenStoreCoTaskMemFreeDeleteServiceEnumProcessesExitWindowsExFindFirstFileFindNextFileWFindResourceWFreeAddrInfoWGC sweep waitGetDriveTypeWGunjala_GondiMapViewOfFileMasaram_GondiMende_KikakuiOld_HungarianRegDeleteKeyWRegEnumKeyExW, xrefs: 00D72C68
(, xrefs: 00D72C47

Memory Dump Source

Source File: 00000000.00000002.661933456.0000000000D51000.00000020.00020000.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.661927136.0000000000D50000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.662082442.0000000000E53000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.662217305.0000000000F3E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662222778.0000000000F44000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.662233308.0000000000F56000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662236659.0000000000F57000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.662240097.0000000000F59000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662243272.0000000000F5F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662246441.0000000000F63000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662249429.0000000000F77000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662252544.0000000000F7A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662256348.0000000000F7D000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.662259273.0000000000F7E000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: in use) lockedg= lockedm= m->curg= marked method: ms cpu, not in [ runtime= s.limit= s.state= threads= u_a/u_g= unmarked wbuf1.n= wbuf2.n=%!(EXTRA (MISSING)(unknown), newval=, oldval=, size = , tail = -07:00:00244140625: status=AuthorityBassa_VahBhaiksuk$($-byte block (3814697265625CertOpenStoreCoTaskMemFreeDeleteServiceEnumProcessesExitWindowsExFindFirstFileFindNextFileWFindResourceWFreeAddrInfoWGC sweep waitGetDriveTypeWGunjala_GondiMapViewOfFileMasaram_GondiMende_KikakuiOld_HungarianRegDeleteKeyWRegEnumKeyExW$runtime: out of memory: cannot allocate runtime: typeBitsBulkBarrier with type x509: trailing data after DSA parametersx509: trailing data after DSA public keyx509: trailing data after RSA public key34694469519536141888238489627838134765625MapIter.Next called
API String ID: 0-440059318
Opcode ID: 3d3d1dfbfdca85269f60cc165c9ba57ed574fbe8cfcd1afa4bd597f9f8660060
Instruction ID: e4ba3c9bea641e6a10e4524f8d3efc71905df4ea0e6e9d0975a8829b342dbc8b
Opcode Fuzzy Hash: 3d3d1dfbfdca85269f60cc165c9ba57ed574fbe8cfcd1afa4bd597f9f8660060
Instruction Fuzzy Hash: 2571F5B46093058FC704EF68D58166EBBE1FF88304F54886DE88D8B356E7749949CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00D84150, Relevance: 5.1, Strings: 4, Instructions: 139COMMON

Download Yara Rule

Strings

unknown runnable goroutine during bootstrap using value obtained using unexported fieldcompileCallback: float results not supportedencoding alphabet contains newline charactergcmarknewobject called while doing checkmarkinsufficient data for calculated length t, xrefs: 00D84394
+, xrefs: 00D8439D
G, xrefs: 00D84185
GOMAXPROCSGetIfEntryGetVersionGlagoliticIsValidSidKharoshthiLocalAllocLockFileExManichaeanOld_ItalicOld_PermicOld_TurkicOpenEventWOpenMutexWOpenThreadOther_MathPOSTALCODEParseFloatPhoenicianPulseEventRIPEMD-160ResetEventSaurashtraWSACleanupWSASocketWWSAStartup, xrefs: 00D84256

Memory Dump Source

Source File: 00000000.00000002.661933456.0000000000D51000.00000020.00020000.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.661927136.0000000000D50000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.662082442.0000000000E53000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.662217305.0000000000F3E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662222778.0000000000F44000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.662233308.0000000000F56000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662236659.0000000000F57000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.662240097.0000000000F59000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662243272.0000000000F5F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662246441.0000000000F63000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662249429.0000000000F77000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662252544.0000000000F7A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662256348.0000000000F7D000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.662259273.0000000000F7E000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: G$+$GOMAXPROCSGetIfEntryGetVersionGlagoliticIsValidSidKharoshthiLocalAllocLockFileExManichaeanOld_ItalicOld_PermicOld_TurkicOpenEventWOpenMutexWOpenThreadOther_MathPOSTALCODEParseFloatPhoenicianPulseEventRIPEMD-160ResetEventSaurashtraWSACleanupWSASocketWWSAStartup$unknown runnable goroutine during bootstrap using value obtained using unexported fieldcompileCallback: float results not supportedencoding alphabet contains newline charactergcmarknewobject called while doing checkmarkinsufficient data for calculated length t
API String ID: 0-616733238
Opcode ID: 098ed49d448aab75405dba17fb45ea814ea959ae8ba29e817387baa8173bf664
Instruction ID: 049efbcfb9c34d45ce0704d777c620f838e3906f7263b1eab5cc09414ffdec79
Opcode Fuzzy Hash: 098ed49d448aab75405dba17fb45ea814ea959ae8ba29e817387baa8173bf664
Instruction Fuzzy Hash: 71513770509306CFC744FF25E491A2ABBF0FB95719F10492CE88987362D7349888DB72

Uniqueness

Uniqueness Score: -1.00%

Function 00D7F1A0, Relevance: 5.1, Strings: 4, Instructions: 131COMMON

Download Yara Rule

Strings

!"#$%%&&''((()))*++,,,,,------....//////0001123333333333444444444455666677777888888888889999999999::::::;;;;;;;;;;;;;;;;<<<<<<<<<<<<<<<<=====>>>>>>>>>>>??????????@@@@@@@@@@@@@@@@@@@@@@AAAAAAAAAAAAAAAAAAAAABBBBBBBBBBBCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC, xrefs: 00D7F274
bad defer size classbad font file formatbad system page sizebad use of bucket.bpbad use of bucket.mpchan send (nil chan)close of nil channelconnection timed outdodeltimer0: wrong Pflag: help requestedfloating point errorforcegc: phase errorgc_trigger underflow, xrefs: 00D7F380
bad defer size class: i=bypassed recovery failedcan't scan our own stackconnection reset by peerdouble traceGCSweepStartfunction not implementedgcDrainN phase incorrecthash of unhashable type initSpan: unaligned baselevel 2 not synchronizedlink number out of r, xrefs: 00D7F2F8
defersc= in use) lockedg= lockedm= m->curg= marked method: ms cpu, not in [ runtime= s.limit= s.state= threads= u_a/u_g= unmarked wbuf1.n= wbuf2.n=%!(EXTRA (MISSING)(unknown), newval=, oldval=, size = , tail = -07:00:00244140625: status=AuthorityBassa_Va, xrefs: 00D7F34C

Memory Dump Source

Source File: 00000000.00000002.661933456.0000000000D51000.00000020.00020000.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.661927136.0000000000D50000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.662082442.0000000000E53000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.662217305.0000000000F3E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662222778.0000000000F44000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.662233308.0000000000F56000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662236659.0000000000F57000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.662240097.0000000000F59000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662243272.0000000000F5F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662246441.0000000000F63000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662249429.0000000000F77000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662252544.0000000000F7A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662256348.0000000000F7D000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.662259273.0000000000F7E000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: !"#$%%&&''((()))*++,,,,,------....//////0001123333333333444444444455666677777888888888889999999999::::::;;;;;;;;;;;;;;;;<<<<<<<<<<<<<<<<=====>>>>>>>>>>>??????????@@@@@@@@@@@@@@@@@@@@@@AAAAAAAAAAAAAAAAAAAAABBBBBBBBBBBCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC$ defersc= in use) lockedg= lockedm= m->curg= marked method: ms cpu, not in [ runtime= s.limit= s.state= threads= u_a/u_g= unmarked wbuf1.n= wbuf2.n=%!(EXTRA (MISSING)(unknown), newval=, oldval=, size = , tail = -07:00:00244140625: status=AuthorityBassa_Va$bad defer size class: i=bypassed recovery failedcan't scan our own stackconnection reset by peerdouble traceGCSweepStartfunction not implementedgcDrainN phase incorrecthash of unhashable type initSpan: unaligned baselevel 2 not synchronizedlink number out of r$bad defer size classbad font file formatbad system page sizebad use of bucket.bpbad use of bucket.mpchan send (nil chan)close of nil channelconnection timed outdodeltimer0: wrong Pflag: help requestedfloating point errorforcegc: phase errorgc_trigger underflow
API String ID: 0-588955546
Opcode ID: 086710897e876f3553dc9ac9ba710eb6dd3a79bc3c2e50d361cf9e86d23c19ed
Instruction ID: 73fa9f11bf08f744a8badd711e4fbdde5028a13d6c9009132a93b435ddd88d68
Opcode Fuzzy Hash: 086710897e876f3553dc9ac9ba710eb6dd3a79bc3c2e50d361cf9e86d23c19ed
Instruction Fuzzy Hash: 3A519E746097098FC724EF24C49036E77E2FB91340F50C939E99A83692FB3489899B72

