Windows Analysis Report
JRDpxoBkBJ.exe

Source: C:\Users\user\Desktop\JRDpxoBkBJ.exe	File created: C:\Windows\perfc.dat	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\perfc	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\dllhost.dat	Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

File deleted: C:\Windows\perfc.dat

Source: C:\Windows\SysWOW64\wevtutil.exe

Process token adjusted: Security

Source: dllhost.dat.1.dr

Static PE information: Resource name: BINRES type: PE32 executable (console) Intel 80386, for MS Windows

Source: JRDpxoBkBJ.exe, 00000000.00000002.1694947366.0000000000D2B000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: OriginalFilenameRUNDLL32.EXEj% vs JRDpxoBkBJ.exe

Source: JRDpxoBkBJ.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: JRDpxoBkBJ.exe, type: SAMPLE	Matched rule: BadRabbit_Gen date = 2017-10-25, hash3 = 630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da, hash2 = 579fd8a0385482fb4c789561a30b09f25671e86422f40ef5cca2036b28f99648, hash1 = 8ebc97e05c8e1073bda2efb6f4d00ad7e789260afa2c276f0c72740b838a0a93, author = Florian Roth, description = Detects BadRabbit Ransomware, reference = https://pastebin.com/Y7pJv3tK, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: JRDpxoBkBJ.exe, type: SAMPLE	Matched rule: NotPetya_Ransomware_Jun17 date = 2017-06-27, hash3 = 64b0b58a2c030c77fdb2b537b2fcc4af432bc55ffb36599a31d418c7c69e94b1, hash2 = 45ef8d53a5a2011e615f60b058768c44c74e5190fefd790ca95cf035d9e1d5e0, hash1 = 027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745, author = Florian Roth, description = Detects new NotPetya Ransomware variant from June 2017, reference = https://goo.gl/h6iaGj, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: JRDpxoBkBJ.exe, type: SAMPLE	Matched rule: fe_cpe_ms17_010_ransomware date = 2017-06-27, author = ian.ahl@fireeye.com @tekdefense, nicholas.carr@mandiant.com @itsreallynick, description = probable petya ransomware using eternalblue, wmic, psexec, version = 1.1, reference = https://www.fireeye.com/blog/threat-research/2017/06/petya-ransomware-spreading-via-eternalblue-exploit.html
Source: JRDpxoBkBJ.exe, type: SAMPLE	Matched rule: ransomware_petrwrap copyright = kaspersky lab, author = kaspersky lab, description = rule to detect petrwrap ransomware samples, version = 1.0, reference = https://securelist.com/schroedingers-petya/78870/, last_modified = 2017-06-27, hash = 71b6a493388e7d0b40c83ce903bc6b04
Source: JRDpxoBkBJ.exe, type: SAMPLE	Matched rule: doublepulsarxor_petya date = 2017-06-28, author = patrick user, description = rule to hit on the xored doublepulsar shellcode, reference1 = https://www.boozallen.com/s/insight/publication/the-petya-ransomware-outbreak.html, reference2 = https://www.boozallen.com/content/dam/boozallen_site/sig/pdf/white-paper/rollup-of-booz-allen-petya-research.pdf, company = booz allen hamilton, hash = 64b0b58a2c030c77fdb2b537b2fcc4af432bc55ffb36599a31d418c7c69e94b1
Source: JRDpxoBkBJ.exe, type: SAMPLE	Matched rule: doublepulsardllinjection_petya date = 2017-06-28, author = patrick user, description = rule to hit on the xored doublepulsar dll injection shellcode, reference1 = https://www.boozallen.com/s/insight/publication/the-petya-ransomware-outbreak.html, reference2 = https://www.boozallen.com/content/dam/boozallen_site/sig/pdf/white-paper/rollup-of-booz-allen-petya-research.pdf, company = booz allen hamilton, hash = 64b0b58a2c030c77fdb2b537b2fcc4af432bc55ffb36599a31d418c7c69e94b1
Source: JRDpxoBkBJ.exe, type: SAMPLE	Matched rule: Petya_1 author = kevoreilly, description = Petya Payload, cape_type = Petya Payload
Source: JRDpxoBkBJ.exe, type: SAMPLE	Matched rule: Win32_Ransomware_NotPetya tc_detection_name = NotPetya, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 00000001.00000002.1737559683.00000000043BD000.00000002.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: fe_cpe_ms17_010_ransomware date = 2017-06-27, author = ian.ahl@fireeye.com @tekdefense, nicholas.carr@mandiant.com @itsreallynick, description = probable petya ransomware using eternalblue, wmic, psexec, version = 1.1, reference = https://www.fireeye.com/blog/threat-research/2017/06/petya-ransomware-spreading-via-eternalblue-exploit.html
Source: 00000001.00000002.1737559683.00000000043BD000.00000002.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: doublepulsarxor_petya date = 2017-06-28, author = patrick user, description = rule to hit on the xored doublepulsar shellcode, reference1 = https://www.boozallen.com/s/insight/publication/the-petya-ransomware-outbreak.html, reference2 = https://www.boozallen.com/content/dam/boozallen_site/sig/pdf/white-paper/rollup-of-booz-allen-petya-research.pdf, company = booz allen hamilton, hash = 64b0b58a2c030c77fdb2b537b2fcc4af432bc55ffb36599a31d418c7c69e94b1
Source: 00000001.00000002.1737559683.00000000043BD000.00000002.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: doublepulsardllinjection_petya date = 2017-06-28, author = patrick user, description = rule to hit on the xored doublepulsar dll injection shellcode, reference1 = https://www.boozallen.com/s/insight/publication/the-petya-ransomware-outbreak.html, reference2 = https://www.boozallen.com/content/dam/boozallen_site/sig/pdf/white-paper/rollup-of-booz-allen-petya-research.pdf, company = booz allen hamilton, hash = 64b0b58a2c030c77fdb2b537b2fcc4af432bc55ffb36599a31d418c7c69e94b1
Source: 00000000.00000000.1691609553.0000000000E96000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: fe_cpe_ms17_010_ransomware date = 2017-06-27, author = ian.ahl@fireeye.com @tekdefense, nicholas.carr@mandiant.com @itsreallynick, description = probable petya ransomware using eternalblue, wmic, psexec, version = 1.1, reference = https://www.fireeye.com/blog/threat-research/2017/06/petya-ransomware-spreading-via-eternalblue-exploit.html
Source: 00000000.00000000.1691609553.0000000000E96000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: doublepulsarxor_petya date = 2017-06-28, author = patrick user, description = rule to hit on the xored doublepulsar shellcode, reference1 = https://www.boozallen.com/s/insight/publication/the-petya-ransomware-outbreak.html, reference2 = https://www.boozallen.com/content/dam/boozallen_site/sig/pdf/white-paper/rollup-of-booz-allen-petya-research.pdf, company = booz allen hamilton, hash = 64b0b58a2c030c77fdb2b537b2fcc4af432bc55ffb36599a31d418c7c69e94b1
Source: 00000000.00000000.1691609553.0000000000E96000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: doublepulsardllinjection_petya date = 2017-06-28, author = patrick user, description = rule to hit on the xored doublepulsar dll injection shellcode, reference1 = https://www.boozallen.com/s/insight/publication/the-petya-ransomware-outbreak.html, reference2 = https://www.boozallen.com/content/dam/boozallen_site/sig/pdf/white-paper/rollup-of-booz-allen-petya-research.pdf, company = booz allen hamilton, hash = 64b0b58a2c030c77fdb2b537b2fcc4af432bc55ffb36599a31d418c7c69e94b1
Source: 00000000.00000002.1695711231.0000000000E96000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: fe_cpe_ms17_010_ransomware date = 2017-06-27, author = ian.ahl@fireeye.com @tekdefense, nicholas.carr@mandiant.com @itsreallynick, description = probable petya ransomware using eternalblue, wmic, psexec, version = 1.1, reference = https://www.fireeye.com/blog/threat-research/2017/06/petya-ransomware-spreading-via-eternalblue-exploit.html
Source: 00000000.00000002.1695711231.0000000000E96000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: doublepulsarxor_petya date = 2017-06-28, author = patrick user, description = rule to hit on the xored doublepulsar shellcode, reference1 = https://www.boozallen.com/s/insight/publication/the-petya-ransomware-outbreak.html, reference2 = https://www.boozallen.com/content/dam/boozallen_site/sig/pdf/white-paper/rollup-of-booz-allen-petya-research.pdf, company = booz allen hamilton, hash = 64b0b58a2c030c77fdb2b537b2fcc4af432bc55ffb36599a31d418c7c69e94b1
Source: 00000000.00000002.1695711231.0000000000E96000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: doublepulsardllinjection_petya date = 2017-06-28, author = patrick user, description = rule to hit on the xored doublepulsar dll injection shellcode, reference1 = https://www.boozallen.com/s/insight/publication/the-petya-ransomware-outbreak.html, reference2 = https://www.boozallen.com/content/dam/boozallen_site/sig/pdf/white-paper/rollup-of-booz-allen-petya-research.pdf, company = booz allen hamilton, hash = 64b0b58a2c030c77fdb2b537b2fcc4af432bc55ffb36599a31d418c7c69e94b1
Source: 00000001.00000002.1737025242.0000000000A5A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: fe_cpe_ms17_010_ransomware date = 2017-06-27, author = ian.ahl@fireeye.com @tekdefense, nicholas.carr@mandiant.com @itsreallynick, description = probable petya ransomware using eternalblue, wmic, psexec, version = 1.1, reference = https://www.fireeye.com/blog/threat-research/2017/06/petya-ransomware-spreading-via-eternalblue-exploit.html
Source: 00000001.00000002.1737025242.0000000000A5A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: doublepulsarxor_petya date = 2017-06-28, author = patrick user, description = rule to hit on the xored doublepulsar shellcode, reference1 = https://www.boozallen.com/s/insight/publication/the-petya-ransomware-outbreak.html, reference2 = https://www.boozallen.com/content/dam/boozallen_site/sig/pdf/white-paper/rollup-of-booz-allen-petya-research.pdf, company = booz allen hamilton, hash = 64b0b58a2c030c77fdb2b537b2fcc4af432bc55ffb36599a31d418c7c69e94b1
Source: 00000001.00000002.1737025242.0000000000A5A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: doublepulsardllinjection_petya date = 2017-06-28, author = patrick user, description = rule to hit on the xored doublepulsar dll injection shellcode, reference1 = https://www.boozallen.com/s/insight/publication/the-petya-ransomware-outbreak.html, reference2 = https://www.boozallen.com/content/dam/boozallen_site/sig/pdf/white-paper/rollup-of-booz-allen-petya-research.pdf, company = booz allen hamilton, hash = 64b0b58a2c030c77fdb2b537b2fcc4af432bc55ffb36599a31d418c7c69e94b1
Source: Process Memory Space: JRDpxoBkBJ.exe PID: 6672, type: MEMORYSTR	Matched rule: fe_cpe_ms17_010_ransomware date = 2017-06-27, author = ian.ahl@fireeye.com @tekdefense, nicholas.carr@mandiant.com @itsreallynick, description = probable petya ransomware using eternalblue, wmic, psexec, version = 1.1, reference = https://www.fireeye.com/blog/threat-research/2017/06/petya-ransomware-spreading-via-eternalblue-exploit.html
Source: Process Memory Space: rundll32.exe PID: 6788, type: MEMORYSTR	Matched rule: fe_cpe_ms17_010_ransomware date = 2017-06-27, author = ian.ahl@fireeye.com @tekdefense, nicholas.carr@mandiant.com @itsreallynick, description = probable petya ransomware using eternalblue, wmic, psexec, version = 1.1, reference = https://www.fireeye.com/blog/threat-research/2017/06/petya-ransomware-spreading-via-eternalblue-exploit.html

Source: JRDpxoBkBJ.exe

Binary or memory string: MIIBCgKCAQEAxP/VqKc0yLe9JhVqFMQGwUITO6WpXWnKSNQAYT0O65Cr8PjIQInTeHkXEjfO2n2JmURWV/uHB0ZrlQ/wcYJBwLhQ9EqJ3iDqmN19Oo7NtyEUmbYmopcq+YLIBZzQ2ZTK0A2DtX4GRKxEEFLCy7vP12EYOPXknVy/+mf0JFWixz29QiTf5oLu15wVLONCuEibGaNNpgq+CXsPwfITDbDDmdrRIiUEUw6o3pt5pNOskfOJbMan2TZu6zfhzuts7KafP5UA8/0Hmf5K3/F9Mf9SE68EZjK+cIiFlKeWndP0XfRCYXI9AJYCeaOu7CXF6U0AVNnNjvLeOn42LHFUK4o6JwIDAQABC:\Windows;.3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.%ws.*...Microsoft Enhanced RSA and AES Cryptographic ProviderREADME.TXTQ

Source: classification engine

Classification label: mal100.rans.spre.evad.winEXE@24/35@0/3

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7088:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7052:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6884:120:WilError_03

Source: C:\Windows\SysWOW64\rundll32.exe

File created: C:\Users\user\AppData\Local\Temp\74A4.tmp

Source: JRDpxoBkBJ.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\JRDpxoBkBJ.exe

File read: C:\Users\user\Desktop\desktop.ini

Source: C:\Users\user\Desktop\JRDpxoBkBJ.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: C:\Users\user\Desktop\JRDpxoBkBJ.exe

Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Windows\perfc.dat #1

Source: JRDpxoBkBJ.exe

ReversingLabs: Detection: 78%

Source: unknown	Process created: C:\Users\user\Desktop\JRDpxoBkBJ.exe "C:\Users\user\Desktop\JRDpxoBkBJ.exe"
Source: C:\Users\user\Desktop\JRDpxoBkBJ.exe	Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Windows\perfc.dat #1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c schtasks /Create /SC once /TN "" /TR "C:\Windows\system32\shutdown.exe /r /f" /ST 14:60
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Users\user\AppData\Local\Temp\74A4.tmp "C:\Users\user\AppData\Local\Temp\74A4.tmp" \\.\pipe\{93489684-E94E-42C2-BE94-1B9F236C3B77}
Source: C:\Users\user\AppData\Local\Temp\74A4.tmp	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Create /SC once /TN "" /TR "C:\Windows\system32\shutdown.exe /r /f" /ST 14:60
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application & fsutil usn deletejournal /D C:
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\wevtutil.exe wevtutil cl Setup
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\wevtutil.exe wevtutil cl System
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\wevtutil.exe wevtutil cl Security
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\wevtutil.exe wevtutil cl Application
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\fsutil.exe fsutil usn deletejournal /D C:
Source: C:\Users\user\Desktop\JRDpxoBkBJ.exe	Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Windows\perfc.dat #1	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c schtasks /Create /SC once /TN "" /TR "C:\Windows\system32\shutdown.exe /r /f" /ST 14:60	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Users\user\AppData\Local\Temp\74A4.tmp "C:\Users\user\AppData\Local\Temp\74A4.tmp" \\.\pipe\{93489684-E94E-42C2-BE94-1B9F236C3B77}	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application & fsutil usn deletejournal /D C:	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Create /SC once /TN "" /TR "C:\Windows\system32\shutdown.exe /r /f" /ST 14:60	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\wevtutil.exe wevtutil cl Setup	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\wevtutil.exe wevtutil cl System	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\wevtutil.exe wevtutil cl Security	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\wevtutil.exe wevtutil cl Application	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\fsutil.exe fsutil usn deletejournal /D C:	Jump to behavior

