Play interactive tour

Edit tour

Analysis Report Q1xEDBAmY5

Overview

General Information

Sample Name:	Q1xEDBAmY5 (renamed file extension from none to exe)
Analysis ID:	377652
MD5:	7d4550dd4c6996057147ecc996b14e9a
SHA1:	d0d68281f8459b5558559fbbf8c6c8ab4ddfec8b
SHA256:	ea310cc4fd4e8669e014ff417286da5edf2d3bef20abfb0a4f4951afe260d33d
Infos:
Most interesting Screenshot:

Detection

Hades Ransomware

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Found ransom note / readme

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Yara detected Hades Ransomware

Deletes shadow drive data (may be related to ransomware)

May encrypt documents and pictures (Ransomware)

Modifies existing user documents (likely ransomware behavior)

Tries to detect virtualization through RDTSC time measurements

Uses cmd line tools excessively to alter registry or file data

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to call native functions

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Drops files with a non-matching file extension (content does not match file extension)

Found large amount of non-executed APIs

PE file contains strange resources

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Searches for user specific document files

Uses code obfuscation techniques (call, push, ret)

Classification

Startup

System is w10x64

Q1xEDBAmY5.exe (PID: 5032 cmdline: 'C:\Users\user\Desktop\Q1xEDBAmY5.exe' MD5: 7D4550DD4C6996057147ECC996B14E9A)

Unistore (PID: 1752 cmdline: C:\Users\user\AppData\Roaming\TextNotepad\Unistore /go MD5: 7D4550DD4C6996057147ECC996B14E9A)

cmd.exe (PID: 4844 cmdline: cmd /c waitfor /t 10 pause /d y & attrib -h 'C:\Users\user\AppData\Roaming\TextNotepad\Unistore' & del 'C:\Users\user\AppData\Roaming\TextNotepad\Unistore' & rd 'C:\Users\user\AppData\Roaming\TextNotepad\' MD5: 4E2ACF4F8A396486AB4268C94A6A245F)

conhost.exe (PID: 3528 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

waitfor.exe (PID: 2076 cmdline: waitfor /t 10 pause /d y MD5: 9509EC0B3D20348D129183021BF38BBB)

attrib.exe (PID: 3576 cmdline: attrib -h 'C:\Users\user\AppData\Roaming\TextNotepad\Unistore' MD5: FDC601145CD289C6FBC96D3F805F3CD7)

cmd.exe (PID: 5112 cmdline: cmd /c waitfor /t 10 pause /d y & attrib -h 'C:\Users\user\Desktop\Q1xEDBAmY5.exe' & del 'C:\Users\user\Desktop\Q1xEDBAmY5.exe' & rd 'C:\Users\user\Desktop\' MD5: 4E2ACF4F8A396486AB4268C94A6A245F)

conhost.exe (PID: 4936 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

waitfor.exe (PID: 1752 cmdline: waitfor /t 10 pause /d y MD5: 9509EC0B3D20348D129183021BF38BBB)

attrib.exe (PID: 5656 cmdline: attrib -h 'C:\Users\user\Desktop\Q1xEDBAmY5.exe' MD5: FDC601145CD289C6FBC96D3F805F3CD7)

cleanup

Malware Configuration

Threatname: Hades Ransomware

[+] What happened? [+]Your files are encrypted, and currently unavailable. You can check it: all files on you computer has extension *.gn9cjBy the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant get back your data (NEVER).[+] What guarantees? [+]Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will cooperate with us. Its not in our interests.To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee.If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practiAe - time is much more valuable than money.[+] How to get access on website? [+]Using a TOR browser!  - Download and install TOR browser from this site: hxxps:\/\/torproject.org/  - Open our website: hxxp:\/\/khfsk3ffg3av3rha.onion  - Follow the on-screen instructionsExtension name:*.gn9cj-----------------------------------------------------------------------------------------!!! DANGER !!!DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data.!!! !!! !!!ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) will make everything possible for restoring, but please do not interfere.!!! !!! !!!

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
Process Memory Space: Unistore PID: 1752	JoeSecurity_HadesRansomware	Yara detected Hades Ransomware	Joe Security
Process Memory Space: Q1xEDBAmY5.exe PID: 5032	JoeSecurity_HadesRansomware	Yara detected Hades Ransomware	Joe Security

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: HOW-TO-DECRYPT-gn9cj.txt5.1.dr.binstr

Malware Configuration Extractor: Hades Ransomware [+] What happened? [+]Your files are encrypted, and currently unavailable. You can check it: all files on you computer has extension *.gn9cjBy the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant get back your data (NEVER).[+] What guarantees? [+]Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will cooperate with us. Its not in our interests.To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee.If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practiAe - time is much more valuable than money.[+] How to get access on website? [+]Using a TOR browser! - Download and install TOR browser from this site: hxxps:\/\/torproject.org/ - Open our website: hxxp:\/\/khfsk3ffg3av3rha.onion - Follow the on-screen instructionsExtension name:*.gn9cj-----------------------------------------------------------------------------------------!!! DANGER !!!DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data.!!! !!! !!!ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) will make everything possible for restoring, but please do not interfere.!!! !!! !!!

Multi AV Scanner detection for dropped file

Show sources

Source: C:\Users\user\AppData\Roaming\TextNotepad\Unistore	Metadefender: Detection: 50%			Perma Link
Source: C:\Users\user\AppData\Roaming\TextNotepad\Unistore	ReversingLabs: Detection: 82%

Multi AV Scanner detection for submitted file

Show sources

Source: Q1xEDBAmY5.exe	Metadefender: Detection: 50%			Perma Link
Source: Q1xEDBAmY5.exe	ReversingLabs: Detection: 82%

Compliance:

Detected unpacking (overwrites its own PE header)

Show sources

Source: C:\Users\user\Desktop\Q1xEDBAmY5.exe	Unpacked PE file: 0.2.Q1xEDBAmY5.exe.140000000.2.unpack
Source: C:\Users\user\AppData\Roaming\TextNotepad\Unistore	Unpacked PE file: 1.2.Unistore.140000000.2.unpack

Source: C:\Users\user\Desktop\Q1xEDBAmY5.exe

Code function: 0_2_00000001401B86FF GetLogicalDriveStringsW,HeapAlloc,GetLogicalDriveStringsW,lstrlenW,QueryDosDeviceW,lstrlenW,StrCmpNIW,HeapFree,

0_2_00000001401B86FF

Spam, unwanted Advertisements and Ransom Demands:

Found ransom note / readme

Show sources

Source: C:\MSOCache\All Users\{90160000-0011-0000-0000-0000000FF1CE}-C\HOW-TO-DECRYPT-gn9cj.txt

Dropped file: [+] What happened? [+]Your files are encrypted, and currently unavailable. You can check it: all files on you computer has extension *.gn9cjBy the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant get back your data (NEVER).[+] What guarantees? [+]Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will cooperate with us. Its not in our interests.To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee.If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practiAe - time is much more valuable than money.[+] How to get access on website? [+]Using a TOR browser! - Download and install TOR browser from this site: hxxps://torproject.org/ - Open our website: hxxp://khfsk3ffg3av3rha.onion - Follow the on-screen instructionsExtension name:*.gn9cj-----------------------------------------------------------------------------------------!!! DANGER !!!DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data.!!! !!! !!!ONE MORE TIME: Its in your interests to get your files

Jump to dropped file

Yara detected Hades Ransomware

Show sources

Source: Yara match	File source: Process Memory Space: Unistore PID: 1752, type: MEMORY
Source: Yara match	File source: Process Memory Space: Q1xEDBAmY5.exe PID: 5032, type: MEMORY

Deletes shadow drive data (may be related to ransomware)

Show sources

Source: Q1xEDBAmY5.exe	Binary or memory string: vssadmin.exe Delete Shadows /All /Quiet
Source: Q1xEDBAmY5.exe, 00000000.00000003.351265737.0000000002790000.00000004.00000040.sdmp	Binary or memory string: .exe\|.dll\\?\CryptAcquireContextWadvapi32Low\CryptReleaseContextkernel32ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/%appdata%\\|$$$}rstuvwxyz{$$$$$$$>?@ABCDEFGHIJKLMNOPQRSTUVW$$$$$$XYZ[\]^_`abcdefghijklmnopq\BaseNamedObjects\\REGISTRY\USERCryptGenRandomConvertStringSecurityDescriptorToSecurityDescriptorW%SWow64EnableWow64FsRedirectionFloppyMicrosoft Corporation. All rights reserved.system32\REGISTRY\MACHINE\SOFTWARE\Microsoftcmd /c waitfor /t %u pause /d y & attrib -h "%s" & del "%s" & rd "%s"osk.exemsconfig.exewmic process call create "%s" > nul && exitConsoleWindowClass-5#32770en-USSysListView32List1%uvssadmin.exe Delete Shadows /All /Quiet/user/prio/path/uac/go%s - %u
Source: Unistore	Binary or memory string: vssadmin.exe Delete Shadows /All /Quiet
Source: Unistore, 00000001.00000003.347686759.0000000002740000.00000004.00000040.sdmp	Binary or memory string: .exe\|.dll\\?\CryptAcquireContextWadvapi32Low\CryptReleaseContextkernel32ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/%appdata%\\|$$$}rstuvwxyz{$$$$$$$>?@ABCDEFGHIJKLMNOPQRSTUVW$$$$$$XYZ[\]^_`abcdefghijklmnopq\BaseNamedObjects\\REGISTRY\USERCryptGenRandomConvertStringSecurityDescriptorToSecurityDescriptorW%SWow64EnableWow64FsRedirectionFloppyMicrosoft Corporation. All rights reserved.system32\REGISTRY\MACHINE\SOFTWARE\Microsoftcmd /c waitfor /t %u pause /d y & attrib -h "%s" & del "%s" & rd "%s"osk.exemsconfig.exewmic process call create "%s" > nul && exitConsoleWindowClass-5#32770en-USSysListView32List1%uvssadmin.exe Delete Shadows /All /Quiet/user/prio/path/uac/go%s - %u

May encrypt documents and pictures (Ransomware)

Show sources

Source: C:\Users\user\AppData\Roaming\TextNotepad\Unistore	File created: c:\msocache\all users\{90160000-0011-0000-0000-0000000ff1ce}-c\how-to-decrypt-gn9cj.txt	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TextNotepad\Unistore	File created: c:\msocache\all users\{90160000-0016-0409-0000-0000000ff1ce}-c\how-to-decrypt-gn9cj.txt	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TextNotepad\Unistore	File created: c:\msocache\all users\{90160000-0018-0409-0000-0000000ff1ce}-c\how-to-decrypt-gn9cj.txt	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TextNotepad\Unistore	File created: c:\msocache\all users\{90160000-0019-0409-0000-0000000ff1ce}-c\how-to-decrypt-gn9cj.txt	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TextNotepad\Unistore	File created: c:\msocache\all users\{90160000-001a-0409-0000-0000000ff1ce}-c\how-to-decrypt-gn9cj.txt	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TextNotepad\Unistore	File created: c:\msocache\all users\{90160000-001b-0409-0000-0000000ff1ce}-c\how-to-decrypt-gn9cj.txt	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TextNotepad\Unistore	File created: c:\msocache\all users\{90160000-002c-0409-0000-0000000ff1ce}-c\proof.en\how-to-decrypt-gn9cj.txt	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TextNotepad\Unistore	File created: c:\msocache\all users\{90160000-002c-0409-0000-0000000ff1ce}-c\proof.es\how-to-decrypt-gn9cj.txt	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TextNotepad\Unistore	File created: c:\msocache\all users\{90160000-002c-0409-0000-0000000ff1ce}-c\proof.fr\how-to-decrypt-gn9cj.txt	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TextNotepad\Unistore	File created: c:\msocache\all users\{90160000-002c-0409-0000-0000000ff1ce}-c\how-to-decrypt-gn9cj.txt	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TextNotepad\Unistore	File created: c:\msocache\all users\{90160000-0044-0409-0000-0000000ff1ce}-c\how-to-decrypt-gn9cj.txt	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TextNotepad\Unistore	File created: c:\msocache\all users\{90160000-0090-0409-0000-0000000ff1ce}-c\how-to-decrypt-gn9cj.txt	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TextNotepad\Unistore	File created: c:\msocache\all users\{90160000-00a1-0409-0000-0000000ff1ce}-c\how-to-decrypt-gn9cj.txt	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TextNotepad\Unistore	File created: c:\msocache\all users\{90160000-00ba-0409-0000-0000000ff1ce}-c\how-to-decrypt-gn9cj.txt	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TextNotepad\Unistore	File created: c:\msocache\all users\{90160000-00e1-0409-0000-0000000ff1ce}-c\how-to-decrypt-gn9cj.txt	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TextNotepad\Unistore	File created: c:\msocache\all users\{90160000-00e2-0409-0000-0000000ff1ce}-c\how-to-decrypt-gn9cj.txt	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TextNotepad\Unistore	File created: c:\msocache\all users\{90160000-0115-0409-0000-0000000ff1ce}-c\how-to-decrypt-gn9cj.txt	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TextNotepad\Unistore	File created: c:\msocache\all users\{90160000-0116-0409-1000-0000000ff1ce}-c\how-to-decrypt-gn9cj.txt	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TextNotepad\Unistore	File created: c:\msocache\all users\{90160000-0117-0409-0000-0000000ff1ce}-c\access.en-us\how-to-decrypt-gn9cj.txt	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TextNotepad\Unistore	File created: c:\msocache\all users\{90160000-0117-0409-0000-0000000ff1ce}-c\how-to-decrypt-gn9cj.txt	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TextNotepad\Unistore	File created: c:\msocache\all users\{90160000-012b-0409-0000-0000000ff1ce}-c\how-to-decrypt-gn9cj.txt	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TextNotepad\Unistore	File created: c:\users\default\how-to-decrypt-gn9cj.txt	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TextNotepad\Unistore	File created: c:\users\user\desktop\bpmlnobvsb\how-to-decrypt-gn9cj.txt	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TextNotepad\Unistore	File created: c:\users\user\desktop\how-to-decrypt-gn9cj.txt	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TextNotepad\Unistore	File created: c:\users\user\desktop\nikhqaiqau\how-to-decrypt-gn9cj.txt	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TextNotepad\Unistore	File created: c:\users\user\desktop\zbedcjpbey\how-to-decrypt-gn9cj.txt	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TextNotepad\Unistore	File created: c:\users\user\documents\bpmlnobvsb\how-to-decrypt-gn9cj.txt	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TextNotepad\Unistore	File created: c:\users\user\documents\how-to-decrypt-gn9cj.txt	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TextNotepad\Unistore	File created: c:\users\user\documents\nikhqaiqau\how-to-decrypt-gn9cj.txt	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TextNotepad\Unistore	File created: c:\users\user\documents\zbedcjpbey\how-to-decrypt-gn9cj.txt	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TextNotepad\Unistore	File created: c:\users\user\downloads\how-to-decrypt-gn9cj.txt	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TextNotepad\Unistore	File created: c:\users\user\favorites\how-to-decrypt-gn9cj.txt	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TextNotepad\Unistore	File created: c:\users\user\how-to-decrypt-gn9cj.txt	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TextNotepad\Unistore	File created: c:\users\user\searches\how-to-decrypt-gn9cj.txt	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TextNotepad\Unistore	File created: c:\users\public\libraries\how-to-decrypt-gn9cj.txt	Jump to behavior

Modifies existing user documents (likely ransomware behavior)

Show sources

Source: C:\Users\user\AppData\Roaming\TextNotepad\Unistore	File moved: C:\Users\user\Desktop\BPMLNOBVSB\MXPXCVPDVN.jpg	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TextNotepad\Unistore	File moved: C:\Users\user\Desktop\NIKHQAIQAU\SQRKHNBNYN.png	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TextNotepad\Unistore	File moved: C:\Users\user\Desktop\ZTGJILHXQB.jpg	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TextNotepad\Unistore	File moved: C:\Users\user\Desktop\GAOBCVIQIJ.mp3	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TextNotepad\Unistore	File moved: C:\Users\user\Desktop\ZBEDCJPBEY\RAYHIWGKDI.jpg	Jump to behavior

Source: C:\Users\user\Desktop\Q1xEDBAmY5.exe	Code function: 0_2_0000000140004DE4 lstrlenW,HeapAlloc,PathFindFileNameW,lstrcpyW,ZwClose,lstrcpyW,HeapFree,	0_2_0000000140004DE4
Source: C:\Users\user\Desktop\Q1xEDBAmY5.exe	Code function: 0_2_0000000140008FD8 RtlInitUnicodeString,RtlpNtOpenKey,RtlNtStatusToDosError,NtEnumerateKey,RtlNtStatusToDosError,NtClose,	0_2_0000000140008FD8
Source: C:\Users\user\Desktop\Q1xEDBAmY5.exe	Code function: 0_2_00000001401B8494 RtlDosPathNameToNtPathName_U,HeapAlloc,RtlDosPathNameToNtPathName_U,ZwSetInformationFile,RtlNtStatusToDosError,ZwClose,HeapFree,RtlFreeUnicodeString,	0_2_00000001401B8494
Source: C:\Users\user\Desktop\Q1xEDBAmY5.exe	Code function: 0_2_000000014000293C ZwQueryVirtualMemory,HeapAlloc,ZwQueryVirtualMemory,RtlNtStatusToDosError,HeapFree,RtlNtStatusToDosError,	0_2_000000014000293C
Source: C:\Users\user\Desktop\Q1xEDBAmY5.exe	Code function: 0_2_00000001401C0D0F lstrcatW,RtlDosPathNameToNtPathName_U,RtlDosPathNameToNtPathName_U,ZwClose,	0_2_00000001401C0D0F
Source: C:\Users\user\Desktop\Q1xEDBAmY5.exe	Code function: 0_2_00000001401B8D30 EnterCriticalSection,HeapFree,LeaveCriticalSection,DeleteCriticalSection,ZwClose,	0_2_00000001401B8D30
Source: C:\Users\user\Desktop\Q1xEDBAmY5.exe	Code function: 0_2_00000001401BC979 ZwQueryInformationFile,ZwSetInformationFile,RtlNtStatusToDosError,	0_2_00000001401BC979
Source: C:\Users\user\Desktop\Q1xEDBAmY5.exe	Code function: 0_2_00000001401C296F RtlDosPathNameToNtPathName_U,ZwSetInformationFile,RtlNtStatusToDosError,ZwClose,	0_2_00000001401C296F
Source: C:\Users\user\Desktop\Q1xEDBAmY5.exe	Code function: 0_2_00000001401BF96E ZwQueryInformationFile,RtlNtStatusToDosError,ZwSetInformationFile,RtlNtStatusToDosError,	0_2_00000001401BF96E
Source: C:\Users\user\Desktop\Q1xEDBAmY5.exe	Code function: 0_2_00000001401BB247 ZwCreateEvent,	0_2_00000001401BB247
Source: C:\Users\user\Desktop\Q1xEDBAmY5.exe	Code function: 0_2_00000001401BFA90 ZwCreateSection,ZwMapViewOfSection,RtlNtStatusToDosError,ZwClose,RtlNtStatusToDosError,ZwUnmapViewOfSection,ZwMapViewOfSection,RtlNtStatusToDosError,ZwUnmapViewOfSection,ZwClose,	0_2_00000001401BFA90
Source: C:\Users\user\Desktop\Q1xEDBAmY5.exe	Code function: 0_2_00000001400082B0 PathCombineW,PathCombineW,HeapFree,StrTrimW,_wcslwr,_wcslwr,lstrcmpW,StrTrimW,lstrlenW,lstrlenW,HeapAlloc,_wcslwr,lstrcpyW,lstrcpyW,HeapFree,lstrcmpW,lstrcmpW,StrTrimW,StrTrimW,lstrcmpW,_snwprintf,_snwprintf,ZwClose,	0_2_00000001400082B0
Source: C:\Users\user\Desktop\Q1xEDBAmY5.exe	Code function: 0_2_00000001401B6AA9 ZwCreateFile,RtlNtStatusToDosError,ZwQueryDirectoryFile,RtlNtStatusToDosError,WaitForSingleObject,ZwClose,HeapFree,	0_2_00000001401B6AA9
Source: C:\Users\user\Desktop\Q1xEDBAmY5.exe	Code function: 0_2_00000001401BBADF ZwWriteFile,RtlNtStatusToDosError,	0_2_00000001401BBADF
Source: C:\Users\user\Desktop\Q1xEDBAmY5.exe	Code function: 0_2_00000001401BD6E7 HeapAlloc,RtlDosPathNameToNtPathName_U,ZwSetInformationFile,RtlNtStatusToDosError,ZwClose,HeapFree,	0_2_00000001401BD6E7
Source: C:\Users\user\Desktop\Q1xEDBAmY5.exe	Code function: 0_2_00000001401C2B01 ZwCreateFile,RtlNtStatusToDosError,RtlFreeUnicodeString,	0_2_00000001401C2B01
Source: C:\Users\user\Desktop\Q1xEDBAmY5.exe	Code function: 0_2_00000001401BA75C RtlDosPathNameToNtPathName_U,GetFileAttributesW,SetFileAttributesW,RtlDosPathNameToNtPathName_U,HeapAlloc,HeapFree,ZwClose,SetFileAttributesW,	0_2_00000001401BA75C
Source: C:\Users\user\Desktop\Q1xEDBAmY5.exe	Code function: 0_2_00000001401C0FD6 ZwQueryInformationFile,RtlNtStatusToDosError,	0_2_00000001401C0FD6
Source: C:\Users\user\AppData\Roaming\TextNotepad\Unistore	Code function: 1_2_00000001401B8494 RtlDosPathNameToNtPathName_U,RtlAllocateHeap,RtlDosPathNameToNtPathName_U,NtSetInformationFile,RtlNtStatusToDosError,NtClose,HeapFree,RtlFreeUnicodeString,	1_2_00000001401B8494
Source: C:\Users\user\AppData\Roaming\TextNotepad\Unistore	Code function: 1_2_00000001401BC979 ZwQueryInformationFile,NtSetInformationFile,RtlNtStatusToDosError,	1_2_00000001401BC979
Source: C:\Users\user\AppData\Roaming\TextNotepad\Unistore	Code function: 1_2_00000001401C296F RtlDosPathNameToNtPathName_U,NtSetInformationFile,RtlNtStatusToDosError,ZwClose,	1_2_00000001401C296F
Source: C:\Users\user\AppData\Roaming\TextNotepad\Unistore	Code function: 1_2_00000001401BF96E ZwQueryInformationFile,RtlNtStatusToDosError,NtSetInformationFile,RtlNtStatusToDosError,	1_2_00000001401BF96E
Source: C:\Users\user\AppData\Roaming\TextNotepad\Unistore	Code function: 1_2_00000001401BFA90 ZwCreateSection,NtMapViewOfSection,RtlNtStatusToDosError,ZwClose,RtlNtStatusToDosError,NtUnmapViewOfSection,ZwMapViewOfSection,RtlNtStatusToDosError,ZwUnmapViewOfSection,NtClose,	1_2_00000001401BFA90
Source: C:\Users\user\AppData\Roaming\TextNotepad\Unistore	Code function: 1_2_00000001401B6AA9 NtCreateFile,RtlNtStatusToDosError,NtQueryDirectoryFile,RtlNtStatusToDosError,WaitForSingleObject,NtClose,RtlReleasePrivilege,	1_2_00000001401B6AA9
Source: C:\Users\user\AppData\Roaming\TextNotepad\Unistore	Code function: 1_2_00000001401BBADF NtWriteFile,RtlNtStatusToDosError,	1_2_00000001401BBADF
Source: C:\Users\user\AppData\Roaming\TextNotepad\Unistore	Code function: 1_2_00000001401C2B01 NtCreateFile,RtlNtStatusToDosError,RtlFreeUnicodeString,	1_2_00000001401C2B01
Source: C:\Users\user\AppData\Roaming\TextNotepad\Unistore	Code function: 1_2_00000001401BA75C RtlDosPathNameToNtPathName_U,GetFileAttributesW,SetFileAttributesW,RtlDosPathNameToNtPathName_U,RtlAllocateHeap,HeapFree,NtClose,SetFileAttributesW,	1_2_00000001401BA75C
Source: C:\Users\user\AppData\Roaming\TextNotepad\Unistore	Code function: 1_2_0000000140004DE4 lstrlenW,RtlAllocateHeap,PathFindFileNameW,lstrcpyW,ZwClose,lstrcpyW,HeapFree,	1_2_0000000140004DE4
Source: C:\Users\user\AppData\Roaming\TextNotepad\Unistore	Code function: 1_2_0000000140008FD8 RtlInitUnicodeString,RtlpNtOpenKey,RtlNtStatusToDosError,NtEnumerateKey,RtlNtStatusToDosError,NtClose,	1_2_0000000140008FD8
Source: C:\Users\user\AppData\Roaming\TextNotepad\Unistore	Code function: 1_2_000000014000293C ZwQueryVirtualMemory,HeapAlloc,ZwQueryVirtualMemory,RtlNtStatusToDosError,HeapFree,RtlNtStatusToDosError,	1_2_000000014000293C
Source: C:\Users\user\AppData\Roaming\TextNotepad\Unistore	Code function: 1_2_00000001401C0D0F lstrcatW,RtlDosPathNameToNtPathName_U,RtlDosPathNameToNtPathName_U,ZwClose,	1_2_00000001401C0D0F
Source: C:\Users\user\AppData\Roaming\TextNotepad\Unistore	Code function: 1_2_00000001401B8D30 EnterCriticalSection,HeapFree,LeaveCriticalSection,DeleteCriticalSection,ZwClose,	1_2_00000001401B8D30
Source: C:\Users\user\AppData\Roaming\TextNotepad\Unistore	Code function: 1_2_00000001401BB247 ZwCreateEvent,	1_2_00000001401BB247
Source: C:\Users\user\AppData\Roaming\TextNotepad\Unistore	Code function: 1_2_00000001400082B0 PathCombineW,PathCombineW,HeapFree,StrTrimW,_wcslwr,_wcslwr,lstrcmpW,StrTrimW,lstrlenW,lstrlenW,HeapAlloc,_wcslwr,lstrcpyW,lstrcpyW,HeapFree,lstrcmpW,lstrcmpW,StrTrimW,StrTrimW,lstrcmpW,_snwprintf,_snwprintf,ZwClose,	1_2_00000001400082B0
Source: C:\Users\user\AppData\Roaming\TextNotepad\Unistore	Code function: 1_2_00000001401BD6E7 HeapAlloc,RtlDosPathNameToNtPathName_U,ZwSetInformationFile,RtlNtStatusToDosError,ZwClose,HeapFree,	1_2_00000001401BD6E7
Source: C:\Users\user\AppData\Roaming\TextNotepad\Unistore	Code function: 1_2_00000001401C0FD6 ZwQueryInformationFile,RtlNtStatusToDosError,	1_2_00000001401C0FD6

Source: C:\Users\user\Desktop\Q1xEDBAmY5.exe	Code function: 0_2_00000001401BDDA1	0_2_00000001401BDDA1
Source: C:\Users\user\Desktop\Q1xEDBAmY5.exe	Code function: 0_2_00000001401B6AA9	0_2_00000001401B6AA9
Source: C:\Users\user\Desktop\Q1xEDBAmY5.exe	Code function: 0_2_00000001400032D8	0_2_00000001400032D8
Source: C:\Users\user\Desktop\Q1xEDBAmY5.exe	Code function: 0_2_00000001401BA75C	0_2_00000001401BA75C
Source: C:\Users\user\Desktop\Q1xEDBAmY5.exe	Code function: 0_2_0000000140009754	0_2_0000000140009754
Source: C:\Users\user\Desktop\Q1xEDBAmY5.exe	Code function: 0_2_0000000140006BC8	0_2_0000000140006BC8
Source: C:\Users\user\Desktop\Q1xEDBAmY5.exe	Code function: 0_2_00000001401BBFD5	0_2_00000001401BBFD5
Source: C:\Users\user\AppData\Roaming\TextNotepad\Unistore	Code function: 1_2_00000001401B6AA9	1_2_00000001401B6AA9
Source: C:\Users\user\AppData\Roaming\TextNotepad\Unistore	Code function: 1_2_00000001401BA75C	1_2_00000001401BA75C
Source: C:\Users\user\AppData\Roaming\TextNotepad\Unistore	Code function: 1_2_00000001401BDDA1	1_2_00000001401BDDA1
Source: C:\Users\user\AppData\Roaming\TextNotepad\Unistore	Code function: 1_2_00000001400032D8	1_2_00000001400032D8
Source: C:\Users\user\AppData\Roaming\TextNotepad\Unistore	Code function: 1_2_0000000140009754	1_2_0000000140009754
Source: C:\Users\user\AppData\Roaming\TextNotepad\Unistore	Code function: 1_2_0000000140006BC8	1_2_0000000140006BC8
Source: C:\Users\user\AppData\Roaming\TextNotepad\Unistore	Code function: 1_2_00000001401BBFD5	1_2_00000001401BBFD5

Source: Joe Sandbox View

Dropped File: C:\Users\user\AppData\Roaming\TextNotepad\Unistore EA310CC4FD4E8669E014FF417286DA5EDF2D3BEF20ABFB0A4F4951AFE260D33D