Uniqueness

Uniqueness Score: -1.00%

Function 00D546B0, Relevance: 5.1, Strings: 4, Instructions: 120COMMON

Download Yara Rule

Strings

makechan: invalid channel element typeruntime: blocked read on free polldescruntime: sudog with non-false isSelecttime: missing Location in call to Date2006-01-02 15:04:05.999999999 -0700 MST277555756156289135105907917022705078125PowerRegisterSuspendResumeNoti, xrefs: 00D54860
P-, xrefs: 00D5483B
makechan: bad alignmentmissing type in runfinqnanotime returning zerono space left on deviceoperation not permittedoperation not supportedpanic during preemptoffprocresize: invalid argreflect.Value.Interfacereflect.Value.NumMethodreflect.methodValueCallruntime, xrefs: 00D5484A
&, xrefs: 00D54869

Memory Dump Source

Source File: 00000000.00000002.661933456.0000000000D51000.00000020.00020000.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.661927136.0000000000D50000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.662082442.0000000000E53000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.662217305.0000000000F3E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662222778.0000000000F44000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.662233308.0000000000F56000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662236659.0000000000F57000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.662240097.0000000000F59000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662243272.0000000000F5F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662246441.0000000000F63000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662249429.0000000000F77000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662252544.0000000000F7A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662256348.0000000000F7D000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.662259273.0000000000F7E000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: &$P-$makechan: bad alignmentmissing type in runfinqnanotime returning zerono space left on deviceoperation not permittedoperation not supportedpanic during preemptoffprocresize: invalid argreflect.Value.Interfacereflect.Value.NumMethodreflect.methodValueCallruntime$makechan: invalid channel element typeruntime: blocked read on free polldescruntime: sudog with non-false isSelecttime: missing Location in call to Date2006-01-02 15:04:05.999999999 -0700 MST277555756156289135105907917022705078125PowerRegisterSuspendResumeNoti
API String ID: 0-923452399
Opcode ID: d236c9bb770eec48d0618af5dfe6b20e03610ec3ec3dc541e8de1f71684a9720
Instruction ID: 6d558d8eed6f497ba3e9f1f0e9cc08ccbcd80ea73c9053804368e86b2c82883f
Opcode Fuzzy Hash: d236c9bb770eec48d0618af5dfe6b20e03610ec3ec3dc541e8de1f71684a9720
Instruction Fuzzy Hash: F8514F746083458FCB04EF25D49065ABBE1FF89709F14896DEC898B352D734D889CBA3

Uniqueness

Uniqueness Score: -1.00%

Function 00D6D8A0, Relevance: 5.1, Strings: 4, Instructions: 114COMMON

Download Yara Rule

Strings

KiB total, [recovered] allocCount found at *( gcscandone m->gsignal= minTrigger= nDataRoots= nSpanRoots= pages/byte preemptoff= s.elemsize= s.sweepgen= span.limit= span.state= sysmonwait= wbuf1=<nil> wbuf2=<nil>$recycle.bin%!(BADWIDTH)) p->status=-byte li, xrefs: 00D6D9C8
(forced) blocked= defersc= in use) lockedg= lockedm= m->curg= marked method: ms cpu, not in [ runtime= s.limit= s.state= threads= u_a/u_g= unmarked wbuf1.n= wbuf2.n=%!(EXTRA (MISSING)(unknown), newval=, oldval=, size = , tail = -07:00:00244140625: status, xrefs: 00D6DA65
KiB work, freeindex= gcwaiting= heap_live= idleprocs= in status mallocing= ms clock, nBSSRoots= p->status= s.nelems= schedtick= span.list= timerslen=%!(BADPREC), elemsize=, npages = /dev/stderr/dev/stdout30517578125: frame.sp=AES-128-CBCAES-192-CBCAES-256, xrefs: 00D6D991
scav schedsleepslicesse41sse42ssse3sudogsweeptraceuint8usagevaluewinntwrite Value addr= alloc base code= ctxt: curg= free goid jobs= list= m->p= next= p->m= prev= span=% util(...), i = , not 390625<-chanAnswerArabicAugustBrahmiCarianChakmaCommonCopticForma, xrefs: 00D6D94B

Memory Dump Source

Source File: 00000000.00000002.661933456.0000000000D51000.00000020.00020000.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.661927136.0000000000D50000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.662082442.0000000000E53000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.662217305.0000000000F3E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662222778.0000000000F44000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.662233308.0000000000F56000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662236659.0000000000F57000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.662240097.0000000000F59000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662243272.0000000000F5F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662246441.0000000000F63000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662249429.0000000000F77000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662252544.0000000000F7A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662256348.0000000000F7D000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.662259273.0000000000F7E000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: (forced) blocked= defersc= in use) lockedg= lockedm= m->curg= marked method: ms cpu, not in [ runtime= s.limit= s.state= threads= u_a/u_g= unmarked wbuf1.n= wbuf2.n=%!(EXTRA (MISSING)(unknown), newval=, oldval=, size = , tail = -07:00:00244140625: status$ KiB total, [recovered] allocCount found at *( gcscandone m->gsignal= minTrigger= nDataRoots= nSpanRoots= pages/byte preemptoff= s.elemsize= s.sweepgen= span.limit= span.state= sysmonwait= wbuf1=<nil> wbuf2=<nil>$recycle.bin%!(BADWIDTH)) p->status=-byte li$ KiB work, freeindex= gcwaiting= heap_live= idleprocs= in status mallocing= ms clock, nBSSRoots= p->status= s.nelems= schedtick= span.list= timerslen=%!(BADPREC), elemsize=, npages = /dev/stderr/dev/stdout30517578125: frame.sp=AES-128-CBCAES-192-CBCAES-256$scav schedsleepslicesse41sse42ssse3sudogsweeptraceuint8usagevaluewinntwrite Value addr= alloc base code= ctxt: curg= free goid jobs= list= m->p= next= p->m= prev= span=% util(...), i = , not 390625<-chanAnswerArabicAugustBrahmiCarianChakmaCommonCopticForma
API String ID: 0-3761302839
Opcode ID: a5ef4b9eb383094c2961c1fc658a66300b5a195a64f2858bff0ca9de8beceac3
Instruction ID: 1336bf6d399e3d8295675f4ef4e3d3e8e58660ee8e5371720fe17338896dd54b
Opcode Fuzzy Hash: a5ef4b9eb383094c2961c1fc658a66300b5a195a64f2858bff0ca9de8beceac3
Instruction Fuzzy Hash: E951ADB45087048FC308EF68D595A2ABBE1FF98704F01892DE8D997352E738D985DB72