Source: C:\Users\user\Desktop\JRDpxoBkBJ.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\JRDpxoBkBJ.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\JRDpxoBkBJ.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\JRDpxoBkBJ.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\JRDpxoBkBJ.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\JRDpxoBkBJ.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\JRDpxoBkBJ.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\JRDpxoBkBJ.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\JRDpxoBkBJ.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\JRDpxoBkBJ.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\JRDpxoBkBJ.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\JRDpxoBkBJ.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\JRDpxoBkBJ.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\JRDpxoBkBJ.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\JRDpxoBkBJ.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\JRDpxoBkBJ.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\JRDpxoBkBJ.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\JRDpxoBkBJ.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\JRDpxoBkBJ.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\JRDpxoBkBJ.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\JRDpxoBkBJ.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\JRDpxoBkBJ.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\74A4.tmp	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wevtutil.exe	Section loaded: wevtapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wevtutil.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wevtutil.exe	Section loaded: wevtapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wevtutil.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wevtutil.exe	Section loaded: wevtapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wevtutil.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wevtutil.exe	Section loaded: wevtapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wevtutil.exe	Section loaded: kernel.appcore.dll	Jump to behavior

Source: C:\Users\user\Desktop\JRDpxoBkBJ.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F5FB2C77-0E2F-4A16-A381-3E560C68BC83}\InProcServer32

Infects the VBR (Volume Boot Record) of the hard disk

Source: JRDpxoBkBJ.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: JRDpxoBkBJ.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: JRDpxoBkBJ.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: JRDpxoBkBJ.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: JRDpxoBkBJ.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: JRDpxoBkBJ.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: JRDpxoBkBJ.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: JRDpxoBkBJ.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: c:\src\Pstools\psexec\SVC\Release\psexesvc.pdb x source: dllhost.dat.1.dr
Source:	Binary string: c:\src\Pstools\psexec\SVC\Release\psexesvc.pdb source: dllhost.dat.1.dr
Source:	Binary string: lsasrv.pdb source: 74A4.tmp, 00000004.00000003.1700548079.0000000002840000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: lsasrv.pdbUGP source: 74A4.tmp, 00000004.00000003.1700548079.0000000002840000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: c:\src\Pstools\psexec\EXE\Release\psexec.pdb source: dllhost.dat.1.dr
Source:	Binary string: C:\Users\PC\documents\visual studio 2010\Projects\NotPetya\Release\NotPetya.pdb source: JRDpxoBkBJ.exe

Source: JRDpxoBkBJ.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: JRDpxoBkBJ.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: JRDpxoBkBJ.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: JRDpxoBkBJ.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: JRDpxoBkBJ.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Persistence and Installation Behavior

Source: C:\Windows\SysWOW64\rundll32.exe

File written: C: offset: 512

Writes directly to the primary disk partition (DR0)

Source: C:\Windows\SysWOW64\rundll32.exe

File written: \Device\Harddisk0\DR0 offset: 5120 length: 5120

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Windows\SysWOW64\rundll32.exe

File created: C:\Windows\dllhost.dat

Jump to dropped file

Source: C:\Windows\SysWOW64\rundll32.exe

File created: C:\Windows\dllhost.dat

Jump to dropped file

Boot Survival

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Create /SC once /TN "" /TR "C:\Windows\system32\shutdown.exe /r /f" /ST 14:60

Source: C:\Users\user\Desktop\JRDpxoBkBJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe	Thread delayed: delay time: 1200000	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Thread delayed: delay time: 2700000	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Thread delayed: delay time: 900000	Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

Dropped PE file which has not been started: C:\Windows\dllhost.dat

Jump to dropped file

Source: C:\Windows\SysWOW64\rundll32.exe TID: 824	Thread sleep time: -1200000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe TID: 6824	Thread sleep time: -2700000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe TID: 7152	Thread sleep time: -180000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe TID: 6824	Thread sleep time: -900000s >= -30000s	Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe	Thread delayed: delay time: 1200000	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Thread delayed: delay time: 2700000	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Thread delayed: delay time: 900000	Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\UIThemes\	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\	Jump to behavior

Source: rundll32.exe, 00000001.00000002.1737025242.0000000000B33000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000001.00000002.1737025242.0000000000A5A000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW

Source: C:\Users\user\AppData\Local\Temp\74A4.tmp

Process information queried: ProcessInformation

Source: C:\Users\user\AppData\Local\Temp\74A4.tmp

Process token adjusted: Debug

System process connects to network (likely due to code injection or exploit)

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\SysWOW64\rundll32.exe	Network Connect: 192.168.2.0 139	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Network Connect: 192.168.2.1 80	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Network Connect: 173.222.162.32 445	Jump to behavior

Source: C:\Users\user\Desktop\JRDpxoBkBJ.exe	Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Windows\perfc.dat #1	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Create /SC once /TN "" /TR "C:\Windows\system32\shutdown.exe /r /f" /ST 14:60	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\wevtutil.exe wevtutil cl Setup	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\wevtutil.exe wevtutil cl System	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\wevtutil.exe wevtutil cl Security	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\wevtutil.exe wevtutil cl Application	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\fsutil.exe fsutil usn deletejournal /D C:	Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Source: Yara match

File source: C:\Windows\dllhost.dat, type: DROPPED

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Windows Management Instrumentation	1 Scheduled Task/Job	111 Process Injection	2 Masquerading	OS Credential Dumping	1 Security Software Discovery	Remote Services	Data from Local System	2 Encrypted Channel	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Scheduled Task/Job	2 Bootkit	1 Scheduled Task/Job	21 Virtualization/Sandbox Evasion	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	Data from Removable Media	1 Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Service Execution	1 DLL Side-Loading	1 DLL Side-Loading	111 Process Injection	Security Account Manager	21 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	2 Bootkit	NTDS	2 File and Directory Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Rundll32	LSA Secrets	2 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	2 Indicator Removal	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 File Deletion	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label
JRDpxoBkBJ.exe	79%	ReversingLabs	Win32.Ransomware.Petya
JRDpxoBkBJ.exe	100%	Avira	TR/AD.Petya.wuwtd
JRDpxoBkBJ.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Windows\dllhost.dat	3%	ReversingLabs

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
http://192.168.2.1:80/	0%	Avira URL Cloud	safe
http://192.168.2.1/	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

⊘No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://192.168.2.1:80/	rundll32.exe, 00000001.00000002.1737833292.0000000004B99000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://192.168.2.1/	rundll32.exe, 00000001.00000002.1737025242.0000000000A5A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000001.00000002.1737833292.0000000004B99000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
173.222.162.32	unknown	United States		35994	AKAMAI-ASUS	true

Private

IP
192.168.2.0
192.168.2.1

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1453826
Start date and time:	2024-06-07 19:56:33 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 11s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	14
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:
Sample name:	JRDpxoBkBJ.exe renamed because original name is a hash value
Original Sample Name:	63545fa195488ff51955f09833332b9660d18f8afb16bdf579134661962e548a.exe
Detection:	MAL
Classification:	mal100.rans.spre.evad.winEXE@24/35@0/3
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Connection to analysis system has been lost, crash info: Unknown
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: JRDpxoBkBJ.exe

Simulations

Behavior and APIs

Time	Type	Description
13:57:27	API Interceptor	28x Sleep call for process: rundll32.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
173.222.162.32	smartsscreen.exe	Get hash	malicious	Xmrig	Browse
	java.exe	Get hash	malicious	Tinba	Browse
	java.exe	Get hash	malicious	Tinba	Browse
	java.exe	Get hash	malicious	Tinba	Browse
	p2pWin.exe	Get hash	malicious	Petya / NotPetya, Mimikatz	Browse

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
AKAMAI-ASUS	SecuriteInfo.com.Win64.Evo-gen.5863.31650.exe	Get hash	malicious	CleanUp Loader	Browse	23.60.200.80
	https://lovechloe-my.sharepoint.com/:b:/g/personal/heidi_lovechloe_org/EcawKiHvvl5PpCtvIDebR_IBPC8eGOn9GDpMZtPOiwMQdw?e=jN2Hh6	Get hash	malicious	Unknown	Browse	2.19.126.199
	QPT 8.9 for PowerPoint.exe	Get hash	malicious	Unknown	Browse	184.28.90.27
	MeetOne.pkg	Get hash	malicious	Meethub	Browse	23.193.120.219
	QUEL-SONT-LES-ELEMENTS-POUR-FAIRE-UN-FEU-V10 modifi#U00e9.ppt	Get hash	malicious	Unknown	Browse	184.28.90.27
	https://559130-81.myshopify.com/_t/c/A1020005-17D67710C1FD3FFE-54C78B72?l=AACRiPXRxK9LeRpD4cDvoS9bXCG%2BDAoDLNX5fp0sgIPztMUhUGzEyWVsmaTksaZVS8V3tfLQ58vzz2CePbxcXEYwKSCD5peaw2J77oTKvLDc6KjHRaVw1W0pAmx5U%2Bczno0GShAHXkFB4SJaL6iDI743h5X2ryzKYUuyFe%2B9bCuz5inYqkE%3D&c=AACU2WYm1YoxWX5Q222lkeLwuWaMJFo59Hn1KMR2ZoViL1nGLNWCfjXDhau8hrsOB%2B2%2FHRQolBOCcsaU6ND3PolllDNHZ0If4DZGqCRFSJKRwvrmEl42UkTTn4seuYIceVRWOWSJE2ktSPZuF0p5tjBKVRIUmrKXwy%2FD9PT9htiTisub374iNBS8YPBp6THkFoI3ehY%2FFYDn6YJe6PGDLYcm3L6uSxtWRMuxI51PFZk%2BQvmn%2B5jZpZ%2Bs4DdJ6bzOFuOZ12RBUusMnpMo8fbe7fnB1yJt55fknY9xECgMUbR0VkzVxXkJK2%2FyuEo8frl%2FN0x5XBMHMlz6ZEFI9o4pUbROv6EKUuydsOjkD96hSzMCifNDDSC9A5ZZcjGYBaYaiwjxOqGhn5JcYalZxPA3GJHXvng4PBdCLlgG%2FRyJIgpRxYNnhzb%2BwAINxPJ6xdJopT2wJp5S0WSxrkKh9xIsAlYimr6BYs6KyQ9elJDUWm43PkznrhvHJMBOZ4KbdNhrhpgE1ZDCGM5q%2BR6FX3ttOb8qezmca%2FnHBqeGl87Bms79cWAL%2FpNGlyHHnVQd63lmjaWb9ipYZiIl5bQjsjRv6i7AkjMhQO4LE%2BldC66RLNigq9Ug%2B%2BN%2FXJAFah%2FfWRM%2FvaOjrg6lurHyQJQ8poHSNGbqtQY72wpHRmHBZBhYFXVsTojrOuzj	Get hash	malicious	HTMLPhisher	Browse	2.19.225.87
	https://h.oyzb.link/	Get hash	malicious	Unknown	Browse	2.19.126.213
	https://ijkhg3.pages.dev/	Get hash	malicious	Unknown	Browse	2.19.126.213
	https://cv.liul02972.workers.dev/	Get hash	malicious	Unknown	Browse	69.192.160.133
	https://tea02.pages.dev/	Get hash	malicious	Unknown	Browse	69.192.160.133

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Windows\dllhost.dat	p2pWin.exe	Get hash	malicious	Petya / NotPetya, Mimikatz	Browse
	027.dll	Get hash	malicious	Petya / NotPetya, Mimikatz	Browse
	QYXZGHJc38.dll	Get hash	malicious	Petya / NotPetya, Mimikatz	Browse
	NotPetya DLL.dll.dll	Get hash	malicious	Petya / NotPetya, Mimikatz	Browse
	Trojan.Ransom.exe	Get hash	malicious	Mimikatz, NotPetya	Browse
	qFTst626iV.dll	Get hash	malicious	Petya / NotPetya, Mimikatz	Browse
	NotPetya.dll	Get hash	malicious	Petya / NotPetya, Mimikatz	Browse
	notpetya.dll	Get hash	malicious	Petya / NotPetya Mimikatz	Browse
	6r3kQ7Ddkk.dll	Get hash	malicious	Petya / NotPetya Mimikatz	Browse

Created / dropped Files

C:

Process:	C:\Windows\SysWOW64\rundll32.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.10191042566270775
Encrypted:	false
SSDEEP:	3:qCll:qC
MD5:	B87ABCAEA49865F3DCF02323BEF8656F
SHA1:	8AC4DC0FB14BC0F8DBCB363E68758DF1CAC6E783
SHA-256:	C7C8843F4EE28F926DB82CF2AEEACEAD4B55667EF507BCF428DD59CEC86ED72F
SHA-512:	86ADBFCCE6269B032EB7ADC2C002608E489FC57F76631CCDFACE8AA6144B6E3FB3D82336B1D781EE55D2FD0AA8A6F067D807AE727E3F1EED783A80DC093F8C59
Malicious:	true
Preview:	.....:..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX3_DLL.h

Process:	C:\Windows\SysWOW64\rundll32.exe
File Type:	data
Category:	dropped
Size (bytes):	13008
Entropy (8bit):	7.986522066264414
Encrypted:	false
SSDEEP:	384:47SVbWxTrtO2YfhEAzq6CFEZPoqlBGJ9rkcWIzWfMwsMc5F:pbWxTp+fDe6Ci2qlIJtHyKF
MD5:	69DFAD3668576C6441CF7E2272724737
SHA1:	6111768757AAF7880F6832DF0D5AE0F692505BB5
SHA-256:	3E8110E6049E67C9FDDD638EAAD0533664432B2C6BA73ED19988601AD156927F
SHA-512:	39203000CC975EAD367FEA991350A65F9B47B85CF43E4CA31A01B24D95F94286BA70A2F9074BB1D7D04E6BEFC964AF19C420648FBC61EB62D602DB231BE2C446
Malicious:	false
Preview:	.......I.k.eQ5.?6.v.oK...\,.....`>....2...m..H..........7W....\|.qHSl.JP:7.....RH.-7.w..X.QI..8..>.Ub.CE."..e&..S;......a_k....&.^.p<....x...IX....5.[....E..w3..0....3....@.9..>........I....1h....Rk<y.T.......>3D.T.8..O....t..I..pi.]3.L.%}E.-ip.=..9d..+..)...t..:..R.p.....\|.-M.E.a...._.........[I..%..M..[+........NZ[O..G.=$.....t.......-j9.HX....v=..v...de.."Q.#o....W.e.-.3.6..\..vpML.L9.../......b.:G&....b..u>n.x..;D+.\..l.....;...".............-...&.Q.W...g;...RD..Y. 8...\.}]._L..e....T.2^. ..O...6.jm..).....4rZ..k......R...A.[G]....=..R{.F.....<..]2c..7....oK.k.z....~..=.T...[)....[..s.....3.D..KQ.......~l.........`..b......<..o..Q.D.[.v...b..=r..)...%.R?u.....h.....%#(..1Y.S.........V)..\Q......J...`.=..z 7F .V?X.:..M....\}d.x..`wb7P...M..}.v..}...=..4Y..R../.....a...q..W....+"@~-ue.w...oP......T...6F3..x?>..r,./@.D/.U.......C.99.J.(.c..hN._ .6.<.....Y..,.K.z..."z..{...+.Z.@..k==....WD..q..@...l3.`.....9...4...".#.9S.D..Y>G...