Source: Q1xEDBAmY5.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Unistore.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: Q1xEDBAmY5.exe, 00000000.00000003.334294259.00000000004E4000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameClassicStartMenu.exe< vs Q1xEDBAmY5.exe
Source: Q1xEDBAmY5.exe	Binary or memory string: OriginalFilenameClassicStartMenu.exe< vs Q1xEDBAmY5.exe

Source: Q1xEDBAmY5.exe	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: Unistore.0.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal100.rans.evad.winEXE@17/191@0/0

Source: C:\Users\user\Desktop\Q1xEDBAmY5.exe

Code function: 0_2_0000000140003734 GetDiskFreeSpaceExW,

0_2_0000000140003734

Source: C:\Users\user\Desktop\Q1xEDBAmY5.exe

File created: C:\Users\user\AppData\Roaming\TextNotepad

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4936:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3528:120:WilError_01

Source: Q1xEDBAmY5.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Q1xEDBAmY5.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Q1xEDBAmY5.exe	Metadefender: Detection: 50%
Source: Q1xEDBAmY5.exe	ReversingLabs: Detection: 82%

Source: C:\Users\user\Desktop\Q1xEDBAmY5.exe

File read: C:\Users\user\Desktop\Q1xEDBAmY5.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Q1xEDBAmY5.exe 'C:\Users\user\Desktop\Q1xEDBAmY5.exe'
Source: C:\Users\user\Desktop\Q1xEDBAmY5.exe	Process created: C:\Users\user\AppData\Roaming\TextNotepad\Unistore C:\Users\user\AppData\Roaming\TextNotepad\Unistore /go
Source: C:\Users\user\AppData\Roaming\TextNotepad\Unistore	Process created: C:\Windows\System32\cmd.exe cmd /c waitfor /t 10 pause /d y & attrib -h 'C:\Users\user\AppData\Roaming\TextNotepad\Unistore' & del 'C:\Users\user\AppData\Roaming\TextNotepad\Unistore' & rd 'C:\Users\user\AppData\Roaming\TextNotepad\'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\waitfor.exe waitfor /t 10 pause /d y
Source: C:\Users\user\Desktop\Q1xEDBAmY5.exe	Process created: C:\Windows\System32\cmd.exe cmd /c waitfor /t 10 pause /d y & attrib -h 'C:\Users\user\Desktop\Q1xEDBAmY5.exe' & del 'C:\Users\user\Desktop\Q1xEDBAmY5.exe' & rd 'C:\Users\user\Desktop\'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\attrib.exe attrib -h 'C:\Users\user\AppData\Roaming\TextNotepad\Unistore'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\waitfor.exe waitfor /t 10 pause /d y
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\attrib.exe attrib -h 'C:\Users\user\Desktop\Q1xEDBAmY5.exe'
Source: C:\Users\user\Desktop\Q1xEDBAmY5.exe	Process created: C:\Users\user\AppData\Roaming\TextNotepad\Unistore C:\Users\user\AppData\Roaming\TextNotepad\Unistore /go	Jump to behavior
Source: C:\Users\user\Desktop\Q1xEDBAmY5.exe	Process created: C:\Windows\System32\cmd.exe cmd /c waitfor /t 10 pause /d y & attrib -h 'C:\Users\user\Desktop\Q1xEDBAmY5.exe' & del 'C:\Users\user\Desktop\Q1xEDBAmY5.exe' & rd 'C:\Users\user\Desktop\'	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TextNotepad\Unistore	Process created: C:\Windows\System32\cmd.exe cmd /c waitfor /t 10 pause /d y & attrib -h 'C:\Users\user\AppData\Roaming\TextNotepad\Unistore' & del 'C:\Users\user\AppData\Roaming\TextNotepad\Unistore' & rd 'C:\Users\user\AppData\Roaming\TextNotepad\'	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\waitfor.exe waitfor /t 10 pause /d y	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\attrib.exe attrib -h 'C:\Users\user\AppData\Roaming\TextNotepad\Unistore'	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\waitfor.exe waitfor /t 10 pause /d y	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\attrib.exe attrib -h 'C:\Users\user\Desktop\Q1xEDBAmY5.exe'	Jump to behavior

Source: Q1xEDBAmY5.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: Q1xEDBAmY5.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: Q1xEDBAmY5.exe

Static file information: File size 1915904 > 1048576

Source: Q1xEDBAmY5.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x1c9800

Data Obfuscation:

Detected unpacking (changes PE section rights)

Show sources

Source: C:\Users\user\Desktop\Q1xEDBAmY5.exe	Unpacked PE file: 0.2.Q1xEDBAmY5.exe.140000000.2.unpack .text:ER;.rdata:R;.data:W;.pdata:R;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.pdata:R;.bss:R;.obX0:ER;.rsrc:R;
Source: C:\Users\user\AppData\Roaming\TextNotepad\Unistore	Unpacked PE file: 1.2.Unistore.140000000.2.unpack .text:ER;.rdata:R;.data:W;.pdata:R;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.pdata:R;.bss:R;.obX0:ER;.rsrc:R;

Detected unpacking (overwrites its own PE header)

Show sources

Source: C:\Users\user\Desktop\Q1xEDBAmY5.exe	Unpacked PE file: 0.2.Q1xEDBAmY5.exe.140000000.2.unpack
Source: C:\Users\user\AppData\Roaming\TextNotepad\Unistore	Unpacked PE file: 1.2.Unistore.140000000.2.unpack

Source: C:\Users\user\Desktop\Q1xEDBAmY5.exe	Code function: 0_2_000000014000E00A push rdi; ret	0_2_000000014000E00B
Source: C:\Users\user\Desktop\Q1xEDBAmY5.exe	Code function: 0_2_0000000140016CE6 push rcx; retf	0_2_0000000140016CF1
Source: C:\Users\user\Desktop\Q1xEDBAmY5.exe	Code function: 0_2_00000001401B8D30 push qword ptr [000000014000B0A0h]; ret	0_2_00000001401B8EA1
Source: C:\Users\user\Desktop\Q1xEDBAmY5.exe	Code function: 0_2_000000014001927A push rbp; iretd	0_2_000000014001928A
Source: C:\Users\user\Desktop\Q1xEDBAmY5.exe	Code function: 0_2_00000001400AE6A0 push qword ptr [000000014000B328h]; ret	0_2_00000001400AE6A6
Source: C:\Users\user\Desktop\Q1xEDBAmY5.exe	Code function: 0_2_0000000140017E9F push rdi; retf	0_2_0000000140017EAE
Source: C:\Users\user\Desktop\Q1xEDBAmY5.exe	Code function: 0_2_000000014009B6D7 push qword ptr [000000014000B330h]; ret	0_2_000000014009B6DD
Source: C:\Users\user\Desktop\Q1xEDBAmY5.exe	Code function: 0_2_0000000140007BDD push rax; ret	0_2_0000000140007BE6
Source: C:\Users\user\Desktop\Q1xEDBAmY5.exe	Code function: 0_2_02103A1F push edx; ret	0_2_02103A22
Source: C:\Users\user\Desktop\Q1xEDBAmY5.exe	Code function: 0_2_02105A04 push FA262755h; retf	0_2_02105A0B
Source: C:\Users\user\Desktop\Q1xEDBAmY5.exe	Code function: 0_2_021062D4 push ecx; ret	0_2_021062FD
Source: C:\Users\user\Desktop\Q1xEDBAmY5.exe	Code function: 0_2_021052C6 push edx; iretd	0_2_021052D0
Source: C:\Users\user\Desktop\Q1xEDBAmY5.exe	Code function: 0_2_02102360 push ecx; ret	0_2_02102389
Source: C:\Users\user\Desktop\Q1xEDBAmY5.exe	Code function: 0_2_0210238B push ecx; ret	0_2_02102389
Source: C:\Users\user\Desktop\Q1xEDBAmY5.exe	Code function: 0_2_02104BDE push ecx; ret	0_2_02104BE1
Source: C:\Users\user\Desktop\Q1xEDBAmY5.exe	Code function: 0_2_02108BFD push ecx; ret	0_2_02108C19
Source: C:\Users\user\Desktop\Q1xEDBAmY5.exe	Code function: 0_2_0210600B push ecx; iretd	0_2_02106040
Source: C:\Users\user\Desktop\Q1xEDBAmY5.exe	Code function: 0_2_0210502E push ecx; ret	0_2_02105045
Source: C:\Users\user\Desktop\Q1xEDBAmY5.exe	Code function: 0_2_0210384E push ebp; ret	0_2_02103858
Source: C:\Users\user\Desktop\Q1xEDBAmY5.exe	Code function: 0_2_021050E2 push ebp; iretd	0_2_02105158
Source: C:\Users\user\Desktop\Q1xEDBAmY5.exe	Code function: 0_2_02107135 push 2E52FD49h; ret	0_2_02107153
Source: C:\Users\user\Desktop\Q1xEDBAmY5.exe	Code function: 0_2_0210293E push edx; ret	0_2_02102985
Source: C:\Users\user\Desktop\Q1xEDBAmY5.exe	Code function: 0_2_02105123 push ebp; iretd	0_2_02105158
Source: C:\Users\user\Desktop\Q1xEDBAmY5.exe	Code function: 0_2_02105190 push ebp; iretd	0_2_02105158
Source: C:\Users\user\Desktop\Q1xEDBAmY5.exe	Code function: 0_2_021061AE push eax; retf	0_2_021061BB
Source: C:\Users\user\Desktop\Q1xEDBAmY5.exe	Code function: 0_2_0210364E push 6879ACCAh; iretd	0_2_02103667
Source: C:\Users\user\Desktop\Q1xEDBAmY5.exe	Code function: 0_2_02109EA3 push es; retf	0_2_02109EA8
Source: C:\Users\user\Desktop\Q1xEDBAmY5.exe	Code function: 0_2_0210876D push esi; ret	0_2_021087A7
Source: C:\Users\user\Desktop\Q1xEDBAmY5.exe	Code function: 0_2_02108791 push esi; ret	0_2_021087A7
Source: C:\Users\user\Desktop\Q1xEDBAmY5.exe	Code function: 0_2_02108F99 push ebx; ret	0_2_02108F9A
Source: C:\Users\user\Desktop\Q1xEDBAmY5.exe	Code function: 0_2_021047CD push 9D6EFE5Dh; ret	0_2_021047D3

Source: initial sample	Static PE information: section name: .text entropy: 7.93629055935
Source: initial sample	Static PE information: section name: .text entropy: 7.93629055935

Persistence and Installation Behavior:

Uses cmd line tools excessively to alter registry or file data

Show sources

Source: C:\Windows\System32\cmd.exe	Process created: attrib.exe
Source: C:\Windows\System32\cmd.exe	Process created: attrib.exe
Source: C:\Windows\System32\cmd.exe	Process created: attrib.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: attrib.exe	Jump to behavior

Source: C:\Users\user\Desktop\Q1xEDBAmY5.exe

File created: C:\Users\user\AppData\Roaming\TextNotepad\Unistore

Jump to dropped file

Source: C:\Users\user\Desktop\Q1xEDBAmY5.exe

File created: C:\Users\user\AppData\Roaming\TextNotepad\Unistore

Jump to dropped file

Source: C:\Users\user\Desktop\Q1xEDBAmY5.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TextNotepad\Unistore	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\waitfor.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\waitfor.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\waitfor.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\waitfor.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Tries to detect virtualization through RDTSC time measurements

Show sources

Source: C:\Users\user\Desktop\Q1xEDBAmY5.exe	RDTSC instruction interceptor: First address: 0000000140174702 second address: 000000014017470C instructions: 0x00000000 rdtsc 0x00000002 cbw 0x00000004 pop edi 0x00000005 inc esp 0x00000006 xchg cl, ch 0x00000008 inc ecx 0x00000009 pop ebp 0x0000000a rdtsc
Source: C:\Users\user\AppData\Roaming\TextNotepad\Unistore	RDTSC instruction interceptor: First address: 000000014017A2D8 second address: 000000014017A2FE instructions: 0x00000000 rdtsc 0x00000002 cdq 0x00000003 inc ecx 0x00000004 pop ecx 0x00000005 inc eax 0x00000006 setnb ch 0x00000009 cmovo bp, di 0x0000000d dec ecx 0x0000000e movsx eax, bp 0x00000011 pop ecx 0x00000012 pop ebp 0x00000013 inc ecx 0x00000014 pop edx 0x00000015 lahf 0x00000016 pop ebx 0x00000017 inc ecx 0x00000018 mov bl, ACh 0x0000001a inc cx 0x0000001c movzx edx, dh 0x0000001f inc bp 0x00000021 cmovnle ebx, edx 0x00000024 inc ecx 0x00000025 pop ebx 0x00000026 rdtsc
Source: C:\Users\user\AppData\Roaming\TextNotepad\Unistore	RDTSC instruction interceptor: First address: 00000001401486B6 second address: 00000001401486BF instructions: 0x00000000 rdtsc 0x00000002 cdq 0x00000003 inc ecx 0x00000004 pop edx 0x00000005 pop ebx 0x00000006 lahf 0x00000007 inc ecx 0x00000008 pop ebx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Q1xEDBAmY5.exe	RDTSC instruction interceptor: First address: 00000001401486B6 second address: 00000001401486BF instructions: 0x00000000 rdtsc 0x00000002 cdq 0x00000003 inc ecx 0x00000004 pop edx 0x00000005 pop ebx 0x00000006 lahf 0x00000007 inc ecx 0x00000008 pop ebx 0x00000009 rdtsc

Source: C:\Users\user\Desktop\Q1xEDBAmY5.exe

Code function: 0_2_000000014013B8F9 rdtsc

0_2_000000014013B8F9

Source: C:\Users\user\Desktop\Q1xEDBAmY5.exe

API coverage: 9.9 %

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\Q1xEDBAmY5.exe

Code function: 0_2_00000001401B86FF GetLogicalDriveStringsW,HeapAlloc,GetLogicalDriveStringsW,lstrlenW,QueryDosDeviceW,lstrlenW,StrCmpNIW,HeapFree,

0_2_00000001401B86FF

Source: C:\Users\user\Desktop\Q1xEDBAmY5.exe

Code function: 0_2_000000014013B8F9 rdtsc

0_2_000000014013B8F9

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\waitfor.exe waitfor /t 10 pause /d y	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\attrib.exe attrib -h 'C:\Users\user\AppData\Roaming\TextNotepad\Unistore'	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\waitfor.exe waitfor /t 10 pause /d y	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\attrib.exe attrib -h 'C:\Users\user\Desktop\Q1xEDBAmY5.exe'	Jump to behavior

Source: C:\Users\user\Desktop\Q1xEDBAmY5.exe

Code function: 0_2_0000000140007D62 GetVersion,lstrlenW,lstrlenW,HeapFree,HeapFree,

0_2_0000000140007D62

Source: C:\Users\user\AppData\Roaming\TextNotepad\Unistore

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Users\user\AppData\Roaming\TextNotepad\Unistore	Directory queried: C:\Users\Default\Documents	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TextNotepad\Unistore	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TextNotepad\Unistore	Directory queried: C:\Users\user\Documents\BNAGMGSPLO	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TextNotepad\Unistore	Directory queried: C:\Users\user\Documents\BPMLNOBVSB	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TextNotepad\Unistore	Directory queried: C:\Users\user\Documents\IPKGELNTQY	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TextNotepad\Unistore	Directory queried: C:\Users\user\Documents\LSBIHQFDVT	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TextNotepad\Unistore	Directory queried: C:\Users\user\Documents\NIKHQAIQAU	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TextNotepad\Unistore	Directory queried: C:\Users\user\Documents\PWCCAWLGRE	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TextNotepad\Unistore	Directory queried: C:\Users\user\Documents\WKXEWIOTXI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TextNotepad\Unistore	Directory queried: C:\Users\user\Documents\ZBEDCJPBEY	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TextNotepad\Unistore	Directory queried: C:\Users\user\Documents\ZTGJILHXQB	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TextNotepad\Unistore	Directory queried: C:\Users\Public\Documents	Jump to behavior

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Command and Scripting Interpreter1	Path Interception	Process Injection11	Masquerading11	OS Credential Dumping	Security Software Discovery21	Remote Services	Archive Collected Data11	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Data Encrypted for Impact1
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Process Injection11	LSASS Memory	File and Directory Discovery11	Remote Desktop Protocol	Data from Local System1	Exfiltration Over Bluetooth	Junk Data	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information2	Security Account Manager	System Information Discovery14	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Software Packing22	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	File Deletion1	LSA Secrets	Remote System Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
Q1xEDBAmY5.exe	53%	Metadefender		Browse
Q1xEDBAmY5.exe	83%	ReversingLabs	Win64.Ransomware.Crypmodng

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\TextNotepad\Unistore	53%	Metadefender		Browse
C:\Users\user\AppData\Roaming\TextNotepad\Unistore	83%	ReversingLabs	Win64.Ransomware.Crypmodng

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

No contacted domains info

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version:	31.0.0 Emerald
Analysis ID:	377652
Start date:	29.03.2021
Start time:	20:52:30
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 5m 8s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	Q1xEDBAmY5 (renamed file extension from none to exe)
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	10
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.rans.evad.winEXE@17/191@0/0
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 41.8% (good quality ratio 21.6%) Quality average: 28% Quality standard deviation: 32.8%
HCA Information:	Failed
Cookbook Comments:	Adjust boot time Enable AMSI Stop behavior analysis, all processes terminated
Warnings:	Show All VT rate limit hit for: /opt/package/joesandbox/database/analysis/377652/sample/Q1xEDBAmY5.exe

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
C:\Users\user\AppData\Roaming\TextNotepad\Unistore	19BVpBUTg1.exe	Get hash	malicious	Browse

Created / dropped Files

C:\MSOCache\All Users\{90160000-0011-0000-0000-0000000FF1CE}-C\HOW-TO-DECRYPT-gn9cj.txt Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	Little-endian UTF-16 Unicode text, with CRLF, CR line terminators
Category:	dropped
Size (bytes):	3274
Entropy (8bit):	3.3969029202767174
Encrypted:	false
SSDEEP:	48:rLrZ6kkqzuDVm6eRU5oKDIBE2qxOzOwUq7ZU/d9PfDoIwe1Nn2oEdFdb:r/L+m6NJ6JOwZgd9PrRNQ
MD5:	0C6D0A67B942D06FE27F41C7C582CDFE
SHA1:	7E674CF6375B138CABCA2706583D4CED7A1AEF27
SHA-256:	014EA5EFFC97085B7832512B9AD2A5C4487265EB67E8D7B0920EF2BC8768400C
SHA-512:	53EC4509BC58F53419A8923D808C7DFDECF57DC203C37265D061AEBAB73147720D1C419E79578065A42C3B2A63504370F90516C3F0AFAD5D6997952592D3A39C
Malicious:	true
Reputation:	low
Preview:	..[.+.]. .W.h.a.t. .h.a.p.p.e.n.e.d.?. .[.+.].........Y.o.u.r. .f.i.l.e.s. .a.r.e. .e.n.c.r.y.p.t.e.d.,. .a.n.d. .c.u.r.r.e.n.t.l.y. .u.n.a.v.a.i.l.a.b.l.e... .Y.o.u. .c.a.n. .c.h.e.c.k. .i.t.:. .a.l.l. .f.i.l.e.s. .o.n. .y.o.u. .c.o.m.p.u.t.e.r. .h.a.s. .e.x.t.e.n.s.i.o.n. .*...g.n.9.c.j.....B.y. .t.h.e. .w.a.y.,. .e.v.e.r.y.t.h.i.n.g. .i.s. .p.o.s.s.i.b.l.e. .t.o. .r.e.c.o.v.e.r. .(.r.e.s.t.o.r.e.).,. .b.u.t. .y.o.u. .n.e.e.d. .t.o. .f.o.l.l.o.w. .o.u.r. .i.n.s.t.r.u.c.t.i.o.n.s... .O.t.h.e.r.w.i.s.e.,. .y.o.u. .c.a.n.t. .g.e.t. .b.a.c.k. .y.o.u.r. .d.a.t.a. .(.N.E.V.E.R.)...........[.+.]. .W.h.a.t. .g.u.a.r.a.n.t.e.e.s.?. .[.+.].........I.t.s. .j.u.s.t. .a. .b.u.s.i.n.e.s.s... .W.e. .a.b.s.o.l.u.t.e.l.y. .d.o. .n.o.t. .c.a.r.e. .a.b.o.u.t. .y.o.u. .a.n.d. .y.o.u.r. .d.e.a.l.s.,. .e.x.c.e.p.t. .g.e.t.t.i.n.g. .b.e.n.e.f.i.t.s... .I.f. .w.e. .d.o. .n.o.t. .d.o. .o.u.r. .w.o.r.k. .a.n.d. .l.i.a.b.i.l.i.t.i.e.s. .-. .n.o.b.o.d.y. .w.i.l.l. .c.o.o.p.e.r.a.t.e. .w.i.t.h. .u.s... .I.t.s. .

C:\MSOCache\All Users\{90160000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.gn9cj Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1056
Entropy (8bit):	7.810651551272016
Encrypted:	false
SSDEEP:	24:xGf0/bxybVo/Up6Vd2stAAlRrVTI//BAS7v3IE6CxJYql:0G0+/UMH2qFlZMpv7vYKYql
MD5:	3C2B3AF93CA0EFD930920834C441CEB8
SHA1:	92FFEEF6C568F035E88D0F206F5BA759466A0C51
SHA-256:	322A2F32473F712FA26B11FAB93B1F906F6A109019F3E1C28E1CF7C61C83DBBA
SHA-512:	3783FFED340287604248FB0056BAFF4CE7989ECC65FC19A84CDD05DFA95C4BF3FD43E0C598685F40AD5D8ED4F9E89A1F4289B331233EF54FDEFDFCDB028701A3
Malicious:	false
Reputation:	low
Preview:	An+.c..<.....,...l.pX.Q].../.\e+c.]...k.Q.-j.H.I.BI;.+b...lzXK....i..b.q.Y.{ #.rY...T..[u..u.p.9=/gX.nt`.&.R.95..=..<.......m].V...Za]2......>.c...2......4...k...2,..H:.F]M'.....'E{....1...HD..1....A].#....J...K..@]..J....S..f.......Tr.S6...f.3.o.t)X.\.LY..VS.E....o.....(.<..q.N..{......-.5.\.......h..a$....>6..._.u.Z..b..(d}.]...V&...h!N.K .t.y2....)....';A.dMt........^.9C.,l.7.."k..d8;.T.5.5.x`.%n..^t./...(.s\|1.@..........~[...E.@z,T.......HX.....H..b2V...P.f..;86z.+(.3":j..C.O.... .4../...?...~.....n.\|.R......,."........af.....a.z.V..3.V.'..k.\..]..V.H..u@.zm..y..y.L......m...#u....R!.&.p......9+..~./Q......F.5..'....j..]Z1...!<...`m...]..;K.(.......g...'.....2"....#fQS.. .......s.v...".x..r#R...S.!....Sw.v........eW..6.f ...k.$..>F.Jb{.....(.#..}.1....[.h.....P.\.K3...v.!.t......A...ifr.J..)...U.!cg...@.L.B.qO..a+.{D......5T...^..c.A...[.......qL)d-.I...q...\}..E.]G{.O.M....[x..+{wH.7....Z.^..).j..../C=c...{V..n.x%N..<..U!.t...\|......tX#

C:\MSOCache\All Users\{90160000-0011-0000-0000-0000000FF1CE}-C\ProPlusWW.xml.gn9cj Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1068
Entropy (8bit):	7.8113967262060635
Encrypted:	false
SSDEEP:	24:KfBXuxK6ESNi8DYCbZA1dbj+hjwpd1gqfPKmotJn1SXQWFG:KfBXuxK6RrFadX+h8pE8KlmG
MD5:	996C2AB3AADFFC386D641851D5B94524
SHA1:	2665FE2219596D21C0BA3528FE91DD47DD06C43D
SHA-256:	B49080ECB70CD0C025ED338B286C16EE0DBB7115B1C12EF90889AE534760E2BE
SHA-512:	B9EEE5E8E5CAFD1B832B589458140AAC89391002B3951FE303C86D78477261F71FFDC41E571F54259E743143B217A0A9EB57CC1DC05D166CB7803682B0D65878
Malicious:	false
Preview:	a..t.P_.....B..zwP.n....]Y.tN.....W.+....\|........E-.Bb.f!3C!O5)ATPY.\..5@.).>P_.[..9\..j:(..... .....U...0k.D.FN./.E...qc....>.P...X_.Yz..l$".1...7......y.Ex....Rp1..E............;`.....g91kr./..x....;g}/}.!.'..b.x0!..Q..=Oz.U.I...5...$........o...Fd.~...mN.c..&...41..5..NY.2.n...k..H,.......OJ.{.N.XN..r....h...P.`.. .....O.S.....l......qS4..$...3\|.!.....7H."p6.s.^...TI.%a.U....L..9.g....3?,..v.}..7./j..y13B._A.q..I@.Qq.1..Y...].s.GR..!.Xm.M..b@C..k..5...=.X".r-.B.h....{.sO.....T.U..u..'...g..2.8..;o....1...^].....n.\|.R......,...CD..K..$P...%..Ik.7^..U./I.@.'=.....P\|G...z.........Q.#"M.B";.....).f.q...[.S..x+.P.o.....w.E.....?...(.H.`......4(,...Z.+@.... ...H..j..C.I.Qwc......Z1,.!.......h/E.L.&.W..j...k..u..X!..B....{....]...G[..'..F...Z...;.VH.O......wd...^.J.... ..IMK.....B.QS'.Uy`......0..Bt.!..x........O....p.E...Y.H.^b.1..T...w9.."../......`..Cg...u.!...G.a.bGE...Fz..h.b'.[.>I.f.'.y&M.-..).j.m....:...'.[oU.\.>...xV$k/....B.G..9..:$.

C:\MSOCache\All Users\{90160000-0011-0000-0000-0000000FF1CE}-C\Setup.xml.gn9cj Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1066
Entropy (8bit):	7.813487479500333
Encrypted:	false
SSDEEP:	24:PlVG0Ch8Xmeb1/4bXgPMyCaLdhvztfAFpKoyasuBOHGDl:dVha8l/Rn3ztf4MapBmQ
MD5:	8789103E892AFFA247CDF874184E5C37
SHA1:	E4E8EB93771B1403EA58B862A95A695406E3ED57
SHA-256:	9E73DAED90576D3362C59E7576328127DE79ACFEE79DB15F77BA95D4C5402F20
SHA-512:	F135416362E938954106BEB1FD688EC2CCBAB7CA2FC14F089B3467CF4A0BEA3382175498651D6CDAC09EE2935E7BEE2B41744F92C020A5D12D4575279737740C
Malicious:	false
Preview:	.H...c.A.6..-....I....A.NP.V{R..&NsN T.b\>o.U%...........6...>...[A%RoK...}....X.(...BF...7.hVMx#Q.[..0,..6\|~..=.31...:..J.U.K.qQ.).o..#...{.+.#...A3..j..E..(.?y.T......c..Y.6.9m....},+..^b....o._.(.@.z..>.....Yt...6..p8V.....3o...0:....h...A..!..@....>d.0.A)>..F.... ...;.Ik'. .{m.gYJ#x..S...B...y.;r./E..3.9..G.Y9;...s....sH.j..q.....xn.c.5.U....1.8.? ....f.:...Q..>.U!............d.E.-...~.<%5..K...kK....@y!S.J4....9........T...Q.D...~V./.....W.c....yN./.........T.k...\|..v.I..G...... .^}...F.(.~<.]..Y-...\|Y.....n.\|.R......,.....N{...'.....g@...>1.P...t.s.C.}....1Of$.V.N.&..c.....,]m.w..)..Y. 7.H..\|F.....Y.uN.p_E.._T...<R'.m....%.B.a..Yq..`.k.z.Gz.1..c.........e..Ks.N.#.k....pJ".H&o.z..3...qa.^Ou...-.4r..SZ.L.X...G%C..hq].I..p0.......$..oM...G..&.w.R+l.]..Q...$.`.........q..7P..4.....9.D...P}.BN.\|.a+.9.B..QLV...cd......`3...)..i....Zq...G.R!>G^R.Q...b......v......}T.,...J\...Y...v(.\,....(.~L..2.gF.V...C..9R._.....c"...$L..-)]..m.E"..z...x..3Q].