Uniqueness

Uniqueness Score: -1.00%

Function 00D94BF0, Relevance: 5.1, Strings: 4, Instructions: 114COMMON

Download Yara Rule

Strings

shrinkstack at bad timespan has no free stacksstack growth after forksyntax error in patternsystem huge page size (time: invalid duration too many pointers (>10)truncated tag or lengthwork.nwait > work.nprocx509: incorrect IV size116415321826934814453125582076, xrefs: 00D94D5D
shrinking stack in libcallstartlockedm: locked to metruncated base 128 integer is not assignable to type 363797880709171295166015625AddVectoredContinueHandler, xrefs: 00D94D47
bad status in shrinkstackbad system huge page sizechansend: spurious wakeupcheckdead: no m for timerexplicit tag has no childinconsistent poll.fdMutexinvalid cross-device linkinvalid network interfacemissing stack in newstackmissing traceGCSweepStartno buffer , xrefs: 00D94D73
missing stack in shrinkstackmspan.sweep: m is not lockednewproc1: new g is not Gdeadnewproc1: newg missing stackos: process already finishedprotocol driver not attachedreflect.MakeSlice: len > capreflect: In of non-func typeregion exceeds uintptr rangeruntime., xrefs: 00D94D89

Memory Dump Source

Source File: 00000000.00000002.661933456.0000000000D51000.00000020.00020000.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.661927136.0000000000D50000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.662082442.0000000000E53000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.662217305.0000000000F3E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662222778.0000000000F44000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.662233308.0000000000F56000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662236659.0000000000F57000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.662240097.0000000000F59000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662243272.0000000000F5F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662246441.0000000000F63000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662249429.0000000000F77000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662252544.0000000000F7A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662256348.0000000000F7D000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.662259273.0000000000F7E000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: bad status in shrinkstackbad system huge page sizechansend: spurious wakeupcheckdead: no m for timerexplicit tag has no childinconsistent poll.fdMutexinvalid cross-device linkinvalid network interfacemissing stack in newstackmissing traceGCSweepStartno buffer $missing stack in shrinkstackmspan.sweep: m is not lockednewproc1: new g is not Gdeadnewproc1: newg missing stackos: process already finishedprotocol driver not attachedreflect.MakeSlice: len > capreflect: In of non-func typeregion exceeds uintptr rangeruntime.$shrinking stack in libcallstartlockedm: locked to metruncated base 128 integer is not assignable to type 363797880709171295166015625AddVectoredContinueHandler$shrinkstack at bad timespan has no free stacksstack growth after forksyntax error in patternsystem huge page size (time: invalid duration too many pointers (>10)truncated tag or lengthwork.nwait > work.nprocx509: incorrect IV size116415321826934814453125582076
API String ID: 0-1576974257
Opcode ID: 99dc181b001ec319a73c3936a0e95f06f8225b70bde298155786982d532032ff
Instruction ID: 8338453d0449b7cd37b2ad0b957994520119034569b64eaec44680d23fc51cf7
Opcode Fuzzy Hash: 99dc181b001ec319a73c3936a0e95f06f8225b70bde298155786982d532032ff
Instruction Fuzzy Hash: FE415A786047008FCF18EF24C091B6977E0EF88704F5888ACE8898B752E735D94ADB72

Uniqueness

Uniqueness Score: -1.00%

Function 00D92AC0, Relevance: 5.1, Strings: 4, Instructions: 95COMMON

Download Yara Rule

Strings

out of memoryparsing time powrprof.dll, xrefs: 00D92C0F
bad manualFreeListconnection refusedfaketimeState.lockfile name too longflag redefined: %sforEachP: not donegarbage collectionidentifier removedindex out of rangeinput/output errormultihop attemptedno child processesno locks availablenon-minimal lengthoperatio, xrefs: 00D92BE3
span has no free stacksstack growth after forksyntax error in patternsystem huge page size (time: invalid duration too many pointers (>10)truncated tag or lengthwork.nwait > work.nprocx509: incorrect IV size116415321826934814453125582076609134674072265625Alloc, xrefs: 00D92BCD
bad allocCountbad span statebad stack sizedata truncatedfile too largefinalizer waitgcstoptheworldgetprotobynameinvalid syntaxis a directorylevel 2 haltedlevel 3 haltedlocal settingsmemprofileratenil elem type!no module datano such devicentuser.dat.logpollCach, xrefs: 00D92BF9

Memory Dump Source

Source File: 00000000.00000002.661933456.0000000000D51000.00000020.00020000.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.661927136.0000000000D50000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.662082442.0000000000E53000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.662217305.0000000000F3E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662222778.0000000000F44000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.662233308.0000000000F56000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662236659.0000000000F57000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.662240097.0000000000F59000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662243272.0000000000F5F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662246441.0000000000F63000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662249429.0000000000F77000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662252544.0000000000F7A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662256348.0000000000F7D000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.662259273.0000000000F7E000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: bad allocCountbad span statebad stack sizedata truncatedfile too largefinalizer waitgcstoptheworldgetprotobynameinvalid syntaxis a directorylevel 2 haltedlevel 3 haltedlocal settingsmemprofileratenil elem type!no module datano such devicentuser.dat.logpollCach$bad manualFreeListconnection refusedfaketimeState.lockfile name too longflag redefined: %sforEachP: not donegarbage collectionidentifier removedindex out of rangeinput/output errormultihop attemptedno child processesno locks availablenon-minimal lengthoperatio$out of memoryparsing time powrprof.dll$span has no free stacksstack growth after forksyntax error in patternsystem huge page size (time: invalid duration too many pointers (>10)truncated tag or lengthwork.nwait > work.nprocx509: incorrect IV size116415321826934814453125582076609134674072265625Alloc
API String ID: 0-4006563138
Opcode ID: 2d9760f248983bbbdad8acc1e97902ebaf0645505b470dca5f55672b41ac966f
Instruction ID: c9c123fe62096a42c74cd17844ef73075a3d143fe0246158ef1ca27f83e590d1
Opcode Fuzzy Hash: 2d9760f248983bbbdad8acc1e97902ebaf0645505b470dca5f55672b41ac966f
Instruction Fuzzy Hash: BA4179B42097059FC708EF25D190A7ABBE1FF88704F04886DE4898B756E734D949DB72

Uniqueness

Uniqueness Score: -1.00%

Function 00D75F30, Relevance: 5.1, Strings: 4, Instructions: 95COMMON

Download Yara Rule

Strings

runtime: base = runtime: gp: gp=runtime: head = runtime: nelems=schedule: in cgotime: bad [0-9]*timeBeginPeriod, xrefs: 00D76022
., xrefs: 00D76089
sysGrow bounds not aligned to pallocChunkBytesx509: failed to unmarshal elliptic curve pointP has cached GC work at end of mark terminationRtlDosPathNameToRelativeNtPathName_U_WithStatusasn1: Unmarshal recipient value is non-pointer attempting to link in too m, xrefs: 00D76080
, limit = /dev/stdin12207031256103515625: parsing AdditionalBad varintCancelIoExChorasmianClassCHAOSClassCSNETCreateFileCreatePipeDeprecatedDevanagariDnsQuery_WException GC forcedGOMAXPROCSGetIfEntryGetVersionGlagoliticIsValidSidKharoshthiLocalAllocLockFileEx, xrefs: 00D7604C