C:\Program Files (x86)\AutoIt3\Examples\COM\Worksheet.xls

Process:	C:\Windows\SysWOW64\rundll32.exe
File Type:	data
Category:	dropped
Size (bytes):	13840
Entropy (8bit):	7.985310111199912
Encrypted:	false
SSDEEP:	192:UhFs4VSYB1UvhAK9yWLK/hfY72UkQXvaWaSu0rNvKmrwBRB7F3KWAjksvlu/MPO:csjoshddGJY7a7EymrynFertu/2O
MD5:	5BE2E40DC5DAF504BC4F863539F2DB2B
SHA1:	F5DF00B77332FE4429F3FFA0233E945B160ABA22
SHA-256:	48E6AF52DE8B9E9CF748A9C32FBAF450591863DF9635F693450E594FE07D3F78
SHA-512:	0C69F6D360F35D2A85944C232E4AE710CAAC7DCC77884601607481AF4CBD811D23D348BEC5EF1B245090E528478D3816B598FF59A872F5E24DEA69B989E7915F
Malicious:	false
Preview:	.UY..h.x....g.(F.P..p.A.BnY..3...%#?m).9.v.1.<..<..M.."`.+...f...MXs.8..0.-K.<..g..X.y.l.s.55@...D...5z.y9s..O.X[...dX.f..t....f^.Y&p.&.-f`...`..{..&..!......xS.m.,..,@~X...).u_.(X.J.....<....P...s.1..A;x.....UO..4........G.M....,xE.......:....B.........l...U...M.(....K...a...#r@ .......4..L.......CU/N...!\|E}...<:..l.2..5WCD..g8<n{K3..v.!..e"..?cG.!.....Q.U...e6.Dr......v..M....R.-K5.k;1..6...~.= .._F.s.0._.p.K7...j9..............i...e.F&.U.g..$..3J2......$......,......<f..NJ.'.........>+s;Q.1s.._....{j.S.>}.F."i........k%e...U....o.........q5.Q.........}.+..Z.H..t....b.....,eIkv....2..u..9.W.....P....+...,.u.LK.p[]z.c.1.~.g...@.0..c......\|..J..j............u.S..a.T.s...)S..g4.{1.!v..$.^u*DJ.\....p....A....lt;.4.g..G..H2W["..."TF.......>G..../..L..?...P..F]Kf...9..{....=\.P.......A.k}S....Z;j8Hg.&.zu.....@....Q.bQWm.&.w.M....a.{g........^..#.O@.7..#....v1C]K..\|.....EG.../5J...8,......J.......#...Q....'.x.N.q.L.:LW...I....~...

C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\Test.doc

Process:	C:\Windows\SysWOW64\rundll32.exe
File Type:	data
Category:	dropped
Size (bytes):	50704
Entropy (8bit):	7.996214048406519
Encrypted:	true
SSDEEP:	1536:Sr76WXNyydG6xH8An+7TKqr5voMWysDB8:67dM8dSi+PKaRWrDS
MD5:	95F1E8F1ECCEDDF384145615601326DD
SHA1:	E5996136698F3EF091B5305831702780DA1C87B5
SHA-256:	8B8D72928DC26263747BE0E7193C2C94219C55926DDE4F4D89E4950A55743DAC
SHA-512:	22E42BAD8AE5EB22276C91E49797434C52AF408E1E376CAA56A29C4BAD2DC013C9691287E0D9987F147B4C4B91D31AF5CBB2FEEDD17089356FFE33A40F483BDB
Malicious:	false
Preview:	.UY..h.x....g.(F.P..p.A.BnY..3...%#?m).9.v.1R..X.A..&...9Y.N.nX..qC.U@.6&...p.F?.#...C.z.e.V]..$.\.;e.6?B.2.,>........I.../.C.Q....Qyo..$.....m.k.....f$.....>.....F.$[....=."...fV..vN.......U..d...t.=BJ.6..>.`...._....Z..Q.J.....$.ka.....pp.......C.0..1.x..M.S..&..f.J(..Y.q..+..#........l.9Q.....R.5...%cm.@5......x..tP.%.9j_A...B..ZC\|!...Ul%.\.Bd.C._.P.".`A3.......'Y........v.x.y..O.<Y>x...[_..p......0k?..e.L.-GR.?t.a..TK..e...t...........0..t....ih....#H.cyX....Y.Mv^T.<c,.....{.r.Y.........+.....w....F.j.2....F.W.6H.-zC+]..?.P..W.....-..U..N....x'._+d9Z ....0..Y$Vcg.....1....w.T..G..w...{....(.n#......<..0"i..8?...............d1EV..{....rF..(.w..q.....X_....ju.F..4.#lY[.6ak.."v.F.(.a]"...r...L...E..]+..-...4_.6.r.....gP5c=.#..3......v.u......yu\..ei j......xx.\z....,T*;xT.............T]..dY...F.\...~.\?~.....WR...\...5....t.c....].J.\a.\..9.....1..o@...A...&]..t.#.$.~.}5.Y...{.~7...vF.0..5..G....T}.:..i.r.D.+.M55.

C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\Test2.doc

Process:	C:\Windows\SysWOW64\rundll32.exe
File Type:	data
Category:	dropped
Size (bytes):	32784
Entropy (8bit):	7.995106936406232
Encrypted:	true
SSDEEP:	768:16GguFDRvYmkzODwDw6pwIt8mxoc/2CbgNo3sggCuVSksGA59hCf:+i7kawDwqDt8s/2CtsUiSVtDsf
MD5:	A1ACF141A64F0A14796E499924CA3739
SHA1:	1869CEA3AE699F06E33F81544AC1A29758DDA104
SHA-256:	B0AAE4612A3760F087E3E607A228F2C2A87C08B90974FAF3065C20FDFEAB6DB8
SHA-512:	ACEB27B30F64BEC52B20CFF7A21D0A38872D5801BB08EA55DB920D9F49ABE9E65A7D9B093D2A64ADDC3CEE65EA17EE2E4354B823BB9137FEB8FB3FB7E9D76226
Malicious:	false
Preview:	.UY..h.x....g.(F.P..p.A.BnY..3...%#?m).9.v.1.GY...&....Vn.u...NW....V....A...5....nz..!.jHd.Op(L..&b.#..}0..6.~....N...##y9h.+...GtW...X.<.._...-J.....#..O`Z...j..O..1.w..t\H.'t..f...zN@F..P...U\|`.Y.~a2$.KH.R.aB....N!.....f4.~.1..t....:.E..Rm1.&'....+..}?T.b....Vg...\.p;.I..OU.s.3BG.D=...p.l..)./a(]..Itp..[...p...\.....(......T....6d.(...v..>. ....c...c7h..y....2........).l.......r.3.A;{...K1/.t..Y........8..mh.c..........K\|g....w..F&..o.....1...'..:";9N.l._\Y.:j..q..z#/.Kk....d?..7i..@.."%T....Z.zP$....d..,8.e.^.w...?.v......+T.\n....T/VF...B.Sj..6.w\&...e8y......~!..........<4.."...e...x....P.S.+..c_.X..M......:.j.;;l..... .u...V...Z..r..<...\|K..7U}p.C.Q9S.#..C.....b..^...Ul..sT.9.2..]$0JI.o.E<..+.....U...Z..}0.e...si. ....r....j.#.o.._A.lx8..RY.gm..S...x......n.w..}gtQ.@.a.T.Xk.D..g..~hO.>=.@B\|P... ..4l.c....o...~.....;Y.0.n{<q8$~.B.p..C.}..z.brA...yV.>.&..&wu..G.E.....Y.G........7.6@\|...q?..j...@.N?.\|.~./.0..WL..&.

C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\_Excel1.xls

Process:	C:\Windows\SysWOW64\rundll32.exe
File Type:	data
Category:	dropped
Size (bytes):	398352
Entropy (8bit):	7.9995276765142265
Encrypted:	true
SSDEEP:	12288:NeuqH2m1y+8/7xAPJWsR/vNjh4mSQHu67ojRaDybX/:zhOAsjh3dHu67lybv
MD5:	DF1B5D813A6D5CBDC31730A332566E58
SHA1:	A31A49984D387F5731E19F1AFA0ADFF49B59C455
SHA-256:	BED55A83AE58D0337E83258CFEAA05D09CE4520FB218ADF08AD6AE4AEFC5BAF4
SHA-512:	0EB2CBE1D705AFCDBDE9EEEFF415F07FFE2364B7A585C12CB0FC1DD4836AA37C842CA9A43538F7267C57CE623A33442CE0C6A269528667220FDAD4B76EEF52AD
Malicious:	false
Preview:	.UY..h.x....g.(F.P..p.A.BnY..3...p..OI.p& B.....{h .(.6....VX.AK.@..'...(.tK.2@(......y............_...q.....z.b...#0Z..1x../y.j...F.......-h..4C..A1..9...IuA.i............8............m..I.$l/.%B?^/.^o.'B.c...y#.f.e.'..........T1.....^.p,..@.U..PX.+.KE.4.E:...7.n.E..n...+0Mu..g...L.^.....BHy......].oT..{...h.{u4....>.M.G@k&..9m.>.Y..khj:.{......E.\|.za.@\|k.e.y{(.t.8<Y.V...s.q@s5..q..;._.g..^...1-.w.......J.\.h(.Cry.y8.B..r...L.V.?+./.......^n.~..j..F.....X6..A;..N~.s..m..0...t:.e{. %d1-QF(1..dj.7Y..5....s...\|.....p..K..mA.O....hrLp..jL.....W.I...9.r..%/D...\|.-...K...........wa.....Q.g...7.......b. m.:.>..(....'.-p$........z....9.Z.R...ML....C..!..9... ... ...Q....7..z.l......A.Z2.X!D..N.N.$......7..I.r..F.p..1H....L.E...t}&.U.h.G..~.....j..x.;...?........k..VT.!.n..U)...4..Ye.h...uu.)=..V.[...... ...z_.......4...Z..{g.......xp*!..(7o,..m.T.Q...T.2......t..j.....@g.......B4n!.R..x..g...oHfoi.y..jM...#.......]]}..)...< ..?../.D4.t

C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\_Excel2.xls

Process:	C:\Windows\SysWOW64\rundll32.exe
File Type:	data
Category:	dropped
Size (bytes):	486416
Entropy (8bit):	7.999586273056825
Encrypted:	true
SSDEEP:	12288:BR6RpJbG5q1H/Km+Q0u4mwPr9CAx7sQIAzoD0:L6Nuq1H6ucPr9C4snv0
MD5:	5BB06195AD0BFA6AFCDF2C3D3B8004C4
SHA1:	AA5DA838E372DD0B74EF4FADCAAA56CA2AE4EA8B
SHA-256:	F24384F244FEFCCB1AA0E39C6D3BC35866A618B3E5AF3A789B25681B8E1BA989
SHA-512:	907B842BC79EF77B154A77FD04A2361E8DB28D77CACE4F5D63440ED1F1A7EC6ACDB96688952AA54381FA00FFBBFB456C5C6FE93AD780B2CE928B066C0CB06542
Malicious:	false
Preview:	.UY..h.x....g.(F.P..p.A.BnY..3..P^.5...F.3.)..E\o.\....H....d.;&.....cqN....?.R...50.;.o_...D...C%..%S.F.;..m.\|..+F..E...9..;.y...J.^.e......+T../!;q...+o..e..-[...(of.....].a..Zg..4..r.[A%y.....TU0. d..>j.<.x$..'.s..N./*......<C.c!..A>...2.,..K.:...EQ.k-6T...U.<......Gi...!}..Dw...g.....}8f.d.#..%.....Q.v..L.p.~f......I.a..s..S...`.^@.7...j\|3..&.G..o...r3..L......&6.......^s.u..>.G..,...w.W`..\|...U..I.)F\|+4...m$m.....?.n?.0...\.^..e7=0b...I....R.<e..z..i..j...k~...1....>...".4+......J]..}..?0...5I....b.sy..nK.w;.K..k...+.0.zoL..D...1...y./..........Egc}.}.M;T.@......"....h..Hf.3E.s`..-..d.a...V....D?.%u........l..<...:.....1............u.24.I.`...Rj..v...f.x..A....O...vU`...\|-...N.+.o./..a...Y.......=.Li.....k;...7=.r[.<........+....V...#.7...%7..B.[.OP.lp.@....u~.llE.._./R..N.wG.L..v.e.....3.].....j.}.....m...E.aHc....P$...m].Yq.....o.c..0Y........X7./..d-NF}.1.5.{X...v.K........>on...^..Y...G......C....@Vl=...C.v....w;k...8..Y.P......c..

C:\Program Files\Adobe\Acrobat DC\Acrobat\1494870C-9912-C184-4CC9-B401-A53F4D8DE290.pdf

Process:	C:\Windows\SysWOW64\rundll32.exe
File Type:	data
Category:	dropped
Size (bytes):	186848
Entropy (8bit):	7.998952401778078
Encrypted:	true
SSDEEP:	3072:FgHJKbZT+GPH0T55nYwt5detWYs+qw+sgg0/de9Sja1bBkuAacZXG8Ut8oLlRtX8:2HJKbIGPUTnYwhet1AP3/deCa16nacZP
MD5:	763DA1D17DC054F0A38161FEF9D45FCA
SHA1:	0EAA1F61352B8BCED356539CD0A5F36FDCB00E82
SHA-256:	783C58B52BBFC1E0E88506B38A9888EEC7954FE09D538A2D7512F660C4ED2A12
SHA-512:	C628F064AB33F1BD593F71F3BF1D841DB08607A3063D56F480C13CFD7B6E1C0D64EA71233496875687FB8047CB8CFBC30485C23599FB3ECCE51F2A665B2FAAC0
Malicious:	false
Preview:	.....[_..X...2-'...hN.O.w...n...'.[..K........X._...]....$..P..^op.A..?wN..o.h..D....... ...^.......wP..Md...8....Y.)T...?U.~^OQ.=u..>.f.<.+P.M?..i...S.2X.._+e..$cz;....be...z}"S..VI..\...<.'.t!.~...o..S..V..."...~..[@.`w..KU........O.....rS-.../.s...[.g.o..4.e...P./c.~.....Xj...L.....lS{...f.. ....k_.K_.......f.......k.5.....}j..y..+7.......,t..W...r.......3....v.$.....o..n.J.%3o..;.N..`...Q......h.Y].k.>k].zj.wK..M...6.g..o.v.....S.. .PA.'.&...KE........QR.d...S..+.z..C.......h.<....}M...v.i5.ii.?)@. .L..M.ps...:.....xb,....d.........+..4..S.?\|.7..Ts\|F......UOX......d.&e..=.'....}.C.M.8WNl7(N.^..qLf.#...._Q!-.=..cL...L...e..c%....U..n.XY...uBR.F@..j.T...p5o... \.,.T....L7...M}5.{O.2r..."...B....@.R....k.4..^..<.Ku.z..<h..3..Y.\u.......*...u@.`1&.<?.y?.\...P...S1........^..3.s..........}C....p.;pjX....TE.u.....T.&8\|.B.4............o..X.d.R(....o\}t.N..x..a..9....(G....r+..C.e...9q....,...^T.."..i.1dS......\....EJ.\@..L.^