C:\MSOCache\All Users\{90160000-0011-0000-0000-0000000FF1CE}-C\pkeyconfig-office.xrm-ms.gn9cj Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1061
Entropy (8bit):	7.830011591016198
Encrypted:	false
SSDEEP:	24:NB6z9Yf6+pyjrUTxNJwTjabm1BJ7pGK5I2fjLCO+Q3nEeB:NBw9YffyjrUTxNSnym1BXTuo96g
MD5:	CFBD7199E60DAD3B8A470A48BB503336
SHA1:	98BF37673665D95CEA1B88B6686C50E7C0E4DD76
SHA-256:	9CACA9A42281EB113C207CDC57E3A9E055E99ABBC5C79C6E3F26957FEC21E7D1
SHA-512:	806A8DC89AD68D3E6F8FFD788B05703FBEB790E10664821880C3D7D05A1AD352AD20F11266E40EA3F88E85942187684EA3A176DBBD9133C8367CE23165987C24
Malicious:	false
Preview:	.+..v.....)..".E.....AeG.P..".....Qq...v.1#..\&U.;...").C.,.d..6i]....F....+.i...$i...P..<..u:k..,4.\|f{,..Z.$_"..H..S6Y..V.P...e.R.....}.m.'M.$e..$b..z.(../.w.e ......~..6.....)....o.B.w[..W.M.?......B...l(T.....[.(R.........4.....gC..m.....PZA$....F......Ssv.6)+.]$Tr...x../.....W!.t}lTe.y.".z...m..y..c..-..RF.....i.-Y..:U..^Jj..7f...C]U....l..j......I..d.....QU./....Bh..t..z.+....Z.7...k..J?g`F...E..dF.!T%3.L...t..7...!0+..... cB.h.I.l.GR.."....uL.`....p.+2\|..&.wI.}..N.x....5.i..,NZ..NU.h........n.\|.R......,.;....3.A.0.....Q..V.2......k#.z<Wv.\|...n..G6.9. ....9...2..='x(......z.."._I}.1..\%...{.}....3.\V.i....G]H.l../.E..<'>.3.....y..V...e..V.a.s.ea.D....m.O._..$.....R..W.o....'.!L.Zr.....qP....Q...E.J.....l-Q..#}.X'.H.Z.R5)^.X.9^.zE.7...!2R~..$g....u....ZV~..GN. .#Q.......vUCf7.F....c.Th..c..s.Vj7.-.&..+@.s.P.0k..9..3}\|z.....N..p..q.Y>...1.Q..V(.%z....r@.YW.*.t...x.9f.y^?.g;X...h.{s).....1&.<@..(.@...vX.f..me.#av....M...V..X..

C:\MSOCache\All Users\{90160000-0016-0409-0000-0000000FF1CE}-C\ExcelMUI.xml.gn9cj Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1068
Entropy (8bit):	7.8089942896384335
Encrypted:	false
SSDEEP:	24:FqTFQzkEvHtLhJnOnw43h5RvL5LqiKGup:cTIxvtbu3hj9LqIup
MD5:	3679DF3021F73DD24746B76BFB15D00D
SHA1:	67BE3165DDAE5BB1BFF5EA16347703B85F8D1863
SHA-256:	A90A93533DFA94809FD47945D5C43D5C2A76CFD72904C603554B8EE0282AC95D
SHA-512:	F7A68B0E0AFC74239F51F0BFF159DCCFEF45978B40C73530418194815B2E38E5F4BE3A430C264CC76DA563535BD5C977899F2C7D0B783C2B8B9FE05BB172BB87
Malicious:	false
Preview:	.A..q..a.s;..3ga....7.U...Q..&.ZM.L..)..i.:1^.E_...;.\0..O.....I..A.v.+......Z......5I....A.....t.g>.d......vcA.6.o.9.+).\?&..nB..xXT.uE\|.JR2.AG.$/.+dv'.Z....TU.Q..p.......#l......"+Xo.b.}.....9:.\WE..=YQ..wV.)o'...q+.wbi..;K.y..t{......g...C..+.{...`....w...0Zf~.m..L.r.H.Lxy.$Uqz&H....:.`v=wq......6.L..].{.:..W0.ta..(........6..`..u.O\....SxMvt....^b..h..>...6..@...:....aaV.X.......<....+.....e..N..^.p.XD X...J..~....(..+XY..H0..O\|.'..;...5...k.. .].iq&j#.......eK...B.7L..\Fa.$n3.....:..G....$.W....../...l2k......n.\|.R......,MRIu............t'..hW.....Z...uG[..v..S..5...%.7.9."...E...dPs........;..i....?].=S...f..NVl..O.F..../.....p.O_0^.l.X..l.s....3.G&..dr..A=.+.5......G..>.L.d....Yil......H(=!..l.e......%.\/.pI..M.XSI.....28.Aa.}..<.#......`h.+.#C@%@)._Z+.B.......*.yr.\|..........7T..of./.!...k.X....T......t.P.P..Q@.....K.J.\|".7N....-...U.x..].............-. y.Y..........i........ET@q..&.P..[..p0...7'1d.....z..%5.t..w.#.."..E..;..f.i..9.....+0

C:\MSOCache\All Users\{90160000-0016-0409-0000-0000000FF1CE}-C\HOW-TO-DECRYPT-gn9cj.txt Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	Little-endian UTF-16 Unicode text, with CRLF, CR line terminators
Category:	dropped
Size (bytes):	3274
Entropy (8bit):	3.3969029202767174
Encrypted:	false
SSDEEP:	48:rLrZ6kkqzuDVm6eRU5oKDIBE2qxOzOwUq7ZU/d9PfDoIwe1Nn2oEdFdb:r/L+m6NJ6JOwZgd9PrRNQ
MD5:	0C6D0A67B942D06FE27F41C7C582CDFE
SHA1:	7E674CF6375B138CABCA2706583D4CED7A1AEF27
SHA-256:	014EA5EFFC97085B7832512B9AD2A5C4487265EB67E8D7B0920EF2BC8768400C
SHA-512:	53EC4509BC58F53419A8923D808C7DFDECF57DC203C37265D061AEBAB73147720D1C419E79578065A42C3B2A63504370F90516C3F0AFAD5D6997952592D3A39C
Malicious:	false
Preview:	..[.+.]. .W.h.a.t. .h.a.p.p.e.n.e.d.?. .[.+.].........Y.o.u.r. .f.i.l.e.s. .a.r.e. .e.n.c.r.y.p.t.e.d.,. .a.n.d. .c.u.r.r.e.n.t.l.y. .u.n.a.v.a.i.l.a.b.l.e... .Y.o.u. .c.a.n. .c.h.e.c.k. .i.t.:. .a.l.l. .f.i.l.e.s. .o.n. .y.o.u. .c.o.m.p.u.t.e.r. .h.a.s. .e.x.t.e.n.s.i.o.n. .*...g.n.9.c.j.....B.y. .t.h.e. .w.a.y.,. .e.v.e.r.y.t.h.i.n.g. .i.s. .p.o.s.s.i.b.l.e. .t.o. .r.e.c.o.v.e.r. .(.r.e.s.t.o.r.e.).,. .b.u.t. .y.o.u. .n.e.e.d. .t.o. .f.o.l.l.o.w. .o.u.r. .i.n.s.t.r.u.c.t.i.o.n.s... .O.t.h.e.r.w.i.s.e.,. .y.o.u. .c.a.n.t. .g.e.t. .b.a.c.k. .y.o.u.r. .d.a.t.a. .(.N.E.V.E.R.)...........[.+.]. .W.h.a.t. .g.u.a.r.a.n.t.e.e.s.?. .[.+.].........I.t.s. .j.u.s.t. .a. .b.u.s.i.n.e.s.s... .W.e. .a.b.s.o.l.u.t.e.l.y. .d.o. .n.o.t. .c.a.r.e. .a.b.o.u.t. .y.o.u. .a.n.d. .y.o.u.r. .d.e.a.l.s.,. .e.x.c.e.p.t. .g.e.t.t.i.n.g. .b.e.n.e.f.i.t.s... .I.f. .w.e. .d.o. .n.o.t. .d.o. .o.u.r. .w.o.r.k. .a.n.d. .l.i.a.b.i.l.i.t.i.e.s. .-. .n.o.b.o.d.y. .w.i.l.l. .c.o.o.p.e.r.a.t.e. .w.i.t.h. .u.s... .I.t.s. .

C:\MSOCache\All Users\{90160000-0016-0409-0000-0000000FF1CE}-C\Setup.xml.gn9cj Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1070
Entropy (8bit):	7.82810674017785
Encrypted:	false
SSDEEP:	24:l1Ie517w/NWBwiYUULICupj54d6TUza/nvwifmxQ3nyFBkCtCvlrWy5SUB:lee5a/NWBJYFhuV54d6YInuQ3nsBxCYw
MD5:	E842C668DFC0D352B7C3A9DCE26E4D32
SHA1:	7686829769698E34DB79D82B4F32B7A9AD961C49
SHA-256:	8ADE94CB4BF789B660F14423F0D90D50A797E49ED5BFFC81C180EDB9D45B835A
SHA-512:	2B4B7C1DA74C1E6C085840129C92A3C18FDC1E4D0B0CD9BBFAFF36063B2CB35FCDB3A822477FF6D2A9CE0421DB636FA59752E78E43FFB7A12A3D78FCEB1D2AA7
Malicious:	false
Preview:	#...H...&...P..D.#.:s....>.......1.L..;:.1..z_m.._a..Y..C....Ny.Y+....".._.Mp]......<.._....}.c4.U.8.Ri........6^L.I....n....a..U.u].Pc.8., .!.Yq(...K..T...$. $)..&.VUFn:T.8..K........IS#h_\.T+...S.8.......a"..t.?..Cw....4y.=?y_+...JZ.L..%.F.~....~.P...k..4{....y.......7i...nkI?.._.f.."..k....l....@.-..F..a.qk....CH.....8.,.B.$c.J,...i.e..yc.....2...I..C.=...h!..!{x09.:\|;W.q..B..5....~."..k..`....T.~..d.#^)G...a.}j.....{......{.;......U..O...s.s.~..b8....C.qu..\|..y`H.o.^..b.g..$.........yW.\h...I....r.U.".....n.\|.R......,...j...._-W.'.\...^.....O...+.n...;.\|.1ZUs..(;.:tI..:..d...l.0M0....Q..z41.r....s..}.A.y....x%1}q...2...fau...._x)..$-....\.%.hV......qr.....a..U.M....4..[...Dug.\0d.S...0..}....r....~.[d.....M..C.z..)b)..?...:..h...Y..>.w......].w.l.%...<..C.Q..f....p...1.y..`>W...\......~"_...k.....%H`.....Q"...f1^.........'..9..+...:...VY~.O.5....c..WV../....9..K........R..+.z..g8.]'"..........>...s....l....ZY...O.uC..p....

C:\MSOCache\All Users\{90160000-0018-0409-0000-0000000FF1CE}-C\HOW-TO-DECRYPT-gn9cj.txt Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	Little-endian UTF-16 Unicode text, with CRLF, CR line terminators
Category:	dropped
Size (bytes):	3274
Entropy (8bit):	3.3969029202767174
Encrypted:	false
SSDEEP:	48:rLrZ6kkqzuDVm6eRU5oKDIBE2qxOzOwUq7ZU/d9PfDoIwe1Nn2oEdFdb:r/L+m6NJ6JOwZgd9PrRNQ
MD5:	0C6D0A67B942D06FE27F41C7C582CDFE
SHA1:	7E674CF6375B138CABCA2706583D4CED7A1AEF27
SHA-256:	014EA5EFFC97085B7832512B9AD2A5C4487265EB67E8D7B0920EF2BC8768400C
SHA-512:	53EC4509BC58F53419A8923D808C7DFDECF57DC203C37265D061AEBAB73147720D1C419E79578065A42C3B2A63504370F90516C3F0AFAD5D6997952592D3A39C
Malicious:	false
Preview:	..[.+.]. .W.h.a.t. .h.a.p.p.e.n.e.d.?. .[.+.].........Y.o.u.r. .f.i.l.e.s. .a.r.e. .e.n.c.r.y.p.t.e.d.,. .a.n.d. .c.u.r.r.e.n.t.l.y. .u.n.a.v.a.i.l.a.b.l.e... .Y.o.u. .c.a.n. .c.h.e.c.k. .i.t.:. .a.l.l. .f.i.l.e.s. .o.n. .y.o.u. .c.o.m.p.u.t.e.r. .h.a.s. .e.x.t.e.n.s.i.o.n. .*...g.n.9.c.j.....B.y. .t.h.e. .w.a.y.,. .e.v.e.r.y.t.h.i.n.g. .i.s. .p.o.s.s.i.b.l.e. .t.o. .r.e.c.o.v.e.r. .(.r.e.s.t.o.r.e.).,. .b.u.t. .y.o.u. .n.e.e.d. .t.o. .f.o.l.l.o.w. .o.u.r. .i.n.s.t.r.u.c.t.i.o.n.s... .O.t.h.e.r.w.i.s.e.,. .y.o.u. .c.a.n.t. .g.e.t. .b.a.c.k. .y.o.u.r. .d.a.t.a. .(.N.E.V.E.R.)...........[.+.]. .W.h.a.t. .g.u.a.r.a.n.t.e.e.s.?. .[.+.].........I.t.s. .j.u.s.t. .a. .b.u.s.i.n.e.s.s... .W.e. .a.b.s.o.l.u.t.e.l.y. .d.o. .n.o.t. .c.a.r.e. .a.b.o.u.t. .y.o.u. .a.n.d. .y.o.u.r. .d.e.a.l.s.,. .e.x.c.e.p.t. .g.e.t.t.i.n.g. .b.e.n.e.f.i.t.s... .I.f. .w.e. .d.o. .n.o.t. .d.o. .o.u.r. .w.o.r.k. .a.n.d. .l.i.a.b.i.l.i.t.i.e.s. .-. .n.o.b.o.d.y. .w.i.l.l. .c.o.o.p.e.r.a.t.e. .w.i.t.h. .u.s... .I.t.s. .

C:\MSOCache\All Users\{90160000-0018-0409-0000-0000000FF1CE}-C\PowerPointMUI.xml.gn9cj Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1059
Entropy (8bit):	7.814154809109892
Encrypted:	false
SSDEEP:	24:XQxdyDHTghq4HvallAKy3EyrZAZeIDOPajNxLvmsG8MbQ3b:U8TGq4H6lAKjeZAdSPapBGTwb
MD5:	8FA706BC0B39EF7C11073840E5E1C756
SHA1:	CC57A05E705F8136D8388A49424369A8F0D120F6
SHA-256:	C3D5528CD0B73F438E1A6743BAE072AF961B08897E19F6403EF431FE69049906
SHA-512:	54F065E366076BC59C0B45E99F14228C0E0BDEF64A5AEA9B5291361CF146907DBB9EF68A4EF448BB712719625A80F782C595F37C8A9E084104A61EAC83BD87C2
Malicious:	false
Preview:	..3v3.1...e..S......n.i.I.%.V`..o\CKxd.0.=L..C....c\|..E.JI.~..Q+......6.O.BeS..wzW.}.d]..e..q(P!.w..o....a.x.gD.0....Tt..h..l..l......6"@.0hmj.`%B...i;......._E...$.E.....t..!.!x.~E.U._.v~[...j.i..FGI.9.........\|-....'`..O..T.^P..f.l...Q...g....../D....U{S.?..XIA..t.Q.Z.\|!.2....D0M.=uQ.N..=p......../..<&(...jHl.f4.a{...C.C.&..h....)...}.=.j\|......9..$[...K.K....+.>...vh..+..>l#.i./...N*...p.i\...U.t4...w....h.m.GY....L2S)..N..G...k].=..7?k..s....A...,.q..2H.R.$.$)..E!.x..M9n.j9.\........j(..\|iVYnt.yfm.....f.+.....n.\|.R......,S"..7.k.....8.....m..pl.N....'....G{...1..A....F..7.....o..H...e....F.@zj_.1.pg...a....U..3............=..7...S...D6...i:q.@...#[.Cx77j...........b..D./1Hl....!.}..mi.....Y..q....b.eV.$R..(.4.{.L..u.@<pj......c.@.3../m....(..6...B.y..;.-.....~4.A..K............mQ.........`.6K.../...:X..G.:.i.C.fd~..k..%%.vqn. T.......mNy......'.).4.U4c..{~.7OAM.!...9...%..@.I.T.h...%ae..l1.]..=/3`O.$.2$.........._. Ua......x=...ikj.h.......W.;.

C:\MSOCache\All Users\{90160000-0018-0409-0000-0000000FF1CE}-C\Setup.xml.gn9cj Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1064
Entropy (8bit):	7.814839637795631
Encrypted:	false
SSDEEP:	24:V7omi9KhpTv5aXEptFcJer/txWCEWA9R60wvRjYuPHPf7Em62YxkbFb:V7omKkpTELJerFxqWEMOwH7E9xkxb
MD5:	CEF293CE7EAD8E10908334E1234414B5
SHA1:	5F001A1EF96E17BE6D0814D0B0B724F5E32B560A
SHA-256:	6D63DC28BD22BEC062A2E625608893F282A6DC4C2081BAE19B2BCB7A9C43E901
SHA-512:	1DF50FA7F4E4FD8991543EAE4CCB7B87038A10EDC7FB9E7C7A6CB9889CEB96CD1ECA1240F7B8BE69827F35E9B759A8CCD4CCB4E45F03FA97735EC4B86F956CF5
Malicious:	false
Preview:	E.p.%......ro.....nr.[......M=nO.D#.8...4.u...u&.&=...Y...'...Up(.........j<u..Sw.4....-f.k...M.K..\......to.Xu...U.$......A;.....t....GP....8.....tX(..46.0...v<.p..:.@..S...o....Hi.Z......j.4.....C...@.6N........C3...D..G-.......0....3......:.;..r.....r.cO.Mt?:@VN............%..l.Vs.W.{(E...6@.4....rQ.{.D@....0..(T...1.......{..x.....1.@...'F...&(.(..\....M...'..8i..@.wM...l]...l.eH3......v.S.....zKgl.Z....<....J...Z....g..x.L....9.L..O..9..m.!&.d.&...d..Y?7W.W..^..D.B.........u...5..z....k.k..i...6......&........n.\|.R......,........(.:u8<.F....u.?w^.>..j..g..A.a.O,k#....../.....J!P@.'y.>...-..........K0.u... ,.<(..^.t}.q...vP...&..q.=..Po5h.....k.T.z.......@...U.y>....C...Zd{a/[7.?'..FcX......6H..KEd.g/..........4B.:M.z.J.e.0R5D..].......zxm.....sG.... .n\|u...:Da.-.!..2e.[).J.G3....M.h..=.................S.2..^..4...H......RW/P....j...U.......h....3<W`..=...5"u.7....,.....N...w...#. '\|q.....@b....a..piCw.....V..].D...o2...7....E#...o...^.:."

C:\MSOCache\All Users\{90160000-0019-0409-0000-0000000FF1CE}-C\HOW-TO-DECRYPT-gn9cj.txt Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	Little-endian UTF-16 Unicode text, with CRLF, CR line terminators
Category:	dropped
Size (bytes):	3274
Entropy (8bit):	3.3969029202767174
Encrypted:	false
SSDEEP:	48:rLrZ6kkqzuDVm6eRU5oKDIBE2qxOzOwUq7ZU/d9PfDoIwe1Nn2oEdFdb:r/L+m6NJ6JOwZgd9PrRNQ
MD5:	0C6D0A67B942D06FE27F41C7C582CDFE
SHA1:	7E674CF6375B138CABCA2706583D4CED7A1AEF27
SHA-256:	014EA5EFFC97085B7832512B9AD2A5C4487265EB67E8D7B0920EF2BC8768400C
SHA-512:	53EC4509BC58F53419A8923D808C7DFDECF57DC203C37265D061AEBAB73147720D1C419E79578065A42C3B2A63504370F90516C3F0AFAD5D6997952592D3A39C
Malicious:	false
Preview:	..[.+.]. .W.h.a.t. .h.a.p.p.e.n.e.d.?. .[.+.].........Y.o.u.r. .f.i.l.e.s. .a.r.e. .e.n.c.r.y.p.t.e.d.,. .a.n.d. .c.u.r.r.e.n.t.l.y. .u.n.a.v.a.i.l.a.b.l.e... .Y.o.u. .c.a.n. .c.h.e.c.k. .i.t.:. .a.l.l. .f.i.l.e.s. .o.n. .y.o.u. .c.o.m.p.u.t.e.r. .h.a.s. .e.x.t.e.n.s.i.o.n. .*...g.n.9.c.j.....B.y. .t.h.e. .w.a.y.,. .e.v.e.r.y.t.h.i.n.g. .i.s. .p.o.s.s.i.b.l.e. .t.o. .r.e.c.o.v.e.r. .(.r.e.s.t.o.r.e.).,. .b.u.t. .y.o.u. .n.e.e.d. .t.o. .f.o.l.l.o.w. .o.u.r. .i.n.s.t.r.u.c.t.i.o.n.s... .O.t.h.e.r.w.i.s.e.,. .y.o.u. .c.a.n.t. .g.e.t. .b.a.c.k. .y.o.u.r. .d.a.t.a. .(.N.E.V.E.R.)...........[.+.]. .W.h.a.t. .g.u.a.r.a.n.t.e.e.s.?. .[.+.].........I.t.s. .j.u.s.t. .a. .b.u.s.i.n.e.s.s... .W.e. .a.b.s.o.l.u.t.e.l.y. .d.o. .n.o.t. .c.a.r.e. .a.b.o.u.t. .y.o.u. .a.n.d. .y.o.u.r. .d.e.a.l.s.,. .e.x.c.e.p.t. .g.e.t.t.i.n.g. .b.e.n.e.f.i.t.s... .I.f. .w.e. .d.o. .n.o.t. .d.o. .o.u.r. .w.o.r.k. .a.n.d. .l.i.a.b.i.l.i.t.i.e.s. .-. .n.o.b.o.d.y. .w.i.l.l. .c.o.o.p.e.r.a.t.e. .w.i.t.h. .u.s... .I.t.s. .

C:\MSOCache\All Users\{90160000-0019-0409-0000-0000000FF1CE}-C\PublisherMUI.xml.gn9cj Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1058
Entropy (8bit):	7.816813126637524
Encrypted:	false
SSDEEP:	24:pT4jP9TXHwCqbVDufUZMJu80l7ZcofXBUrUajU2:B4b9TXJPUG48IRRUrUaI2
MD5:	F36258568C6EDC1C74952B31D642763E
SHA1:	CFDFBF505C78FF624B4D471349E1561F9E2D82D8
SHA-256:	B8471C0897AC91DB4CC59585BF4C971DE602E31BB4970B089F13708D7B25C2DB
SHA-512:	05E48FEF679EC007F90C7283145254A4A843AEBAA49BFCC995A037388923E05CFCD3F7D8956AB9F22BBBAE0F295870B0A510C37534051B9B91E85FF84D30282D
Malicious:	false
Preview:	....U.M_/-Y......wnT.G.a.CU&.E.(....O.]b....z....G.Mr&}k.....KI.......i.r...J.l;y..So.......6.....u.\0..w.0.^...a...>....;..B...j.B.N...'..gv....g...I.q..C.!..\|{..s6...<]:q.-w.?.6..Bt...G..cX.:,/...y..O>h.e:B.iu....A?....n.]a.%.{.QX..s..ne....'...d....O.D.b.gS...i.<....;..b3i.9j...J.z1..[.7.....-{..!Sz./ZU....E...].s.JS.P.7..h..s.~.e.e.~..ids.M........"5...9`..K/.5...go+c...9.l;..(:.$#.I"VN....Q4S.e..1...L...\..e...lO.3..\|.m.W.z.....D..xV.....1}a..{...H.m.......4.0..."....Cb^....X..t.A.....^n....n.\|.R......,.7{.G.0...W...2....)[...q/,..[qwB...O. ...y.i.$F.J..7Q.Z...z.n..V`..3"i&).......l...>c...H..0=.W.Ww.......y+.bP.r...../.t+......O.d....?.....;..E..d...........<~...KV......]\-.:8......1......F...e..;...{.sK.!6.{P..\|y(....w^H..H....._h!..no..Z...kZ..cE..EV\..Cc..?.3....(m}Z.]..p..u.....:U..m....O..r.#.......>h.\|I.G..a.Gt;-?...&....hT..n.'.J6....Iw.i./.2...E,....H....k....G.&Qa...{w%...a..9..."f....Z'*a%)l.Evg..r...w....q ..&..#...Vh

C:\MSOCache\All Users\{90160000-0019-0409-0000-0000000FF1CE}-C\Setup.xml.gn9cj Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1069
Entropy (8bit):	7.820931994281958
Encrypted:	false
SSDEEP:	24:CXHwx8Wj6K1XX++AxxvU8+hw1Av2mIS/9URkvYdiPHv6s/UtXpa:RF64XXDUpUpL5/9URkACPnUa
MD5:	A1C63B5CC015492FC8DCDE6CDF3AEA8A
SHA1:	E4C81E1554BAA19490AA2546FA6498509F864101
SHA-256:	6A580DA1686A06658A10F8F454F90A95CE6980DBD52D284C13A78FF791DC20FE
SHA-512:	D7DDA6A40E9115B081DFB4EB364FA5E1742A5F744A22DE3A6C23E68AFC2FFF375746B8E247CB2DFF1F4F3FA86FA96F9789615CDF0AB19CD4A5394D9E280899AC
Malicious:	false
Preview:	B....!dEr.ve.....E.By.~j.T;=b...9.......m.bP.U.R.z....W]l/....'......es........?...PC6....C.."..=.eh.og.X3...q....4.8s..N..S5\N./.....,..d.b5.i0Q.Yl.]d.2x..<...P.T.....^...`...........P...:X.vp..... .A...`.r.q6..IE..%......U/.h.m$D....g....]..vS...w.~..F.u........t.G........x...U.x..:l_..I.S..?<.m.Q1<.X.l0..:.....<M>..1.p...H...K...l...j.\..4...J.o..K<Fij..H.....H..........S..4........6....nB.U..v....E..B..#..@.g.4...O=W.kd....~..{.A........a......"...8{+".&..Z..#Jy4t...^..65.....[.%.....i....}?.....y....n.\|.R......,b..Gj{n_N.h.K2i1@.5tg..T`70..^:^......:V..k..........<r..\&%.?O.vj>.t.O....b..>4..$.\|....<...B.....+y..Gz...,B/e..q..=..5..6...IUL.j.+.."...cg\.AZy.9R\j.6....N........k..B..>.T....../a...6.3*.......3{..mK9.h..N..D...........?.....+r..K.l...k.op.!TV+J..:.mf5=.. _..G....%..C..E.<c_...&p..&w..G`..Nz........lX8C..o....l9..=:......`.G.....@..^am..x....4."..."j...%..W.... ....#.f..7..........3....C..U...N...nd..H.

C:\MSOCache\All Users\{90160000-001A-0409-0000-0000000FF1CE}-C\HOW-TO-DECRYPT-gn9cj.txt Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	Little-endian UTF-16 Unicode text, with CRLF, CR line terminators
Category:	dropped
Size (bytes):	3274
Entropy (8bit):	3.3969029202767174
Encrypted:	false
SSDEEP:	48:rLrZ6kkqzuDVm6eRU5oKDIBE2qxOzOwUq7ZU/d9PfDoIwe1Nn2oEdFdb:r/L+m6NJ6JOwZgd9PrRNQ
MD5:	0C6D0A67B942D06FE27F41C7C582CDFE
SHA1:	7E674CF6375B138CABCA2706583D4CED7A1AEF27
SHA-256:	014EA5EFFC97085B7832512B9AD2A5C4487265EB67E8D7B0920EF2BC8768400C
SHA-512:	53EC4509BC58F53419A8923D808C7DFDECF57DC203C37265D061AEBAB73147720D1C419E79578065A42C3B2A63504370F90516C3F0AFAD5D6997952592D3A39C
Malicious:	false
Preview:	..[.+.]. .W.h.a.t. .h.a.p.p.e.n.e.d.?. .[.+.].........Y.o.u.r. .f.i.l.e.s. .a.r.e. .e.n.c.r.y.p.t.e.d.,. .a.n.d. .c.u.r.r.e.n.t.l.y. .u.n.a.v.a.i.l.a.b.l.e... .Y.o.u. .c.a.n. .c.h.e.c.k. .i.t.:. .a.l.l. .f.i.l.e.s. .o.n. .y.o.u. .c.o.m.p.u.t.e.r. .h.a.s. .e.x.t.e.n.s.i.o.n. .*...g.n.9.c.j.....B.y. .t.h.e. .w.a.y.,. .e.v.e.r.y.t.h.i.n.g. .i.s. .p.o.s.s.i.b.l.e. .t.o. .r.e.c.o.v.e.r. .(.r.e.s.t.o.r.e.).,. .b.u.t. .y.o.u. .n.e.e.d. .t.o. .f.o.l.l.o.w. .o.u.r. .i.n.s.t.r.u.c.t.i.o.n.s... .O.t.h.e.r.w.i.s.e.,. .y.o.u. .c.a.n.t. .g.e.t. .b.a.c.k. .y.o.u.r. .d.a.t.a. .(.N.E.V.E.R.)...........[.+.]. .W.h.a.t. .g.u.a.r.a.n.t.e.e.s.?. .[.+.].........I.t.s. .j.u.s.t. .a. .b.u.s.i.n.e.s.s... .W.e. .a.b.s.o.l.u.t.e.l.y. .d.o. .n.o.t. .c.a.r.e. .a.b.o.u.t. .y.o.u. .a.n.d. .y.o.u.r. .d.e.a.l.s.,. .e.x.c.e.p.t. .g.e.t.t.i.n.g. .b.e.n.e.f.i.t.s... .I.f. .w.e. .d.o. .n.o.t. .d.o. .o.u.r. .w.o.r.k. .a.n.d. .l.i.a.b.i.l.i.t.i.e.s. .-. .n.o.b.o.d.y. .w.i.l.l. .c.o.o.p.e.r.a.t.e. .w.i.t.h. .u.s... .I.t.s. .