Memory Dump Source

Source File: 00000000.00000002.661933456.0000000000D51000.00000020.00020000.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.661927136.0000000000D50000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.662082442.0000000000E53000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.662217305.0000000000F3E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662222778.0000000000F44000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.662233308.0000000000F56000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662236659.0000000000F57000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.662240097.0000000000F59000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662243272.0000000000F5F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662246441.0000000000F63000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662249429.0000000000F77000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662252544.0000000000F7A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662256348.0000000000F7D000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.662259273.0000000000F7E000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: , limit = /dev/stdin12207031256103515625: parsing AdditionalBad varintCancelIoExChorasmianClassCHAOSClassCSNETCreateFileCreatePipeDeprecatedDevanagariDnsQuery_WException GC forcedGOMAXPROCSGetIfEntryGetVersionGlagoliticIsValidSidKharoshthiLocalAllocLockFileEx$.$runtime: base = runtime: gp: gp=runtime: head = runtime: nelems=schedule: in cgotime: bad [0-9]*timeBeginPeriod$sysGrow bounds not aligned to pallocChunkBytesx509: failed to unmarshal elliptic curve pointP has cached GC work at end of mark terminationRtlDosPathNameToRelativeNtPathName_U_WithStatusasn1: Unmarshal recipient value is non-pointer attempting to link in too m
API String ID: 0-4217112489
Opcode ID: e74e51d087e85531b5d758e812de34ffc198326377305e360f6e62dc4dc5a30e
Instruction ID: 4d2622fa22eb12e144cb5cb26d9fd4edcc12e20401f6f6177230c1b1f2878e54
Opcode Fuzzy Hash: e74e51d087e85531b5d758e812de34ffc198326377305e360f6e62dc4dc5a30e
Instruction Fuzzy Hash: AF319C75908B098FC714EF24C48122EB7E0FF84700F45882DE99997396E774E949CBB2

Uniqueness

Uniqueness Score: -1.00%

Function 00D79270, Relevance: 5.1, Strings: 4, Instructions: 94COMMON

Download Yara Rule

Strings

, xrefs: 00D792DA
, xrefs: 00D792E2
, xrefs: 00D79332
, xrefs: 00D793DA

Memory Dump Source

Source File: 00000000.00000002.661933456.0000000000D51000.00000020.00020000.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.661927136.0000000000D50000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.662082442.0000000000E53000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.662217305.0000000000F3E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662222778.0000000000F44000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.662233308.0000000000F56000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662236659.0000000000F57000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.662240097.0000000000F59000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662243272.0000000000F5F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662246441.0000000000F63000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662249429.0000000000F77000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662252544.0000000000F7A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662256348.0000000000F7D000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.662259273.0000000000F7E000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: $ $ $
API String ID: 0-3535155489
Opcode ID: 476f61090b85214dc6ff346f9948e85b46c227caca3d6f1e8a0fb967006e758c
Instruction ID: d65c7212cbf8e446c0d3139ca0c7578ca6c94b2122c0d851e88af1696bd26131
Opcode Fuzzy Hash: 476f61090b85214dc6ff346f9948e85b46c227caca3d6f1e8a0fb967006e758c
Instruction Fuzzy Hash: E741D0B45093409FD354EF24C198B5ABBE1FF89304F54C92DE4988B392E735A949CFA2

Uniqueness

Uniqueness Score: -1.00%

Function 00D843C0, Relevance: 5.1, Strings: 4, Instructions: 90COMMON

Download Yara Rule

Strings

, g->atomicstatus=, gp->atomicstatus=149011611938476562520060102150405Z07007450580596923828125Altai Standard TimeBahia Standard TimeCanadian_AboriginalChina Standard TimeCreateSymbolicLinkWCryptReleaseContextEgypt Standard TimeGC work not flushedGetCurrentPro, xrefs: 00D84516
, goid=, j0 = 19531252.5.4.32.5.4.52.5.4.62.5.4.72.5.4.82.5.4.99765625AvestanBengaliBrailleChanDirCopySidCypriotDES-CBCDeseretElbasanElymaicFreeSidGODEBUGGranthaHanunooIO waitJanuaryKannadaMUI_DltMUI_StdMakasarMandaicMarchenMultaniMyanmarOctoberOsmanyaRadicalS, xrefs: 00D8443C, 00D844EC
runtime: g: g=runtime: addr = runtime: base = runtime: gp: gp=runtime: head = runtime: nelems=schedule: in cgotime: bad [0-9]*timeBeginPeriod, xrefs: 00D844CA
, gp->atomicstatus=149011611938476562520060102150405Z07007450580596923828125Altai Standard TimeBahia Standard TimeCanadian_AboriginalChina Standard TimeCreateSymbolicLinkWCryptReleaseContextEgypt Standard TimeGC work not flushedGetCurrentProcessIdGetDiskFreeSp, xrefs: 00D84466

Memory Dump Source

Source File: 00000000.00000002.661933456.0000000000D51000.00000020.00020000.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.661927136.0000000000D50000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.662082442.0000000000E53000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.662217305.0000000000F3E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662222778.0000000000F44000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.662233308.0000000000F56000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662236659.0000000000F57000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.662240097.0000000000F59000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662243272.0000000000F5F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662246441.0000000000F63000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662249429.0000000000F77000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662252544.0000000000F7A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662256348.0000000000F7D000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.662259273.0000000000F7E000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: , g->atomicstatus=, gp->atomicstatus=149011611938476562520060102150405Z07007450580596923828125Altai Standard TimeBahia Standard TimeCanadian_AboriginalChina Standard TimeCreateSymbolicLinkWCryptReleaseContextEgypt Standard TimeGC work not flushedGetCurrentPro$, goid=, j0 = 19531252.5.4.32.5.4.52.5.4.62.5.4.72.5.4.82.5.4.99765625AvestanBengaliBrailleChanDirCopySidCypriotDES-CBCDeseretElbasanElymaicFreeSidGODEBUGGranthaHanunooIO waitJanuaryKannadaMUI_DltMUI_StdMakasarMandaicMarchenMultaniMyanmarOctoberOsmanyaRadicalS$, gp->atomicstatus=149011611938476562520060102150405Z07007450580596923828125Altai Standard TimeBahia Standard TimeCanadian_AboriginalChina Standard TimeCreateSymbolicLinkWCryptReleaseContextEgypt Standard TimeGC work not flushedGetCurrentProcessIdGetDiskFreeSp$runtime: g: g=runtime: addr = runtime: base = runtime: gp: gp=runtime: head = runtime: nelems=schedule: in cgotime: bad [0-9]*timeBeginPeriod
API String ID: 0-1464181724
Opcode ID: a20891092cdd2f3d7f8feffdf4c42691a86feb1d5d690281da256ee1717d332f
Instruction ID: 55224ceb3e1de76b88a5c510bf1213d56ecf5263e806270151acf1832ab4fb7f
Opcode Fuzzy Hash: a20891092cdd2f3d7f8feffdf4c42691a86feb1d5d690281da256ee1717d332f
Instruction Fuzzy Hash: BF4180B85097059FC304FF24C185A6EBBE0FF88744F01886DE88887352D778A989DB72

Uniqueness

Uniqueness Score: -1.00%

Function 00D6E3E0, Relevance: 5.1, Strings: 4, Instructions: 84COMMON

Download Yara Rule

Strings

!, xrefs: 00D6E522
min must be a non-zero power of 2misrounded allocation in sysAllocreflect.nameFrom: name too long: reflect: Field index out of rangereflect: NumOut of non-func type reflect: array index out of rangereflect: chanDir of non-chan typereflect: slice index out of r, xrefs: 00D6E519
min too largenil stackbaseout of memoryparsing time powrprof.dll, xrefs: 00D6E4CA
runtime: min = runtimer: bad pscan missed a gstartm: m has pstopm holding p already; errno= mheap.sweepgen= not in ranges: untyped locals , not a function0123456789ABCDEF0123456789abcdef2384185791015625: value of type AddDllDirectory, xrefs: 00D6E496, 00D6E4E5