C:\Program Files\Adobe\Acrobat DC\Acrobat\Click on 'Change' to select default PDF handler.pdf

Process:	C:\Windows\SysWOW64\rundll32.exe
File Type:	data
Category:	dropped
Size (bytes):	186848
Entropy (8bit):	7.998952401778078
Encrypted:	true
SSDEEP:	3072:FgHJKbZT+GPH0T55nYwt5detWYs+qw+sgg0/de9Sja1bBkuAacZXG8Ut8oLlRtX8:2HJKbIGPUTnYwhet1AP3/deCa16nacZP
MD5:	763DA1D17DC054F0A38161FEF9D45FCA
SHA1:	0EAA1F61352B8BCED356539CD0A5F36FDCB00E82
SHA-256:	783C58B52BBFC1E0E88506B38A9888EEC7954FE09D538A2D7512F660C4ED2A12
SHA-512:	C628F064AB33F1BD593F71F3BF1D841DB08607A3063D56F480C13CFD7B6E1C0D64EA71233496875687FB8047CB8CFBC30485C23599FB3ECCE51F2A665B2FAAC0
Malicious:	false
Preview:	.....[_..X...2-'...hN.O.w...n...'.[..K........X._...]....$..P..^op.A..?wN..o.h..D....... ...^.......wP..Md...8....Y.)T...?U.~^OQ.=u..>.f.<.+P.M?..i...S.2X.._+e..$cz;....be...z}"S..VI..\...<.'.t!.~...o..S..V..."...~..[@.`w..KU........O.....rS-.../.s...[.g.o..4.e...P./c.~.....Xj...L.....lS{...f.. ....k_.K_.......f.......k.5.....}j..y..+7.......,t..W...r.......3....v.$.....o..n.J.%3o..;.N..`...Q......h.Y].k.>k].zj.wK..M...6.g..o.v.....S.. .PA.'.&...KE........QR.d...S..+.z..C.......h.<....}M...v.i5.ii.?)@. .L..M.ps...:.....xb,....d.........+..4..S.?\|.7..Ts\|F......UOX......d.&e..=.'....}.C.M.8WNl7(N.^..qLf.#...._Q!-.=..cL...L...e..c%....U..n.XY...uBR.F@..j.T...p5o... \.,.T....L7...M}5.{O.2r..."...B....@.R....k.4..^..<.Ku.z..<h..3..Y.\u.......*...u@.`1&.<?.y?.\...P...S1........^..3.s..........}C....p.;pjX....TE.u.....T.&8\|.B.4............o..X.d.R(....o\}t.N..x..a..9....(G....r+..C.e...9q....,...^T.."..i.1dS......\....EJ.\@..L.^

C:\Program Files\Adobe\Acrobat DC\Acrobat\DocTemplates\ENU\template1.pdf

Process:	C:\Windows\SysWOW64\rundll32.exe
File Type:	data
Category:	dropped
Size (bytes):	15760
Entropy (8bit):	7.987337910264865
Encrypted:	false
SSDEEP:	384:kNdbTzxnI2SDijWNKIITN361vYdiNFVdtY/ejk/bSnn:CdO2Sujy3CfiNFVdi7enn
MD5:	02AF7DDD6DDA1D6431A278BAB24A3EC6
SHA1:	B74A5BF52269615388CD85152533B81F44502B1E
SHA-256:	7AE6971DF33DE508C3713BCDD3756622C551CA9AC1DEB4F04A6CE77CA2DA01D0
SHA-512:	69D523C6BB9B4A09FBA2F2682FBB8CF1BDB69F43475A8AA97B4CF8F86BB80A350FD84D973697150E9A827B93F6914D05F03690E7840FCFB132A4E59115F97728
Malicious:	false
Preview:	........5..0.-Z..n\|Q4.h....`.+.B..k+........`.....P.{l..N...:.{2..`.c......y.Mn.A]........"p%......G.Z....ma..m..^(..i(.R....g'H.}.N.h'9....4ug.GB...]9h$$.++&.........T&NK}F...iL...P..DUwqd.U&.P...../3...V..A{l..z....6E2.......o.2.k5..[....W..sr."/....W....f.a<.M..].....ck_...k-?.+F..~....#Mv.........s......B.VI.f...,P&.....#....G:...l..kk....e0.l;.O.\...+y ......{..s...T...r.......g..WA7U.gL..A..V...B?........byC.......v.@H.~....\|..9.......o"h...\|..C.m.-hE.cy..'.g.....T.lJ..y..o..k.PN..Y.~UK..p....D..h.0V.]^5#S.s..`eJ..;....D.<...C..Q..k...LW..e(...`....Z..vk.`0........?.v".n........v.../.........JU....e^.K..y?6.\|\{,....."....6.S....W>U{Q\&..5L.(.p...V..../..).D.lG....J....[.02H.. '....1.......!.tN ...c.....2.u>..;.g...].Q....w[T.W..OU.Au.$.._.3.~0.0..m...J..P...a.q*b\.....lI..X...IP..+.?.l. ...c ...9....O.\.8..A......\..0:>....Wy.+...]1...... 3$....L.G.{....lS.....1.-.......sr.lF6...%.;....L...-...PjW ..d+...8r.....\|.;M.:....

C:\Program Files\Adobe\Acrobat DC\Acrobat\DocTemplates\ENU\template2.pdf

Process:	C:\Windows\SysWOW64\rundll32.exe
File Type:	data
Category:	dropped
Size (bytes):	29424
Entropy (8bit):	7.992380817237096
Encrypted:	true
SSDEEP:	768:qGAYqD4yTInyUEFYNXGtwp9fENZExvW5y6:q1YRyTIyU2V8unEx+U6
MD5:	36D88DBFB578A828082AAB93B9BEC8CF
SHA1:	C87601339BC49862FB0EFDA3A2FA26EDC6BC59AD
SHA-256:	DAA57EE6BF608A14E54EC0277701FA6DDA56ADF132F1D83B857844CAEDE472DD
SHA-512:	631F6A739CB467FB6D213B608F2A80F2715A31EE0527CC239BEDAB935D0F1ACF8A6115CC5CCFE6C56512C7F3B222C8F0249254AA12F610A78D3039E5A3812DAA
Malicious:	false
Preview:	........5..0.-Z..n\|Q4.h.... f\On.t..gp....#...b.'.B...R..&2X!z{b.......i..K....3.z..2..=..;d.o..J..'....._A.Q&...qd.K..^Lq......B...%y.-5..=..........p.s.........#A..`.^..bMh..X7lcD,........g.`.~......[.=.w..t...x'.lml.......8#.>..I.%.:..I.g...H...8D..M...#......)..s >.,5...$!......MQ..........a.On.J?.E,g.....\|...<O}.....:....8XZ8r.9.y...O.R...h..">>i...u.2E...xp?C..n...........S....%y.&.<f..5..\\|.y..1...P.. ..Kb.q.0.%...# %....`.^...w7.Z.{g.U<..u._.X...S..su'.f...4.-...gF.&..\.Y....,..Q..#.'i_]...9b...J.....$._...Jf .h..C.\|.\.....U.].;....v..eE2u...p-........t<..B1.\.....Q1..i%...+....<.....?W..ci...\....2...9..~...F..e.........2.9...a..Rw^....jR........2.2.....z...+.....B.>^...?.}...N.Z....e%...r...T.+..9.(S.......}....u.I[..o.....#c.......y....+).@....Tw....w..[e..e..z..~..U.V.X.\|.....\...K[..).rs%& {..fwf.~.6t.-r..(.YN.J.a.y..-..........1_.B..{.....?)Xk..6.-. ..._d.u. ....^..Z2.....}.=.....u...-.V....<.V.FS.y.`7........=..

C:\Program Files\Adobe\Acrobat DC\Acrobat\DocTemplates\ENU\template3.pdf

Process:	C:\Windows\SysWOW64\rundll32.exe
File Type:	data
Category:	dropped
Size (bytes):	26256
Entropy (8bit):	7.993154375367533
Encrypted:	true
SSDEEP:	768:VzxsJyQ1QYYLB61tM6+NODNiCSaWKMP6FNBh3LTbtCkGfbhu:VzxQ+YuQt318tKrFdbtCkGVu
MD5:	C0BFDE4161F784DB2DDBE3A3205B320D
SHA1:	5DBCDB7B4868B86474C5B4D45BEA3DFDEBE2E351
SHA-256:	1941A85AEDF637A35240A64062478F56D67342395E381703A484065009A19785
SHA-512:	DD68742A79FC8D9EAF3CEED97E00DA12C6EEA9175F3A881BC4D7790B212241B2F147266D0F9BCBA6892F22C7EE10B2CF520674D0DA0ADA2028CDA86D122AE17B
Malicious:	false
Preview:	........5...L.@..I..\|..y.h..[ ..5;....`K..=.B.WFg.r.'.D..b....9:...Xk..k.xG{..`.H..e..>.f...W...I....:F.O?..qF;.....-z ...h.L.:..7.i..h~...^.4OR!,.e..h.rb.7....z r../.%.....:.w\|..W......#2^.`@].=.B...)N...-.A.6e.0...AWp.W..z.T...Z'......g.....h...?hm.M..Q........9..&.8G.\|[ZkA..t...!.u....?..`:F..EX.7....f.\|..m.F ...=..p.QA..H...V,..n!..$...c.vt.v.J........._.}u..l..Tx.:8.B2LE..6....E.......ZJ....1!.M{_.~.Z.\|...#1...yt.'{..D....0.is..U..I...[...x.....\|..^.Z5.e\.-..wD.N.9...F.h...)...l..k&.....W.:.N.`$.!.aC.!.Xg<..t......&...F...e..W..-..:0..7T...}..=Ox..r.5..).u....{...!m....9-.T.#B5$..Ym.E.jASg.A.$.N}D`...r.`...+!.....H.Gb...B.%_.q.-.....f..o.....b6.....T.D..5.^........=......e..i=.#....Gm....8F~..[..S......G.:..F...0...B.......JE.4.........dK...P.U.)%.8n1K..q.....1;GB...w.^.`.S.D.....i.5.s...E..... K.b...(})'.!!~.o..a..y...w.....#.oz.y.......8.......V.v a...o..B....0...^....A....y..H.]..-...k[..9..3......7.}\|.&MX...u.wF..

C:\Program Files\Adobe\Acrobat DC\Acrobat\HostedServicesTemplates\ENU\template1.pdf

Process:	C:\Windows\SysWOW64\rundll32.exe
File Type:	data
Category:	dropped
Size (bytes):	61376
Entropy (8bit):	7.996947668526091
Encrypted:	true
SSDEEP:	1536:3XNd9+DwbNTdkEeoV46Pf3eSeqGyin7SI:LEDu5kfMfOdR
MD5:	0206F864BA151AB465E5596268462DB8
SHA1:	67E2982144EB1644E094584D135BC9480750246E
SHA-256:	1A67F390377935597C847A380C1D7DF42BC810229C5B2B2B66DCB07F9B36567D
SHA-512:	618823F5333AFA5C358DC65E2A2B81B4AFA18B02DE91212CD27875B33419D1279C61AFE081807B83693AE8B69D29070F4B41EC227F5A3BC761592DAF6D57BB1A
Malicious:	false
Preview:	........5..Q..1._O...81..c.]...<...).2...V$.D.......mx.5bHJ......^...}.%.(....@....AV..-. Qg..h..1.yBU...%........}..j.G.Y...h....h.3.p..US........g.w@GV....T..lVY&...k4N;........=n..L..C).)+.......{P..kk..T.y.J_.LRO-..L.x6....@.;.b..n9..<./X...\|.}..8.....x.E.....Y.b\|..3.<e.4.}....IP..FE.L.Y.....h.Q~..H..r......l.R........a. ../i...wYv_ {j4.r...}....2.._..E.6.D..Q$.o...X..r.6.G.S. ..W...N#s.!...%&x...[..r.V.b.V9.i}.....Z.'.b.9N`e./.O.G....'F..A.._K....X.e......-Tl..&.h.9>g.d^./.MTO.q.'U..W...........M..Y]n@.3Al.`...&&..3...=.C...6...... =..4I8K..M..&..0.n..bQ.&o.[[...q..va....3}M?....ADz&..T.T:3..T.(^w....Bt.@..G.r.../`..I-.@...."...`....d..-k....!.....SE.{....._%.>...&.W......4o...)..n8w..].^B..1l?',".....H;c..w.3Q*....!`V........$..N.n..V.'..+.,..s.%.T.7.....j..!..E0..&...Y............$..?F$... PV$.C...R...Y.-.r..'........a8...vm...m.yL..........p.1.g..@..9._r.....IP#.@./..Np.....r....FP.mXlxU.....^U...8H.A..D.5..O7..PG.N.h.' ...

C:\Program Files\Adobe\Acrobat DC\Acrobat\IDTemplates\ENU\AdobeID.pdf

Process:	C:\Windows\SysWOW64\rundll32.exe
File Type:	data
Category:	dropped
Size (bytes):	82080
Entropy (8bit):	7.997497362040933
Encrypted:	true
SSDEEP:	1536:M1ud64K8nF589/VXsObeo8NRtr2JNXS8l/roxBDfByOOnoz98GbOOv:M1Fo5s/lsPoeESY/CDfZOxG1
MD5:	BDEF4F9AA0A450284A7F70CC5BD65802
SHA1:	AE14AE366DF8D9B00AB1229DE3DCA6559960D312
SHA-256:	94B493DCA249D0D0C7B2B415032E34B844EBDB65CF81BB03FB60599CD15E1D1C
SHA-512:	AFCBB90B7048873DE220C8198F71A9C143A16B8056AB9FBA1FFB73C266EDE57DB5A1DB1A89BF6A03ECAE9702F93346A44DED4D6216F5362A03BD4C8C66816F1E
Malicious:	false
Preview:	........5...D....qC,....jR.(...5s....s....B}.W.B..:d..n.~.........4+.......... .6j\f..$....S..e.Rh.r.4Wp.W.l.HQ%l...n....3..(p....g...d^76.\|].z+.~2vJ......f;.nJ..I..l.....`..gU..Kj..~.4!vhy....N.a$......0.........P...N........a.9.yk\.....S....+j.Rl.Nx...."..p....s.5....C...2...d...;../k......~e......]....\|..?..p!...>...p.kQ/?FF..6_..~..8.h.J.ME............)......=g(..z........XT..s.t.+.C}.8.C....J....@....6.L.Y..,[G...>...\...../....=PZ.K.g.V...m....r.#.}...Ou6}.P..>...P.....GF.kM!H.._J......R.ig.+2Q....K..A!.!{j.Ms9...n..?n.Cu....J"..d=..91^.}.Z...o........dR.n...d..x4..V+.z>.<..v.]....................C`i..3-.......8.....C.K!..z.u..".@.B..Q{.?..Tv......\+L..z..zd._%W=2...u......=..4EW..c&Mc.2_.{^x..c.._4....Tn....iP..3.w.'.c.Y&...,.ao-<.4....J..P.4s....p.o.n..X..a.m...w.....j.t..T....03..$......>P^........6.+.eZ...Za).y.;;1..G\|0....S..k..}...J....!..q..,.)&....!.....!...\.h......M.....H.r.R..hXIZC.S[....$.H...{XZ......<Ra...c