C:\MSOCache\All Users\{90160000-001A-0409-0000-0000000FF1CE}-C\OutlookMUI.xml.gn9cj Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1067
Entropy (8bit):	7.7996071519136
Encrypted:	false
SSDEEP:	24:nVIs+gw9qRQiDT0sNPZ8jB3sjuOVSGG4+jN2wkTYgGEFTg7OJKmAG065KVkn:W5gDRPZ8jm7EjszT5GEFTgSJKm70N2n
MD5:	3A1EBEFD633A0B5198B8F4D3199B403D
SHA1:	A853262140159E11EA638BFC06ED64672CFC5F5E
SHA-256:	FB9FCC108CFF1BA086A4A92DD6CA177ED06515EE2482278CA6E1A648933F0CDD
SHA-512:	843A2D5830BA8188B99B2740E90A342702A5ECFFC9F19F9C695470F7FCA360C9E6DE30AF89B80D17B6E33B6AE583C550FC14EEE867DA89BA3E6A7E519F9C79C1
Malicious:	false
Preview:	....b.O.S{R.=..C..y.;.......rR;[.j.OA.f@=...U...I.O........U9.3.Z.4,0...-..b.8h.I...O.Y..v.yc-....U....nI.tL.Q.......P.A.[..W..P.A..s.......\.+.].o...+"...?\.k....p.. .......:...i9...8......quh81.y>b8.\$,........V...].A..p...Yv....T....n>'?..\aD.;......K\..}..D....s..l@=...O$r..6v.L....t\'.K.R..;I..nz._Z.Z...ofD.../.i....us8.U`.0ag.M7._.}ft;..<=.W....%/v+.u.$..........4)_.S.Rxj..oz/.x..cJ.W....i.q.....=) J...v..}w.g...1..A....<r0i.".TD...b.p!..c.HD..{.qVJ\...Gq...........@CE..,.S.Y.c].g.....y.f4.R...k..sE....n.\|.R......,.....<.=.~mFt....\.x8.:.l...._l...t..bO..h............13..! .......#K..PI.....P..a.+..<..[Gq....Y.....W..p...X..AE.+..V.d..Cj......1.2P\..<xU..v.....2<j\|.dK]..?.x.8.L,j.A.(?.G.H..bn......3.P..s#.v..>}.l"........):.....P..F.[...>.(`......`....j...^.aW..JWM.~.;........qBY9.....gE..2{.1N.a.o...fp..XG?.....Rv...l.Y..uN6..Vml..K.}uL.....S.TUs...).>.y..m.P*.%x.me....F ..g.;....q6.F..L....2.l1G.%..a\|.B.9...)..2....r.\^P'.z..

C:\MSOCache\All Users\{90160000-001A-0409-0000-0000000FF1CE}-C\Setup.xml.gn9cj Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1058
Entropy (8bit):	7.8367700501068445
Encrypted:	false
SSDEEP:	24:QLzWD0F/5EhNa1bc/u3kQ82Jf5e362/rHU4:cWAHp0u0p2Jf5e31rHj
MD5:	786BD268BD9CDB087347E2B1AAB40C16
SHA1:	5BA72B81F260E1A0EA37D384510680E22CA13260
SHA-256:	652FCE1834469847C518B253801E1BAAF55049C4E8AAA9E6E4B069E4AA4387BB
SHA-512:	432E4B47621C31EA412C6CC279A748FA8E0C05B6AFBBAD869202B372318606BC044291170E51E6FDFDF45C8394205796D41C859898B101F69B43AFEE19F7522C
Malicious:	false
Preview:	hS..l.X...-\.v8...D+.nY@..N+.2;........&.~.>.27.8j....i.D........).a..Z..3.#.T. k)...7.......K)..k`.....x....-.......!.\..2+.Z."t.O....r...K.i.].u...G.~.."R.>....E.n.Uf.(..#.V0.r..T/....2.%Z^....c.{.{k..y.].3!V..K....h_.y_..-P....n.b..r.0...,A.....M.....Da.y.).[I.DHj...".Lt..6....KpF.....V...8.$\|...^}.w.....".;.....=,K-..F....x...?q..I2.b..Oz.m...dH.)v...+.M..].g.......<.7yVqg.;.....#..l..oW.T4i.07D.....1Q.V"+L._..b.._g..9.f..ai...z.....n.Q..$.w......+E.......2.....z.qj...M..=.....k..E....n.\|.R......,..e.Q..l..iI...s.u.?.u...F... ...5..O.A..).@....-...A...LuzwG.t.....T...-.._..6....sps..~J.B.Iiz5.jz..yS............z....G.( .p=.3.......}u&..*>...$....%.$$...fn.{b4H.~...5e+wD<.C...m..{4....<......7...\|..cSO.%...<.D.a..Jjf.S.[C.g\|q.x.hY....?.t...n....>.W}4...+..[...G..`........+.....KQ.T4F.2Z?e.....^`.#..2f..:\.,.6....x...q_'..T...&<.cP..FmXKx..l._..l....nv...^...1.E.C..t...U..?.....Cx>i,.oWD.a.N..t..<.d.....m1j..z..U.....;0.(

C:\MSOCache\All Users\{90160000-001B-0409-0000-0000000FF1CE}-C\HOW-TO-DECRYPT-gn9cj.txt Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	Little-endian UTF-16 Unicode text, with CRLF, CR line terminators
Category:	dropped
Size (bytes):	3274
Entropy (8bit):	3.3969029202767174
Encrypted:	false
SSDEEP:	48:rLrZ6kkqzuDVm6eRU5oKDIBE2qxOzOwUq7ZU/d9PfDoIwe1Nn2oEdFdb:r/L+m6NJ6JOwZgd9PrRNQ
MD5:	0C6D0A67B942D06FE27F41C7C582CDFE
SHA1:	7E674CF6375B138CABCA2706583D4CED7A1AEF27
SHA-256:	014EA5EFFC97085B7832512B9AD2A5C4487265EB67E8D7B0920EF2BC8768400C
SHA-512:	53EC4509BC58F53419A8923D808C7DFDECF57DC203C37265D061AEBAB73147720D1C419E79578065A42C3B2A63504370F90516C3F0AFAD5D6997952592D3A39C
Malicious:	false
Preview:	..[.+.]. .W.h.a.t. .h.a.p.p.e.n.e.d.?. .[.+.].........Y.o.u.r. .f.i.l.e.s. .a.r.e. .e.n.c.r.y.p.t.e.d.,. .a.n.d. .c.u.r.r.e.n.t.l.y. .u.n.a.v.a.i.l.a.b.l.e... .Y.o.u. .c.a.n. .c.h.e.c.k. .i.t.:. .a.l.l. .f.i.l.e.s. .o.n. .y.o.u. .c.o.m.p.u.t.e.r. .h.a.s. .e.x.t.e.n.s.i.o.n. .*...g.n.9.c.j.....B.y. .t.h.e. .w.a.y.,. .e.v.e.r.y.t.h.i.n.g. .i.s. .p.o.s.s.i.b.l.e. .t.o. .r.e.c.o.v.e.r. .(.r.e.s.t.o.r.e.).,. .b.u.t. .y.o.u. .n.e.e.d. .t.o. .f.o.l.l.o.w. .o.u.r. .i.n.s.t.r.u.c.t.i.o.n.s... .O.t.h.e.r.w.i.s.e.,. .y.o.u. .c.a.n.t. .g.e.t. .b.a.c.k. .y.o.u.r. .d.a.t.a. .(.N.E.V.E.R.)...........[.+.]. .W.h.a.t. .g.u.a.r.a.n.t.e.e.s.?. .[.+.].........I.t.s. .j.u.s.t. .a. .b.u.s.i.n.e.s.s... .W.e. .a.b.s.o.l.u.t.e.l.y. .d.o. .n.o.t. .c.a.r.e. .a.b.o.u.t. .y.o.u. .a.n.d. .y.o.u.r. .d.e.a.l.s.,. .e.x.c.e.p.t. .g.e.t.t.i.n.g. .b.e.n.e.f.i.t.s... .I.f. .w.e. .d.o. .n.o.t. .d.o. .o.u.r. .w.o.r.k. .a.n.d. .l.i.a.b.i.l.i.t.i.e.s. .-. .n.o.b.o.d.y. .w.i.l.l. .c.o.o.p.e.r.a.t.e. .w.i.t.h. .u.s... .I.t.s. .

C:\MSOCache\All Users\{90160000-001B-0409-0000-0000000FF1CE}-C\Setup.xml.gn9cj Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1068
Entropy (8bit):	7.81816204872542
Encrypted:	false
SSDEEP:	24:P3KWPisK1nM8MW0LKUxn+n6Bh238u+QMbll5slg5kD6a6h:FisKI7ujnAMJ+FHg6ag
MD5:	A1CAA9C0C0841EFC3AC60F91E7A76C24
SHA1:	02B0862E92A925B608FA1DF6D1D4EC4DC45DD3EF
SHA-256:	4088C2F245DD700E405BA1EBD82EDBA06F1DA52768DBA17AC349770E41DA6E16
SHA-512:	F3E7C06CD6E3FFDF2099D1E3FD10DF95BE733E936EB1A78A0E59544CF8451BC7D4E75C6F7DC4027D7D56F084822D01D5EF078EF78035D3779640A9A2BAAAE5FD
Malicious:	false
Preview:	...P....^\|...,.e.iL/..4.e88.o....[K..O...h8Ks......y....q.....^k5>2z.....J.f.'.G.;.h......MT....w{'.a.J..........QYlY8..+.W.\|h.....#B...........!JeV4T...5..f.Nt.s.U5.c.H....u.5.N1.F..W.P.......L.N......~@.-.Jc.z.....O.=./?.l...C..BSIz>h.^...).....-.m.3ut........H..m...e\...Y...#.X.K;.P^-..lNb.Q.;....DCT....u.O.Ta.....Z>Z..%@....$...l.s.........7...{_].B..!\\|,B.Y....dk.:}.5'..c..3`..<~.Ie.G..%.......3M.IbJy.. .9..e..{Y.U...._.~\|...q.......A.M.".8..`.w.;.....=....5....WM.u..~f.:)...,...`+..X._.Q..k...hWLQn....]....n.\|.R......,....}R...'.R..l.R;...cq'.7.hp.;.x-.3..&. c...^...m...".F...2M..Sa.c.ir;...f..W ........:&P.&.$(8...E.Y'<`.4x..U......M._)A.[....H1.AL..+-.P..~.u.T...g.2Y\|..S7..*....?S...b.K.._\`..<lFSp.N.`7u.A..."...QZE..hn0_.{..y.kn....Y~.}o..."nQ7....8.k..........\|...Zf.p......&.6..cZ.Q...L....M..........5.._.'6.>.Xj<.h..0?}^...S..$.....$...y.....k.%...?...\|.c..}5.+"...uG....)...../.&...b...'2.f.B........h..A....G...W)a.

C:\MSOCache\All Users\{90160000-001B-0409-0000-0000000FF1CE}-C\WordMUI.xml.gn9cj Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1060
Entropy (8bit):	7.807830915152831
Encrypted:	false
SSDEEP:	24:XPHeDkV1eXNzNS43B1ZALPZjPn4xp0VrruhDYCj3q58topy:XPHeDkCXN7gLx08V2hDhj6qF
MD5:	65F2ED8BF503147D2A195316E0E2F568
SHA1:	8FB2DBD63936A0231D9C9B664CC9489A278398A1
SHA-256:	B14FEFA58612A3093FAAB25C385CA886751ECE56A02883367009DAAA1E66E2AE
SHA-512:	B75FEB88C41C8F1DC85862547E28392D485A01E616A3D82C9DEECC79CD0F9370892636F7D1C3DB09A599126A07A9BB331473A9493BC1301FDACF421320F0AD9F
Malicious:	false
Preview:	\|...,+Z5Bkb@....?W%......2.t.v..aM6..`]...A.#.<........Xm..........Fr.....C.J?.<......d.d..t.:.^q..b..5M...&$...t..:....#.z}4x?.yOb.....O.O...t...J...,..\|.7.V...x;<$...GeG/$?.....Y.#.O.7.......Ic.......MG...[...n!......y..Y.P^c....{m-.`...P.F...R.i'..CL........L{.Q....X.,f+.H..h...<1...[.Uz..G.IO.......A.{q.f ~9..=..'..RH.....YT...-..=JH8.R.<?}.'..P..XI..I..6.t.$.^. ..05Do..B.A._...1.]...'...I.....6tJb`..#..t..H.`......a...b.F.[.a\|F^.."......LII....Y.?..M..O.i.#..\#V..B..,.x.C.N.v...W@\g`...2`...c....Z.....n.\|.R......,.P...X.ac..\|..~..I{J..~`...M..f....J#...Hj..A1@LZc...`..o'....C..../\..s..r.+.......~.6... ..5G.&....r.\|.(.#.l......'...]. .\....W.u...J....i_...0).I......Wtz........Re....3.B....v?.k>mX.U.q..F.......3......2..,.J...O..u....c(.......2.:.&..WW9^.iU!EH;'...e........W.Js$.`..f...g...y:..@..\|...Yk...-x.3ok.W.U..i.x.mh...R...g..T(.....1.@...;;..(.[..V..........[H..<..b9..iKFuJ...DXSLz..r...CKo.f..G.Vg.....3.-.U2.O.=..;....0.....X.

C:\MSOCache\All Users\{90160000-002C-0409-0000-0000000FF1CE}-C\HOW-TO-DECRYPT-gn9cj.txt Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	Little-endian UTF-16 Unicode text, with CRLF, CR line terminators
Category:	dropped
Size (bytes):	3274
Entropy (8bit):	3.3969029202767174
Encrypted:	false
SSDEEP:	48:rLrZ6kkqzuDVm6eRU5oKDIBE2qxOzOwUq7ZU/d9PfDoIwe1Nn2oEdFdb:r/L+m6NJ6JOwZgd9PrRNQ
MD5:	0C6D0A67B942D06FE27F41C7C582CDFE
SHA1:	7E674CF6375B138CABCA2706583D4CED7A1AEF27
SHA-256:	014EA5EFFC97085B7832512B9AD2A5C4487265EB67E8D7B0920EF2BC8768400C
SHA-512:	53EC4509BC58F53419A8923D808C7DFDECF57DC203C37265D061AEBAB73147720D1C419E79578065A42C3B2A63504370F90516C3F0AFAD5D6997952592D3A39C
Malicious:	false
Preview:	..[.+.]. .W.h.a.t. .h.a.p.p.e.n.e.d.?. .[.+.].........Y.o.u.r. .f.i.l.e.s. .a.r.e. .e.n.c.r.y.p.t.e.d.,. .a.n.d. .c.u.r.r.e.n.t.l.y. .u.n.a.v.a.i.l.a.b.l.e... .Y.o.u. .c.a.n. .c.h.e.c.k. .i.t.:. .a.l.l. .f.i.l.e.s. .o.n. .y.o.u. .c.o.m.p.u.t.e.r. .h.a.s. .e.x.t.e.n.s.i.o.n. .*...g.n.9.c.j.....B.y. .t.h.e. .w.a.y.,. .e.v.e.r.y.t.h.i.n.g. .i.s. .p.o.s.s.i.b.l.e. .t.o. .r.e.c.o.v.e.r. .(.r.e.s.t.o.r.e.).,. .b.u.t. .y.o.u. .n.e.e.d. .t.o. .f.o.l.l.o.w. .o.u.r. .i.n.s.t.r.u.c.t.i.o.n.s... .O.t.h.e.r.w.i.s.e.,. .y.o.u. .c.a.n.t. .g.e.t. .b.a.c.k. .y.o.u.r. .d.a.t.a. .(.N.E.V.E.R.)...........[.+.]. .W.h.a.t. .g.u.a.r.a.n.t.e.e.s.?. .[.+.].........I.t.s. .j.u.s.t. .a. .b.u.s.i.n.e.s.s... .W.e. .a.b.s.o.l.u.t.e.l.y. .d.o. .n.o.t. .c.a.r.e. .a.b.o.u.t. .y.o.u. .a.n.d. .y.o.u.r. .d.e.a.l.s.,. .e.x.c.e.p.t. .g.e.t.t.i.n.g. .b.e.n.e.f.i.t.s... .I.f. .w.e. .d.o. .n.o.t. .d.o. .o.u.r. .w.o.r.k. .a.n.d. .l.i.a.b.i.l.i.t.i.e.s. .-. .n.o.b.o.d.y. .w.i.l.l. .c.o.o.p.e.r.a.t.e. .w.i.t.h. .u.s... .I.t.s. .

C:\MSOCache\All Users\{90160000-002C-0409-0000-0000000FF1CE}-C\Proof.en\HOW-TO-DECRYPT-gn9cj.txt Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	Little-endian UTF-16 Unicode text, with CRLF, CR line terminators
Category:	dropped
Size (bytes):	3274
Entropy (8bit):	3.3969029202767174
Encrypted:	false
SSDEEP:	48:rLrZ6kkqzuDVm6eRU5oKDIBE2qxOzOwUq7ZU/d9PfDoIwe1Nn2oEdFdb:r/L+m6NJ6JOwZgd9PrRNQ
MD5:	0C6D0A67B942D06FE27F41C7C582CDFE
SHA1:	7E674CF6375B138CABCA2706583D4CED7A1AEF27
SHA-256:	014EA5EFFC97085B7832512B9AD2A5C4487265EB67E8D7B0920EF2BC8768400C
SHA-512:	53EC4509BC58F53419A8923D808C7DFDECF57DC203C37265D061AEBAB73147720D1C419E79578065A42C3B2A63504370F90516C3F0AFAD5D6997952592D3A39C
Malicious:	false
Preview:	..[.+.]. .W.h.a.t. .h.a.p.p.e.n.e.d.?. .[.+.].........Y.o.u.r. .f.i.l.e.s. .a.r.e. .e.n.c.r.y.p.t.e.d.,. .a.n.d. .c.u.r.r.e.n.t.l.y. .u.n.a.v.a.i.l.a.b.l.e... .Y.o.u. .c.a.n. .c.h.e.c.k. .i.t.:. .a.l.l. .f.i.l.e.s. .o.n. .y.o.u. .c.o.m.p.u.t.e.r. .h.a.s. .e.x.t.e.n.s.i.o.n. .*...g.n.9.c.j.....B.y. .t.h.e. .w.a.y.,. .e.v.e.r.y.t.h.i.n.g. .i.s. .p.o.s.s.i.b.l.e. .t.o. .r.e.c.o.v.e.r. .(.r.e.s.t.o.r.e.).,. .b.u.t. .y.o.u. .n.e.e.d. .t.o. .f.o.l.l.o.w. .o.u.r. .i.n.s.t.r.u.c.t.i.o.n.s... .O.t.h.e.r.w.i.s.e.,. .y.o.u. .c.a.n.t. .g.e.t. .b.a.c.k. .y.o.u.r. .d.a.t.a. .(.N.E.V.E.R.)...........[.+.]. .W.h.a.t. .g.u.a.r.a.n.t.e.e.s.?. .[.+.].........I.t.s. .j.u.s.t. .a. .b.u.s.i.n.e.s.s... .W.e. .a.b.s.o.l.u.t.e.l.y. .d.o. .n.o.t. .c.a.r.e. .a.b.o.u.t. .y.o.u. .a.n.d. .y.o.u.r. .d.e.a.l.s.,. .e.x.c.e.p.t. .g.e.t.t.i.n.g. .b.e.n.e.f.i.t.s... .I.f. .w.e. .d.o. .n.o.t. .d.o. .o.u.r. .w.o.r.k. .a.n.d. .l.i.a.b.i.l.i.t.i.e.s. .-. .n.o.b.o.d.y. .w.i.l.l. .c.o.o.p.e.r.a.t.e. .w.i.t.h. .u.s... .I.t.s. .

C:\MSOCache\All Users\{90160000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.xml.gn9cj Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1069
Entropy (8bit):	7.8434476839276055
Encrypted:	false
SSDEEP:	24:Xn+k4zTwT2wFJ4TBZ4KNnjBIpeWGTZmETwAJ09d9K:Xn+ST2ws/njOME25Jwd9K
MD5:	E74D249D26D699786FCA09DAF2F73D78
SHA1:	4A566234A077E7DCD9F8A04C8B971DB890D9AB5C
SHA-256:	86C5548A9CF3292052294B750AF791A16609C37B8AE09D428AAB70835C723748
SHA-512:	A9BBCF9E9E81C02436F9F390F41D6054D9621EB1B43334A9477CDE8B428751B52433897B326CAFD3AFED443D3D8C4DE129FCC99386886DE75EAE5543D0E2C2E5
Malicious:	false
Preview:	>.K.".......=>...3.R.n..Q{..h'.T.._..S....M.......S?...d...^j<8..=..Jp.o.L\|.:.X...s.V..0.7...R..18....M./...^+...Hp......{.B....uE...a6.)T].jv.4l...V.Q.nX..,ul..de.... .......o.C?....XQ..ov.....(8K..R]..K....:...\.q...G...J.5,.....v....\..j...;ed9.5W.BC.Zy..v.>;.&..........I*.L...\Kj.........J.x.{......Sw......F...6...m.....z..-.......$...v........b~k.._.m..._.p5.'..c..5"..Q....Vi..U...HPIF../..g.t.[......<pT..D.y........K...'.3......O,P.&..p...R...'.D.26.=S.>...\|.....q..,.#.(....P..M..h........1..M.K..#?.._....n.\|.R......,@ILD.x.#.Zv....>.\|.}0k.U..h..Y.B<.m..^.&.$.;...]o5..3y....0....[6........J..Z.v...........m.Z}.s%..Q9.. ........\|.%./x../w..p...,..)M.%..-..d...[....cO{...f..... r6r.8 ..c......] ..jq..V..A.. .f. ..b.........8.4i.4o...9....7..s...a.Y.<....Z...oC.....%...D.{...ZO..~.......,....Z,..ye.~.....5W....Z.Y....\|m..0d$5.C....._..Fy..f..#.....M...G,....}_.r.......h..2..+.....l..2...p..j..\|.z^...j9.{...\..(.O...q.3....Z.....L6

C:\MSOCache\All Users\{90160000-002C-0409-0000-0000000FF1CE}-C\Proof.es\HOW-TO-DECRYPT-gn9cj.txt Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	Little-endian UTF-16 Unicode text, with CRLF, CR line terminators
Category:	dropped
Size (bytes):	3274
Entropy (8bit):	3.3969029202767174
Encrypted:	false
SSDEEP:	48:rLrZ6kkqzuDVm6eRU5oKDIBE2qxOzOwUq7ZU/d9PfDoIwe1Nn2oEdFdb:r/L+m6NJ6JOwZgd9PrRNQ
MD5:	0C6D0A67B942D06FE27F41C7C582CDFE
SHA1:	7E674CF6375B138CABCA2706583D4CED7A1AEF27
SHA-256:	014EA5EFFC97085B7832512B9AD2A5C4487265EB67E8D7B0920EF2BC8768400C
SHA-512:	53EC4509BC58F53419A8923D808C7DFDECF57DC203C37265D061AEBAB73147720D1C419E79578065A42C3B2A63504370F90516C3F0AFAD5D6997952592D3A39C
Malicious:	false
Preview:	..[.+.]. .W.h.a.t. .h.a.p.p.e.n.e.d.?. .[.+.].........Y.o.u.r. .f.i.l.e.s. .a.r.e. .e.n.c.r.y.p.t.e.d.,. .a.n.d. .c.u.r.r.e.n.t.l.y. .u.n.a.v.a.i.l.a.b.l.e... .Y.o.u. .c.a.n. .c.h.e.c.k. .i.t.:. .a.l.l. .f.i.l.e.s. .o.n. .y.o.u. .c.o.m.p.u.t.e.r. .h.a.s. .e.x.t.e.n.s.i.o.n. .*...g.n.9.c.j.....B.y. .t.h.e. .w.a.y.,. .e.v.e.r.y.t.h.i.n.g. .i.s. .p.o.s.s.i.b.l.e. .t.o. .r.e.c.o.v.e.r. .(.r.e.s.t.o.r.e.).,. .b.u.t. .y.o.u. .n.e.e.d. .t.o. .f.o.l.l.o.w. .o.u.r. .i.n.s.t.r.u.c.t.i.o.n.s... .O.t.h.e.r.w.i.s.e.,. .y.o.u. .c.a.n.t. .g.e.t. .b.a.c.k. .y.o.u.r. .d.a.t.a. .(.N.E.V.E.R.)...........[.+.]. .W.h.a.t. .g.u.a.r.a.n.t.e.e.s.?. .[.+.].........I.t.s. .j.u.s.t. .a. .b.u.s.i.n.e.s.s... .W.e. .a.b.s.o.l.u.t.e.l.y. .d.o. .n.o.t. .c.a.r.e. .a.b.o.u.t. .y.o.u. .a.n.d. .y.o.u.r. .d.e.a.l.s.,. .e.x.c.e.p.t. .g.e.t.t.i.n.g. .b.e.n.e.f.i.t.s... .I.f. .w.e. .d.o. .n.o.t. .d.o. .o.u.r. .w.o.r.k. .a.n.d. .l.i.a.b.i.l.i.t.i.e.s. .-. .n.o.b.o.d.y. .w.i.l.l. .c.o.o.p.e.r.a.t.e. .w.i.t.h. .u.s... .I.t.s. .

C:\MSOCache\All Users\{90160000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.xml.gn9cj Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1071
Entropy (8bit):	7.826142363902439
Encrypted:	false
SSDEEP:	24:IQgvc2Fw/h3RZ+U5XZ+uFRZ5gwqE+kgpRiJjvCi9oT:Iy9J2sPRzgwNngqJJ9Y
MD5:	40B314291303FF845C5D2491DD6BEB00
SHA1:	2C1132BAA6F984A68E3096FB6B56D13ECBF3EC14
SHA-256:	3F1CD2F3195A3B5F769535C61DDF8A7B8981E3053409B9BB38A37A8E1921F56F
SHA-512:	34F68DA4FB59D5623A1947E016AA8173EC6DC4A455AFAC52EF871D3FC8C7E2DE5AA1DE055CBD160CCBE55E34BA587C1EC60583B9BF039F68778F589F1664A3D0
Malicious:	false
Preview:	.:$...,......h."=..af.H.2.....d...5A..Mf...4..?.!..=.... ..>d`.}.....b...&...F....n.....C..../....H...3-..0..]Hm[ua....A9....D4{Ya..L7......6.I.`...K..{f.....$..WQn.;.1.%G.i...U..'f4..W}Z..z.a.......e........O............6.s".G..h\...;R!<..+:r.v2....6@.H..q.5;s.....&.....k.J...k.#..%.O8.8.........O.I...nI.....J..[...Jl..Tj.".........cC...5y.WfS`.,.p0>i.'YR:...A_.G.H....F.L.........8......k...$...a..T..F.x...tQn.....Ar.....?..0Y..c.B\J.....`..K...-....$...yf...T.....Z.Bs..G.......63.#..LH..W.kI.....c.u.....n.\|.R......,..0.VZ7.N@....In.$.... md...F.u....C.i"y$......8...@;.-..3..M..?}..L.](7.b..l.Q..lm......'Z....$k(...g.@eK..4.....q..0qcr..].n<...M....#`j~..S<......`#.@.g.l$#.l.....3..W.~..........Y.......\]HH{..v.`..<...p..+a.....<.j......8...........V<X<.y...,Y.~5....Me{.?..........M...6.1..:...........[ ..q....v.O.i..s..1VB.>....t..(....Kl..x....U...?".!.....k.O...L...x.4.+..`-...w...6..)...q'2.z....W.-,......*.kH...!.

C:\MSOCache\All Users\{90160000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\HOW-TO-DECRYPT-gn9cj.txt Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	Little-endian UTF-16 Unicode text, with CRLF, CR line terminators
Category:	dropped
Size (bytes):	3274
Entropy (8bit):	3.3969029202767174
Encrypted:	false
SSDEEP:	48:rLrZ6kkqzuDVm6eRU5oKDIBE2qxOzOwUq7ZU/d9PfDoIwe1Nn2oEdFdb:r/L+m6NJ6JOwZgd9PrRNQ
MD5:	0C6D0A67B942D06FE27F41C7C582CDFE
SHA1:	7E674CF6375B138CABCA2706583D4CED7A1AEF27
SHA-256:	014EA5EFFC97085B7832512B9AD2A5C4487265EB67E8D7B0920EF2BC8768400C
SHA-512:	53EC4509BC58F53419A8923D808C7DFDECF57DC203C37265D061AEBAB73147720D1C419E79578065A42C3B2A63504370F90516C3F0AFAD5D6997952592D3A39C
Malicious:	false
Preview:	..[.+.]. .W.h.a.t. .h.a.p.p.e.n.e.d.?. .[.+.].........Y.o.u.r. .f.i.l.e.s. .a.r.e. .e.n.c.r.y.p.t.e.d.,. .a.n.d. .c.u.r.r.e.n.t.l.y. .u.n.a.v.a.i.l.a.b.l.e... .Y.o.u. .c.a.n. .c.h.e.c.k. .i.t.:. .a.l.l. .f.i.l.e.s. .o.n. .y.o.u. .c.o.m.p.u.t.e.r. .h.a.s. .e.x.t.e.n.s.i.o.n. .*...g.n.9.c.j.....B.y. .t.h.e. .w.a.y.,. .e.v.e.r.y.t.h.i.n.g. .i.s. .p.o.s.s.i.b.l.e. .t.o. .r.e.c.o.v.e.r. .(.r.e.s.t.o.r.e.).,. .b.u.t. .y.o.u. .n.e.e.d. .t.o. .f.o.l.l.o.w. .o.u.r. .i.n.s.t.r.u.c.t.i.o.n.s... .O.t.h.e.r.w.i.s.e.,. .y.o.u. .c.a.n.t. .g.e.t. .b.a.c.k. .y.o.u.r. .d.a.t.a. .(.N.E.V.E.R.)...........[.+.]. .W.h.a.t. .g.u.a.r.a.n.t.e.e.s.?. .[.+.].........I.t.s. .j.u.s.t. .a. .b.u.s.i.n.e.s.s... .W.e. .a.b.s.o.l.u.t.e.l.y. .d.o. .n.o.t. .c.a.r.e. .a.b.o.u.t. .y.o.u. .a.n.d. .y.o.u.r. .d.e.a.l.s.,. .e.x.c.e.p.t. .g.e.t.t.i.n.g. .b.e.n.e.f.i.t.s... .I.f. .w.e. .d.o. .n.o.t. .d.o. .o.u.r. .w.o.r.k. .a.n.d. .l.i.a.b.i.l.i.t.i.e.s. .-. .n.o.b.o.d.y. .w.i.l.l. .c.o.o.p.e.r.a.t.e. .w.i.t.h. .u.s... .I.t.s. .