Memory Dump Source

Source File: 00000000.00000002.661933456.0000000000D51000.00000020.00020000.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.661927136.0000000000D50000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.662082442.0000000000E53000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.662217305.0000000000F3E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662222778.0000000000F44000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.662233308.0000000000F56000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662236659.0000000000F57000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.662240097.0000000000F59000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662243272.0000000000F5F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662246441.0000000000F63000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662249429.0000000000F77000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662252544.0000000000F7A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662256348.0000000000F7D000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.662259273.0000000000F7E000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: !$min must be a non-zero power of 2misrounded allocation in sysAllocreflect.nameFrom: name too long: reflect: Field index out of rangereflect: NumOut of non-func type reflect: array index out of rangereflect: chanDir of non-chan typereflect: slice index out of r$min too largenil stackbaseout of memoryparsing time powrprof.dll$runtime: min = runtimer: bad pscan missed a gstartm: m has pstopm holding p already; errno= mheap.sweepgen= not in ranges: untyped locals , not a function0123456789ABCDEF0123456789abcdef2384185791015625: value of type AddDllDirectory
API String ID: 0-94317560
Opcode ID: 082376adc71173b97f02f133eb6c3b1b02581a40761a3f0f80ef310791557097
Instruction ID: 6a4dbd3a7460f9ba52d6fea93ba4ee9136a99fa2ce1ab2b2139e4edbe8dd97f3
Opcode Fuzzy Hash: 082376adc71173b97f02f133eb6c3b1b02581a40761a3f0f80ef310791557097
Instruction Fuzzy Hash: 023125B85087458FD710FF64C18132EBBE0FF84708F04896DE8D957282EB38A9499B72

Uniqueness

Uniqueness Score: -1.00%

Function 00DA6B10, Relevance: 5.1, Strings: 4, Instructions: 83COMMON

Download Yara Rule

Strings

syst, xrefs: 00DA6C19
sing, xrefs: 00DA6C05
cras, xrefs: 00DA6BE4
none, xrefs: 00DA6BCC

Memory Dump Source

Source File: 00000000.00000002.661933456.0000000000D51000.00000020.00020000.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.661927136.0000000000D50000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.662082442.0000000000E53000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.662217305.0000000000F3E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662222778.0000000000F44000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.662233308.0000000000F56000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662236659.0000000000F57000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.662240097.0000000000F59000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662243272.0000000000F5F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662246441.0000000000F63000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662249429.0000000000F77000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662252544.0000000000F7A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662256348.0000000000F7D000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.662259273.0000000000F7E000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: cras$none$sing$syst
API String ID: 0-2613714893
Opcode ID: e479cc61dee1f13fa18837e91e38d821e457c3c34e838cb28c11a3ba4a2764cf
Instruction ID: 745929d50043ed51f743f377a25d8f98c522ce9a230d0645c0fd08bb6c3aac05
Opcode Fuzzy Hash: e479cc61dee1f13fa18837e91e38d821e457c3c34e838cb28c11a3ba4a2764cf
Instruction Fuzzy Hash: EF315E70A09245CADB28DF20C16123A77A2EB53715F6C886DD0C6CB2D1D73ADC96D772

Uniqueness

Uniqueness Score: -1.00%

Function 00D81000, Relevance: 5.1, Strings: 4, Instructions: 82COMMON

Download Yara Rule

Strings

runtime: panic before malloc heap initializedruntime: text offset base pointer out of rangeruntime: type offset base pointer out of rangesignal arrived during external code executionslice bounds out of range [:%x] with length %ystopTheWorld: not stopped (sta, xrefs: 00D8113E
stack trace unavailablestructure needs cleaning bytes failed with errno= to unused region of span2910383045673370361328125AUS Central Standard TimeAUS Eastern Standard TimeAfghanistan Standard TimeExpandEnvironmentStringsWFindNextVolumeMountPointWFindVolumeMo, xrefs: 00D81084
panic during panicpanic holding lockspanicwrap: no ( in panicwrap: no ) in reflect.Value.Fieldreflect.Value.Floatreflect.Value.Indexreflect.Value.IsNilreflect.Value.Sliceruntime: g0 stack [runtime: pcdata is runtime: preempt g0semaRoot rotateLeftskip this dir, xrefs: 00D810B9
., xrefs: 00D81147

Memory Dump Source

Source File: 00000000.00000002.661933456.0000000000D51000.00000020.00020000.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.661927136.0000000000D50000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.662082442.0000000000E53000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.662217305.0000000000F3E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662222778.0000000000F44000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.662233308.0000000000F56000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662236659.0000000000F57000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.662240097.0000000000F59000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662243272.0000000000F5F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662246441.0000000000F63000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662249429.0000000000F77000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662252544.0000000000F7A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662256348.0000000000F7D000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.662259273.0000000000F7E000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: .$panic during panicpanic holding lockspanicwrap: no ( in panicwrap: no ) in reflect.Value.Fieldreflect.Value.Floatreflect.Value.Indexreflect.Value.IsNilreflect.Value.Sliceruntime: g0 stack [runtime: pcdata is runtime: preempt g0semaRoot rotateLeftskip this dir$runtime: panic before malloc heap initializedruntime: text offset base pointer out of rangeruntime: type offset base pointer out of rangesignal arrived during external code executionslice bounds out of range [:%x] with length %ystopTheWorld: not stopped (sta$stack trace unavailablestructure needs cleaning bytes failed with errno= to unused region of span2910383045673370361328125AUS Central Standard TimeAUS Eastern Standard TimeAfghanistan Standard TimeExpandEnvironmentStringsWFindNextVolumeMountPointWFindVolumeMo
API String ID: 0-2559704698
Opcode ID: 1ce942ceb5cf14a6500ea23223ff01c255cbc5841324974bbbe2daf7306e6173
Instruction ID: b075e25883801b044bc3fda6f95cf4fd7aeccf3e6c7c263df86d5ab0977667c2
Opcode Fuzzy Hash: 1ce942ceb5cf14a6500ea23223ff01c255cbc5841324974bbbe2daf7306e6173
Instruction Fuzzy Hash: 10317AB81087448FD314FF68D885B2A77E8EF50704F45485CE4998B262E779D88ADBB3

Uniqueness

Uniqueness Score: -1.00%

Function 00D7D920, Relevance: 5.1, Strings: 4, Instructions: 82COMMON

Download Yara Rule

Strings

runtime: failed to create new OS thread (have runtime: name offset base pointer out of rangeruntime: panic before malloc heap initializedruntime: text offset base pointer out of rangeruntime: type offset base pointer out of rangesignal arrived during external, xrefs: 00D7D9E2
., xrefs: 00D7D9EB
already; errno= mheap.sweepgen= not in ranges: untyped locals , not a function0123456789ABCDEF0123456789abcdef2384185791015625: value of type AddDllDirectory, xrefs: 00D7DA0D
runtime.newosprocruntime/internal/runtime: level = runtime: nameOff runtime: next_gc=runtime: pointer runtime: summary[runtime: textOff runtime: typeOff scanobject n == 0select (no cases)stack: frame={sp:swept cached spanthread exhaustionunknown caller pcwait , xrefs: 00D7DA52

Memory Dump Source

Source File: 00000000.00000002.661933456.0000000000D51000.00000020.00020000.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.661927136.0000000000D50000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.662082442.0000000000E53000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.662217305.0000000000F3E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662222778.0000000000F44000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.662233308.0000000000F56000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662236659.0000000000F57000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.662240097.0000000000F59000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662243272.0000000000F5F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662246441.0000000000F63000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662249429.0000000000F77000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662252544.0000000000F7A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662256348.0000000000F7D000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.662259273.0000000000F7E000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: already; errno= mheap.sweepgen= not in ranges: untyped locals , not a function0123456789ABCDEF0123456789abcdef2384185791015625: value of type AddDllDirectory$.$runtime.newosprocruntime/internal/runtime: level = runtime: nameOff runtime: next_gc=runtime: pointer runtime: summary[runtime: textOff runtime: typeOff scanobject n == 0select (no cases)stack: frame={sp:swept cached spanthread exhaustionunknown caller pcwait $runtime: failed to create new OS thread (have runtime: name offset base pointer out of rangeruntime: panic before malloc heap initializedruntime: text offset base pointer out of rangeruntime: type offset base pointer out of rangesignal arrived during external
API String ID: 0-3099863928
Opcode ID: 84f0b9855715ca0e54b916449379f69a6b734551e20c2794c66570d2fb628035
Instruction ID: 33cc2601d21e646820e0d29c12a3e600c7795c4d1c808482bdac6f557ae7e69e
Opcode Fuzzy Hash: 84f0b9855715ca0e54b916449379f69a6b734551e20c2794c66570d2fb628035
Instruction Fuzzy Hash: C031C1B45097049FD704FF65D88562ABBE4FF88704F41892DE88893351E778D988DB62