C:\Program Files\Adobe\Acrobat DC\Acrobat\IDTemplates\ENU\DefaultID.pdf

Process:	C:\Windows\SysWOW64\rundll32.exe
File Type:	data
Category:	dropped
Size (bytes):	80656
Entropy (8bit):	7.997376551969807
Encrypted:	true
SSDEEP:	1536:7jrvsYdwyUvPq4uvMafAx2GHx1WZgzqGDybsNezMQ6car+CJNWD1b:bE0wtXqXvMZxfHL+3Cusezxar+VDh
MD5:	73F57F30010DAEBCDDB7788AE3BF850A
SHA1:	47E3FCD37411523B4826D2D8AE54CB9C6063FD32
SHA-256:	BA3D2725A6433139E32C65637983DDF8D61BD33DA58553DB72EABAF09361FB97
SHA-512:	2498636F407CCFC8AA586B30198225E0A51B0F95F22D28976DBA91108ACA1573018A0AB20E993B7A3079A0C02E9FB6669A869B9EA0CE11E5BD73FDB4FDE92F2C
Malicious:	false
Preview:	........5...D....qC,....jR.T..=.X.Y....@.....S%.o[.w..HJ.$i...e.........cM0.....k.?,.Tv1...A.j.(zT...L...v..c_..&.^0.....A._kx.c..K....q&....k.)p...3.......b.B.....f.w....$.h.p.....g......^.....l.{...Er.-DX-..GD........=H........H....#....W..-......v.A%$.j..l..R....!...$.b.l.W.m..^m..m.CG\|.....7..Y.q.H...bu...]\|\h.,z..p...\|.~.0.u.i/6&R....t'..^i3.........8..C.33....Q..#...@...\|.,.4...t.-f..3.. .'.D0.....j.^80R..{..>...<.._.CR..c.N).....<yM.m..-..<hV...v. .@.Z.....T.b...;jbD.......Yd.92}.B..K....[vg...H.aG.....Q.J6AV..D..OC6"...Tk.....L.i...".y..VUT.............YQ....o.{...L.$! ~..a,.Q6...H..@X.{1.. .w.]:_...X.n..`.d/..Y.ks...`..I0..(.....4......6.P.9..`..i. ...0..n?1..[DDS...D.r..D...am.*....%>...u"........w.`..sM..e`........:..@.(.P7..5.l...d...#........y.....s.PQ.N\..........c_U.....'....O[hzT.........P.....+V.....d52gV_....<.D\..?.....S..A..M.<....uH..E.s.!._.....i....P..<m.v.1..L..M....X?...?..S....[.p.>E.....\6.a.y!k......

C:\Program Files\Adobe\Acrobat DC\Acrobat\PDFSigQFormalRep.pdf

Process:	C:\Windows\SysWOW64\rundll32.exe
File Type:	data
Category:	dropped
Size (bytes):	468208
Entropy (8bit):	7.99963446622772
Encrypted:	true
SSDEEP:	12288:BfQ/FQ+eYXlzSOugC1DTqdkGyfPmB97YCLZxfM3:tQ9BNSOQFTqS/uNZxfM3
MD5:	53AF95BAC7BA5FEA44DB7BD365D0EBC2
SHA1:	E59EF0D9DBD5DFA310DA1E31FFF47608C29637D8
SHA-256:	D0DE5A480D9BC6B8594A2475B7B2C6E440C1DB7608D27F53B21E2BD9A11BD692
SHA-512:	76FE04FDD0E2E78A00BD9E9DADAC6C58CC03E222C61FC32C8F313D5A9E29935EF764BEEB348E5128EECE459785958EAD42FDF5958DB89D2B0CC41DBFB28856B7
Malicious:	false
Preview:	........5.........n.!.g...#.vzM.Aeg...m.X....!....'.#..2...!...n.....h..>&FTHA...W.\..{.....Qq..{...H..e.Y{..B.BHgh`..?..X .2u.=.>..I*p..../.....%..0..i. .\..d2^a.@.Xca....bi=...[..M;.dz.M...@.Y....)..;V..s.Q..}bV..D....chH..7N .,.T..].>!Q.6m..>..J.!=.......i..#b'Jgb.B...a.^.'P.+R.(....F[../LD%.Z..q>R...?.....N...y..\..$..%.v.M.G.%.A. ..`.%H.l...:.,P.]..Pj6.NR.$W...]&._F#Y..A.==......1M..W..........b.......L4V.4....^..^..r}........uW.,...7........3/.WI...I.e.B...v.....%.......'.d^.. {...=.(.8...R........i...`./,..@.....$..\|...{W.]y..2...r.$`i..2=.X...22................q.S(....J.<..3...H....^....nn....Gt.X..0.......$...^..LiBu..Y.A....Y.Va./Fg...YS.._...$..\twVi...$.8...A.....z..-..:Pt.E..F.%u.j.Z.Vj....bR0...7..p.$.py;....QJ..4+[...Jb9.........D..CDok..'.,.2.S..#..h9.k...x....g.-$8..jf...pe.?../..k.A.....c.w.i...{..h5.ResJ.....c...?..t..c.1.>....NL....sY.C.3....r..;.rHS:...F.......S7O<...g.3..5~........lz...u..j'..WT_h.}G..6l.K

C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\on-boarding\images\A12_CrossLarge_24_N.pdf

Process:	C:\Windows\SysWOW64\rundll32.exe
File Type:	data
Category:	dropped
Size (bytes):	4112
Entropy (8bit):	7.9538289984124955
Encrypted:	false
SSDEEP:	96:d+PyUA4vg1Vm5iOdLeYV3zlr7s5RcZ89er0P:d+6UAxMimFDlnE+aegP
MD5:	3AE00E696ECABC70B9CE62FBECC4F155
SHA1:	C0620F9A4DBC2A1C4F2F8FE0292A18D71D14B49E
SHA-256:	D6BBE25FC84A0F2FB6E3DB9A59A7654469FAE25A76F57B223F5F8384B9C0C66E
SHA-512:	84EEEFB4F009F7ADACD104D919AE32DB41E4D5536C60326F1C75E3D56E67888CF6C4DC3FBEB4344A9DB9E3AA6B03C8D7917971485A8439544FED253F6D40E4CC
Malicious:	false
Preview:	...(.1y.\',Q.!.........`..K.\G..m..C7.E....L.us.F........Y.b#....;...^.`..l.:HXmy.V..2..4i......}.."..\....E`..+..ej .>......%n....u..........=..Ck......td.#c.=._....h}(-Od.O.......P.xF+.8...byk.E...}C"E.lq..U...Si..g8t..d6..........F.$h.._......Z].aMw.v.Sb~..:.P%........_..a-...hQ....g..IM8.}....S..P......dYJ.........i..t..5d??.n.k.LX......N...EL.rb.D.=1.....\|.....qn-/.[.....\&W....[...\...H...w.....dO.;.z...Y.ohH........1<..........7w@.DH.k.....s.#<......x......M..,.....YT&\ ...(1T....d...=`C3%........<.......;c....g.9Jua..).#...^..in.:.".{..k?x.2${.7D.,...N...@/4.@......I....pj!...[}.<..u....../7.Q..^..%..C`.x.....2..J....;.i..Kv-.....q....T..........:......_.(.K......q.d.....VWM..w.rw..c.g.kQO9...e..^....;c3I.U.T2....C...;.P.H....Q@..R.:./f.?.;.5[x...f4..kz..[%..YU....f.5(..Y........9;...:m....B..9..4]z..j.......S..0mn...@..........~....,.e........u......q.R.o....J../....I.ICr.6...44...D^........5...,1..U..q.......R......3C.

C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\sample-files\assets\Sample Files\Adobe Acrobat Pro DC.pdf

Process:	C:\Windows\SysWOW64\rundll32.exe
File Type:	OpenPGP Public Key
Category:	dropped
Size (bytes):	146784
Entropy (8bit):	7.998638776646595
Encrypted:	true
SSDEEP:	3072:Qh8I4RYEYzgeWj6SBjKmSCfyIYke430qOp3roEMfw0stNHf/:QhB4RlsrWjtRTefroE0stNH3
MD5:	536B560D4970D4EBF3D781BACA0A9635
SHA1:	441113DC352D504B382EEAF5D07DB41866D75240
SHA-256:	B057D9125AD138D9761BF80A18FEF2156CF3708B6F68BD5B52030FB09164A0A5
SHA-512:	6D6686C4AC67C468F122B636DA9A5504C8475BB214463C558A37596D6768CC2CA48A5AFF6B9CE781C3E6C7CD07A3C34F95C3A2B69AE783C0A14D017D646A5B2A
Malicious:	false
Preview:	.}.+G......M&...W..HVq.....N.....m.Y<......o.......3..@..N.......J..#.,q#.O...t.......O!._)&. u....Jx..f...D..N.-....(....Q..s..b^...nW.mQ....``..T...z9.....K..[b~...P..:y1........6..P...-..`.).#.YT>7S.....q.i.........;..G..K.....q;.o.)...@gDr..1...IH...fO..P.......2.=p.q.$.RA..'M.g.........:.....M......._.4C...I....j.l..7f.]..)......s....VVz..)?.A....e....amW...;.n[n-a2.h..]y._..wUF=Q.;-...B...s...N.}.A..e.[J.-..m.K..S..M..}..../.....?....MYWou.L.%..O.Qe~...=...<....%....E.<.....0V..../!C.>..Ml.G3.}..+..c.W.tv\]\v2f.....Y..t...V...4..K...y..Y....."".....J..6...kQ.bKU/.....3..4...S.?[r..x.d.J....s..O.!z...\.C.l..o\(.:..5`..~....0c..z...uN..s8}2.6.=k0....o]Aq.P~..m.}.Lo....V..[Z...7..8.$...Z.l.......A1.....I:...Ls{..;#.....*.O..8..$.l.,...X..i`....v.......w..c#.R.-Q....te).X.O..".iZEe~q?..p. .Is.........(..../i..\|..[7!no..S...A8...hG(JHWZs......2.....t@Bqx..`.....>K2\|.\...^cE......~..B~.O..tMK...kT"..\|..P.[I...2....$M...%I.. .;3I.p

C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\sample-files\assets\Sample Files\Adobe Cloud Services.pdf

Process:	C:\Windows\SysWOW64\rundll32.exe
File Type:	data
Category:	dropped
Size (bytes):	310544
Entropy (8bit):	7.999335606771811
Encrypted:	true
SSDEEP:	6144:5tFgjHnIPRA73MZ5oG8a4uHAMp71DeGkuCGHlOMldm4Ga:5Dgjo23FzS1DeGku/lnl84Ga
MD5:	17C95E963B421AC8BC0915B9F67EA7CA
SHA1:	ABF1373572CD8BC8232A4497D6FE37EFB65E05B7
SHA-256:	5633005049BD812FC3A2CEF1795BCDBB120C06AD73601BB1C4AE71005B3FF179
SHA-512:	FE3E338786E109806A2E16AE6AEFE765D10B8DBF66F3CE936A28FDAA8A41DB7CC366BB7F4638B9291E6C80E142FEF840BDBE2D0851B6F7CB839A601EED597CF2
Malicious:	false
Preview:	.....k.c.....r...9.]......&...\|2kN.+\....0.2.A..`T.WZ,.u4..c..\|....D...-..V].}..L.lh.w..;.X..U.^.2.v9.:\|.....W..$/.fx.s..U..F. ...h..R...e;......6,...~..F(.D.5.....^I\|.s&}...8}1...u.N........Q)50....O....>.}. sD..Y_...U.r-.d..C...E.c...;.=.....r.Ski().2..A.b+......l......h.....$.-.q... ...@....h.h.KMlt..o..........p.%.V.1Nd..Nq..6Y.E.q..'/.$.e..2..%.h,.%\....L..i.g...S.7}p.s..n.h...aPpe.z....S.C.vr.9.&......9..m$\..{vG.%'.-Y...._.......gO..Q\K.p.{.]....c..R\|~A.$..H...ZD.Eb...8Lr.,.r.<....S.-.O.....=...8...\|#- ...+.<....v+:..*.5X..Sq.}R.....,:..G.&!8z...FW.V..K.j.0.\.].s).1l.v!.t(.E.C.$!..N5....=^...J_..<....Fp.....S.&..{..w..h...R.....t.. ..R..T.....G.. l....M..yQ.........q....q.gdQ..p:.\|..{u.y........ItGx.a...j......2.&r..E)TF....1.K.2..c.> Z...p.....~........o'M....!....KI.A6'..X... &...%........^.n.Vh...OV.l..q.!+d...W....b.L...D<.wCO...a.Y..p.p_...H.wU~..i(.y42b.....?..<a.t.$eW....%k..e.D...FOU-"^.\......~.u.,cr.aog3..0(.f..m_8.9

C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\sample-files\assets\Sample Files\Adobe Sign White Paper.pdf

Process:	C:\Windows\SysWOW64\rundll32.exe
File Type:	data
Category:	dropped
Size (bytes):	426016
Entropy (8bit):	7.9995594698095935
Encrypted:	true
SSDEEP:	6144:DEibSWTJmB0lWYvVQ2+MVHQlTK+HNGVuHpkhi3OLnyoZFcueRIfEsAHLx3:DECJTJmByZb+ZVYSpk8+6umIcsAr9
MD5:	937A58C3793B972423E6B268B6DC0002
SHA1:	F3E7AAA062F70A19EF10B72B81ED831E995B2174
SHA-256:	C1D0DE96A14181820780733AB7E0F38713C68B4671A90904036BE35902F05349
SHA-512:	1BECC7BFF45BD37635A985F1B48E76EAD0C030E2D35B6947EC0E96F66F33910BB202967FABF281040B8260B438BA29839C86BED03C3DF0D83E7B22B71D415EAB
Malicious:	false
Preview:	.....k.c.....rE...].....p.....-.?.O........K....#%d...16...L..gw..q.MK.wk._.Q....@...SH.T=L..Y+......5(.}....#..&n...w."bY..7.......Z.&..Ku.7....>..x.......!B7.........AZY.}..b...N.}Z.....o.....#.@r<i.iO._.I<9.n).0}.....lV.#...'.^....e\|...T.G.?T...~..F~&.(q....1[/~.8.2S#=9.....)$..`.-#.....0.$.e&t...z!..C...zr.-J.......q?.#..K.Qtu.!s.4.Af..%..Kv.}.?.....>S.#.......?.f..".......RW.Ah.o...p@Z!..`..I&0m.1=`...#\...K`.#..F.R......J..@,..R....@...R......f7......W..]qjZ=.'.....>.f.0..N=k7.D..E. ..@..N.Gj6}..b.b...2..\|.......:.F....wY4.A.......]h...1.:.V...-.."..@..x....F...{..?..........V...:..5.....qN..a].!..T....BBF@.0PI5P2...nu.................$h....I..Z.X.-O...<...]";a...:...t99.2.b...]......yx_X..O..h].`.^.D9.7..m!.....m...G....4.1.&.\|.]..k(E...u(.7......g...$..../].$vH........w.x{z.P.As..m..%,E.F..I.b.1Q!..........=..!6.....KfT.z...).{UC..![Q.{.h...f).."....0....?7.I.O.\|y..2l........1..p..b.....3.t._..kW......f..s.....?q..W...3.XU:..