C:\MSOCache\All Users\{90160000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Proof.xml.gn9cj Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1071
Entropy (8bit):	7.81327851565456
Encrypted:	false
SSDEEP:	24:5F/148duPSqw7Lwj4T8liO0u3xsGqxW63lp/97TVV:5zjaSqUT5Tu3uGqZ3rBTVV
MD5:	466625C5AE9B24A0066B404199BA1FFF
SHA1:	11D856A83F2389BA5391C950D172473604F04AFB
SHA-256:	142ED34BFD5D9A54BB9A216478492768EF871C79BAEBDCB84FF6F1EAD1AD35E8
SHA-512:	603E2CB7623A2DFF4C5CB0D8AFABF570B8F92071EA7FDE7F92AF774884519D4AD2AE6E3FFAF3C1693004D6106C80E75740135AE3D4FFCDFA7BA3E4186BF30C37
Malicious:	false
Preview:	Q{\..`R..H)[...kq..7.vx....-..JU...[UTX./.z+?.5(L..........R.....$.BQ...UB.x.c......./..7..t/]w.'0+.5....OT.n.M....V.(a9..2-...7L...S..J..\|.}........^.a...]9.x..w{/.u..l.Z3.........)h[........+B.?e.t.a%....t0......B...}Q..,,y.d1.tf...B.3<.6k..1.Z;9/\|.i..D..DgO...bf.87..:..SXMJ..Y<.K....ms...M9.L.;_S.I....z....k..C.5I.......q..M..x....U...A..M..Z...m {.5.\.\qz.1L..<.}5.m..l.!D......iI.....(..[}..Dn..L.\......J..k..c.H..%x.?..1.........wn%.R.W.).6G>...R5PE..k...7..[..?D9.>..z.._..?.ss,q.....3..e.&z:...%F@.7r.m..1..C....n.\|.R......,l.c`..U............O]S..._....(...:..I.$6..p......<.......?.{,...{f-L+o.N..J;.~.#O:g~..>1W....~$...d.......m...K..}2,o.l.^.j..6O..i...lN.P..y.......1T....;..5.h......B.O.L....*.0...8....O(.......D%x9....)m;..@Z.~.....ZS.I......a..$.I....^.HX(Z..Y.1;......%.....L.....ZMa ./M1.{..C..4..~.?L..7.ra...0.F.V...V......F..J...s.M..z.v.wU..4...H....h6...XM....Yt`.Z.~4.>.v..8.a\.-9.N...S.g.#..,....;..u<. ..mQ.b.%.ha.\|6.9.D..

C:\MSOCache\All Users\{90160000-002C-0409-0000-0000000FF1CE}-C\Proofing.xml.gn9cj Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1056
Entropy (8bit):	7.809483424253221
Encrypted:	false
SSDEEP:	24:qO8GtFHbgBS+un2XKuvbOLMej8YIXWvyNm97S+Hz0zrHa:qO/kwn2XKMkj8OvyNmJHzYrHa
MD5:	8B7DB88C461377C8ADEA38679D5B97FB
SHA1:	3F9D3827534A4F717528B1A476F58B1197B673EB
SHA-256:	08DFCB84FEE496481F61774A544A305A93CFEE76700FFF72D95051DABFEDBF70
SHA-512:	C802B441210A036255EC6B530F4E07DFA7D47ED50C8987609CCFFD42C7E9C1325C9866D57B99E24FD78133C6B9CEFFD05DEB1D1E761DE4A7CBE8383F0BB0D2CB
Malicious:	false
Preview:	.o.P.+.W.g..k.4...[TE..b.$.`f.`3..>.l.(Z..]..n..#...8..p...Rq..7.RCY..\...Z..R.vA^.F....}z.F.}H..d.=.[.O"....'X.+......z..R;8....n...>$V...}j......R.V`..p........[....vw.\|.6.....m.........Z.....d.......P....f"#.;.+.. .&..x..(.............v["...!..v.,..[\.P.t..85c.....3.].u...5........$.X....?..k....m..O...!..jEw....C.....:.k.. ._V.ND..h~.....Ap+......I!../.'E>../...^.B^....\|_..;)T..V.l..ndd.~2..m-X.....[.#c.....n.V=.(.o..R...Z..791.gK0{....v..,1....A..'....9.b....H.*.;.n..).g.ni...e3\/;Fa.Y.}.}........n.\|.R......,.cB.1.....zk..K..$%...%w.:,..5...J...0_?U...LO..Q~...W{...o..J..i...}\|7`...2d..\.]..i.......[..Y.x.>.v+D'.O..R.'...Z.p......K.[2../.....F.T.dL8.......bA..d..`.M4]..c1....:.."...8....E...O.N..j>.r....ru>.....@sa..J..L..u........F.Y;.[.y^cF.0w.@..T...g....M...o.-..b`i.L:@.....T...S.....u/v..u.e.....~>.m....y....M.f....^....<E..~~0..)......J.A+gE.tt0...l.....'.......@.<.7..d....)......RD$.J..i.&&i6a=.....~u......J...:5...[w1..

C:\MSOCache\All Users\{90160000-002C-0409-0000-0000000FF1CE}-C\Setup.xml.gn9cj Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1069
Entropy (8bit):	7.7978545666311545
Encrypted:	false
SSDEEP:	24:22SBWvRICKm0V70Az4eJox4O1MkIDWdpF5sESwevqfP:ckRFPC7R4eJCz1M6d3CE5eYP
MD5:	F10E72E2B0857503F5E2925F71557730
SHA1:	21804770A72E6A3825235D7187F634D3881FC970
SHA-256:	E1759A72D58D3CFA1D2DE951B1A903C32E149AF1B56A1023B5667E379B81BB3F
SHA-512:	110DBFBFFE2F01EE6B9A99990C5E92FFAA41E533748940C2EA11667C999C6C0F6538697234082230DCE525645A876131B157EAF6E7FD4B6BFA6CB65A609CD285
Malicious:	false
Preview:	.X..M.3R...."....}E.....Bt7........>C..........^..]>.......A.......&..~....7]ofs)..-..J.Q ....-N> q.~2`H....p.n .7-...n...O..V....W...,Y...)...}A.a.7D1..8.f....e9....8J..%1...xzTe..:G..YZg.(.......`g...b.w+.....}.IL......M^.Bn..&...=.W..w..4-....ts...(........./(..B}.Ms.?B....v.;.`....2<(..;...(Z..R#o.........6O..P.h.Vv......Qy. ..k.........?. .Fp3.1[..'...h+..X....J......`\|K-..<.......&.....4...\.M.y..[N...k.....(Kr........1..]....L]....:]...-..Z...B..B..,.T..........z%..O8..}L.B......,......n.\|.R......,V..C......s..T5....M-..l.G.s...F:../..o._..l%%`.[..p.x....a...#...r.G...l..b.K.u..P.9....\.....SSe.$.....q...fvd....B..P..j..+..9.l....K/..+V....}.C..+1.. z...i.....$.x.s.......0..._G.YK..K.G../O..u.'..7......S...>92".../......Hz.......Y....JwT..k.`..)B. ..E\|...7..sJ..[.9..~.w.....k.11I'...\|,c.c..%b..&......:V..f.Y.w.N..,...S.=....P}..3...w...?k.......qt}i...P>h...W..([.M..^.goA"..[n).../..-D..(r....!/.^fJ.#\.+....

C:\MSOCache\All Users\{90160000-0044-0409-0000-0000000FF1CE}-C\HOW-TO-DECRYPT-gn9cj.txt Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	Little-endian UTF-16 Unicode text, with CRLF, CR line terminators
Category:	dropped
Size (bytes):	3274
Entropy (8bit):	3.3969029202767174
Encrypted:	false
SSDEEP:	48:rLrZ6kkqzuDVm6eRU5oKDIBE2qxOzOwUq7ZU/d9PfDoIwe1Nn2oEdFdb:r/L+m6NJ6JOwZgd9PrRNQ
MD5:	0C6D0A67B942D06FE27F41C7C582CDFE
SHA1:	7E674CF6375B138CABCA2706583D4CED7A1AEF27
SHA-256:	014EA5EFFC97085B7832512B9AD2A5C4487265EB67E8D7B0920EF2BC8768400C
SHA-512:	53EC4509BC58F53419A8923D808C7DFDECF57DC203C37265D061AEBAB73147720D1C419E79578065A42C3B2A63504370F90516C3F0AFAD5D6997952592D3A39C
Malicious:	false
Preview:	..[.+.]. .W.h.a.t. .h.a.p.p.e.n.e.d.?. .[.+.].........Y.o.u.r. .f.i.l.e.s. .a.r.e. .e.n.c.r.y.p.t.e.d.,. .a.n.d. .c.u.r.r.e.n.t.l.y. .u.n.a.v.a.i.l.a.b.l.e... .Y.o.u. .c.a.n. .c.h.e.c.k. .i.t.:. .a.l.l. .f.i.l.e.s. .o.n. .y.o.u. .c.o.m.p.u.t.e.r. .h.a.s. .e.x.t.e.n.s.i.o.n. .*...g.n.9.c.j.....B.y. .t.h.e. .w.a.y.,. .e.v.e.r.y.t.h.i.n.g. .i.s. .p.o.s.s.i.b.l.e. .t.o. .r.e.c.o.v.e.r. .(.r.e.s.t.o.r.e.).,. .b.u.t. .y.o.u. .n.e.e.d. .t.o. .f.o.l.l.o.w. .o.u.r. .i.n.s.t.r.u.c.t.i.o.n.s... .O.t.h.e.r.w.i.s.e.,. .y.o.u. .c.a.n.t. .g.e.t. .b.a.c.k. .y.o.u.r. .d.a.t.a. .(.N.E.V.E.R.)...........[.+.]. .W.h.a.t. .g.u.a.r.a.n.t.e.e.s.?. .[.+.].........I.t.s. .j.u.s.t. .a. .b.u.s.i.n.e.s.s... .W.e. .a.b.s.o.l.u.t.e.l.y. .d.o. .n.o.t. .c.a.r.e. .a.b.o.u.t. .y.o.u. .a.n.d. .y.o.u.r. .d.e.a.l.s.,. .e.x.c.e.p.t. .g.e.t.t.i.n.g. .b.e.n.e.f.i.t.s... .I.f. .w.e. .d.o. .n.o.t. .d.o. .o.u.r. .w.o.r.k. .a.n.d. .l.i.a.b.i.l.i.t.i.e.s. .-. .n.o.b.o.d.y. .w.i.l.l. .c.o.o.p.e.r.a.t.e. .w.i.t.h. .u.s... .I.t.s. .

C:\MSOCache\All Users\{90160000-0044-0409-0000-0000000FF1CE}-C\InfoPathMUI.xml.gn9cj Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1058
Entropy (8bit):	7.800270725952644
Encrypted:	false
SSDEEP:	24:jKhvjXoUklNT8MhhZxTgB/vzMzqFDaPqmH1otTVl0imTyfKK:GhbXoUkl/ZxTq/7dmfWtRl0im8P
MD5:	8E703DB8745FE7806E33DC40ABBB3EB3
SHA1:	6A15B50036F49EFD46D981C8025184A13E985833
SHA-256:	403FB2496DDF85C0BAA13DF00C1C4273F1560F4028BF82420F682EC839A02B63
SHA-512:	8C7005313C6DFE57212FE658E6B5DA77819C837B815D2A254650EC990F59B573AD04AE108272C94CE455F5B545E710472E8245A99347E067F848183E3E06D9F4
Malicious:	false
Preview:	P.........6U...{RY..Q.8...CT....w.%.CT.lS..._ ....l..sh..R......$h..s...y.<...?..W.C.....n.x3..#..KZ.......... .[N.J"..,N....1....``.W.-..ZO..G.u../...z.#..g........vY.#-{..V..R&.\|.l....7a (..?._....=.....E.......x...$t`xP!...Z.K-...m`..\|....$.........Ig..b.Z#..M.{^..M).c.$Q.^,.[....?...Q...t.).i).I~.6(.&..G...5.j.a........-.>Q...U...7w.)..Rqi...K.)...'.o.=.AqO`.y+^I.D>-}$A.O.]$...M.k.p.{.[.....T...q6.._1~.....r.,....xp.~.Lb.r...e.....V.)5.........1.D....d.Jl.x...MK"...{h..3f3.2............n.\|.R......,...~...7.^.......=..........8.\|....^.h.~...R..<=to.;cO...xDf..\|.S.!.[.3[Y.{.\.Gdd..uD..2...\|.4.Y.<.....f .Z..5.._.My.q&...Qe"bJ..TO.Px...l..._[.YO.>. ...%.b!......j...J..k.XNF....K:...%....^....yS.(.r..........'./.<.#V":d...:.pk..I..l.<...05f.Z...^.~...{.y .vv..z...m.e..f..Vt.s?.O..V\#....>....+...#...(.....5d....Q..b.,q.....J.^o..L.)i0....ou</....=}.M.9.X.\|...1.~n.&.\|k.W-y.`.....VD.QF1'..k...Q.......B....t...=.~X..^...C..}.

C:\MSOCache\All Users\{90160000-0044-0409-0000-0000000FF1CE}-C\Setup.xml.gn9cj Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1069
Entropy (8bit):	7.8049675365874265
Encrypted:	false
SSDEEP:	24:b6J600wlTtwNoO4m9lSD3YI6fLrxqK3iCCGUtQLdjviwKadcism:y60ntnm+oI6PYyJCGOQLQWzl
MD5:	924FD6176F35CB743C45B270FA4D05F1
SHA1:	689B62BFE999587996AB1CE71C6D5C29B764101A
SHA-256:	714853C0BAEAE968D7A62B93809F6151E4490028206FFCBB19BE54F32455BCD3
SHA-512:	954E59DEC51E27E2129ED10B796BF2FEB95860462A2748615E1C574F9A8EF40DD2C878FE14943DEFE1D97E67BDE8482F966E718D4C6090941FC20F053F5B9B83
Malicious:	false
Preview:	."p..\|%...S......_.E5......Q..z..n._.\.O#l..f.....!..T}..{k...W.....x.S..\...j=5..b.@..bbI.I.$...}).G....+.S.S..8Eug.!.s..>...-...?u.v......59E.iD...$$`...".,.R$..sp.x..M.....5..d...L[......l9.....}......B0M....l..B....u~.J..........T.ZZ<...qQ^.$...x....X..Ak....\|.hM3...B3"w.....k..........#..b.p.SF=?...@...?...NT.......8.....v..2...T.66v.q....m..^..?@.....@l-.(..e^^..O.9.....#(..1[D.....SX.<6... /.9......(....r...a.2..:f..~E...D.p...Ap.?.t..g./l2.Y.........{.......Y.[:...x.....>dx..W.].....os8q..f(.ZgZl...Q....n.\|.R......,......`=.\....O.M\|..^i.\..j.v.@5...G.(...Gs<.\....R......j...[...XyS.X.....W\|Nd..z.Qe.v..A...4.c...Ga5-..C.~9...Wj<.~..v.kN.1....0l.E..^...m..O.9.y.Q..,....O..[v.".......,.Y.V...I.F......lp\}.!Y.f..&O.8.Rn.1....>....Z................<._4......v.....PT5v..p...UT.4U.n..jb....G]...C.g.3.$....>$..K.T...SM....%#....cueF.o.;'..\d.].\....z.hL.....qQ.i....N.Z...T.x...p..q....I4.y@....o.E.....!fX........(......F.n../."

C:\MSOCache\All Users\{90160000-0090-0409-0000-0000000FF1CE}-C\DCFMUI.xml.gn9cj Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1057
Entropy (8bit):	7.832906683278953
Encrypted:	false
SSDEEP:	24:iJKhaNdeIePw/MljKcJPj68oSYSvxK1+LCQfmfHehN:ikha0Ps7or6dS/vM1+mQf4+hN
MD5:	FFA92801E54013AED118BE9050A074B9
SHA1:	28B7D091A88215BE590256A0F528D0B19CB3A43B
SHA-256:	40972D053C7851CD63A3063F5D5322C67751FF6C7000573FBE7E403AECC29BB1
SHA-512:	1C0E1F8791A34CF2869A8823EBE90437199F1270A98776A43135EDA4E0159CC292C8680B73C861CC5C89050D3CD104EC45F3FE89B648231303D4D0B591D7167A
Malicious:	false
Preview:	.v....1....-eK.v;a=......n......J/..~>sge}..2Z..B..+..I...5.....b............{`.w.4.c....F...gO...=....a}..G.......&...K....gw...dk..w...n...,.R..T..b?aK........wv...g..J....22....E.k..tV&...((.Z...MhU......6.p..=.G.%.....).V$@!...y....u."......\|..............2.7Ww.2;....g7i.\...o.....+.../.s...0.cD.1..B.....H.`..$>..W......@..y{..F.g..RMD..G"...>.z.9..\.^..J..6).E..... l._.{...X.....u....Mp...A.....\....hB.~=..].=).x......}...v.Eh.....G....TH.u....{..........#'#...&.5a.W.._...y`.. .>.H.......n.\|.R......,i7(0..w..=k...6.l.........<3qAw-......1.......A.[93..9.2Xo.rm2tn...xWD..n+.....?.E.........P.Vg..I..E.i..o,\....Q......H._VC,./-.0.x...$..l. J..SgY._......$....oT#..'{..{.0~r..N.W7[..H5.....L......'.3...b.0..9S..b.G...PxA..c.3.5..p..h........-1..].1ZPD..ai..N8..z.._........b..q.1...yN....F.(.....`.ny.\...A...u...t.\|=e...#.2.b....'..d.......5C...M..O.mQ.vwg.....;.R....[.!.+..k.8..+.l....=.S.}...s.MF.......,..O>.s..L..J.V-0hS.G>...

C:\MSOCache\All Users\{90160000-0090-0409-0000-0000000FF1CE}-C\HOW-TO-DECRYPT-gn9cj.txt Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	Little-endian UTF-16 Unicode text, with CRLF, CR line terminators
Category:	dropped
Size (bytes):	3274
Entropy (8bit):	3.3969029202767174
Encrypted:	false
SSDEEP:	48:rLrZ6kkqzuDVm6eRU5oKDIBE2qxOzOwUq7ZU/d9PfDoIwe1Nn2oEdFdb:r/L+m6NJ6JOwZgd9PrRNQ
MD5:	0C6D0A67B942D06FE27F41C7C582CDFE
SHA1:	7E674CF6375B138CABCA2706583D4CED7A1AEF27
SHA-256:	014EA5EFFC97085B7832512B9AD2A5C4487265EB67E8D7B0920EF2BC8768400C
SHA-512:	53EC4509BC58F53419A8923D808C7DFDECF57DC203C37265D061AEBAB73147720D1C419E79578065A42C3B2A63504370F90516C3F0AFAD5D6997952592D3A39C
Malicious:	false
Preview:	..[.+.]. .W.h.a.t. .h.a.p.p.e.n.e.d.?. .[.+.].........Y.o.u.r. .f.i.l.e.s. .a.r.e. .e.n.c.r.y.p.t.e.d.,. .a.n.d. .c.u.r.r.e.n.t.l.y. .u.n.a.v.a.i.l.a.b.l.e... .Y.o.u. .c.a.n. .c.h.e.c.k. .i.t.:. .a.l.l. .f.i.l.e.s. .o.n. .y.o.u. .c.o.m.p.u.t.e.r. .h.a.s. .e.x.t.e.n.s.i.o.n. .*...g.n.9.c.j.....B.y. .t.h.e. .w.a.y.,. .e.v.e.r.y.t.h.i.n.g. .i.s. .p.o.s.s.i.b.l.e. .t.o. .r.e.c.o.v.e.r. .(.r.e.s.t.o.r.e.).,. .b.u.t. .y.o.u. .n.e.e.d. .t.o. .f.o.l.l.o.w. .o.u.r. .i.n.s.t.r.u.c.t.i.o.n.s... .O.t.h.e.r.w.i.s.e.,. .y.o.u. .c.a.n.t. .g.e.t. .b.a.c.k. .y.o.u.r. .d.a.t.a. .(.N.E.V.E.R.)...........[.+.]. .W.h.a.t. .g.u.a.r.a.n.t.e.e.s.?. .[.+.].........I.t.s. .j.u.s.t. .a. .b.u.s.i.n.e.s.s... .W.e. .a.b.s.o.l.u.t.e.l.y. .d.o. .n.o.t. .c.a.r.e. .a.b.o.u.t. .y.o.u. .a.n.d. .y.o.u.r. .d.e.a.l.s.,. .e.x.c.e.p.t. .g.e.t.t.i.n.g. .b.e.n.e.f.i.t.s... .I.f. .w.e. .d.o. .n.o.t. .d.o. .o.u.r. .w.o.r.k. .a.n.d. .l.i.a.b.i.l.i.t.i.e.s. .-. .n.o.b.o.d.y. .w.i.l.l. .c.o.o.p.e.r.a.t.e. .w.i.t.h. .u.s... .I.t.s. .

C:\MSOCache\All Users\{90160000-0090-0409-0000-0000000FF1CE}-C\Setup.xml.gn9cj Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1056
Entropy (8bit):	7.8237064316413365
Encrypted:	false
SSDEEP:	24:Eu9Xr9P5oK59lI1pxjQB5Yo9boTLN/QQPHd0rNoTzAGRA/nKwQAq:VJPP/gvQYKbEtP90r+9RASIq
MD5:	FB165D2BB3C5254BDE3D5C376B34B7D6
SHA1:	292F8971606109BCECA3583403DB9EDB2B337FA3
SHA-256:	3D001D29E9EA653B3299BC818732DEAF74E6DFDFF31D85DAD67BE64EA44611DB
SHA-512:	1AA134ADA2635BA943398144BC1EF33E137D6BA3F7CE00DCBCB3EC3FFDB1333C7C60B045BD3DD2B50FE679AAC1AF58C5FB2C0592B0D9B624ED069810702212F5
Malicious:	false
Preview:	...L.5.?.m........-)#..I8K..zb[w.u.y.f.:..p1.&..l.<y..)).!2.........d.r].B...F_G...J.P.Q.\|.z.....#(.\|...L..D.....2.......~..''/.'....u+j!K/.....kL;.s......z..........X~.v.P...g..m...\|.{x~TqC>..D..=o/.0...@...A$-~....Q..../9.....%B....X6b....B.........U.iz..a.J.B7ge,.....I..T..-F..R..4..n.1..KD.r...V.rb..##.....d...W.4m.....w.]..c.A.z...8....`....n..].U.:`dmK'....x^...z.C....@.@J'....#O./..{ZL..S#.`..#t.{G..D...T.....=A.h.}$...].......=.q.{7..uy\.;lE%..i.y........uY.`:R.Q./D..0S.o.....IA.4..GO.g2.....n.\|.R......,.....&.C.Z..3.L...^..n...[.3.n.].w.\|..~.1.@.e.t07....T..&.....q.3,d.....5t.......2. .,.....Z...0.C..C#...Q......m..GdH..Y..E.T..%.0...]8..,{.^@..L2....j.V..+..p.}..e9...j./TReG.h.....:...,. .."..f..6.....5.F.W-{f..g...RZE.2~H...~_g.O..b.....b.......N.FO..L.0.1v.`....l...c........5..B .oU>.D.G..?Q./..p..;?U..'z;......&v..U..p..F.(..w..(..l.>...Wp^y....>...c...n.v...d..IW.y[>.+0..E....z..f..#.1.!...7.h..S..N.:wV.C..<.J.V%./....

C:\MSOCache\All Users\{90160000-00A1-0409-0000-0000000FF1CE}-C\HOW-TO-DECRYPT-gn9cj.txt Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	Little-endian UTF-16 Unicode text, with CRLF, CR line terminators
Category:	dropped
Size (bytes):	3274
Entropy (8bit):	3.3969029202767174
Encrypted:	false
SSDEEP:	48:rLrZ6kkqzuDVm6eRU5oKDIBE2qxOzOwUq7ZU/d9PfDoIwe1Nn2oEdFdb:r/L+m6NJ6JOwZgd9PrRNQ
MD5:	0C6D0A67B942D06FE27F41C7C582CDFE
SHA1:	7E674CF6375B138CABCA2706583D4CED7A1AEF27
SHA-256:	014EA5EFFC97085B7832512B9AD2A5C4487265EB67E8D7B0920EF2BC8768400C
SHA-512:	53EC4509BC58F53419A8923D808C7DFDECF57DC203C37265D061AEBAB73147720D1C419E79578065A42C3B2A63504370F90516C3F0AFAD5D6997952592D3A39C
Malicious:	false
Preview:	..[.+.]. .W.h.a.t. .h.a.p.p.e.n.e.d.?. .[.+.].........Y.o.u.r. .f.i.l.e.s. .a.r.e. .e.n.c.r.y.p.t.e.d.,. .a.n.d. .c.u.r.r.e.n.t.l.y. .u.n.a.v.a.i.l.a.b.l.e... .Y.o.u. .c.a.n. .c.h.e.c.k. .i.t.:. .a.l.l. .f.i.l.e.s. .o.n. .y.o.u. .c.o.m.p.u.t.e.r. .h.a.s. .e.x.t.e.n.s.i.o.n. .*...g.n.9.c.j.....B.y. .t.h.e. .w.a.y.,. .e.v.e.r.y.t.h.i.n.g. .i.s. .p.o.s.s.i.b.l.e. .t.o. .r.e.c.o.v.e.r. .(.r.e.s.t.o.r.e.).,. .b.u.t. .y.o.u. .n.e.e.d. .t.o. .f.o.l.l.o.w. .o.u.r. .i.n.s.t.r.u.c.t.i.o.n.s... .O.t.h.e.r.w.i.s.e.,. .y.o.u. .c.a.n.t. .g.e.t. .b.a.c.k. .y.o.u.r. .d.a.t.a. .(.N.E.V.E.R.)...........[.+.]. .W.h.a.t. .g.u.a.r.a.n.t.e.e.s.?. .[.+.].........I.t.s. .j.u.s.t. .a. .b.u.s.i.n.e.s.s... .W.e. .a.b.s.o.l.u.t.e.l.y. .d.o. .n.o.t. .c.a.r.e. .a.b.o.u.t. .y.o.u. .a.n.d. .y.o.u.r. .d.e.a.l.s.,. .e.x.c.e.p.t. .g.e.t.t.i.n.g. .b.e.n.e.f.i.t.s... .I.f. .w.e. .d.o. .n.o.t. .d.o. .o.u.r. .w.o.r.k. .a.n.d. .l.i.a.b.i.l.i.t.i.e.s. .-. .n.o.b.o.d.y. .w.i.l.l. .c.o.o.p.e.r.a.t.e. .w.i.t.h. .u.s... .I.t.s. .

C:\MSOCache\All Users\{90160000-00A1-0409-0000-0000000FF1CE}-C\OneNoteMUI.xml.gn9cj Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1063
Entropy (8bit):	7.833110963191218
Encrypted:	false
SSDEEP:	24:kMBhjurVLEQR6gSNR4w1eo0HEoeCPp0ZS9s/jvHapuzTp07lunHCrKW4aAlI:3furqQNjboCX5Ppt9eu8HpKlCCaxlI
MD5:	D8164EDF70E0D09216C8E5FF3E6028D0
SHA1:	4F847341AE2465B4120F7F4758D2111E2F481E27
SHA-256:	13D7283D878222558C76FAC052369F4DF0C833B92A2F392DEE3D0D78071E5C39
SHA-512:	7981A9835AD553D0FAB583C7425C1B25769FBFAFD86BB13AEB0B260EFCFF4C533954C923FC754CA36140633031F709D06BAF955DEC5BFF7B96B48812FCD776EC
Malicious:	false
Preview:	..4..:..`...8..{..#.....i'..q..z.....^g..f..\dsTP.J..U.Mc....;.d..8'....c5.q.AaH?..g.w..&g..+....Y.!..R.......&l..+>NO.Z}..D1....9.D^^.kKG].......-...)..D.(mi.}.Y/.:..7....bn...:..\|b.ADm.<.Z\=~."......R,.lCDpPR.l.tW3....6;.3.)...i...l.2.U..Fwc.a..P...2..Np.J....F.?b?(......I.....A..#...B..%..f_.%Db..p..0..Bw^.SX...M._tG..J...I....~.-=..$pe e.B'..A.n.Dg........"....[.:..u..a...BY.!......n?)5.,~4.6.....>...\|'..mp.F/.(....z..K....Pps.../Z.Y/a.(.......j..C&.`....e.k.)z....0v..&q.\|..f.0.\....c.Y..R?..#w............n.\|.R......,j0..t...g.l...5......z...0f..^\T..X....$.....z...a.B....... .n0-k....}/b..Z4.....BX\|D........V...)ER..h...:e[s...x................'...z...~ut.>..."u..q.R.)..%...}.69..R...8....'....sF.KQY...[s. 9dl. ..3.oE.A.....=.x..aA.P.{...$..7..-....$3S........f.Tn.k.%..-g./.6c..P...;.u..)....k..,..u... $.J._G.g.A..K.{h..::..U5..L..S...+..^...-.>F...pP#..v...QN....M..l..>....\|`.oV..gHr.#.....B........O..n...z.B..E..o...;.....!.....