Uniqueness

Uniqueness Score: -1.00%

Function 00D8C4B0, Relevance: 5.1, Strings: 4, Instructions: 82COMMON

Download Yara Rule

Strings

p->status= s.nelems= schedtick= span.list= timerslen=%!(BADPREC), elemsize=, npages = /dev/stderr/dev/stdout30517578125: frame.sp=AES-128-CBCAES-192-CBCAES-256-CBCBLAKE2b-256BLAKE2b-384BLAKE2b-512BLAKE2s-256ClassHESIODCloseHandleCoGetObjectCreateFileWDeleteF, xrefs: 00D8C5B9
releasep: m=runtime: gp=runtime: sp=self-preemptshort bufferspanSetSpinesweepWaiterstraceStringswintrust.dllwirep: p->m=worker mode wtsapi32.dll != sweepgen (default %q) (default %v) MB) workers= called from flushedWork heap_marked= idlethreads= in duration, xrefs: 00D8C54B
m->p= next= p->m= prev= span=% util(...), i = , not 390625<-chanAnswerArabicAugustBrahmiCarianChakmaCommonCopticFormatFridayGOROOTGetACPGothicHangulHatranHebrewHyphenKaithiKhojkiLepchaLycianLydianMondayRejangSCHED STREETStringSundaySyriacTai_LeTangutTeluguTh, xrefs: 00D8C56D
releasep: invalid argruntime: confused by runtime: newstack at runtime: newstack sp=runtime: searchIdx = runtime: work.nwait= sequence tag mismatchstale NFS file handlestartlockedm: m has pstartm: m is spinningstate not recoverabletimer data corruptionx509: in, xrefs: 00D8C603

Memory Dump Source

Source File: 00000000.00000002.661933456.0000000000D51000.00000020.00020000.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.661927136.0000000000D50000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.662082442.0000000000E53000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.662217305.0000000000F3E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662222778.0000000000F44000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.662233308.0000000000F56000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662236659.0000000000F57000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.662240097.0000000000F59000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662243272.0000000000F5F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662246441.0000000000F63000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662249429.0000000000F77000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662252544.0000000000F7A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662256348.0000000000F7D000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.662259273.0000000000F7E000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: m->p= next= p->m= prev= span=% util(...), i = , not 390625<-chanAnswerArabicAugustBrahmiCarianChakmaCommonCopticFormatFridayGOROOTGetACPGothicHangulHatranHebrewHyphenKaithiKhojkiLepchaLycianLydianMondayRejangSCHED STREETStringSundaySyriacTai_LeTangutTeluguTh$ p->status= s.nelems= schedtick= span.list= timerslen=%!(BADPREC), elemsize=, npages = /dev/stderr/dev/stdout30517578125: frame.sp=AES-128-CBCAES-192-CBCAES-256-CBCBLAKE2b-256BLAKE2b-384BLAKE2b-512BLAKE2s-256ClassHESIODCloseHandleCoGetObjectCreateFileWDeleteF$releasep: invalid argruntime: confused by runtime: newstack at runtime: newstack sp=runtime: searchIdx = runtime: work.nwait= sequence tag mismatchstale NFS file handlestartlockedm: m has pstartm: m is spinningstate not recoverabletimer data corruptionx509: in$releasep: m=runtime: gp=runtime: sp=self-preemptshort bufferspanSetSpinesweepWaiterstraceStringswintrust.dllwirep: p->m=worker mode wtsapi32.dll != sweepgen (default %q) (default %v) MB) workers= called from flushedWork heap_marked= idlethreads= in duration
API String ID: 0-333307292
Opcode ID: 00bf65d5e31f31100f88ab413d5a78136c588f6e1cc34d02fe4b5f56274ba214
Instruction ID: 7a435928ca5550ae1babd4987409287345faeea8d75e072a4e779f348c3bfe70
Opcode Fuzzy Hash: 00bf65d5e31f31100f88ab413d5a78136c588f6e1cc34d02fe4b5f56274ba214
Instruction Fuzzy Hash: 3141DEB4508705CFC704FF64D18572ABBE4FB88704F05896DE8888B252D779D889DBB2

Uniqueness

Uniqueness Score: -1.00%

Function 00D74110, Relevance: 5.1, Strings: 4, Instructions: 78
COMMON

Download Yara Rule

C-Code - Quality: 50%

			E00D74110(void* __eax, void* __ebx, void* __edi, void* __esi, void* __ebp, intOrPtr _a4, intOrPtr _a8, signed int _a12) {
				signed int _v4;
				signed int _v8;
				signed int _t30;
				signed int _t44;
				intOrPtr _t48;
				intOrPtr _t49;
				intOrPtr _t52;
				signed int _t57;
				intOrPtr _t59;
				intOrPtr _t60;
				intOrPtr _t65;
				void* _t72;
				intOrPtr* _t73;

				L0:
				while(1) {
					L0:
					_t71 = __ebp;
					_t70 = __esi;
					_t54 = __ebx;
					if(_t72 <=  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x14])) + 8))) {
						goto L10;
					}
					L1:
					_t73 = _t72 - 0xc;
					_t57 =  *0xf3e6d0; // 0x12
					if(_t57 > 0x12) {
						L9:
						_v4 = _t57;
						E00D82470();
						 *_t73 =  &M00E84574;
						_v8 = 0x20;
						_t30 = E00D82D70();
						asm("sbb eax, eax");
						_v8 = (0x00000001 << _v4 & _t30) >> 0x1f;
						 *_t73 = 1;
						L00D82B80(__ebx);
						E00D82690();
						E00D824E0();
						E00D82470();
						 *_t73 =  &M00E838A3;
						_v8 = 0x1d;
						E00D82D70();
						_v8 = 0;
						 *_t73 = 0x40000;
						L00D82B80(__ebx);
						E00D82690();
						E00D824E0();
						 *_t73 = 0xe869ee;
						_v8 = 0x2b;
						E00D80D70();
						goto L10;
					}
					L2:
					_t59 = _a4;
					_t65 =  *0xf779c0; // 0x0
					if(_t65 != 0) {
						_t44 = L00DA9DE0(_a12, __ebx, _t59, _t65, _t59 + 0x80, __esi, __ebp);
					} else {
						_t44 = _a12;
						 *(_t59 + 0x80) = _t44;
					}
					_t66 = _t59 + 0x40;
					 *_t73 = _t59 + 0x40;
					_v8 = _t44;
					E00D79960(_t54, _t59 + 0x40, _t70, _t71);
					 *_t73 = _a4;
					E00D75D80(_t71);
					_t48 =  *0xf3e10c; // 0xffffffff
					_t60 = _a4;
					 *((intOrPtr*)(_t60 + 0x34)) = _t48;
					_t49 =  *0xf779c0; // 0x0
					if(_t49 != 0) {
						L00DA9DE0(_a8, _t54, _t60, _t66, _t60 + 0x7c, _t70, _t71);
					} else {
						 *((intOrPtr*)(_t60 + 0x7c)) = _a8;
					}
					_t52 =  *0xf3e10c; // 0xffffffff
					 *((intOrPtr*)(_t60 + 0x74)) = _t52;
					return _t52;
					L11:
					L10:
					E00DA8880();
				}
			}