C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\sample-files\assets\Sample Files\Bus Schedule.pdf

Process:	C:\Windows\SysWOW64\rundll32.exe
File Type:	data
Category:	dropped
Size (bytes):	938128
Entropy (8bit):	7.999794838112244
Encrypted:	true
SSDEEP:	24576:JKEJnk7upxjsMI/0OH/0EKjiddhBkpYIiMjfqtruHsv1K:JKEJkKplsRfrdQY7CHV
MD5:	C45D9E715497591EACEA53FD59873684
SHA1:	21C419916E68CC1B52DC54385A35D39991872F0B
SHA-256:	3DBCB5D521E81B9024DD6B1D08A66D601B29D8F3AEA0972DCF56A541E79555B5
SHA-512:	B197FFE1F072D96DCBFD12E06A1EAF322D852DE0CD369485F10C49E6F90B0E16621ECD2933B30BF673F589BE3F25D87AF12096F1BA92796236BF7F356E45E588
Malicious:	false
Preview:	.....k.c.....r....L..?.&.0.6w..rj.CJ..).w6g....Tae.t..._.].p.....-."......(s?.x0.....8L8K.$..2".;w.....a.Z.:.X=.:.)..j....4"...g.l..&./.d......C.......%.....C..z..0....a.q...e8.S...bjV.4q..4T(...sKsE..(..C..;)...{F..n....\|......d.K......P....S...~-......{G.d.._.I_.Mc.2l..v..=.;O....M,@I..6...2'.i....2....N......."q?....1[o?~......>.....z....XE...v....'d..x.^...7nA.6...4W.: ...C...wl1....[..+.....,.9..zC....X<....I..P,...zse ..u.Cr....\/w...zw.#....].}.....>..f...PV...9>.Miv2..KW..z..C+\|A0'...Qr.9~.a'O.YN...-.!.`...R......f)..Q.hl...U.!.Z6L.....P-O#..u.0?:....m.-.O......_..S....McIGA._........E.Ib.Q^..$.V.U....N....jkd..C....ee&@.4l.OYa.l._.j)6N.....-v..@.....r..4.:..KQ%g..X..JP........MX....pIt.)[.V..ts6.\|.Cm...hhA.Y.....{.m.d.Q~.r....D.o5...j..[....A.WdWS...%....m..E.'f..n...eq..9.I.[.Uu.p....\.............).+.l.1.....3.i@.$.\I{[.\zE..Z.Z..V.).M.@.6................../.!QAR...m.1.....TG.Y.s...7..6.....&VqS.PV..qT.n0..)..].]..`~J....m

C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\sample-files\assets\Sample Files\Complex Machine.pdf

Process:	C:\Windows\SysWOW64\rundll32.exe
File Type:	OpenPGP Public Key
Category:	dropped
Size (bytes):	181440
Entropy (8bit):	7.9989378466764105
Encrypted:	true
SSDEEP:	3072:8E/ah94NRzTv1DCv72gCciPM51u8tK1SvdrHAgnY/t9W3cO3ux:8E/a6Tv1eSFcv11Us+fWsr
MD5:	21B310BB0BA6BE0C091B16223324F9BD
SHA1:	D5BE59A43F3971103FB727DDF850E5848241A9E7
SHA-256:	F614082C4F2DCA79873AF73A691E0E1F0006CB4C6BEFD58070A4BD59FF727992
SHA-512:	9C3C205AFE792F41FC4B3DA9B50EC55C6BC32CA60BB26FA1E7E24C11B09BB2918810091C35CFAC3453013717C8D48D9AB73E0414E6639B23F5D6A9109E394B9F
Malicious:	false
Preview:	.}.+G......M&....\|K.M...OS....\|.F..k.iO....k...H.._...<...\g.......A...h4.n..DU7..J.......t..$V2n..Jl...2u.Ui...U...:...t..I...V?...9....Q.&..m.....@..\D....r4.0.9]..E.U.p..t.d....e..Wu..G5.e...H....e.;.....(.....Z/q.af[..d..(.!...R..>Sk.5.....uf..``.).~.....At.\|$.B...T........n....9F...-.NQ.bj.T.Mb.V.....Z..N.2.d.'[.U.v2*6..4..c'4....l."1..DJ.R.z....%F.S..}_.<$yO..M.)..Z...C.....IK....2.N.&f-8^..Y:(8[$qD.xb...(.\.\E...u.R....c.....k9.X...cG....6.h..[>.# .. ....8qC.W{...:.'3F ...Hud..u...\...~kD..=.......Fq.....y..d..j...C.PW3.Z.reo\|.......U ...o9...)_..o8J^....g....^....R.~.8,.WM.l......9`.J.H...US.rIs..j.l....yz..V.....S..f>.>G.c............^M....g:..J....p....q.K.T.K.m.c..5..Y.p..p..Wy..HR......=...;..plP...z..!.6b0i.......q..$.,1)..O..T......:'.c../ .!+.....$B.K...\S..Xu.GkK..o;q..X&..m... ..9s.:.t.\...{....8.bm..G...l:..?.Xt@...Z...o.p;..u..S av.3v3....B.NQ#b..A...b.(a.>u1[U.=......~.S..%.T<8[..P.k..T...}.;..W5..L.G

C:\Program Files\Adobe\Acrobat DC\Acrobat\cr_win_client_config.cfg

Process:	C:\Windows\SysWOW64\rundll32.exe
File Type:	data
Category:	dropped
Size (bytes):	208
Entropy (8bit):	7.041503900708577
Encrypted:	false
SSDEEP:	6:zzXAHSYEGDoRZFmyfF89ilx4t7WVrQLaHguFThR7Cg:zDAHSF3hF89NtSVrQLaHgudhh
MD5:	34F82E0B0094E735445EFBA34519DF26
SHA1:	EE6758F7071CCEB6B843D0A19B789317ECD34118
SHA-256:	38C2CF3786BCDF1AE2AE9F1219D7489AD2F6ECEEFA6AB1B498E2B83F5BB01FD1
SHA-512:	D13105F651D4070362619270758A80DA3670C3D053BDB1416836AE249F2F598A254F8326C3FABD7D6A455FEA9149AEF427F20FD96FB9A81D84F02FC9371B422D
Malicious:	false
Preview:	........k.""...$_..._...W>...C..5.c.p.B...G4V.R...m.,KM....Xw.W4."./....4@~IGQ.Y'..E....*M..-.6.\|...9.a$...l.....p.i5..0PR......~h. ..S......Uo."...q%.>..o... ..a..H.}.DO.;...=.+.u...^......

C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\Annotations\Stamps\CompareMarkers.pdf

Process:	C:\Windows\SysWOW64\rundll32.exe
File Type:	data
Category:	dropped
Size (bytes):	22352
Entropy (8bit):	7.992329989938268
Encrypted:	true
SSDEEP:	384:pX3qTp/blqkM4ZRHgq9yb9IESju2uO8FrVF4H+ePSu9pClPrpnmG/chikxmZn8q:paTFl447g5S9KFgTSbfkkkhq
MD5:	1E20B92E3490FED6EDF5327808AC4F6D
SHA1:	AC155652A768C34AE32B9061920A675D10DD3897
SHA-256:	BFE2C85F9285435138369769DDB2CB079B74C2C6EDF9FF622B197A3D218A83C3
SHA-512:	27BF88A86F3351F73E05EB80E6973169AE7FF57127139D20DB85EBCDBFF5E3BADC4E2D93E7875B7D274DF99CBC380CC18FBCD3E3CF60813DDD68E7D7BCA140CB
Malicious:	false
Preview:	........5.......^..X,P#.q.4..#R......1b,..O\..T+..T..x.e....^j.......vG.X:d.o........Q..,.aT....c@i...H.ou-........ GX..4.7..6.. /4j..yw.E.C>.v./.oe.."...;...;.$.d^T@..mW.B....`..S~.n"xk>.:...Se.L=..........>..0..W......`p.#L.5.............se....Ld........O.8/..._....i....\|RGAm..{E....b"..3^prI.#./OZ...#'x!VJ^5'.,.{.s..t.G`8......l....n....C.9X:.......A.E'N"..'...#..J.&.....%.,..=.....L......Xz..`-..%LU..?.g....C\>.........O=Ly..Y[..$..j"J.\_A.T=..r........u..U..o..[\|..p..........0.t....Jg.>.......o.Q..{......a%.G...@...\|._..})k._..5p..k.\..p?.......1:a.z4.~..q.)]@...)..z9...=..".,...U...W;..RB7s..f#.0.._n..".f.......b.3.hp.aK..4......-u..,^.....FZ.T.........h..^$.[.%..U.....=8.........)...............G.....4./.!..0.(. ....\|:_LD...F...~..vU....!.}{.Pj.7.....c.$1..........'..V..p).Z..!W...5....<".[....CC..B.....K.>......MsiR.]....N....j.iB...L.8......{..3.......`5...D..{..\...%.p.D.a... "q<<...0..X..o..@<n..'...Ar.1:..1.....D.{..Xp]..5..

C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\Annotations\Stamps\ENU\Dynamic.pdf

Process:	C:\Windows\SysWOW64\rundll32.exe
File Type:	data
Category:	dropped
Size (bytes):	57232
Entropy (8bit):	7.996632721308881
Encrypted:	true
SSDEEP:	1536:HgljBg82t+tnP+d8e5O8Qh47/h7jydT7Xk8WjuqDp/x:Hqv5mfzQh47/h3UDuuqDp/x
MD5:	53F4B0DEF51347BF9F0590A4971AF788
SHA1:	89C87534F5B1F78062EAB037590C1EF0AE11659F
SHA-256:	A2E12F9645BDF918F8B3D4ADBA326FAA14142B6A5480D47BC943C76761FE72DC
SHA-512:	66F240E15D1FC3591CC5D4B65054C9BA635215CC0C41E1706F8095742AA0650209CF3285E64880D287470B9B663A49B4B2326F4A5F33528D7F4255DA396BD0AC
Malicious:	false
Preview:	........5..z8x....n{....!...xu)..:.)t....Dq._.A....f`.q.1......!.......yL.X..2.....x,/.}.m...}!Z........w..+............#..&...J..k[...Lv..B.../ s...X%....M-B../P....J.'...o61...=.....No....f.`.y./..ev..u......_d,.!....K.!.Y. .:.V<..)....J.~.F..gV....=v.]....,...Y.c.j.Z..=.BE......@....~.!...e4.'M...+.bH2V...u\|NNk.F.&.J..:T.."...r.T..b.sS..m........Fe.RnRy.<OQv.F...v..\|Y'\|e?...B.H.....x....v....f.-..r.".ss.....>.}R.66.......5M..1.bx6.;4b.j rH....".!.P......M...b...C.B..a.,...I./9.2...E..G#...py...(..F.0......T..:y....E...F.....r..H.....[...@/.`....Sb.....u!....[0.......Ue.!L..R1\|.G.z,.M...2.....q-.t.h.f.{.c:...o.%~..R....Y....!.6t.y._.?i.u.c#..........3./B.tZ.......<4....^;.5.....Bv."Y.2..v.5.V....A<.P...E.g.....{L.+.e..).:.p..p.....O<d......=.f.......cp..]it4.O^..-.Z..8..FUn._Z. .K.I.LH.p.-.O.}.:.Wg.<.Pn.N..).q.e.97n[(.....,Tl...* ...E.P......Ox....Tc.'.oo..]SQ_(...y s..-.C.4.J.....%.I2C..GN?=.....s$.)...h.QRl......C.J.1..Q..h..r.1

C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\Annotations\Stamps\ENU\Faces.pdf

Process:	C:\Windows\SysWOW64\rundll32.exe
File Type:	OpenPGP Public Key
Category:	dropped
Size (bytes):	33024
Entropy (8bit):	7.994207367849091
Encrypted:	true
SSDEEP:	768:TJif1TxADmbW78KKKVSvTutHudYPiUqTBq7l3:NifVxpbWkTutHoYP+9q9
MD5:	182FD2A797D23C78E44E5EC2E3C5DE59
SHA1:	A1970D9D6F760B5218C4862AD83589A1ACAD87B2
SHA-256:	3C21E326C3E763F82736311FC59445AEFCD8368AD86C86A60C54DEB67858D2FE
SHA-512:	D1B1C3B55DB3CEB22C3EE8CF45B37D62B72E82DF6513E0CFD7D63DE47E7CEEF07007621712237BF6349321B66DA7422FDABE2F57915DD3B8674A758184F120F4
Malicious:	false
Preview:	.}.+G......M&...,....e.5............C.~..........d..iS...7.#..........F#Q~^Z....s....%.fQP....Eb.._......%...&....\.....(...~V..tI.g>.B.....9.4.II.......j].6Z..K...B{.t[7o1`.: .Cnm...M.Z......S.d).jf....B.#?.H...C.v....^.c.$.qvm......}../.NK...Ra.g..a...F..N..I....x.E".A...Y......U.#.v..m..2;.i..Zq.....<.z..[FIQp...Sx.;........N.....+..?x..9O.....fp...;........x..\I.O.V/.....vH......YolBG.SRL...S...Lo...'6X..8...f lr......`.....n...nd.~..YoRROL2[m...},......Jb~.K..+....V.P.:....2..B.'.se^..._.+C8g@I..\|U#.B.k..M.~.nsS.{....?.K\|.y.).e.......].(y...}.....q.3......<....;.]ny.Y....%....pW..CWJ.8..\...=.]C.&...........C. <.uH....%nU.G`n........+.............r.......V..xR. }.F..uZK...l.%/...H...G.Op. .S....1....o.I....4...j.k.=t...+?..g\..1.E....L.......Uh.!...H....f....DVLd...J...o1.].t-\|.._...7.........9h..3.k.VdkQ.V..:9]..t...9.....C5I..\..k....b.2..Yo..YJP.m.J....'.B..D....].+^.oAI.Z.ezYV..........u...3.....J..{....e..b>.x;...

C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\Annotations\Stamps\ENU\Pointers.pdf

Process:	C:\Windows\SysWOW64\rundll32.exe
File Type:	OpenPGP Public Key
Category:	dropped
Size (bytes):	46912
Entropy (8bit):	7.995818750880932
Encrypted:	true
SSDEEP:	768:Zuuwl1lX7Bj05QNj/Kmsa0jy7DJ1RUy2sf0Of6riiyFBXoampSYZSSyFpil6OTHF:ZQEyNj/gpOR1uyaOWyF6dd6OTSa
MD5:	15FB4747BA7F05B766A20BD15F36485F
SHA1:	E2BCCD0C5B98BB79E0984B0C1B89382A9FACF24F
SHA-256:	2037F5D114245972C0F08E6E40D411CB96838D5C34144C90633A1BFC47E94146
SHA-512:	8ABC931AF5883777BDEC237028501DC04D63DC477AD665E0948808824AFBF0CB95F28E1A322BA9221A1ADBFE5DA657C00B5F7D5B6DB5D0BC3B27D23196021ED3
Malicious:	false
Preview:	.}.+G......M&...?..Z.uY:..t..2.d..,2.zK....q.Z.'-a..2.ds/.q.3.G$....@+.w..A."...".ek.D.".,A.j.".....#...tH..]...5.JPd....0...#...!.._%.NH.w$......'!@>R.?&..~...r.@.k..l...K....~.<.......e....~..6.4@.T.[...:..U.)\r.EZi_.k......^................8~.......%....Nk..-LyV..x..^ P.,~#..B.g....k.. ...9..?y+.m..4..+%...j..8Mw.Gs_...:.2..>..9..Q\|...X.(....F.7...+K........qo+.0.fT...Q.Nn.8.#f2.#.......Q.A.c2.w.....ZU.)S.R.c.Z.{H1.2..'X.Gw.wD...R...]z.3...R.........G.+.&...yg`.m.+..6.@.g.(.w.a...eq8.#.mG..7..LN.[~v.....O...t...$.....i.N..P?f.\.....j.8.[" .o.M..../W.0.m~...../.2t.#^I:(.j.....RWW.H..@..$........9d...#V\|.!..?<.bX}.3SU..W...`d......Q..L..$.....r..{...s.b#....Jx.3.Z.N....$}5rc:.....ri....}.=...f.@.q.R...4h..4x..E..gq.+.4l.e..y..8.R..f4.Go=.Wq1.....f...RU.s_...E.R..Z. y...C...o.....'..)#..r%..S............O...x....y7.._;B...]i..s.....[.E2H...&n..._.n.....l.Z..\|v...bP.3i..u<.^.ti..Kk.L.....hl....%.e......*....\......X..`px.....K..,qY.