C:\MSOCache\All Users\{90160000-00A1-0409-0000-0000000FF1CE}-C\Setup.xml.gn9cj Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1057
Entropy (8bit):	7.807797100608002
Encrypted:	false
SSDEEP:	24:v7eYcIdUHRpIuF7apb/BVmUlJUk0mnwI2IFlcVYK:jmICGnpDtvwliGl
MD5:	665EBCFC8C1CCF406896B5FA8FA2265A
SHA1:	D87BA16241918ED6C5C2301C6EA59944E06AB39C
SHA-256:	DCC56BFB7B060E3100E213F8EF5155BBC4C725A2A73867AD5042B881DAEC7BC2
SHA-512:	77349D8770A498EBE916F2B7686D90B5435C21D2828A33601F708097E2D977E0A8AB9828D1B0C0A71FB5BFE903BEF7F7EC44D75F6FCC8342C091A205600ECD34
Malicious:	false
Preview:	......l.Z..A..'"%..}...K...[[.~...1.....v.i..TE..XV...C..S...mxupX..d.#...l.-..cK..y=4...<.T.1....l...p.4<.-...f..........l`..se.v......&.w..\|._p.a{......9K1/.^..r..v..3..S.6.J..c..V.~......Z..Q.t...g..%q........Q).t{..8.Hp!B...Y.cw..{_.I2......._..bY.,..[.4k...u.G....!.H.\|......U...8.R.]&....."...."..`.T8R.IS... 1......h..A.....x2......x..'tb,&.6}.nREsEbz..l'N.%..j4 ..2..f.7..g..O8n...........6l.....K/..Y.7:.Zh(...G........D..%..<qT:;.H.h.....W[".......4.h7p.hf.7..89.....A.....r......Z...s.3l...........n.\|.R......,....[..5..*-d....^._^w;.`T.....i.. .w.K...&......3..`.zx.ARMk.B...u.YA.F....1....r$n....9.UM...t.r..KP...(2x..g..g.....h.{E.....;...j=).....h.J......r.Hd.}a......#<.<...$..+/..z....C: ...t+(....q..oo..g..p.......>....{..q...\|\|E...D.kO..5...x.....b^..]G..54p.p0D.q...R.\}m@.....5..S.DI.<..mW..GQhT<<.elv.CL@$t..Xc.(.7!dq....k.xi&.=.. ......^86.r\|.H..+.?`.N..%....FY..J..d&.C...i...K.4..o.8f\|.w.j...t.%4.~.....i...}.+...t.........Y..{.K.m>yE.

C:\MSOCache\All Users\{90160000-00BA-0409-0000-0000000FF1CE}-C\GrooveMUI.xml.gn9cj Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1066
Entropy (8bit):	7.818871629225453
Encrypted:	false
SSDEEP:	24:lN//XKyc1IR/DJQmrK91TmliVsxp+D3soJa7d3+9A:lNnKygIR/3rUTBo+wj
MD5:	F3969ED9E220FEC683C203470A99DB47
SHA1:	04EBADECC3BD26C4A911806742B04490B2E8D105
SHA-256:	1C453F0A500A25F81A7631D9B5C97156FCC9263838F764799D0EF34642352450
SHA-512:	3AD92258ABA1690EA26E9D376182518BAE9AE85F537C00BC66ACF93A4EF1552BAB9DDA5FD80B4E640AD11B8D75907D0C3C924015B33C697E41AFEEDD4D0518ED
Malicious:	false
Preview:	..rjm....'n..... .n....N...[bw..J..:o.k.....q..g.....L...YV..39.h...q.<.K..j'cs...V...../..B.of..3.gZG:...n..yj.Y.....WcC.D.?...g.!.Q........[mY.....}{....%.....R`d."u...8.>..[.v}&)!-wl_.5...[.E.......XJ..,..y.....:..R.\.........Z^:....0..sM.^Z4g..S..h5i3...,;. .+7.A)....G...^....>.-.....H-\...q.T.H.O..S..)`u.s:...z=&Z.]..T...[..a..`..06&n....c.UW.[r`.R...w...D.."BH.[YHNl..6JS^..k..l.......'.`..Q..$`iV.4(@u.......N.u.\|-...Ji.g..]...../"7;y..6"s.x..........MK.@.8..L.g..T.~X?,"......B.P...!o.W.EZ.8(P.Y.i.8..F.s......n.\|.R......,..2..<1......3..0.2Y./.y0.r.....D)....(...~x....}OU..iruUc....!t.8.K...16 S........v..5O....K.'37bH.)..y...K#.k=...5.\|..W[.+.x..TL....Iwg...s.U.dTC9....fXu.{.uDy...t=....$.......z.;..C.....u.....p2..Z$.....l.s.i.G.zZl./j..`...Y.&....J:.A.p..<f..x..,/h..........._.U.$...c..o.IK..S.......C"+.....)..]......!......8....N9..$...uN...V......k...,N./B...m..I.......4..8..1...!.........n..%hdi.....^z p.<...v.....~..R]........Q......K\|.

C:\MSOCache\All Users\{90160000-00BA-0409-0000-0000000FF1CE}-C\HOW-TO-DECRYPT-gn9cj.txt Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	Little-endian UTF-16 Unicode text, with CRLF, CR line terminators
Category:	dropped
Size (bytes):	3274
Entropy (8bit):	3.3969029202767174
Encrypted:	false
SSDEEP:	48:rLrZ6kkqzuDVm6eRU5oKDIBE2qxOzOwUq7ZU/d9PfDoIwe1Nn2oEdFdb:r/L+m6NJ6JOwZgd9PrRNQ
MD5:	0C6D0A67B942D06FE27F41C7C582CDFE
SHA1:	7E674CF6375B138CABCA2706583D4CED7A1AEF27
SHA-256:	014EA5EFFC97085B7832512B9AD2A5C4487265EB67E8D7B0920EF2BC8768400C
SHA-512:	53EC4509BC58F53419A8923D808C7DFDECF57DC203C37265D061AEBAB73147720D1C419E79578065A42C3B2A63504370F90516C3F0AFAD5D6997952592D3A39C
Malicious:	false
Preview:	..[.+.]. .W.h.a.t. .h.a.p.p.e.n.e.d.?. .[.+.].........Y.o.u.r. .f.i.l.e.s. .a.r.e. .e.n.c.r.y.p.t.e.d.,. .a.n.d. .c.u.r.r.e.n.t.l.y. .u.n.a.v.a.i.l.a.b.l.e... .Y.o.u. .c.a.n. .c.h.e.c.k. .i.t.:. .a.l.l. .f.i.l.e.s. .o.n. .y.o.u. .c.o.m.p.u.t.e.r. .h.a.s. .e.x.t.e.n.s.i.o.n. .*...g.n.9.c.j.....B.y. .t.h.e. .w.a.y.,. .e.v.e.r.y.t.h.i.n.g. .i.s. .p.o.s.s.i.b.l.e. .t.o. .r.e.c.o.v.e.r. .(.r.e.s.t.o.r.e.).,. .b.u.t. .y.o.u. .n.e.e.d. .t.o. .f.o.l.l.o.w. .o.u.r. .i.n.s.t.r.u.c.t.i.o.n.s... .O.t.h.e.r.w.i.s.e.,. .y.o.u. .c.a.n.t. .g.e.t. .b.a.c.k. .y.o.u.r. .d.a.t.a. .(.N.E.V.E.R.)...........[.+.]. .W.h.a.t. .g.u.a.r.a.n.t.e.e.s.?. .[.+.].........I.t.s. .j.u.s.t. .a. .b.u.s.i.n.e.s.s... .W.e. .a.b.s.o.l.u.t.e.l.y. .d.o. .n.o.t. .c.a.r.e. .a.b.o.u.t. .y.o.u. .a.n.d. .y.o.u.r. .d.e.a.l.s.,. .e.x.c.e.p.t. .g.e.t.t.i.n.g. .b.e.n.e.f.i.t.s... .I.f. .w.e. .d.o. .n.o.t. .d.o. .o.u.r. .w.o.r.k. .a.n.d. .l.i.a.b.i.l.i.t.i.e.s. .-. .n.o.b.o.d.y. .w.i.l.l. .c.o.o.p.e.r.a.t.e. .w.i.t.h. .u.s... .I.t.s. .

C:\MSOCache\All Users\{90160000-00BA-0409-0000-0000000FF1CE}-C\Setup.xml.gn9cj Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1064
Entropy (8bit):	7.803086106907276
Encrypted:	false
SSDEEP:	24:KjOEfDeNv/aDGzoALqOUTAUIZ9aThttU4FXkyZqUp4wVwYwGsSDlpA6eF5HA+:KjOEfDelS+xLqOCK/iTU4FXVZqUdVwFZ
MD5:	1C0650B3CE032385DC4D17228D603383
SHA1:	E535F387A24DE52D33998C4D900D1693D40F0A7F
SHA-256:	67C5D58BD5F2D94D52A672417BF95CDB8BA15A4650907F8CB3A2754BD532EC7E
SHA-512:	3B3FF63831CFDDE91DBCB3611B42C00B57FA12254CD801926984048B42E69B2A1D2DC442BD1750926D3B51E5484FBA2799742A7CFD95E1691A1164E4C8520943
Malicious:	false
Preview:	.v.3B.. `.`.zj..$m....`r.....>.....0.....dJ..&O.@..UsO..0`..:.i..P.7i......3].$.k..... .>b2.w.....Ky.{.-+-.O1gU.;%..n..WH....~.e....a2FH......j.4\|.....^...s.3. ..{..b...i...l..q.().,`..".M.K...:.....8_......n.vpc.=..lW6.f....O.....I}].u.aT..i..k^...d...t..8Y..za.."...O....n.......#.......w#..x.H.OX..F{...oKxx....1..N..QE.QedPZr..G..........".!..L....b.8....KNA&S$0.?].\|>c.._`d/.6..B.....m..Y..J... .>......U.X..wT..?..oc....'..E{.^gi.Jx\|Mjp..A\|..}.vM.....B74..i.zAQ....n....M:$%{ZrD.4V..]..r.=..zg.2."......n.\|.R......,..{n.VOp[.R.^..X.y@.....Yx+.C`..U.....h!AM..Bw...."...)4c.3H+...w...Q.K.lR......R..n..xs"{..M..?"....i?......z$.0....#....\|Vz.....L..$1..%.4..1.-..>P....n.Tx.l...34.Hp....(...s...o.."^....\........_g...8....kI...%..~..9.I.b...p.'. O.Y..q..)C...Q...H...j.ST.....G.`.. 2....x.=s}_...^Fn.......~.$...W.oat..#+4.U.....J.Nnx...CL....r6....:...J6.K.M9(a...pN.(0+. gp........x7%.8..d.J{.l..Z...Q....4....L.1.soWv.Z..*.x.`.G

C:\MSOCache\All Users\{90160000-00E1-0409-0000-0000000FF1CE}-C\HOW-TO-DECRYPT-gn9cj.txt Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	Little-endian UTF-16 Unicode text, with CRLF, CR line terminators
Category:	dropped
Size (bytes):	3274
Entropy (8bit):	3.3969029202767174
Encrypted:	false
SSDEEP:	48:rLrZ6kkqzuDVm6eRU5oKDIBE2qxOzOwUq7ZU/d9PfDoIwe1Nn2oEdFdb:r/L+m6NJ6JOwZgd9PrRNQ
MD5:	0C6D0A67B942D06FE27F41C7C582CDFE
SHA1:	7E674CF6375B138CABCA2706583D4CED7A1AEF27
SHA-256:	014EA5EFFC97085B7832512B9AD2A5C4487265EB67E8D7B0920EF2BC8768400C
SHA-512:	53EC4509BC58F53419A8923D808C7DFDECF57DC203C37265D061AEBAB73147720D1C419E79578065A42C3B2A63504370F90516C3F0AFAD5D6997952592D3A39C
Malicious:	false
Preview:	..[.+.]. .W.h.a.t. .h.a.p.p.e.n.e.d.?. .[.+.].........Y.o.u.r. .f.i.l.e.s. .a.r.e. .e.n.c.r.y.p.t.e.d.,. .a.n.d. .c.u.r.r.e.n.t.l.y. .u.n.a.v.a.i.l.a.b.l.e... .Y.o.u. .c.a.n. .c.h.e.c.k. .i.t.:. .a.l.l. .f.i.l.e.s. .o.n. .y.o.u. .c.o.m.p.u.t.e.r. .h.a.s. .e.x.t.e.n.s.i.o.n. .*...g.n.9.c.j.....B.y. .t.h.e. .w.a.y.,. .e.v.e.r.y.t.h.i.n.g. .i.s. .p.o.s.s.i.b.l.e. .t.o. .r.e.c.o.v.e.r. .(.r.e.s.t.o.r.e.).,. .b.u.t. .y.o.u. .n.e.e.d. .t.o. .f.o.l.l.o.w. .o.u.r. .i.n.s.t.r.u.c.t.i.o.n.s... .O.t.h.e.r.w.i.s.e.,. .y.o.u. .c.a.n.t. .g.e.t. .b.a.c.k. .y.o.u.r. .d.a.t.a. .(.N.E.V.E.R.)...........[.+.]. .W.h.a.t. .g.u.a.r.a.n.t.e.e.s.?. .[.+.].........I.t.s. .j.u.s.t. .a. .b.u.s.i.n.e.s.s... .W.e. .a.b.s.o.l.u.t.e.l.y. .d.o. .n.o.t. .c.a.r.e. .a.b.o.u.t. .y.o.u. .a.n.d. .y.o.u.r. .d.e.a.l.s.,. .e.x.c.e.p.t. .g.e.t.t.i.n.g. .b.e.n.e.f.i.t.s... .I.f. .w.e. .d.o. .n.o.t. .d.o. .o.u.r. .w.o.r.k. .a.n.d. .l.i.a.b.i.l.i.t.i.e.s. .-. .n.o.b.o.d.y. .w.i.l.l. .c.o.o.p.e.r.a.t.e. .w.i.t.h. .u.s... .I.t.s. .

C:\MSOCache\All Users\{90160000-00E1-0409-0000-0000000FF1CE}-C\OSMMUI.xml.gn9cj Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1069
Entropy (8bit):	7.782536143791128
Encrypted:	false
SSDEEP:	24:THAUoEDeniAFueAcUv8TyhGyXqwU8ypDonsRToKxP:0U9eniAFurcUfGGU2nQN
MD5:	714AADA68515AFF4C18A9BBDDE05FAF2
SHA1:	D56DDC2BDC82C3E7CB555F0D07F6200FBF9B9A90
SHA-256:	524732AD9762C3B8012F2A379C5D37C40E8E977060438A9F210F09804771B4D7
SHA-512:	693F7199CE6E873B89D26280CBE6907B26C408349E30E14A35CA09AA08A2A15AA287A9C049C7357A2887F56B65F22A69D7C45FB3A4787DE026106DAFB7A439A2
Malicious:	false
Preview:	Xi..J....>fX.!\.E...3....-..3.v.\|`.....T.xI..+z......{..t\..>.A&z........A..e....G..(.\|..:.5J.4...".\u.....5..~...e.+.M..u.0.u...I......Y.a...-.....0.E..p4..k6.L.B^..OS.m.#[.Ho5=.3...O..{.F....=.!.^..\.Y.U..,......eC.....2q..Y.."..........}.......[k.60$7q)..............pk.n.i.......k...O.\.v.Of.5..,85.3..e..c.h~b...{^..P.._d-..@7"..I...yB..]u<..Z..Y........P^....<..0a=xR=...RN...2OB.&:.U.....<x....7h..\L..h8E...N..=T]_.}K...N..t3....Fo..6z.Fg.n.i6r"W.a..-%a\$....}.?...4..=....h.`,I..h.:xgJ.`9.x....n.\|.R......,\.....S$.e...T...b=....Q.2>d39.OK...Q].Y./k..B^......vS!6qB.B..F..:.NO@D.&.o..D.9..v.0s...[^..3\...ss.P..{j....,n..!......"..vT...Y.l....X.Iyc......m......x.hm...M.Gv..e.Q.Z.}........e...I.c..A-...x....E<.0.^.Z....%...n/g...m&....v^.4...c.-.m..._.L.g,.....%.v.........R...T.=\..R..ou..nK..`...........2...9..gx..3....jDH.....B..........m......50.D.v....@2czr..wdB....?..X.$.d..u..Q....xo..m*!yK(...HD....m...

C:\MSOCache\All Users\{90160000-00E1-0409-0000-0000000FF1CE}-C\Setup.xml.gn9cj Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1066
Entropy (8bit):	7.834917633298536
Encrypted:	false
SSDEEP:	24:IplTqA2CCY0+TOPXNI3ADElqODUWTbpY13g3s4oPJh1lHr:Ip57bCY01XNgADEjov13gd6Jdr
MD5:	F2A0BD956DB7F7BCA1085E128F06B97E
SHA1:	2D9BF9C14001D8D6611655F2D6682BC213BEDD4C
SHA-256:	CCBE23C5E99A581FCFBA72F48F0E6CE01961091E74B95DCE80F600CAB8B65FB6
SHA-512:	CD51946C629E024088F8F3FDB528D74B99714B8128804744B09A7E8B49E9A0553197007823E7A6DC81339BC96D25255B8A598B64D8D1F180347F58155ACC87D2
Malicious:	false
Preview:	......<.u.D..!..(p.....;.....7.s..g...0D.Yu...j69.NK).pR....:..3.........4.4.G...1.)......Ep.! ..>o..}.m.ML.b.........Y..bR.v.....F..QO..{.03./.W...v.\|.%%.p..E'.0u..@......t.....#........4<....P\...'.8..H.(.q..+...:.`.>..&l....$..<.#`...gV.K..1....;l.%..Z.'.B..?..<..H'...Y........<.(..{.......A.Z..9....z....&zQ..>...{.`..m.A.!<l..,.......U.>z.......=...l@....@..1V....^...3.Y.s.R\....`Q.....G..>.=)D}.>.+.......c..XQ.ey..<Q.\\|.h..g.A~"!.+F...U.-o...,.Mu={.{."...4...e-D.........<..Z.).EK.x>....p.k.)<........J.....n.\|.R......,B..2...zOYy.'f..*D.....N..>..a.=.. .U~...-.Z....;{.9e.A....W...c......>"4...q.A]...>.....PV..W....H...`..jY7...&?...Z.ph.2{;.........\|...@.,...D..a.......).Fh.0P..._...7-6J.Z._....S..c....%\|...).G...'..../.M.....U...]..'...\...u..1.c3.....=..a.#X.J...r..z....d..U}X<.O/Y....T.....o..MJXC1f..9.Pu.S.&XBH..h. I.........n..[.1..x.Gr....;$.........m.....[....[..w.?...1....$.....3...N.P.,.]$0P.iEc...).z.j.E:.z7.u......L4K.b.=z.R.

C:\MSOCache\All Users\{90160000-00E2-0409-0000-0000000FF1CE}-C\HOW-TO-DECRYPT-gn9cj.txt Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	Little-endian UTF-16 Unicode text, with CRLF, CR line terminators
Category:	dropped
Size (bytes):	3274
Entropy (8bit):	3.3969029202767174
Encrypted:	false
SSDEEP:	48:rLrZ6kkqzuDVm6eRU5oKDIBE2qxOzOwUq7ZU/d9PfDoIwe1Nn2oEdFdb:r/L+m6NJ6JOwZgd9PrRNQ
MD5:	0C6D0A67B942D06FE27F41C7C582CDFE
SHA1:	7E674CF6375B138CABCA2706583D4CED7A1AEF27
SHA-256:	014EA5EFFC97085B7832512B9AD2A5C4487265EB67E8D7B0920EF2BC8768400C
SHA-512:	53EC4509BC58F53419A8923D808C7DFDECF57DC203C37265D061AEBAB73147720D1C419E79578065A42C3B2A63504370F90516C3F0AFAD5D6997952592D3A39C
Malicious:	false
Preview:	..[.+.]. .W.h.a.t. .h.a.p.p.e.n.e.d.?. .[.+.].........Y.o.u.r. .f.i.l.e.s. .a.r.e. .e.n.c.r.y.p.t.e.d.,. .a.n.d. .c.u.r.r.e.n.t.l.y. .u.n.a.v.a.i.l.a.b.l.e... .Y.o.u. .c.a.n. .c.h.e.c.k. .i.t.:. .a.l.l. .f.i.l.e.s. .o.n. .y.o.u. .c.o.m.p.u.t.e.r. .h.a.s. .e.x.t.e.n.s.i.o.n. .*...g.n.9.c.j.....B.y. .t.h.e. .w.a.y.,. .e.v.e.r.y.t.h.i.n.g. .i.s. .p.o.s.s.i.b.l.e. .t.o. .r.e.c.o.v.e.r. .(.r.e.s.t.o.r.e.).,. .b.u.t. .y.o.u. .n.e.e.d. .t.o. .f.o.l.l.o.w. .o.u.r. .i.n.s.t.r.u.c.t.i.o.n.s... .O.t.h.e.r.w.i.s.e.,. .y.o.u. .c.a.n.t. .g.e.t. .b.a.c.k. .y.o.u.r. .d.a.t.a. .(.N.E.V.E.R.)...........[.+.]. .W.h.a.t. .g.u.a.r.a.n.t.e.e.s.?. .[.+.].........I.t.s. .j.u.s.t. .a. .b.u.s.i.n.e.s.s... .W.e. .a.b.s.o.l.u.t.e.l.y. .d.o. .n.o.t. .c.a.r.e. .a.b.o.u.t. .y.o.u. .a.n.d. .y.o.u.r. .d.e.a.l.s.,. .e.x.c.e.p.t. .g.e.t.t.i.n.g. .b.e.n.e.f.i.t.s... .I.f. .w.e. .d.o. .n.o.t. .d.o. .o.u.r. .w.o.r.k. .a.n.d. .l.i.a.b.i.l.i.t.i.e.s. .-. .n.o.b.o.d.y. .w.i.l.l. .c.o.o.p.e.r.a.t.e. .w.i.t.h. .u.s... .I.t.s. .

C:\MSOCache\All Users\{90160000-00E2-0409-0000-0000000FF1CE}-C\OSMUXMUI.xml.gn9cj Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1070
Entropy (8bit):	7.786007426496121
Encrypted:	false
SSDEEP:	24:E0rt//30yRStHre290mSxvda6+uDc3UGXxWNCedSFKwjeDWWE8:E60wQ70h9dahsc3zXxKb8Vyj
MD5:	739F876D00BDF24AFDA1E384F72F5369
SHA1:	7678708ACC40CF15CD4083301433D7C4DDD7994C
SHA-256:	9D889C3D31D5277247413438AF9D9B1CAA2E94D302CBDE5357F4A87C559EA84A
SHA-512:	958288674C75FB7AD2A5FAB38946EF5FDE45EFE0BD35FDD6420888174823E9557D281DD4C04CC52F029F24831FAE2A424B7A7C5C152060A0FD789F17AE496868
Malicious:	false
Preview:	.r.DC............K\$..w..}..uz..5....+D.../...>...!pe?.>.........:q.{t....WW...h.0?.N.._2.......W.............dA.@h........fS..t..1..s....2..k.....\|j..V@..w...\..u.@.Pp'\|..T.."...0.$....j..W..Im.............`....%...II......>.Mf.f..Ix!Q.!.......l.b.S.}=....hb..@.....mMP...wM..........F. ..=.;}..'J3w...p.O.$.-...VQ.m.l@..[....}_.....LP.S_.z...1l,J.a$.HM.6..w,l.I. y..uk....,......^.K.Gy....m.l6C.(.\|....m..g..1TP.K.....;.L.u.........)..w.#9.4nt.S..K..!.z(..I..Lo......p._..g......K....i...D,S..[........n.\|.R......,...q.....A.....]_..a............\yt.#....K..W.v..~..5?......y...a.m@....%z.....T....l..]..(2.z.K.......8M......_.?2.g... ...jd~....BG...H...1.mY7..{.m".r.o.K.T.x......o.;.Q.O...X........D..Y.....o..-.J]..\|........u[.&.+...z!.D...I.K.T]s.4T.6..Me..........t.u...... .5....\.#Ww.l.6..].-F{B.,..#. ..ri..5U.'.....3....S..wL.Ty.P%.w..8.h.H..2S.f..J.....z...\|... ;.E....M.C.tH..dy.9......H!.A.0....s............^.2z.f..pGQP!.

C:\MSOCache\All Users\{90160000-00E2-0409-0000-0000000FF1CE}-C\Setup.xml.gn9cj Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1066
Entropy (8bit):	7.806377286776265
Encrypted:	false
SSDEEP:	24:tjfPVhCS1cuIgxHI0ZnKPLt6/HrVjrnr2/KnBm638P2:B7CS1cxg1IRPLtehiKnH8P2
MD5:	A3F058B8D6CA2BDC87673209D0AC7E2C
SHA1:	985B2A03A573187111182604867FD82F2865A9B9
SHA-256:	CA9076CF7385B5812472C34DCE89703A0AA93D18409E19F522838BD2974585C2
SHA-512:	B77479FC9E33805680E4F9AB2314DCDE0BF9B9ACA6BC010C04CC68AC2EB0405CD54B8C732C4A9128F68C25D5886E09C46F8664402023C6B2486D44063FBDE4F1
Malicious:	false
Preview:	7...^.m...Y..o..5...Y.....2U...T>\./.J...h./&..:..@7\A..d\.M.....nr..\|..\|P....]~K.51"d@..5e(.lmm.B..9}..&. <_..~....VS.R,..>.U...m}k..oN.C.\|... D.lfK..g...X.39....=.D..>.6.....)..;P..m\.b....3.HN.0..b..D.....H.........A`.......8Y...9....[3.....g.....a.E..(.8.....\|/~..M.0.Mw..@##(.%.a.<..\|i..._...8.$...i{...e....w.{.G..8...o...S...v2Rcq4s.p.....v.Q........R...K.q..%.=.4..J'`.....j...&9T#d.m[.95.....0.......X..=..j......4..\.\..........\|.W...K....@....g.Y.%._^n..v..w.XZrW.\|.)3M...ilP.'I...a.\|..\|.S.x.....n.\|.R......,.S[k......LJ~...)^Z....%.Z.V.T...i0....X.1.,~...f.n..uN&;..k.g?[.&<.MqvP..y88.A....-.G.....fu..>;*...c....hm..T.#q....N.).../..W:......T....m...............x....}.V.bc.w...WUZ.7.p..6W.......!.......................qf2.\|/.!.....r!`(.".SI....i.8d..Y.vv.P.........~`....S..n.D.m..osS.P.cx..T>...E.C.g.{...)......Vbj(>./.Zj.j.J-4...gIa0#..}P.s.mu.X.PT.,...]Y.(r:D..g.z\|`...K;T.........@7.?.)z............`h.A.).i..~.q... F.?.

C:\MSOCache\All Users\{90160000-0115-0409-0000-0000000FF1CE}-C\HOW-TO-DECRYPT-gn9cj.txt Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	Little-endian UTF-16 Unicode text, with CRLF, CR line terminators
Category:	dropped
Size (bytes):	3274
Entropy (8bit):	3.3969029202767174
Encrypted:	false
SSDEEP:	48:rLrZ6kkqzuDVm6eRU5oKDIBE2qxOzOwUq7ZU/d9PfDoIwe1Nn2oEdFdb:r/L+m6NJ6JOwZgd9PrRNQ
MD5:	0C6D0A67B942D06FE27F41C7C582CDFE
SHA1:	7E674CF6375B138CABCA2706583D4CED7A1AEF27
SHA-256:	014EA5EFFC97085B7832512B9AD2A5C4487265EB67E8D7B0920EF2BC8768400C
SHA-512:	53EC4509BC58F53419A8923D808C7DFDECF57DC203C37265D061AEBAB73147720D1C419E79578065A42C3B2A63504370F90516C3F0AFAD5D6997952592D3A39C
Malicious:	false
Preview:	..[.+.]. .W.h.a.t. .h.a.p.p.e.n.e.d.?. .[.+.].........Y.o.u.r. .f.i.l.e.s. .a.r.e. .e.n.c.r.y.p.t.e.d.,. .a.n.d. .c.u.r.r.e.n.t.l.y. .u.n.a.v.a.i.l.a.b.l.e... .Y.o.u. .c.a.n. .c.h.e.c.k. .i.t.:. .a.l.l. .f.i.l.e.s. .o.n. .y.o.u. .c.o.m.p.u.t.e.r. .h.a.s. .e.x.t.e.n.s.i.o.n. .*...g.n.9.c.j.....B.y. .t.h.e. .w.a.y.,. .e.v.e.r.y.t.h.i.n.g. .i.s. .p.o.s.s.i.b.l.e. .t.o. .r.e.c.o.v.e.r. .(.r.e.s.t.o.r.e.).,. .b.u.t. .y.o.u. .n.e.e.d. .t.o. .f.o.l.l.o.w. .o.u.r. .i.n.s.t.r.u.c.t.i.o.n.s... .O.t.h.e.r.w.i.s.e.,. .y.o.u. .c.a.n.t. .g.e.t. .b.a.c.k. .y.o.u.r. .d.a.t.a. .(.N.E.V.E.R.)...........[.+.]. .W.h.a.t. .g.u.a.r.a.n.t.e.e.s.?. .[.+.].........I.t.s. .j.u.s.t. .a. .b.u.s.i.n.e.s.s... .W.e. .a.b.s.o.l.u.t.e.l.y. .d.o. .n.o.t. .c.a.r.e. .a.b.o.u.t. .y.o.u. .a.n.d. .y.o.u.r. .d.e.a.l.s.,. .e.x.c.e.p.t. .g.e.t.t.i.n.g. .b.e.n.e.f.i.t.s... .I.f. .w.e. .d.o. .n.o.t. .d.o. .o.u.r. .w.o.r.k. .a.n.d. .l.i.a.b.i.l.i.t.i.e.s. .-. .n.o.b.o.d.y. .w.i.l.l. .c.o.o.p.e.r.a.t.e. .w.i.t.h. .u.s... .I.t.s. .