0x00d74110
0x00d74110
0x00d74110
0x00d74110
0x00d74110
0x00d74110
0x00d74120
0x00000000
0x00000000
0x00d74126
0x00d74126
0x00d74129
0x00d74132
0x00d741b3
0x00d741b3
0x00d741b7
0x00d741c2
0x00d741c5
0x00d741cd
0x00d741d9
0x00d741e9
0x00d741ed
0x00d741f0
0x00d741f5
0x00d741fa
0x00d741ff
0x00d7420a
0x00d7420d
0x00d74215
0x00d7421a
0x00d74222
0x00d74229
0x00d7422e
0x00d74233
0x00d7423e
0x00d74241
0x00d74249
0x00000000
0x00d74249
0x00d74134
0x00d74134
0x00d7413a
0x00d74142
0x00d741ac
0x00d74144
0x00d74144
0x00d74148
0x00d74148
0x00d7414e
0x00d74151
0x00d74154
0x00d74158
0x00d74161
0x00d74164
0x00d74169
0x00d7416f
0x00d74173
0x00d74176
0x00d7417e
0x00d7419b
0x00d74180
0x00d74184
0x00d74184
0x00d74187
0x00d7418d
0x00d74193
0x00000000
0x00d7424f
0x00d7424f
0x00d7424f

Strings

root level max pages doesn't fit in summaryruntime.SetFinalizer: finalizer already setruntime.SetFinalizer: first argument is nilruntime: casfrom_Gscanstatus bad oldval gp=runtime: heapBitsSetTypeGCProg: total bits runtime: releaseSudog with non-nil gp.paramru, xrefs: 00D74238
+, xrefs: 00D74241
runtime: root level max pages = runtime: setevent failed; errno=runtime: stack split at bad timeruntime: sudog with non-nil elemruntime: sudog with non-nil nextruntime: sudog with non-nil prevscanstack: goroutine not stoppedslice bounds out of range [%x::]slic, xrefs: 00D741BC
runtime: summary max pages = runtime: unknown pc in defer semacquire not on the G stackstring concatenation too longsyntax error scanning booleantimeBegin/EndPeriod not foundtoo many open files in systemx509: unknown encryption modezero length OBJECT IDENTIFIE, xrefs: 00D74204

Memory Dump Source

Source File: 00000000.00000002.661933456.0000000000D51000.00000020.00020000.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.661927136.0000000000D50000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.662082442.0000000000E53000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.662217305.0000000000F3E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662222778.0000000000F44000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.662233308.0000000000F56000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662236659.0000000000F57000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.662240097.0000000000F59000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662243272.0000000000F5F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662246441.0000000000F63000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662249429.0000000000F77000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662252544.0000000000F7A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662256348.0000000000F7D000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.662259273.0000000000F7E000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: +$root level max pages doesn't fit in summaryruntime.SetFinalizer: finalizer already setruntime.SetFinalizer: first argument is nilruntime: casfrom_Gscanstatus bad oldval gp=runtime: heapBitsSetTypeGCProg: total bits runtime: releaseSudog with non-nil gp.paramru$runtime: root level max pages = runtime: setevent failed; errno=runtime: stack split at bad timeruntime: sudog with non-nil elemruntime: sudog with non-nil nextruntime: sudog with non-nil prevscanstack: goroutine not stoppedslice bounds out of range [%x::]slic$runtime: summary max pages = runtime: unknown pc in defer semacquire not on the G stackstring concatenation too longsyntax error scanning booleantimeBegin/EndPeriod not foundtoo many open files in systemx509: unknown encryption modezero length OBJECT IDENTIFIE
API String ID: 0-1734058045
Opcode ID: 20975046a6990f65f9766a44ca9f041e4a3f7e961b64aea05fb8e3879fa76aed
Instruction ID: 4154eef6f1d95384c4c5907a841ff97c3c1d44db98d7b4a905940c6cb3a9ecfe
Opcode Fuzzy Hash: 20975046a6990f65f9766a44ca9f041e4a3f7e961b64aea05fb8e3879fa76aed
Instruction Fuzzy Hash: 653116B46093008FC340FF68D481769BBE1FF94744F50882DE8888B252EB35E889DB72

Uniqueness

Uniqueness Score: -1.00%

Function 00D84C60, Relevance: 5.1, Strings: 4, Instructions: 51COMMON

Download Yara Rule

Strings

castogscanstatuscontext canceleddivision by zerogc: unswept spangcshrinkstackoffinteger overflowinvalid argumentinvalid exchangeinvalid g statusinvalid spdelta length too largemSpanList.insertmSpanList.removemessage too longmissing stackmapnewmHandoff.lockno r, xrefs: 00D84D1D
runtime: castogscanstatus oldval=runtime: failed mSpanList.insert runtime: failed to decommit pagesruntime: goroutine stack exceeds runtime: memory allocated by OS [runtime: name offset out of rangeruntime: text offset out of rangeruntime: type offset out of r, xrefs: 00D84CBF
newval= nfreed= pointer stack=[ status %!Month(.crypted2.5.4.102.5.4.112.5.4.1748828125AcceptExArmenianBalineseBopomofoBugineseCancelIoCherokeeClassANYCyrillicDEK-InfoDecemberDuployanEqualSidEthiopicExtenderFebruaryFullPathGeorgianGoStringGujaratiGurmukhiHira, xrefs: 00D84CE9
!, xrefs: 00D84CC8

Memory Dump Source

Source File: 00000000.00000002.661933456.0000000000D51000.00000020.00020000.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.661927136.0000000000D50000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.662082442.0000000000E53000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.662217305.0000000000F3E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662222778.0000000000F44000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.662233308.0000000000F56000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662236659.0000000000F57000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.662240097.0000000000F59000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662243272.0000000000F5F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662246441.0000000000F63000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662249429.0000000000F77000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662252544.0000000000F7A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662256348.0000000000F7D000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.662259273.0000000000F7E000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: newval= nfreed= pointer stack=[ status %!Month(.crypted2.5.4.102.5.4.112.5.4.1748828125AcceptExArmenianBalineseBopomofoBugineseCancelIoCherokeeClassANYCyrillicDEK-InfoDecemberDuployanEqualSidEthiopicExtenderFebruaryFullPathGeorgianGoStringGujaratiGurmukhiHira$!$castogscanstatuscontext canceleddivision by zerogc: unswept spangcshrinkstackoffinteger overflowinvalid argumentinvalid exchangeinvalid g statusinvalid spdelta length too largemSpanList.insertmSpanList.removemessage too longmissing stackmapnewmHandoff.lockno r$runtime: castogscanstatus oldval=runtime: failed mSpanList.insert runtime: failed to decommit pagesruntime: goroutine stack exceeds runtime: memory allocated by OS [runtime: name offset out of rangeruntime: text offset out of rangeruntime: type offset out of r
API String ID: 0-1703227525
Opcode ID: 7671c364fa077d638afdb3bc6d8c83c8a439f8bfe1189cdf23017fc6aa1f7e26
Instruction ID: 10ca3058eaa27af72e24a1d5a45052d238ef7b409b8d54cd2b3cfb7fa8ab5869
Opcode Fuzzy Hash: 7671c364fa077d638afdb3bc6d8c83c8a439f8bfe1189cdf23017fc6aa1f7e26
Instruction Fuzzy Hash: 5E11F3B45097468FC304FF24C19576EBBE0EF84744F45885DE4C887252EB3998899BB2