C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\Annotations\Stamps\ENU\SignHere.pdf

Process:	C:\Windows\SysWOW64\rundll32.exe
File Type:	OpenPGP Public Key
Category:	dropped
Size (bytes):	40736
Entropy (8bit):	7.99528755582785
Encrypted:	true
SSDEEP:	768:wwk5G0ANwfPm8SLc3RRRz4S2PUjOPQiBjHNoU//24SNRAmEy6DwJ:wwkyAPm5IbQ8j3yqH1HyS
MD5:	DB00465095734D296FC4891ED6ACE35F
SHA1:	8D3EA24EBA86B7FAAE9C3D3CCBEE389C962AD372
SHA-256:	AD8F9CD707442137A68C80F4014BCCB43E615F38641AA6C38F002FCFD4651814
SHA-512:	4469AE942666D57B6FD1D4625F8E3CAD22F8F607F9E8CD0E14F31107ECA342D0413D4E5D760A57939B6F6939752CED00A1EA924C21D7983E2188DCC307E46BB4
Malicious:	false
Preview:	.}.+G......M&...DP.^..sgF...tB.....)..j@.Q...J...D.z..d3.._..... m..!...6 t&0...W..mT?....u$.G...u....B.}I.....N\|...d.&.I....S;.5.Z..=N)(..(....v.h...k^.Y..;..2.^.>..SmN..~}C..d.y...2@......QM.......Lo.Q..%.....N....W..J.RVb.f...>..3...<....J...--.....~..SLip.&.z,.......Q.[.....N....PlE=..y]...5..=...YF..U\|..^`F.3C<rB@...8..F.ZIIhJ:..U..zp ,o..<.....]....\|...S<k..~............b._..W....bP......@..@.l..?.Y.J..\|..`..(_P.....b.$.9....Yk..z"....k......F.zni/...7..v.......`.z..zV....SN.,U.(...g..t%y..})...J\|_.)O.%...;.I.(q..,e.......D...i......PB..B... Wr.P..Z.{...<iM&..I.M..Y../"...".......UGp.%...n..0:D.8Z6.9.u.a..#a.._.&..y........F.+..;g.s?[;ZJ[..R...%E.k..Q6.6<....C.x......xx..\|m.#.;CWw..@p?.......I....ln. .^N.o\|f.3.. 1..+.G.E....7.....:90A...C..}(@....i9Se.s. ...$.3.S.x....?F+:;.?..d...+>.Y.C.}....''....-.@Y....v.W.L.....8t...U......Jed....=......%..<.`\/..#'\|..i....%.....S..?@%.G.b....62.A..&...T...#(o.#j.\bd.p._..../..J....1.......".q.#..

C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\Annotations\Stamps\ENU\Standard.pdf

Process:	C:\Windows\SysWOW64\rundll32.exe
File Type:	data
Category:	dropped
Size (bytes):	115968
Entropy (8bit):	7.998363331263821
Encrypted:	true
SSDEEP:	3072:pTvWYPUMh9bpXAADBytRGQn1zJhKAIMTEE:pi+t1BWZnXhKITEE
MD5:	98C8A9E53B33F1584B5B1AD7F72EC802
SHA1:	1A4B2C0CCB1FB4FE55BEDB533AE9DBE09D74D22E
SHA-256:	E1B2F0FE233ECC541777E927103A19CE12974A1844C6EA49680AFF9EA443663A
SHA-512:	B13E91C021ED7F25718724004A300F2A625E327847B24603A30AAEDA61B2A76C62A64E7FEE1BF0BAC5BBB63630BF6B8007F8C749C738D2D62394282080F1D665
Malicious:	false
Preview:	...&(.J......k5...oO.?.t........11r.Vf7........#t..^j.rk.....Tm=...9.-i.E.V?:S0...4uf.p.FgPVb.].......N3.......2...L;../@....x.............,.7..5V...;.3.P.......2.2..oQ..8e.IY5.]...+./j....>GS43.MZ^.nU.>....`.5.A.o1\|.f..a....u....e..I1....iT ..s.......U^=xO.M..Y.Ul.".u.X.!\..F.M.w...;s..ReV.e.'.N...g.G...s.%......2..Z6q...........4qI..........b..........}7...x.#...uv./.F..w...]..:(....p.g.....vOO..3...,:.C.2.ld:.x.....{.\.......E.\|.k&...._M^...1M...T.._"F.8...{.y.L.....\B.N.[}.q..S-.n..$y....#........x...u.M.T...u...B......a..$.............D.r.+..Y....$............a._..-d.g........K33.6..e` .h3/.H.t.J....d...p..........`./..i.s..x..I...3K..n.f<%U~.q/(......g.^..^I...+..>..NX.....`.Q.....F..O.......T..}..4.-,.9......^....f.u..W.A...'r..".y`..o<G,....'. .z.J..<.l$':on[.;.$W.Pf.s..Fm...f...O...s..T...w'..6.QZ\.%y[..<.. U...Q.[.......7UR....8xm....d7[...JS....K..0V..Z...Z:.....'.uq50i.L...7]....m.}55...O..Z7.n..+.6.a$`.+.Z.....h.v

C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\Annotations\Stamps\ENU\StandardBusiness.pdf

Process:	C:\Windows\SysWOW64\rundll32.exe
File Type:	OpenPGP Public Key
Category:	dropped
Size (bytes):	108768
Entropy (8bit):	7.998318431771078
Encrypted:	true
SSDEEP:	3072:H5fI+BnNsqbJNCIzTgXOzkZGMlFL85BCqh//:ZjViqbuIzTge2lmBRH
MD5:	2F5964D8C6466F0986E95CFF68ABAC33
SHA1:	E4A2215938DC06E90F2DD9B68637729B5E55B0DE
SHA-256:	C25481D2AE61B29D0F597EC5C0AE0EEF5E52E07C8EE43F54B4C8D95175D00CBB
SHA-512:	4A795C0E2CE71AC0A6F47B7FA3217BE8BD7D642D503A83803D073F978FB4C73BD0E5F34F17C80B9F314DAC1F04CD06E18D07AC632964B711FE4619FC6F1AC250
Malicious:	false
Preview:	.}.+G......M&...j.#t.3zE....B.....mqOe'...k.....xJc5...:%Gw>..5i,...[...Nu-'..5h(..(k.._...G.fe.sb.UV;....=.,."...A...d@X.Y.9...Y..<X5a/.....9@......<$.....-..0\|.....[...x...F......S(......3.......u............L..6V2:.=8r..B.....;.7%.}13nk..f...j.....m0.>......E/%...Y).n..._..\2b...nC....z.'....v...9.o.p:Y....ZV.:D.;...81.P..Y....V._B.)l.4..!.yd.,Av.-[0Q.R..Pww~@.bB...`..x...E<.c..]..CmPl..D....;.gTe............\|r..;W.DI...WX.x...Z'H..Q.;.).T=.........."1$M...u..9.U./...}3S.....y....j.".yJ..M. .#._. ...-`./K...Y.....iI....V..9.L.^...Z.c../+.%d.\|.W`...>v..f...:.....%.....K...i@V..=..G.......R..3m..q.KP.#:.....yp...I...f.L-...B....(.5\...ia.MR.01.b.......]<....A?_.%.u...mr.U..!W.}.....[.u1+K.....HXi.+.`K.......kn...)...O.u3}.Ne.........Z~U.....i..x..:h.Z.....bJ...K~q..../....S.i.........3..-.;.nM.(...f....vrY.=wYv.....q.d..G...:OBr..\|..w.TDvN...;_.L{...[tr.((K..5%`.u.9'....`..$.'.....jcp.....o.G.c}.@.s....!..k.v.....Vv.p.t..G.f

C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\Annotations\Stamps\Words.pdf

Process:	C:\Windows\SysWOW64\rundll32.exe
File Type:	data
Category:	dropped
Size (bytes):	112512
Entropy (8bit):	7.998249797249758
Encrypted:	true
SSDEEP:	3072:MkeYmcphTObMV8NLZmVIS9NYYXQXAQnjenTB:MTWdKRZmVCpAQnCnTB
MD5:	52F66782A4CF433C13AAA4AD01BECD8F
SHA1:	BB9A3000FFB0299DB6621A3705F28DE772125074
SHA-256:	0A0ABE851AAEAF673AA72D959678245434D74C21A8CDC5AB7483F04A704021C9
SHA-512:	2A14EC3EE650703DBD077FB8485FF48F8CF9B35452F297891F419D8441865AC4E3D9CBCA3BBF896D26B21962772C67E0B898A8C16F26F47ABDBC9D672AD1F44E
Malicious:	false
Preview:	_TR..'..h#..x.V=........X....I...D..;.G\X4.{"...... Y..+..Y..,.q......C~.l..>....?.N..i3..6R.(Z?:..4{..G.....,5...`k....vPP Jo.o(CW.2..g..3,........h..e.w.XB...dqr.S.....<.M..,....Y.O.ea.Y.-..@J.'Z.. ..%.W?`...^.FJ..8uR.B2ep........m>...D.h.G......f....d7.H...F..0.~].3....$....7..........\|.L{...o..z.=....J:...n..s.@a\..0FE.Ee...}PV....F.. ...TV...[..xT..&.u.(!(.>#u@..,.<...IT.n.j.a..0....:.&..vr..z..+7.._:.../......$.R;....o..$.".........m..#u.....fL..S(>,.....v.....=.D.F&..;f..B...Km.Nw...>...]M....t....6RV...f..X.`.(l..T...v.s..O..I5.n$z.M.t-........v...I."....Q...m..j:.i7.1.........h.........S..Hf.6p._.....MD......'yq.G...$.a7...~...}.F.13s..`=..I.3. T1jn.^............!.].....6...?."Fdd.t@P`i.8.-.C.........h..h..>..0.h.$j5*i......QaA......]!A.A....X.h.Wq/.J.p..G2.I6.....s.]_...`]=5{..e.t.B..\....R-..7..(.@.L;..eY~...5C.......C.j..n...F..\a&..m9.n.#..........@d.c..M..>.d...p.i.E...K.........{.............Q`..RK.R}-..

C:\Users\user\AppData\Local\Temp\74A4.tmp

Process:	C:\Windows\SysWOW64\rundll32.exe
File Type:	data
Category:	dropped
Size (bytes):	56320
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BFD70118226E2E6391B6A0992F8B5B22
SHA1:	4F9E3810D346B368B7C2437EB4BB040D3F6DAED3
SHA-256:	F8D214080544676394EEA8DDA1CBD79DB436414860E1809CCCD56B2DA039C724
SHA-512:	AB771F24EBDB0C3FFD195AC67B8F655F8EE7037C983AD05CFAC6660BCC5FDDD40E053C859F85990B32227D69E080E2559127A6D9CBF686DC55F0796C7A3F70E9
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\dllhost.dat

Process:	C:\Windows\SysWOW64\rundll32.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	modified
Size (bytes):	381816
Entropy (8bit):	6.566133361341289
Encrypted:	false
SSDEEP:	6144:xytTHoerLyksdxFPSWaNJaS1I1f4ogQs/LT7Z2Swc0IZCYA+l82:x6TH9F8bPSHDogQsTJJJK+l82
MD5:	AEEE996FD3484F28E5CD85FE26B6BDCD
SHA1:	CD23B7C9E0EDEF184930BC8E0CA2264F0608BCB3
SHA-256:	F8DBABDFA03068130C277CE49C60E35C029FF29D9E3C74C362521F3FB02670D5
SHA-512:	E7C0B64CA5933C301F46DC3B3FD095BCC48011D8741896571BF93AF909F54A6B21096D5F66B4900020DCAECE6AB9B0E1D1C65791B8B5943D2E4D5BAB28340E6F
Malicious:	false
Yara Hits:	Rule: JoeSecurity_PsExec, Description: Yara detected PsExec sysinternal tool, Source: C:\Windows\dllhost.dat, Author: Joe Security
Antivirus:	Antivirus: ReversingLabs, Detection: 3%
Joe Sandbox View:	Filename: p2pWin.exe, Detection: malicious, Browse Filename: 027.dll, Detection: malicious, Browse Filename: QYXZGHJc38.dll, Detection: malicious, Browse Filename: NotPetya DLL.dll.dll, Detection: malicious, Browse Filename: Trojan.Ransom.exe, Detection: malicious, Browse Filename: qFTst626iV.dll, Detection: malicious, Browse Filename: NotPetya.dll, Detection: malicious, Browse Filename: notpetya.dll, Detection: malicious, Browse Filename: 6r3kQ7Ddkk.dll, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......<..x...x...x...q.8.R...q.).h...q./.k...x......q.?...q.(.y...q.-.y...Richx...........................PE..L......K.................H...p......U........`....@.........................................................................D...........................x...........`c..................................@............`...............................text...zG.......H.................. ..`.rdata......`.......L..............@..@.data............ ..................@....rsrc...............................@..@........................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\perfc.dat

Process:	C:\Users\user\Desktop\JRDpxoBkBJ.exe
File Type:	data
Category:	dropped
Size (bytes):	362360
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	9A7FFE65E0912F9379BA6E8E0B079FDE
SHA1:	532BEA84179E2336CAED26E31805CEAA7EEC53DD
SHA-256:	4B336C3CC9B6C691FE581077E3DD9EA7DF3BF48F79E35B05CF87E079EC8E0651
SHA-512:	E8EBF30488B9475529D3345A00C002FE44336718AF8BC99879018982BBC1172FC77F9FEE12C541BAB9665690092709EF5F847B40201782732C717C331BB77C31
Malicious:	true
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

\Device\Harddisk0\DR0

Process:	C:\Windows\SysWOW64\rundll32.exe
File Type:	data
Category:	dropped
Size (bytes):	5120
Entropy (8bit):	0.01344132662638297
Encrypted:	false
SSDEEP:	3:qCll:qC
MD5:	DDD66EBF22FE50EBCFAD3B5B8E6FE148
SHA1:	530CF77B635C8830D2BBB0297BAA8857A6B28C1B
SHA-256:	480C8E85D1E203B441A4FBF904B395887C6C076088C2FEA670281D1F2CD0916E
SHA-512:	F85133395C96D2C8BC85E72D0B876283A198A5EE69C1B4F067B56BE7CD31CD3F980E495D51D01F3846A08BF1B34EEA84CF31CB05DCF2EC2C30DA5C1F1A4F37F9
Malicious:	true
Preview:	.....:..................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.678527817788194
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	JRDpxoBkBJ.exe
File size:	399'360 bytes
MD5:	5b7e6e352bacc93f7b80bc968b6ea493
SHA1:	e686139d5ed8528117ba6ca68fe415e4fb02f2be
SHA256:	63545fa195488ff51955f09833332b9660d18f8afb16bdf579134661962e548a
SHA512:	9d24af0cb00fb8a5e61e9d19cd603b5541a22ae6229c2acf498447e0e7d4145fee25c8ab9d5d5f18f554e6cbf8ca56b7ca3144e726d7dfd64076a42a25b3dfb6
SSDEEP:	12288:ef/X4NTS/x9jNG+w+9OqFoK323qdQYKU3:EXATS/x9jNg+95vdQa
TLSH:	B284026131D38172F0F38A3419DAF6674FBEB452877091CECB5A561A2D31781AB383A7
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........S..YS..YS..Y<.FYY..Y<.sY[..Y<.GYk..YZ.~YV..YS..Y...Y<.BYR..Y<.wYR..Y<.pYR..YRichS..Y................PE..L.....?\...........