C:\MSOCache\All Users\{90160000-0115-0409-0000-0000000FF1CE}-C\OfficeMUI.xml.gn9cj Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1061
Entropy (8bit):	7.802839922110172
Encrypted:	false
SSDEEP:	24:QQkUjG75rJnFOgCYnthVGETb9/TGQ88VQTCcCSgbrtou8F29:QQkOGVNogHr4gByH8KOcJYrtouC29
MD5:	284F465AAD1C8EA03D76B5FF7F144878
SHA1:	7D65A2BE5579FFAA870A1CC22D8DA135890A0873
SHA-256:	77123D040D362141F06EF5AA6EC645C997985A2650A5851A6D265F78307EC946
SHA-512:	43508AB72BBDEB26BDFD807C3A31DB9F79E9F39B2640CF9F5917BA85BB3E24D6084AE8062E98F6AC5F3CFE5EC7127CD0686A0F7B2A9A6A7927B21865C3E917FF
Malicious:	false
Preview:	...&.5.._..xFe.\.2...).(.....]X._..l.$.%.Nn...v~.-.z.....{..^..."e.4!.VE.."..Wq....,.$.z.........a$z.:h..R.D8.yP..>!!..9{...Q.X..\|....n1j..uv>..\..G,..+].@...>!.o[.y&D.[......U..(.-A...........b.Ig7.............Y.Ha.Dl.T.2.M.\|.e..A.S...l..sf.I.I......k#..&R.r...... .3`8.~..v.Q.y4.l\|.....XO>.."M....KG......0..i.H..`...}p.`xn....-..V.\|....R..dq...4&..KO!.@..Z..d...o....4.r. .1...G..v....]..l..#J......." ~.._.38.<&.1H<.....!..K..\|...F.8...-.tF..ax..2...o.d2.T.{4.........1}w....<.SI2.HV..d.....P...VpB.:..s......n.\|.R......,.&X.U.....nwP.....--c...'...\|......f.f.(....xb`.\...t.........J.(......G.X..E...).g.......).?...........^@#Y...........xwJ...8.......c"...M.(c...74}....{~<..=...~...l(3.gD...:.....DU...}..UV.<.z...........N.:R.2.sA&....Z...KnmYN.>.u._....i..U....Aag..\...y8.7....\|..b...;.=...uW;.<#ZAO%_..1.. .os....-..c;.3xl)c.p.C^xA.....i.ID..1.n.w}....].WJ<.Mc.q.2H!J..F..j....].A.I.3....%~...XdK.......>lW......F.$.]....u.cYK\|......./.......

C:\MSOCache\All Users\{90160000-0115-0409-0000-0000000FF1CE}-C\OfficeMUISet.xml.gn9cj Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1064
Entropy (8bit):	7.828243124029105
Encrypted:	false
SSDEEP:	24:J2h0BVvoDAXnMjTannm3A42rL5woLvuDYwD6SMLhHaupStScAmG:J5YDWnMfSnu10v7BG6SuQupLv
MD5:	34ED29CF65477FDDB0B719FFC96051F7
SHA1:	731615FCFCA33468232F00C9E4DD6E88E84E19B9
SHA-256:	CB1F387BDB905C04B52F2156732CCD00ECCA10CD064AE49FCB444AE405869446
SHA-512:	D9C4C02A684FD9C136786BCDA62B945E83059B272E07719F33BD8AAD74BB545F37D59605959DC393823431FC7293A72B9302C8A6512F7B21A0BF7B9D9729DB8D
Malicious:	false
Preview:	.1; .\|9......#..fP.._..S6.J.{...h.Q.OF.oC..M/..U?..+W_o&.......U..5.Z.&y..'....\|..}.$Q.,........x.. ..9.B..,...-..2.....~\|E.....f.<.sXz.x..Y.g&.......k..&.e...r..K...(........e-k-.!y,.].?......3.j.XZ..Zl"...Y..'.uZ....._.l.T&}.f.i..0.;...w9.H{..."...[.....hq.c..)Ch.."?...y\.}.....e&..=..L..5.....r......1dM....o<.l.....A.:....+......B.....32r/...\|Qw.p.5.d.:..d0N..Yj..'...\|.A....>....x....n......_%...i..;.<..=.....V(....VCA8.....#.}!WZ.j.Xk.Q....a....'.[.....EG.kk.......:..N.J<.O.n...DH.N.....z......n.\|.R......,>.S.Br!X..R.....G_hb.M.K...p....~{...V]......FIH....t..}.{..,..[.....:..<...=..6......3y.u.W......p`o. ..A...@<cxT.i..s....9X.P6.{V..;.\|...\|.v...zS..L+.Mm.....eC....1..G..-.V...{.j.rH2. .c:m.....2../...%.(..9.....L-4G>..]/..8..C....i...C..n...F.T:.?C.j....Z.......sN.>/./..o.=........5....?^..%g9.k.O........,_:Du..[....p.r.1..m..a...M...Vu.L.\.F....gfGKT4.~...r_oO....gi.V$...#@XS....U.b...l.b.>.....;q....D.b...m{......AM.

C:\MSOCache\All Users\{90160000-0115-0409-0000-0000000FF1CE}-C\Setup.xml.gn9cj Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1069
Entropy (8bit):	7.800392754241314
Encrypted:	false
SSDEEP:	24:QDqDVRLx0GLQkPbfE972R+MqamXR8TvLmr9bJKmrDalFWc5PCKd:QDgfSwQkPbs72QMqaSc4dKueWE3d
MD5:	7CC7BA6964E65903E3855880C91F85FA
SHA1:	D79DD8414035C5F21FD2CD6EC7A241DE04EFA303
SHA-256:	D4CC65F6552FD7D197E9A979C431802D61A654D4996D3B5541A37F59EA2DDDB3
SHA-512:	BB69BAB74956C58D07AEB711B04FB50BBA432764241EAB28AB9AE0AA9B7E1A8998A610013F6C88873EF7E8DBC57B29007409278B3256A5ABA071ED7F6BC528F8
Malicious:	false
Preview:	cM.Ht....).O.pA.}.\e.......I...P.>.@.l..?B.g....(.j.Y.u../M......L.A..~.}Pw......"\..W.zB..+7P..\|...&...;M....&.....>E.~............P..v.6..e..N..u.....R..t..O..m...5....sM......-..2.:n.\|..`..7x...>..2C..7....Q...;..F.m.8x'.....RN..%y.....RX.C...5.S.Tw}0&.S .>.F......10.u.......E=)H....F.............o^.I...W.].v.&.:)1.c..y.". .{I@..6.IgL2.z.1...y.m.s.I.......(@{...j...h../..=..I.&#$.....%...e..qJ.OD......d....r3...<Kw .[.O..$.y-...............bml..V7.M....7&o..F9./..!V....Q&X6.`.2&..R.kN:_....4^........n.\|.R......,5...MG...<.2...r...@}.)...'......W.f.... ....C..SL@.^2.An..1../1.1.A.._....Rr.#...x.3..k....f.....Ii..D./cH.........Xt....V.z....d.M.~.J.`.Y....\|...._.r........."HG..[X1..bn..3........L$.......ry9%!........JO...R..K_. {VTx/o..g..2..y+....53........G3(.7..i.... ....].~=...;.X!b_1....v.e..S..;:.....?..N>........Hf..d../..eG..C...WZ......x.qJL.....v.N~.{..}...a..S.....oc.Vm;R..^...Q.VFR%.*..X..y...5.V..o

C:\MSOCache\All Users\{90160000-0115-0409-0000-0000000FF1CE}-C\ShellUI.MST.gn9cj Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1056
Entropy (8bit):	7.8082324070926665
Encrypted:	false
SSDEEP:	24:4xs8qiBf5XrUNptYfw8ge5fh/6UFeo2daFgx00UkMLFlagdB2FZTvM5G:4xs8qM574DUw1OkUF72o2i0kF0eByZTD
MD5:	B1FFE297A767A98B9EC1244952E22B5E
SHA1:	E3F04DA5EB09AEEB67660B100E52B87E4D4E582A
SHA-256:	37F954462B3BEA7001CB921540316F10C1FE8A7029E89C22F1B5B3C2DBD1CA42
SHA-512:	2458A80258FECC64FB04F16F054F18516C00C9E96A9482F89E47111462564300994C138F11296015F915FD1B898BEF5C5B503E9D9AD05B5605004D798003A02C
Malicious:	false
Preview:	_....+.W..S5..../a.\|...Z.......y_...V^...\.4..Y.po,..O...g....;....%..v....%CC.D..7..i.w\{=..i.#..w....7.7....tRFO....zv..~...5-MqH.<_.....\..h..W.?...?_<[s...P.e..T.7.$..v.em..c....t..K.,>W..a.`..<` u.:e..9z.TR......a.M......0x;.1....<..).[..u.._0.\.>..A...fc..w.4.f..T%.b./^A.....k...,.'.GG....<@=.G.O.R...b...)..3;...k..pb.._........z....u...%.e.SvxyN......X-.!..!......yvH......~v..Ka`........D.....x.g...Z.P.Ls. .~.2[.k.^...R,..).Nyi...3...d.5.......u.Y....u.q....?.c........_............n.\|.R......,.......w.-3.=........G.".Q/$m.....K.L.a....;d..1.-..:M........1.Un!LG.=.K}.fh...TYs.arra.G...H.\.....9G.T.....r.....>C.G.{Q.RQm..8.Y..`wC.l.2f.twc:.M..{...".?.>.Me.H$U..x..Zj....y.....o.G.O.3..8...._Qz?.E.FY.L..#\|HF...k..)W.^....76.Vl...n.x$.$......$.../@...b...........EA.b.J#K..2.....).."...Y#X..1W.y..l.._.,....u....Z...QO.Q~+.7.O..w.5KK."E.......<.{...... $.......P.u.-M9BfM..d"g.!.......9;x...y.d."RCI.,..M9./...I-.... ..;b.d.

C:\MSOCache\All Users\{90160000-0115-0409-0000-0000000FF1CE}-C\branding.xml.gn9cj Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1063
Entropy (8bit):	7.784920233172768
Encrypted:	false
SSDEEP:	24:HuX1PEIioY99LFN+/K8uMWc9XNfOj0l1ZfetCgg:OXJhMmh1pdmjmcCgg
MD5:	EEF6DF40636DE6203621999C3B350875
SHA1:	BF0CE9A2DD91317E86FFFC800D7BC76B03025CAB
SHA-256:	E59AE26CBCF41F8C3999C84161BBE00DDF2D0610F3CF00E5F48D8897BB8FF21A
SHA-512:	E54EA145D861148AB0161231816087D69CC9BC6696828524444D4471B49F169A16650E311EEF741C077470AFB3BA8E6281DABBB0125957FA287A4870836E71CD
Malicious:	false
Preview:	.U.3.... .L...0..7...._..d.2\U....Z..g.S.(r&...n_.YK+j.QR{.m.}D...........Y....8.0......E.....9%.....-.tt$...A......:..%n.].!?.W...T~..m\...1.Q.Q..1-...._..f.8.K"..w.j.tP_.....}../..ep..(wD".......5'.=.c...=V.G:.e.I.o...N..9....G.\|7...>.S%..Zyf $.X...\|1"z..9..._..=.`}...C...G.....[....$.B.\.Z^.b..f.../..H..V..,5...\|...[....}e...T.....@....E9....'.k....p....u..CJh......'E.......YH..3.:.._E=..,..(.?.........sR)n.m...WQL.1.p}m..\Q......y.=...K..V....t..z-"..{..~......`.\b.K...s.}...W.!._.?I.Q.q....n.\|.R......,.-!.b.._.b..C!...b79.^{;.w6...=.i....!....>4]w....p..Yq..E.VM...,y-....w.t._~6.9L......"y%.Ns -.Am..Y$......x.:.......=K....A.C..p)...i...-^.3...q..jF2X1B,.4..........>1... 8....."\.".......4!.f....Y..m...10.. 0....7.....\|8k.re.....q.~>]n.......u....%N..>.......up.....Q.d..D.g..F.... >.ZaEn..GQ.._..s.X.c.%...p.8K...xc.Z.Bm. c.(.?.o-3..J...W...).]....8...c...Y....F`.p....5(...z.O....O.....T..V....).?.n..1........8*h......l.\|...

C:\MSOCache\All Users\{90160000-0115-0409-0000-0000000FF1CE}-C\pss10r.chm.gn9cj Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1066
Entropy (8bit):	7.816880633566443
Encrypted:	false
SSDEEP:	24:1SFQk28xjHTe3jWuuK2Gh+ck86G/AZmDeyqDg:Mr3ezFFRAc6G/AKe/g
MD5:	337D33A7130A0FCB2A6134256304ECBD
SHA1:	DC79F6FAA797D73F484A05957A9CCFBB670345D3
SHA-256:	9EFD6C244F1CC98C4D479FBF5D7D52A992CFACE17CDD78ED5F5A928117C00486
SHA-512:	87E17C2D8D4FA2EB01B10E35D1FE563A8D7C5F484FE9BB6DE5B43ACD9E2DBC7952E033B60C5E38CE017651B1B0735C219642B849338D60E7802604C387880AD3
Malicious:	false
Preview:	.I.j.[.e.v..v.+.....^..... ...w8o...g.d.a..F.V-....... i-.."7L.<... V.......D.+.`.h......O..M..{.._., ].\|.h^..V..8.@_....j.6LvZv.....$7.)....'..n.hT. ...b..'].!..{w..-...i.......N...9......i.!uCYo.8ba.......e.kp..!q..T9..u.-..".Q2..;).]..........HO..a$.d..s.hy.Z........O.H.#V....(vLN.E..?aNK..L.p......E>....>2....I.j..F>....^&.L6.,......`3........k.o.k.{..T%.n)t..B....T...O.M....s...k...........aEI?.........g[.k....p.0Z.W..+._%..!.o:...,n..[:.\|`...>t...@p}.. ....n...b..Q7..@.l..>.OQY..5<.V.w..F.........n.\|.R......,..k\|z5..=3...ED.?...@..i.FF.....c..4Y4k(..1..z%..%..z.E.M.@@..i..c..........[...6...iuo2I..t..Z..L.2Ji.....Q1.p.....L..i.&.;..4...Mi%Pv....6.`3.O1~..zE.7 ........o5d.Uu...O..6<..G..<.t*..c."...47.Z..?.ai......`.%.5..l.=m.!D...e.X{7.......]"..,.eJ.....0..f.s..A{..uq-@.^....%'.y.G.R..F.6..e..~.../N.a:.x....b.PrI;.A...[....C]..@.....,~M..nSp...y.... ...../j.......K.qc..?u......j.=.L.r..br...&>.......g...l.tS8.O..!...."..=.

C:\MSOCache\All Users\{90160000-0115-0409-0000-0000000FF1CE}-C\setup.chm.gn9cj Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1066
Entropy (8bit):	7.795786353083845
Encrypted:	false
SSDEEP:	24:i6dETSM8VYxKQO3Kb7OMugv2S+m7laIE9ANxEZwI4BM:i6dCStYMKWNw7EmkwI4BM
MD5:	96A1EF9E0B66E68322168555275C72C1
SHA1:	1D9198011C2E01F6B3B0F4A4B0C2460923A6FED7
SHA-256:	D4C0F9837BD8B8B18A9E76967DB2CBA9D9C28500CBE361EB7D95C6A90595ED78
SHA-512:	946D46AB4743D8A087E281D7788C9CB4883448717E1F0B9531EA57F6651125D687C6CCD8F520726C0B21858377D45D191133E7CEB737FFB1DDD64F1ED495C833
Malicious:	false
Preview:	.4j(..t .r......b.va9)...G.Om.......<.d.Y...."j..l."...:...D.~..I..0S.....p..dv..k....C8...M.{r...%Y..U..A....M.S.w.n..#.........k..L/E..._J.zG...2.:>.6q.8..I....w'.....5..f..../.....,.x...UA.T....=;{....L.rP..c1..kC..hS.}Y....h... .>..&.^n.. ....+{dq.......Q..M....h..W..=p..c..N.E..p.M....2.R...Qe6kT`.~0f..#....E............\|$..(/..9..3~.e.=.u-G.........b......d....e......s....5h.....{..a).Vi......>.++.8...G.N.v.....u7)X..\|.2.j..`..M&.4..[........kf.C..I...,.....Y..o Lz...e;v+g..m....I..j...n.U4.....u.....n.\|.R......,dGt .Q....n.....G..H..L......;3....L.H<.`0[<.r./.w.. ..........a....h...b...@qW+.J......W].Z....z..a..u....$..r.g@.{P6"@...=..,...o.4.vA"....s...u-.!....#z....VlU.f.3..t.,_."<....,y1..l..p.O.?.h.5?.M...t.G....J.........Z.Qt..}E..{....$..+....!.\|4z..(..r.....(...I.pyV..^.....lz.=..Y..tO....&.c....f}N.;I.g...I.^.$... ....8sh.....-..ACt=.00.c.}....O.....^[o..2.....4....t...-........6A..w.....[ui..el....3.l3z.......4..........`

C:\MSOCache\All Users\{90160000-0116-0409-1000-0000000FF1CE}-C\HOW-TO-DECRYPT-gn9cj.txt Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	Little-endian UTF-16 Unicode text, with CRLF, CR line terminators
Category:	dropped
Size (bytes):	3274
Entropy (8bit):	3.3969029202767174
Encrypted:	false
SSDEEP:	48:rLrZ6kkqzuDVm6eRU5oKDIBE2qxOzOwUq7ZU/d9PfDoIwe1Nn2oEdFdb:r/L+m6NJ6JOwZgd9PrRNQ
MD5:	0C6D0A67B942D06FE27F41C7C582CDFE
SHA1:	7E674CF6375B138CABCA2706583D4CED7A1AEF27
SHA-256:	014EA5EFFC97085B7832512B9AD2A5C4487265EB67E8D7B0920EF2BC8768400C
SHA-512:	53EC4509BC58F53419A8923D808C7DFDECF57DC203C37265D061AEBAB73147720D1C419E79578065A42C3B2A63504370F90516C3F0AFAD5D6997952592D3A39C
Malicious:	false
Preview:	..[.+.]. .W.h.a.t. .h.a.p.p.e.n.e.d.?. .[.+.].........Y.o.u.r. .f.i.l.e.s. .a.r.e. .e.n.c.r.y.p.t.e.d.,. .a.n.d. .c.u.r.r.e.n.t.l.y. .u.n.a.v.a.i.l.a.b.l.e... .Y.o.u. .c.a.n. .c.h.e.c.k. .i.t.:. .a.l.l. .f.i.l.e.s. .o.n. .y.o.u. .c.o.m.p.u.t.e.r. .h.a.s. .e.x.t.e.n.s.i.o.n. .*...g.n.9.c.j.....B.y. .t.h.e. .w.a.y.,. .e.v.e.r.y.t.h.i.n.g. .i.s. .p.o.s.s.i.b.l.e. .t.o. .r.e.c.o.v.e.r. .(.r.e.s.t.o.r.e.).,. .b.u.t. .y.o.u. .n.e.e.d. .t.o. .f.o.l.l.o.w. .o.u.r. .i.n.s.t.r.u.c.t.i.o.n.s... .O.t.h.e.r.w.i.s.e.,. .y.o.u. .c.a.n.t. .g.e.t. .b.a.c.k. .y.o.u.r. .d.a.t.a. .(.N.E.V.E.R.)...........[.+.]. .W.h.a.t. .g.u.a.r.a.n.t.e.e.s.?. .[.+.].........I.t.s. .j.u.s.t. .a. .b.u.s.i.n.e.s.s... .W.e. .a.b.s.o.l.u.t.e.l.y. .d.o. .n.o.t. .c.a.r.e. .a.b.o.u.t. .y.o.u. .a.n.d. .y.o.u.r. .d.e.a.l.s.,. .e.x.c.e.p.t. .g.e.t.t.i.n.g. .b.e.n.e.f.i.t.s... .I.f. .w.e. .d.o. .n.o.t. .d.o. .o.u.r. .w.o.r.k. .a.n.d. .l.i.a.b.i.l.i.t.i.e.s. .-. .n.o.b.o.d.y. .w.i.l.l. .c.o.o.p.e.r.a.t.e. .w.i.t.h. .u.s... .I.t.s. .

C:\MSOCache\All Users\{90160000-0116-0409-1000-0000000FF1CE}-C\Office64MUI.xml.gn9cj Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1066
Entropy (8bit):	7.838743403614724
Encrypted:	false
SSDEEP:	24:+f6mPnZvN2kSWSQ+hLBhhMrpjzdIsBRvIwfwt8/R7E8TC+/n:+NPn327WSQ+hjhyZIRw+yR7EmCan
MD5:	F3A1CE479303BAFDDACAE854A61C9035
SHA1:	EC18283C6EA278D391FB187B625FE9FF26C44D78
SHA-256:	9878CA0CC7AD780AD77C9FDB2359805DF3B37447A12A3CD2E8C1078798830775
SHA-512:	D7D836F71252272766EDCCA4D43D22F0C09CC29BF4B729CF161F2DB12A86144EB3B483D22AE5AA536BA5577DB10ECD61A88FBC3D511E0B4DBDCA157AD621F9E8
Malicious:	false
Preview:	a...Ja.zpR4..,S...L....7d..U..PJj.$ZOx.p[r..Y.1.3;h-...u....$...s.&.U'!....JQx....I....-s....j...c.d......e...z.Z.#~.Z.\|q.G..f..8k..Q.\....a/.Y...U...gq..U.i..U.p.La 2n'9...2.y..&..-...;D+..X...t..M.....\....UHQn.-....uZ....\J......b..7....)..H....w{#..Q.;.g.J~...T.FOY...J...}.uY......y...S.6..o.v...b..q<fk..2.\cV.. .)..."...D.a.:....OT...q.g%.h);.e.X....,.6.7n.J.~... 6n9FB..1.........t.MHg...rz_n/%0,f..B.,.Om{.....HD..B......<.~.1h?....8K...).S....9F.Et.[/i4.dcn.."...RfN.l..S..sx.K.=K...wo.].?.......>../....n.\|.R......,....r.....p0c.'.)}~.t...]l%..``O@6E....z.A..8.o.s..H....!..gk....X1.@...~..D...s'...!.W.#.i...u...Y...l.w.....L.J.Kp....YI.. ./'.V.D.......a?..`3...2os..d$...%.v......X..........&...._.O....M.3.u.q...U..n..#.%...7...I:..[. US..a.n}.....~...TY..1'x...&..Y&..IM...z?4..E"Lw..2y.....[.......J.Nxc.~5...u...m.[..q....,..i~h..........-E..........p.7.T.;8..........f...cq/...Kp{..E....2 . I.\|....,p.2....M8....._.V.........A

C:\MSOCache\All Users\{90160000-0116-0409-1000-0000000FF1CE}-C\Office64MUISet.xml.gn9cj Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1060
Entropy (8bit):	7.824348270573668
Encrypted:	false
SSDEEP:	24:smuCMziqpvwna68MSLwytvZGKtMO1LMrjWmObTcppEnYls8XJG:4Cgiwvk1BKD2jWmFpEnq7JG
MD5:	72D1C14A4C4ECF1C1B4E668FA54F4AC6
SHA1:	D4DB262889F8D950E06A4D24656046167AF409BD
SHA-256:	C44F3DB253E72F0DB2716F4D7635868BA9FA65E78F9CF4F40DC4ED27641EFE98
SHA-512:	35EDFB78405BE2F86BAC1C2332DF9BCC199613B29EF4344A49537863D2ADC990FE25FC406859C9CB70BC747491F5D0633B23CD4F93E8E5A661FB13588FFD6761
Malicious:	false
Preview:	W+.._..5...R.;...Q.!.63\|Z.=....h...2fA.w8.Zz.9...S.k).f.D..O...[.@{....I....N..s...b>X....M.......'U.QFM........\|...J...yxd.....!....0.W..,.`}.l.Q....T.....3..>j.ee...J.?=...8a/G....E.kP.N..PE.8...Hx..S.L=.o(\|I."}...EE.h.../m..2....[8.$.....l....d#..jQ..@.....f..z.Dn..5.....t0Y..s.N*[..@.h..s2..T...I....B..a.t.(_.ou.."....{.^..B.....g..9L/{.....G.............. .TB(7......VK......3.1}KU.Z<...ug{xOJ...m..t."..Y,&..._o."k...>..D...'J.....c.`..8...%}-.&yJ}.W.~.w?."U..:{E.E.UN.U...Z.S.a.O(f..........~.Za)y....n.\|.R......,...^....G<z....l...,.b...f.:.].f[.`4.m..jk\|@Te....h8..3.....a....)}...5.m.J..Ue8'...\|=....4.^..C.d......M.......I0....7......ljx.z+'....2.le..!..........-W..:..\.h.W.a...O...&p...B....1....WR.....9GzN48+h.{.NCG.t.Pa.3.96...........l.Q..E....u7..H.<.W......&V...W..B............kw....+e!../!...B.M...K..]n7...@..FW....<1.....3Ky.(v..k.....Q..\.l"....X....%.[c...4H...N.`..[.q.3\:h.\|."S......Gj.[..b..p..9.{-P.t..L..{.^\|.}.Y

C:\MSOCache\All Users\{90160000-0116-0409-1000-0000000FF1CE}-C\Setup.xml.gn9cj Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1070
Entropy (8bit):	7.855078516746073
Encrypted:	false
SSDEEP:	24:MQQr+1ST4sFGFzUcpI+ippIK5++smzbmYWFWcXKSk6epFdiCzz:MmBskzUYIj554Kcfqp7p/
MD5:	6A090DFDEE70467C3D26552AF6451820
SHA1:	2E4AC5BB7E4154166143A7A86F876B048FC7339F
SHA-256:	22A3938FEC4B7574B4B5331064780B95F2E242188D46BCD92BB973C852DD4795
SHA-512:	0C968B58FA2F82157E0BBE26CCD67E878867389E70E453220915D86DF7D80A8004B884FB26F9DB657EB51CC54B24D29329A877428F6F0D6A8987A1DD47C09B25
Malicious:	false
Preview:	....u...S..xb.......Vm>(.{..1...XF....o.St.....~.& ...vV..L<....4m.S.....K.y...<.n.Of;o...N...,...... ..]..(.%4.L.vTL.0.,..#.$.2.#..m..'...._....-6..~../s.D.(.D\+.o."i.qa...N...>..R.A.;...4.#.1z7.@8....:..3JL............<...(S.r\.....#=:.,.>%V..].a.....0.]U.W....qa;.A.s....^?..E.....G\|'....-..d....Q..D....+E>.>W......e.6..G7..q..e.`...\.....Xo..J.......)...Ng.1...D...]+j...;.P...1^.Z...mM..Ps..I.k...!M...x@.,f.v..b...k...e.....O...W.,.7.a..JG.v.R.f6.'.D.&.{..?d....r..J.....+E.!A_3....3)#.=...k.U.....T.......n.\|.R......,.h..w....w...2v...Y....i..&.....s....<........H>.....].q.;l.yj3.."3...:..mG..=kO{...7...N'..y.Nt1.\O.t...Mm?U....$M.W........+...3o.Aa.b\...n.Nud.3YP...J..r..i...}...}.M............^"C......k.......Q.-X2.I.x.......0..7....p....+.>.zD...B..yT.eT.^}..X.yA./,.t.=_<d.[........G_OZ....U.9..&nw,.FL.BoU..w.=..?......0..Z....gD..+......"...^...u..Rf.@.^c~'......8.5b.....v.>1M....Q..a.KJH.k.C.H/v...e]..X...n.&~.?U.