Uniqueness

Uniqueness Score: -1.00%

Function 00D7B700, Relevance: 5.0, Strings: 4, Instructions: 50COMMON

Download Yara Rule

Strings

) *( - < > m= n=%: +00+01+03+04+05+06+07+08+09+10+11+12+13+14-01-02-03-04-05-06-08-09-11-12125625???ADTASTAprAugBSTCATCDTCETCSTDecDltEATEDTEETEOFESTFebFriGMTHDTHSTHanIDTISTJSTJanJulJunKSTLaoMD4MD5MDTMSKMSTMarMayMonMroNDTNSTNULNaNNkoNovOctPC=PDTPKTPSTSETSa, xrefs: 00D7B7B7
runtime: netpoll: PostQueuedCompletionStatus failed (errno= x509: encrypted PEM data is not a multiple of the block size0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZfound bad pointer in Go heap (incorrect use of unsafe or cgo?)runtime: interna, xrefs: 00D7B78D
runtime: netpoll: PostQueuedCompletionStatus failedConvertSecurityDescriptorToStringSecurityDescriptorWConvertStringSecurityDescriptorToSecurityDescriptorWcasfrom_Gscanstatus: gp->status is not in scan statecrypto/rsa: message too long for RSA public key sizem, xrefs: 00D7B7D2
3, xrefs: 00D7B7DB

Memory Dump Source

Source File: 00000000.00000002.661933456.0000000000D51000.00000020.00020000.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.661927136.0000000000D50000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.662082442.0000000000E53000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.662217305.0000000000F3E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662222778.0000000000F44000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.662233308.0000000000F56000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662236659.0000000000F57000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.662240097.0000000000F59000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662243272.0000000000F5F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662246441.0000000000F63000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662249429.0000000000F77000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662252544.0000000000F7A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662256348.0000000000F7D000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.662259273.0000000000F7E000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: ) *( - < > m= n=%: +00+01+03+04+05+06+07+08+09+10+11+12+13+14-01-02-03-04-05-06-08-09-11-12125625???ADTASTAprAugBSTCATCDTCETCSTDecDltEATEDTEETEOFESTFebFriGMTHDTHSTHanIDTISTJSTJanJulJunKSTLaoMD4MD5MDTMSKMSTMarMayMonMroNDTNSTNULNaNNkoNovOctPC=PDTPKTPSTSETSa$3$runtime: netpoll: PostQueuedCompletionStatus failed (errno= x509: encrypted PEM data is not a multiple of the block size0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZfound bad pointer in Go heap (incorrect use of unsafe or cgo?)runtime: interna$runtime: netpoll: PostQueuedCompletionStatus failedConvertSecurityDescriptorToStringSecurityDescriptorWConvertStringSecurityDescriptorToSecurityDescriptorWcasfrom_Gscanstatus: gp->status is not in scan statecrypto/rsa: message too long for RSA public key sizem
API String ID: 0-3983274906
Opcode ID: d8f73bdc82a3bdbe4d34bf5072cce5da7f3d51836aa32ddaf72aa962df1a40a2
Instruction ID: 4993e9ac7ad5158945c96ef7836d2fb1667dc7dd7cc5a80486fd1993281000aa
Opcode Fuzzy Hash: d8f73bdc82a3bdbe4d34bf5072cce5da7f3d51836aa32ddaf72aa962df1a40a2
Instruction Fuzzy Hash: BF21CBB44087048FD304FF64D19572ABBE4FF84758F40881EE8D887292E77999489BB3

Uniqueness

Uniqueness Score: -1.00%

Function 00D59AC6, Relevance: 5.0, Strings: 4, Instructions: 9COMMON

Download Yara Rule

Strings

runtime: unable to acquire - semaphore out of syncx509: RSA public exponent is not a positive numberx509: missing ASN.1 contents; use ParseCertificateGC must be disabled to protect validity of fn valuefatal: systemstack called from unexpected goroutinepotentia, xrefs: 00D59D4F
notetsleep - waitm out of syncprotocol wrong type for socketreflect: Elem of invalid type reflect: Len of non-array typereflect: Out of non-func type runqputslow: queue is not fullruntime: bad g in cgocallbackruntime: bad pointer in frame runtime: found in ob, xrefs: 00D59D7B
runtime: unexpected waitm - semaphore out of syncs.allocCount != s.nelems && freeIndex == s.nelemsslice bounds out of range [::%x] with capacity %ystrconv: internal error, rest != 0 but needed > 0strconv: num > den<<shift in adjustLastDigitFixedstrings.Reader., xrefs: 00D59D65
1, xrefs: 00D59D6E

Memory Dump Source

Source File: 00000000.00000002.661933456.0000000000D51000.00000020.00020000.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.661927136.0000000000D50000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.662082442.0000000000E53000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.662217305.0000000000F3E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662222778.0000000000F44000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.662233308.0000000000F56000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662236659.0000000000F57000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.662240097.0000000000F59000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662243272.0000000000F5F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662246441.0000000000F63000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662249429.0000000000F77000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662252544.0000000000F7A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.662256348.0000000000F7D000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.662259273.0000000000F7E000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: 1$notetsleep - waitm out of syncprotocol wrong type for socketreflect: Elem of invalid type reflect: Len of non-array typereflect: Out of non-func type runqputslow: queue is not fullruntime: bad g in cgocallbackruntime: bad pointer in frame runtime: found in ob$runtime: unable to acquire - semaphore out of syncx509: RSA public exponent is not a positive numberx509: missing ASN.1 contents; use ParseCertificateGC must be disabled to protect validity of fn valuefatal: systemstack called from unexpected goroutinepotentia$runtime: unexpected waitm - semaphore out of syncs.allocCount != s.nelems && freeIndex == s.nelemsslice bounds out of range [::%x] with capacity %ystrconv: internal error, rest != 0 but needed > 0strconv: num > den<<shift in adjustLastDigitFixedstrings.Reader.
API String ID: 0-236179606
Opcode ID: 4ffd6bde8c5486408eb39022158e3b8e77fa635306cca4440c70cf24519dd1b6
Instruction ID: 3ae7765bdf3ec414c24354484007c1892c6c720f09ba574c3dc17aea10fb897d
Opcode Fuzzy Hash: 4ffd6bde8c5486408eb39022158e3b8e77fa635306cca4440c70cf24519dd1b6
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a connection proxy to direct network traffic between systems or act as an intermediary for network communications to a command and control server to avoid direct connections to their infrastructure. Many tools exist that enable traffic redirection through proxies or port redirection, including HTRAN , ZXProxy, and ZXPortMap. Adversaries use these types of proxies to manage command and control communications, reduce the number of simultaneous outbound network connections, provide resiliency in the face of connection loss, or to ride over existing trusted communications paths between victims to avoid suspicion. Adversaries may chain together multiple proxies to further disguise the source of malicious traffic.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may encrypt data on target systems or on large numbers of systems in a network to interrupt availability to system and network resources. They can attempt to render stored data inaccessible by encrypting files or data on local and remote drives and withholding access to a decryption key. This may be done in order to extract monetary compensation from a victim in exchange for decryption or a decryption key (ransomware) or to render data permanently inaccessible in cases where the key is not saved or transmitted.In the case of ransomware, it is typical that common user files like Office documents, PDFs, images, videos, audio, text, and source code files will be encrypted. In some cases, adversaries may encrypt critical system files, disk partitions, and the MBR.
Tactics:	Impact
Data Sources:	File monitoring, Kernel drivers, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report 0ef0070d_by_Libranalysis

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Yara Overview

Sigma Overview

Signature Overview

AV Detection:

Cryptography:

Compliance:

Software Vulnerabilities:

Networking:

Spam, unwanted Advertisements and Ransom Demands:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

Language, Device and Operating System Detection:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

Contacted IPs

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Imports

Network Behavior

Code Manipulations

Statistics

CPU Usage

Memory Usage

Behavior

System Behavior

Analysis Process: 0ef0070d_by_Libranalysis.exe PID: 6720 Parent PID: 5928

General

File Activities

File Opened

File Created

File Moved

File Written

File Read

File Attributes Queried

Other File Operations