File Icon


Icon Hash:	2775250905472797

Static PE Info

General

Entrypoint:	0x40128b
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x5C3F96B7 [Wed Jan 16 20:40:23 2019 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	ab8fd60b3da01515e6706e8d122c633f

Entrypoint Preview

Instruction
call 00007FE744F79B84h
jmp 00007FE744F7852Eh
mov edi, edi
push ebp
mov ebp, esp
sub esp, 00000328h
mov dword ptr [00461C38h], eax
mov dword ptr [00461C34h], ecx
mov dword ptr [00461C30h], edx
mov dword ptr [00461C2Ch], ebx
mov dword ptr [00461C28h], esi
mov dword ptr [00461C24h], edi
mov word ptr [00461C50h], ss
mov word ptr [00461C44h], cs
mov word ptr [00461C20h], ds
mov word ptr [00461C1Ch], es
mov word ptr [00461C18h], fs
mov word ptr [00461C14h], gs
pushfd
pop dword ptr [00461C48h]
mov eax, dword ptr [ebp+00h]
mov dword ptr [00461C3Ch], eax
mov eax, dword ptr [ebp+04h]
mov dword ptr [00461C40h], eax
lea eax, dword ptr [ebp+08h]
mov dword ptr [00461C4Ch], eax
mov eax, dword ptr [ebp-00000320h]
mov dword ptr [00461B88h], 00010001h
mov eax, dword ptr [00461C40h]
mov dword ptr [00461B3Ch], eax
mov dword ptr [00461B30h], C0000409h
mov dword ptr [00461B34h], 00000001h
mov eax, dword ptr [00461004h]
mov dword ptr [ebp-00000328h], eax
mov eax, dword ptr [00461008h]
mov dword ptr [ebp-00000324h], eax
call dword ptr [00000044h]

Rich Headers

Programming Language:

[C++] VS2010 build 30319
[ASM] VS2010 build 30319
[ C ] VS2010 build 30319
[IMP] VS2008 SP1 build 30729
[RES] VS2010 build 30319
[LNK] VS2010 build 30319

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x6024c	0x3c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x63000	0xb0c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x64000	0x5c4	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x6130	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x5fff0	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x6000	0xfc	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x44c2	0x4600	62f7651f4dd1ee24dacae5faa010d417	False	0.616796875	data	6.430171910742918	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x6000	0x5a810	0x5aa00	292699f8371a7c94f4b365f79453a3e3	False	0.8549515086206897	data	7.762390087611879	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x61000	0x18c0	0xc00	be99c349e53ba582ff2a3dc599760572	False	0.21419270833333334	Matlab v4 mat-file (little endian) \200, sparse, rows 3141592654, columns 1153374641	2.4878952701095853	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x63000	0xb0c	0xc00	97a882d3ea7a9b3fd6f8baa4c523ba8a	False	0.5110677083333334	data	5.423098345300529	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x64000	0xafe	0xc00	a7055f15ec633ce62d2b8cdd5437d5bc	False	0.4313151041666667	data	4.020063597668279	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x630e8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1152	English	United States	0.572202166064982
RT_GROUP_ICON	0x63990	0x14	data	English	United States	1.15
RT_MANIFEST	0x639a4	0x165	ASCII text, with CRLF line terminators	English	United States	0.5434173669467787

Imports

DLL

Import

KERNEL32.dll

GetFullPathNameA, CreateFileA, HeapAlloc, HeapFree, GetProcessHeap, ExpandEnvironmentStringsA, WriteFile, CloseHandle, HeapReAlloc, GetStringTypeW, GetCommandLineA, HeapSetInformation, GetStartupInfoW, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, GetProcAddress, GetModuleHandleW, ExitProcess, DecodePointer, GetStdHandle, GetModuleFileNameW, GetModuleFileNameA, FreeEnvironmentStringsW, WideCharToMultiByte, GetEnvironmentStringsW, SetHandleCount, InitializeCriticalSectionAndSpinCount, GetFileType, DeleteCriticalSection, EncodePointer, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, InterlockedIncrement, SetLastError, GetCurrentThreadId, GetLastError, InterlockedDecrement, HeapCreate, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, GetSystemTimeAsFileTime, LeaveCriticalSection, EnterCriticalSection, LoadLibraryW, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, Sleep, RtlUnwind, HeapSize, LCMapStringW, MultiByteToWideChar, IsProcessorFeaturePresent

SHELL32.dll

ShellExecuteA

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jun 7, 2024 19:57:28.564030886 CEST	49734	445	192.168.2.4	173.222.162.32
Jun 7, 2024 19:57:28.569011927 CEST	445	49734	173.222.162.32	192.168.2.4
Jun 7, 2024 19:57:28.569222927 CEST	49734	445	192.168.2.4	173.222.162.32
Jun 7, 2024 19:57:28.569494009 CEST	49734	445	192.168.2.4	173.222.162.32
Jun 7, 2024 19:57:28.574420929 CEST	445	49734	173.222.162.32	192.168.2.4
Jun 7, 2024 19:57:28.596196890 CEST	49735	80	192.168.2.4	192.168.2.1
Jun 7, 2024 19:57:28.651715040 CEST	49736	445	192.168.2.4	173.222.162.32
Jun 7, 2024 19:57:28.656840086 CEST	445	49736	173.222.162.32	192.168.2.4
Jun 7, 2024 19:57:28.656980991 CEST	49736	445	192.168.2.4	173.222.162.32
Jun 7, 2024 19:57:28.656980991 CEST	49736	445	192.168.2.4	173.222.162.32
Jun 7, 2024 19:57:28.661923885 CEST	445	49736	173.222.162.32	192.168.2.4
Jun 7, 2024 19:57:29.603537083 CEST	49735	80	192.168.2.4	192.168.2.1
Jun 7, 2024 19:57:30.306766987 CEST	49675	443	192.168.2.4	173.222.162.32
Jun 7, 2024 19:57:31.619158030 CEST	49735	80	192.168.2.4	192.168.2.1

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jun 7, 2024 19:57:31.937426090 CEST	61532	274	192.168.2.4	192.168.2.1

ICMP Packets

Timestamp	Source IP	Dest IP	Checksum	Code	Type
Jun 7, 2024 19:57:28.596259117 CEST	192.168.2.1	192.168.2.4	8279	(Port unreachable)	Destination Unreachable
Jun 7, 2024 19:57:29.603602886 CEST	192.168.2.1	192.168.2.4	8279	(Port unreachable)	Destination Unreachable
Jun 7, 2024 19:57:31.619210005 CEST	192.168.2.1	192.168.2.4	8279	(Port unreachable)	Destination Unreachable

Target ID:	0
Start time:	13:57:26
Start date:	07/06/2024
Path:	C:\Users\user\Desktop\JRDpxoBkBJ.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\JRDpxoBkBJ.exe"
Imagebase:	0xe90000
File size:	399'360 bytes
MD5 hash:	5B7E6E352BACC93F7B80BC968B6EA493
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_NotPetya, Description: Yara detected NotPetya, Source: 00000000.00000000.1691609553.0000000000E96000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: fe_cpe_ms17_010_ransomware, Description: probable petya ransomware using eternalblue, wmic, psexec, Source: 00000000.00000000.1691609553.0000000000E96000.00000002.00000001.01000000.00000003.sdmp, Author: ian.ahl@fireeye.com @tekdefense, nicholas.carr@mandiant.com @itsreallynick Rule: doublepulsarxor_petya, Description: rule to hit on the xored doublepulsar shellcode, Source: 00000000.00000000.1691609553.0000000000E96000.00000002.00000001.01000000.00000003.sdmp, Author: patrick jones Rule: doublepulsardllinjection_petya, Description: rule to hit on the xored doublepulsar dll injection shellcode, Source: 00000000.00000000.1691609553.0000000000E96000.00000002.00000001.01000000.00000003.sdmp, Author: patrick jones Rule: JoeSecurity_NotPetya, Description: Yara detected NotPetya, Source: 00000000.00000002.1695711231.0000000000E96000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: fe_cpe_ms17_010_ransomware, Description: probable petya ransomware using eternalblue, wmic, psexec, Source: 00000000.00000002.1695711231.0000000000E96000.00000002.00000001.01000000.00000003.sdmp, Author: ian.ahl@fireeye.com @tekdefense, nicholas.carr@mandiant.com @itsreallynick Rule: doublepulsarxor_petya, Description: rule to hit on the xored doublepulsar shellcode, Source: 00000000.00000002.1695711231.0000000000E96000.00000002.00000001.01000000.00000003.sdmp, Author: patrick jones Rule: doublepulsardllinjection_petya, Description: rule to hit on the xored doublepulsar dll injection shellcode, Source: 00000000.00000002.1695711231.0000000000E96000.00000002.00000001.01000000.00000003.sdmp, Author: patrick jones
Reputation:	low
Has exited:	true

Target ID:	1
Start time:	13:57:26
Start date:	07/06/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\rundll32.exe" C:\Windows\perfc.dat #1
Imagebase:	0xba0000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_NotPetya, Description: Yara detected NotPetya, Source: 00000001.00000002.1737559683.00000000043BD000.00000002.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: fe_cpe_ms17_010_ransomware, Description: probable petya ransomware using eternalblue, wmic, psexec, Source: 00000001.00000002.1737559683.00000000043BD000.00000002.00001000.00020000.00000000.sdmp, Author: ian.ahl@fireeye.com @tekdefense, nicholas.carr@mandiant.com @itsreallynick Rule: doublepulsarxor_petya, Description: rule to hit on the xored doublepulsar shellcode, Source: 00000001.00000002.1737559683.00000000043BD000.00000002.00001000.00020000.00000000.sdmp, Author: patrick jones Rule: doublepulsardllinjection_petya, Description: rule to hit on the xored doublepulsar dll injection shellcode, Source: 00000001.00000002.1737559683.00000000043BD000.00000002.00001000.00020000.00000000.sdmp, Author: patrick jones Rule: JoeSecurity_NotPetya, Description: Yara detected NotPetya, Source: 00000001.00000002.1737025242.0000000000A5A000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: fe_cpe_ms17_010_ransomware, Description: probable petya ransomware using eternalblue, wmic, psexec, Source: 00000001.00000002.1737025242.0000000000A5A000.00000004.00000020.00020000.00000000.sdmp, Author: ian.ahl@fireeye.com @tekdefense, nicholas.carr@mandiant.com @itsreallynick Rule: doublepulsarxor_petya, Description: rule to hit on the xored doublepulsar shellcode, Source: 00000001.00000002.1737025242.0000000000A5A000.00000004.00000020.00020000.00000000.sdmp, Author: patrick jones Rule: doublepulsardllinjection_petya, Description: rule to hit on the xored doublepulsar dll injection shellcode, Source: 00000001.00000002.1737025242.0000000000A5A000.00000004.00000020.00020000.00000000.sdmp, Author: patrick jones
Reputation:	high
Has exited:	false

Target ID:	2
Start time:	13:57:27
Start date:	07/06/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	/c schtasks /Create /SC once /TN "" /TR "C:\Windows\system32\shutdown.exe /r /f" /ST 14:60
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	3
Start time:	13:57:27
Start date:	07/06/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	4
Start time:	13:57:27
Start date:	07/06/2024
Path:	C:\Users\user\AppData\Local\Temp\74A4.tmp
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Local\Temp\74A4.tmp" \\.\pipe\{93489684-E94E-42C2-BE94-1B9F236C3B77}
Imagebase:	0x7ff7c42e0000
File size:	56'320 bytes
MD5 hash:	7E37AB34ECDCC3E77E24522DDFD4852D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Target ID:	5
Start time:	13:57:27
Start date:	07/06/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	6
Start time:	13:57:27
Start date:	07/06/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	schtasks /Create /SC once /TN "" /TR "C:\Windows\system32\shutdown.exe /r /f" /ST 14:60
Imagebase:	0xc00000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	7
Start time:	13:57:27
Start date:	07/06/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	/c wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application & fsutil usn deletejournal /D C:
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	8
Start time:	13:57:28
Start date:	07/06/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0xda0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	9
Start time:	13:57:28
Start date:	07/06/2024
Path:	C:\Windows\SysWOW64\wevtutil.exe
Wow64 process (32bit):	true
Commandline:	wevtutil cl Setup
Imagebase:	0xe10000
File size:	208'384 bytes
MD5 hash:	3C0E48DA02447863279B0FE3CE7FE5E8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Target ID:	10
Start time:	13:57:28
Start date:	07/06/2024
Path:	C:\Windows\SysWOW64\wevtutil.exe
Wow64 process (32bit):	true
Commandline:	wevtutil cl System
Imagebase:	0xe10000
File size:	208'384 bytes
MD5 hash:	3C0E48DA02447863279B0FE3CE7FE5E8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Target ID:	11
Start time:	13:57:29
Start date:	07/06/2024
Path:	C:\Windows\SysWOW64\wevtutil.exe
Wow64 process (32bit):	true
Commandline:	wevtutil cl Security
Imagebase:	0xe10000
File size:	208'384 bytes
MD5 hash:	3C0E48DA02447863279B0FE3CE7FE5E8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Target ID:	12
Start time:	13:57:29
Start date:	07/06/2024
Path:	C:\Windows\SysWOW64\wevtutil.exe
Wow64 process (32bit):	true
Commandline:	wevtutil cl Application
Imagebase:	0xe10000
File size:	208'384 bytes
MD5 hash:	3C0E48DA02447863279B0FE3CE7FE5E8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Target ID:	13
Start time:	13:57:29
Start date:	07/06/2024
Path:	C:\Windows\SysWOW64\fsutil.exe
Wow64 process (32bit):	true
Commandline:	fsutil usn deletejournal /D C:
Imagebase:	0xc90000
File size:	167'440 bytes
MD5 hash:	452CA7574A1B2550CD9FF83DDBE87463
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true