C:\MSOCache\All Users\{90160000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\AccessMUI.xml.gn9cj Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1063
Entropy (8bit):	7.790202668486702
Encrypted:	false
SSDEEP:	24:mzx6KODYyUeqHN2rIL+NIxrzGF/rgob7u1wN5Ez77g/jtwVGFzYbX4d:oIKODp8NiIYIxraFjfO/7yjtwr8
MD5:	479098F74F9917FFD48223B761EBDD68
SHA1:	C990241F47D6A066E20C0D0931388216CFB93457
SHA-256:	11A934ECE5B88C8D336F8D1C81DC244047EA6C9333E97F72BED48420B9148CE0
SHA-512:	F9849F6B5377ECE8662289AA95D60BCBDABA07B34EBB85618F2FA7A9C11A6A607FB5B670C25FBAFB6CD926F38029DDB254B1F5D93F0F7BC5694A1994413B1EBB
Malicious:	false
Preview:	isHN....G..z%..k.csv.....m\.xC.c.;1dS.^."..=.g.u...<z..2\|...N6.J+A.i....=MVh@A+..."D;.........'.-..{E.&...<.J...fS.[.@..D.b..G..23.T....]...3C.E..G.,~........G......S.50..~......l.K..S....S..z...@p.I.-.Z..u..B....K\..M.......Y2.eEv/[.^).I.<...2xE..VJa..b....tp%(......^.+.2..S.\|U}...4..H..A....a...Z~....My.aEpY.h.x..u.R..p.A..@...EY.i.Z...U%.GI.kb]y..:2..EY..d..9..5V\|g.\|.y.VT....lsx..X.z..b...nS<G....Z.........y.-.b.~.S+g..i...Z@....V.1..Z..H.d...,..A.tE.j. ...H.`.....$9U..w;...hah..h_.....Ol...........].......n.\|.R......,s]........RVfv(B.D..w.-.?..]...9..T....^.s@m.Y..z.kS...<.....)..1n.=.fVED.[..X.6.IXw._.j7.4<-..e.bs....h...E..7a.v..v"A...N?#\.j`.)X:..2....].F.f..<.......+..()......I.3w.`.ZP..@s.5..`..CC1y.^.T.KB}.....M.[..S..2g.....26.......q...-h ..B......l.#de}"....6...&....)..v.7.....(..a.H......@_7..h2\|..q..q.."?N....."..v..C]....q..C..{}6.4K.H.E.>$zc.!.z...%.5.V.7...C_M..Th.<.......e.RV...Q4..b..j..-x..G..).YDZ....J>..9....k..{..`.

C:\MSOCache\All Users\{90160000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\HOW-TO-DECRYPT-gn9cj.txt Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	Little-endian UTF-16 Unicode text, with CRLF, CR line terminators
Category:	dropped
Size (bytes):	3274
Entropy (8bit):	3.3969029202767174
Encrypted:	false
SSDEEP:	48:rLrZ6kkqzuDVm6eRU5oKDIBE2qxOzOwUq7ZU/d9PfDoIwe1Nn2oEdFdb:r/L+m6NJ6JOwZgd9PrRNQ
MD5:	0C6D0A67B942D06FE27F41C7C582CDFE
SHA1:	7E674CF6375B138CABCA2706583D4CED7A1AEF27
SHA-256:	014EA5EFFC97085B7832512B9AD2A5C4487265EB67E8D7B0920EF2BC8768400C
SHA-512:	53EC4509BC58F53419A8923D808C7DFDECF57DC203C37265D061AEBAB73147720D1C419E79578065A42C3B2A63504370F90516C3F0AFAD5D6997952592D3A39C
Malicious:	false
Preview:	..[.+.]. .W.h.a.t. .h.a.p.p.e.n.e.d.?. .[.+.].........Y.o.u.r. .f.i.l.e.s. .a.r.e. .e.n.c.r.y.p.t.e.d.,. .a.n.d. .c.u.r.r.e.n.t.l.y. .u.n.a.v.a.i.l.a.b.l.e... .Y.o.u. .c.a.n. .c.h.e.c.k. .i.t.:. .a.l.l. .f.i.l.e.s. .o.n. .y.o.u. .c.o.m.p.u.t.e.r. .h.a.s. .e.x.t.e.n.s.i.o.n. .*...g.n.9.c.j.....B.y. .t.h.e. .w.a.y.,. .e.v.e.r.y.t.h.i.n.g. .i.s. .p.o.s.s.i.b.l.e. .t.o. .r.e.c.o.v.e.r. .(.r.e.s.t.o.r.e.).,. .b.u.t. .y.o.u. .n.e.e.d. .t.o. .f.o.l.l.o.w. .o.u.r. .i.n.s.t.r.u.c.t.i.o.n.s... .O.t.h.e.r.w.i.s.e.,. .y.o.u. .c.a.n.t. .g.e.t. .b.a.c.k. .y.o.u.r. .d.a.t.a. .(.N.E.V.E.R.)...........[.+.]. .W.h.a.t. .g.u.a.r.a.n.t.e.e.s.?. .[.+.].........I.t.s. .j.u.s.t. .a. .b.u.s.i.n.e.s.s... .W.e. .a.b.s.o.l.u.t.e.l.y. .d.o. .n.o.t. .c.a.r.e. .a.b.o.u.t. .y.o.u. .a.n.d. .y.o.u.r. .d.e.a.l.s.,. .e.x.c.e.p.t. .g.e.t.t.i.n.g. .b.e.n.e.f.i.t.s... .I.f. .w.e. .d.o. .n.o.t. .d.o. .o.u.r. .w.o.r.k. .a.n.d. .l.i.a.b.i.l.i.t.i.e.s. .-. .n.o.b.o.d.y. .w.i.l.l. .c.o.o.p.e.r.a.t.e. .w.i.t.h. .u.s... .I.t.s. .

C:\MSOCache\All Users\{90160000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\branding.xml.gn9cj Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1063
Entropy (8bit):	7.829215391519535
Encrypted:	false
SSDEEP:	24:Halv7TvWo97kqWzRALbVbSyBpDWpbGI/+1yfnGzOyMMvewqzV:H8jTjfyALbVxDWplKyezXMMvewqzV
MD5:	F0F3018DB0F68B12FE96CD0CD84DEEEA
SHA1:	A6F55900BFD10BE1F99A1A88E456F67A2BB9BC73
SHA-256:	22EA381D0A002CD3313DFCC3412484773CF5743701B400B0684118A2261B818E
SHA-512:	E18515EDF1764AB2A3BBD8928A5F6548525C8ACAD157301E5F22777B2E2258BB2F56635A92918F9B270BE22887CC0BD8D19C3BB6E89DBA15C6AC883F4A9C639B
Malicious:	false
Preview:	a.7./X..1gi9-..Z+..]....o0.H.}}F.2...xX.......L.9.....0)Ys.)..E[6..G{.#.C."...Y..SwV.....&..*.G.aTI .9 ...d&g..X.....qt9.Z..V...QU...........R..S....o.S.........0...........4.Y6...nnH..Z.\.s.H.y..._.bz.....^.e.Z.4..}:....@.=\....x.Sk.x..o{..M.x..X;..1>..H.<..Y.I...y./.L;........N.- 2.....k...3.E~.b)..W.op.St.ui....a......X..J`l...!..N.o...b...N..Z#[....c.J...'&H..f.......;....V..j3...S.O.i.h..q....T...u9........s.....h.LQD}...}......s.Wb...r....n.K......KMKGr..6..A..!+.ee.../.k.uS.....C.3.1.......b..B......n.\|.R......,+.s..:.B#$...o-A......Zy....yQ.1.rpq.j.Q.p..d..S7.o..ca..\|u..../.?]..#U...!Bj.]..j.LJ.T.+6.BB^'.7.....\|3ze.`.Ou.\...u.%.....v..84....r....'.!.45..H...v&..;...;....[..g.....Q.6..).G21.1O...../....D.Tc.z.eU.i.........A..........-.WlT..>V^.~.do.....s2.D.e...iR.>.JD......G....qj.;.:.....K..O...`...%.I....m..9(.Yq0...P@...:.....".z;.....cL..&2..A..]#..hIV..X..,@tI.F..B_...._l....7....Fi.J~.....E.....f..:.:/Z.H..+...%..Ma.....Y..4Nm.

C:\MSOCache\All Users\{90160000-0117-0409-0000-0000000FF1CE}-C\AccessMUISet.xml.gn9cj Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1064
Entropy (8bit):	7.807245966420782
Encrypted:	false
SSDEEP:	24:QUym4AQxw68ftalhPDgr3VOoXLv6SivOJL2H+KbJo3F:Fmn8Vsoj6OLCo3F
MD5:	24A88CFBE81D82D2472B8C98FD7A39AD
SHA1:	C9BC57AC5F9B45F0B414C7CE6402E6CF391C063B
SHA-256:	58536799140B95CEE12DD8B6F4DFE31281AC29ECE505EB62F6DE9F623090DD7B
SHA-512:	85569F41227EF34E4F6987005006CC1A20413C856BEA043357F67B3C8453F45D2544C50ED088901A5F4C0B6B7F90A9665E4AD3471959ED32F7AAD736CE73EA59
Malicious:	false
Preview:	.hA..1...)?....3.... .5N.W......f.]....EL...........p.4C...}.<_..%8u.b...(....+.....$J....D0.b.I@...r..K..@J..U=.H....x..87~...\|..2.3....q.....H.U..YZ3..Y.:.. ....'f....#.C..2>v....j...N{-r@B9..R/...I...2..!P..3.....c..Mw~.t."......0Z...eO.:.....4'....~z... 9.-..Z..-F....qL.q.i...;D".2...U..V.B.,.E...i...cs....D\|.....:.M.....ff.C.[.f...[L.h..52O.@.....n.{.R...]n.V>.a/.Dt...&3.o..p..8.&..2PQ.......J.p..2........uF....{?v.i..S....o].......!.0.....f..).?t..d...Re.5..+.-.H..m..'?"q...)8.%..J...q../........j..._a....n.\|.R......,ma.5.[.......h.g...fk..2..:x7..3@c.!%!.i.m'. .KqC.^..g2D$...ve..B%B~.n....z.K.Z6a.......Y..N..m.y.;u..]^..&...%%.0.`'..`.F....).....k{.N ......J\i.&8....n.:(...a}...C..J.D..80T.B4ZC.[+.g..]......Y....N.^o...S.{A.......\..q...I...c..@.....5=..50.4.Y.].)8..0..u..5..:..<r.ya.....c.8}..S........##.Q.....b*.]g.n.,j.....,g.(."6.<.sJ.3>.u.A....`...Q<....`\.....0E..xU.9.p...F..7......j.N[y.....",..wk.~..........N......g.gx...=...o....

C:\MSOCache\All Users\{90160000-0117-0409-0000-0000000FF1CE}-C\HOW-TO-DECRYPT-gn9cj.txt Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	Little-endian UTF-16 Unicode text, with CRLF, CR line terminators
Category:	dropped
Size (bytes):	3274
Entropy (8bit):	3.3969029202767174
Encrypted:	false
SSDEEP:	48:rLrZ6kkqzuDVm6eRU5oKDIBE2qxOzOwUq7ZU/d9PfDoIwe1Nn2oEdFdb:r/L+m6NJ6JOwZgd9PrRNQ
MD5:	0C6D0A67B942D06FE27F41C7C582CDFE
SHA1:	7E674CF6375B138CABCA2706583D4CED7A1AEF27
SHA-256:	014EA5EFFC97085B7832512B9AD2A5C4487265EB67E8D7B0920EF2BC8768400C
SHA-512:	53EC4509BC58F53419A8923D808C7DFDECF57DC203C37265D061AEBAB73147720D1C419E79578065A42C3B2A63504370F90516C3F0AFAD5D6997952592D3A39C
Malicious:	false
Preview:	..[.+.]. .W.h.a.t. .h.a.p.p.e.n.e.d.?. .[.+.].........Y.o.u.r. .f.i.l.e.s. .a.r.e. .e.n.c.r.y.p.t.e.d.,. .a.n.d. .c.u.r.r.e.n.t.l.y. .u.n.a.v.a.i.l.a.b.l.e... .Y.o.u. .c.a.n. .c.h.e.c.k. .i.t.:. .a.l.l. .f.i.l.e.s. .o.n. .y.o.u. .c.o.m.p.u.t.e.r. .h.a.s. .e.x.t.e.n.s.i.o.n. .*...g.n.9.c.j.....B.y. .t.h.e. .w.a.y.,. .e.v.e.r.y.t.h.i.n.g. .i.s. .p.o.s.s.i.b.l.e. .t.o. .r.e.c.o.v.e.r. .(.r.e.s.t.o.r.e.).,. .b.u.t. .y.o.u. .n.e.e.d. .t.o. .f.o.l.l.o.w. .o.u.r. .i.n.s.t.r.u.c.t.i.o.n.s... .O.t.h.e.r.w.i.s.e.,. .y.o.u. .c.a.n.t. .g.e.t. .b.a.c.k. .y.o.u.r. .d.a.t.a. .(.N.E.V.E.R.)...........[.+.]. .W.h.a.t. .g.u.a.r.a.n.t.e.e.s.?. .[.+.].........I.t.s. .j.u.s.t. .a. .b.u.s.i.n.e.s.s... .W.e. .a.b.s.o.l.u.t.e.l.y. .d.o. .n.o.t. .c.a.r.e. .a.b.o.u.t. .y.o.u. .a.n.d. .y.o.u.r. .d.e.a.l.s.,. .e.x.c.e.p.t. .g.e.t.t.i.n.g. .b.e.n.e.f.i.t.s... .I.f. .w.e. .d.o. .n.o.t. .d.o. .o.u.r. .w.o.r.k. .a.n.d. .l.i.a.b.i.l.i.t.i.e.s. .-. .n.o.b.o.d.y. .w.i.l.l. .c.o.o.p.e.r.a.t.e. .w.i.t.h. .u.s... .I.t.s. .

C:\MSOCache\All Users\{90160000-0117-0409-0000-0000000FF1CE}-C\Setup.xml.gn9cj Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1064
Entropy (8bit):	7.800866020742052
Encrypted:	false
SSDEEP:	24:FGxic+J/++p6oOS0LKy0jGFpVk6KXsjjLzF:Yoc+k+P+VkrsjjnF
MD5:	438E9F0067C529D2D11A1211545F2419
SHA1:	EB4002F1BD7FC612D4069630986BF09EAF7D6B90
SHA-256:	D883A5424B3741A239495640F270DC6EB9AF0648DA7005BD1E1FE806F438F6D2
SHA-512:	FF86901ED5A8F0AF80B365E074E2F5D45EF8A65494075BFE457B01E409B67471B1AD3E6C0EA3E4CA4CD87DAFDFEC96FA04A4D46CDCEA54A2F7857B1CA41419DB
Malicious:	false
Preview:	M.d.R.1.........L..w.<pQ... ....@..9.c.Sn.O......{0.....}..y"......h...5....PD.k^...p'.o.}. a....&..b..K.@V.............8n.....)Q.+h..=n....T........f..s.W.8\. 3.D_........m.........2<...y..Kh`..]...?=h.hc.a..%.B..._.T7...`B@..t.......Bl.$c.Q.......2..)R.q...$... .J.....]x.'...$7j....#e4_O.....<>6_wF.7R...q...PA_>h..Y.9q..d..N.........O.z-f........_l. .....BL...C..........8..G,..?...ge..u.\...F.0.9.]}.R.....].. ..."$C@.".....e.-...w~...b..:=..v.....t.V..6....`K}.CW.".9....\|.<..iJe...`..g.,.t]Y.u^..;..i..5.v[.....n.\|.R......,.a...r.{u2I.>2..).... .V.......5F\|....'k./.S..<....>.;....N.....g........./..w]..a.`-.<.X..YG7.(.^.MU.]R.yq.K._O,..4eH...Gp<8.........k-...Pf....Yg..I.(..#...H.k.j...}......M.E....C.3.7..y).lW....2...r!...?YB>1.>hG..q\|\|v....8........i...v.7h.x..."...'C....l..hO.k.&S.{.h..H.S..G...dn.......h..L&..&...i....N.Q.X....aPB.[[t=..o.....W..C.!b....2.sb.....a.e.a...9..g..a.H"b&......j.....C.6t..s...1..K.......k.7...)..(6.

C:\MSOCache\All Users\{90160000-012B-0409-0000-0000000FF1CE}-C\HOW-TO-DECRYPT-gn9cj.txt Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	Little-endian UTF-16 Unicode text, with CRLF, CR line terminators
Category:	dropped
Size (bytes):	3274
Entropy (8bit):	3.3969029202767174
Encrypted:	false
SSDEEP:	48:rLrZ6kkqzuDVm6eRU5oKDIBE2qxOzOwUq7ZU/d9PfDoIwe1Nn2oEdFdb:r/L+m6NJ6JOwZgd9PrRNQ
MD5:	0C6D0A67B942D06FE27F41C7C582CDFE
SHA1:	7E674CF6375B138CABCA2706583D4CED7A1AEF27
SHA-256:	014EA5EFFC97085B7832512B9AD2A5C4487265EB67E8D7B0920EF2BC8768400C
SHA-512:	53EC4509BC58F53419A8923D808C7DFDECF57DC203C37265D061AEBAB73147720D1C419E79578065A42C3B2A63504370F90516C3F0AFAD5D6997952592D3A39C
Malicious:	false
Preview:	..[.+.]. .W.h.a.t. .h.a.p.p.e.n.e.d.?. .[.+.].........Y.o.u.r. .f.i.l.e.s. .a.r.e. .e.n.c.r.y.p.t.e.d.,. .a.n.d. .c.u.r.r.e.n.t.l.y. .u.n.a.v.a.i.l.a.b.l.e... .Y.o.u. .c.a.n. .c.h.e.c.k. .i.t.:. .a.l.l. .f.i.l.e.s. .o.n. .y.o.u. .c.o.m.p.u.t.e.r. .h.a.s. .e.x.t.e.n.s.i.o.n. .*...g.n.9.c.j.....B.y. .t.h.e. .w.a.y.,. .e.v.e.r.y.t.h.i.n.g. .i.s. .p.o.s.s.i.b.l.e. .t.o. .r.e.c.o.v.e.r. .(.r.e.s.t.o.r.e.).,. .b.u.t. .y.o.u. .n.e.e.d. .t.o. .f.o.l.l.o.w. .o.u.r. .i.n.s.t.r.u.c.t.i.o.n.s... .O.t.h.e.r.w.i.s.e.,. .y.o.u. .c.a.n.t. .g.e.t. .b.a.c.k. .y.o.u.r. .d.a.t.a. .(.N.E.V.E.R.)...........[.+.]. .W.h.a.t. .g.u.a.r.a.n.t.e.e.s.?. .[.+.].........I.t.s. .j.u.s.t. .a. .b.u.s.i.n.e.s.s... .W.e. .a.b.s.o.l.u.t.e.l.y. .d.o. .n.o.t. .c.a.r.e. .a.b.o.u.t. .y.o.u. .a.n.d. .y.o.u.r. .d.e.a.l.s.,. .e.x.c.e.p.t. .g.e.t.t.i.n.g. .b.e.n.e.f.i.t.s... .I.f. .w.e. .d.o. .n.o.t. .d.o. .o.u.r. .w.o.r.k. .a.n.d. .l.i.a.b.i.l.i.t.i.e.s. .-. .n.o.b.o.d.y. .w.i.l.l. .c.o.o.p.e.r.a.t.e. .w.i.t.h. .u.s... .I.t.s. .

C:\MSOCache\All Users\{90160000-012B-0409-0000-0000000FF1CE}-C\LyncMUI.xml.gn9cj Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1061
Entropy (8bit):	7.795361884441152
Encrypted:	false
SSDEEP:	24:Myay0J0wHaZ41fLR+qAuO3cpZf5aT2pdsZ4W6lwvJp:1ayyH75t+Xc/f5C2pdCp
MD5:	6970E7D990D6E6FD943AACE5D3F3B1D8
SHA1:	61919F7F32D7E75C4591D55014C9E5F82D724343
SHA-256:	F00AC96439913BCD87DA4B6B29B5639D196763D59D09C3CA146AA00C92F72594
SHA-512:	0AAC0D9090A09EFE482FBE9B58A0A02597E60DA059035F8FF4DA05BD77C8421FFD9220FEF5EEADC2B9F7CA3615E8DBFC39D52573723F8CFB0E2C54169ABDD06E
Malicious:	false
Preview:	i.8.`....PV5...f.2.u.L....s.q6}..<A..^S.....%c..2.3...b_>.....m..d...s3...ka.......d.._.......3b.mT/q.8-.>..xx..P:K..Y.~J.......?K]...0.....q7W^cs.....kJ.....AL.mZ...........@.FtT..<^...[...1._...+...n..Jo>..k;...J.@.....BQA...fd..A...LPM.!.cT.!.#.].l...]..".6.6..?...;.^...o.k....S..c.L.. ..1..p.ol..u...Z.0 .^...c.P..pc..Q.#s..B...........N]4z...5..x.KG..s..X......4...~9..[.M7,....L[.........C_....(..._!%..a..k.\.Y9.[..[._=/.W.JB....DV..~.y\.V.Tt..p..j.j..!..l..F('..5...A.e.^?..V..z.......-.....}......n.\|.R......,&%..."37?./...K:3.W3..x..]<....U...._gX..}...h4X..+.`.QP Gb..m..%.oI`.T...M'..$^...n.#L.<.CA.......~..p.VA.'..jN...[.-../....r..?..C..}.;..........h..Kb.7 2..\...H}H...m......).....R..... ;...T..........P.....C.Z...d.._...Y......wG.P.R.....H)Pc:t.\|.....C...o.x1&....2.OW}a..2......\....2...R.}\|.q.3D..amVE..!.w...EQ`.....t.Ra..<.. .U(.A.......q~.g,...+P+..j..+'.............6..h..,..5.......U.rT{=).}=.p...!rV....xg..

C:\MSOCache\All Users\{90160000-012B-0409-0000-0000000FF1CE}-C\Setup.xml.gn9cj Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1062
Entropy (8bit):	7.808196536863701
Encrypted:	false
SSDEEP:	24:roOdYL8asSoIjIYUQseC+2W12WD9TJPi5tI/IivJxeiQtJmPp5d1ultl:8Odm8aZpkznB+H12Wja5mJxei6JmPVoJ
MD5:	E0B6014CCA5546BD66182B9B6C19AA0C
SHA1:	B9B94CB12E791ACAB0FB61C505FEA40A8864600A
SHA-256:	4E6A5B11396EE1D56F87895CC90F335D7BA07D4BFAB893FAD79E12C6668C1570
SHA-512:	CAD93F9C0DFB70D2354E47A7B46008E4BEFEE0FF7745477246C08F56E93A66345A0C23AF1933A0E477141291A681FF8178AE1557F10C3421B5F57D173835F5E0
Malicious:	false
Preview:	.H...`2X..M.......;....L...Mz...,...........O.Ks...p.(.?j..n\.....Bf:..y.k...i....F....#....M..AB.....e\`?k:...UF..,...h..:q.o....o.1F..R.s..y.......'.N..@......V..q.$.\|....4Q-.20.F.k.mAS. `'#G.@.....(Q.PKx{U[...V70....v^..K.w... .tw\|......ENo.....'....<..8.M;T..4em.$....".W.....:LX.D.q.H ...-.v..z.._..Z..e..?...........9...e.F%g.U3....a.E..x....8..7..u.z].z.......pt.....Y.\.#..1.J.-..(......v....3....N.H.D.....^P...c.?..L...NE3..^...X......,.....x....m....l&...SYB.7...i.`\..O.Z...ZP+..,.Z.^..Z...@...o.<E.....n.\|.R......,.Z.Y#......0.Fp..sS.t....@.j...4..G....-C....=...Z..n..... _..I...v...~...~A.N.....^.a......N.w.'....z)..N........?Z`.\K.$r.../O.fHj..J..MOzo.[..n...i...... .. ....{..Z....D]...Q.+{.s2?....c[z..9.i.V........9vR_....>o9.3\|/...Fl.......`.\{....7.5.........IA S~....R....t.jh...n.O0..:h...GW.....aOl..^..f.....B.m....w.]7.t.A..7.eQ.X...4.._\|kPe0VRK.C{........?.F...O...N..&g`..8]+.%U.l..d...c./m[.Q....v..p...<sY*..X.n

C:\Users\Default\HOW-TO-DECRYPT-gn9cj.txt Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	Little-endian UTF-16 Unicode text, with CRLF, CR line terminators
Category:	dropped
Size (bytes):	3274
Entropy (8bit):	3.3969029202767174
Encrypted:	false
SSDEEP:	48:rLrZ6kkqzuDVm6eRU5oKDIBE2qxOzOwUq7ZU/d9PfDoIwe1Nn2oEdFdb:r/L+m6NJ6JOwZgd9PrRNQ
MD5:	0C6D0A67B942D06FE27F41C7C582CDFE
SHA1:	7E674CF6375B138CABCA2706583D4CED7A1AEF27
SHA-256:	014EA5EFFC97085B7832512B9AD2A5C4487265EB67E8D7B0920EF2BC8768400C
SHA-512:	53EC4509BC58F53419A8923D808C7DFDECF57DC203C37265D061AEBAB73147720D1C419E79578065A42C3B2A63504370F90516C3F0AFAD5D6997952592D3A39C
Malicious:	false
Preview:	..[.+.]. .W.h.a.t. .h.a.p.p.e.n.e.d.?. .[.+.].........Y.o.u.r. .f.i.l.e.s. .a.r.e. .e.n.c.r.y.p.t.e.d.,. .a.n.d. .c.u.r.r.e.n.t.l.y. .u.n.a.v.a.i.l.a.b.l.e... .Y.o.u. .c.a.n. .c.h.e.c.k. .i.t.:. .a.l.l. .f.i.l.e.s. .o.n. .y.o.u. .c.o.m.p.u.t.e.r. .h.a.s. .e.x.t.e.n.s.i.o.n. .*...g.n.9.c.j.....B.y. .t.h.e. .w.a.y.,. .e.v.e.r.y.t.h.i.n.g. .i.s. .p.o.s.s.i.b.l.e. .t.o. .r.e.c.o.v.e.r. .(.r.e.s.t.o.r.e.).,. .b.u.t. .y.o.u. .n.e.e.d. .t.o. .f.o.l.l.o.w. .o.u.r. .i.n.s.t.r.u.c.t.i.o.n.s... .O.t.h.e.r.w.i.s.e.,. .y.o.u. .c.a.n.t. .g.e.t. .b.a.c.k. .y.o.u.r. .d.a.t.a. .(.N.E.V.E.R.)...........[.+.]. .W.h.a.t. .g.u.a.r.a.n.t.e.e.s.?. .[.+.].........I.t.s. .j.u.s.t. .a. .b.u.s.i.n.e.s.s... .W.e. .a.b.s.o.l.u.t.e.l.y. .d.o. .n.o.t. .c.a.r.e. .a.b.o.u.t. .y.o.u. .a.n.d. .y.o.u.r. .d.e.a.l.s.,. .e.x.c.e.p.t. .g.e.t.t.i.n.g. .b.e.n.e.f.i.t.s... .I.f. .w.e. .d.o. .n.o.t. .d.o. .o.u.r. .w.o.r.k. .a.n.d. .l.i.a.b.i.l.i.t.i.e.s. .-. .n.o.b.o.d.y. .w.i.l.l. .c.o.o.p.e.r.a.t.e. .w.i.t.h. .u.s... .I.t.s. .

C:\Users\Default\NTUSER.DAT.LOG1.gn9cj Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1056
Entropy (8bit):	7.835645688465146
Encrypted:	false
SSDEEP:	24:EaTjRy0QcfFYZ2tEQ5AMjY6CaEgosQkZkz2fK2S/Dro5mLUUpCmdEKzqo:tlyNc24tEQ5AMQ4Ch2S/3UmTpCmdTqo
MD5:	B6FA910556DA2591B9F9E1B30D7A614E
SHA1:	8539A373476BAF56A68C113A1658AE3B53CF6093
SHA-256:	C12CB16B36C89857FC73E50AD7B2BC988B5C4929A4C589C0BBA7B69967CAB6F9
SHA-512:	5A1033892AB75574E8490F94104D8C36E5538D547581372D05FBD343B9FDD45F072BD1A02301702ADBC3699BFC307001C02618E4A0BABAD971E0E5B4F2B20149
Malicious:	false
Preview:	..bx.h.1.....3.SA...jv.H..J..4...G7.r.(..M.A.q........X#>.....,A&..Od,.q.!..L.....4.L`m....B..7H.>.UC,7....jb.......=.U.[N`!Ox....Z.~.F.UF '.._....je/[.b....][."Z.@_.....s..^S..G.....a.x..Q.rq....[..'m[..2<S.h(...B......J..".X..b .4.GJ%.J..O.m...,.E.a&.c.@.X7H..ni......%Q8.k.`.[...1...Qi=.ix.Cs..k.....:..........F.J..!:.S.O.k.I.....t'....j...&.-x.!.....?..9.8...z.).&.'..n.%...8....P{so.DLy.e.r..2..NQ.B..............d...=.. .r7_.{......c...if....."...[.UE...l.0...\|.d>0.......{.......Y)..W%%...dg....n.\|.R......,}.}....%.....A?..H;'.\|v...>+..FR..!T.s.M[@H-.N=..._:...,3TY...M..v C1...R........Q..j.;......s..T..b.C......i..x.!...!.b.`.WU.p#D...I+o.......w.A..$..C../.].#Wk...?...h\Kw....C...U.e.\....!..f.. ..VZ.....H8.I...#.H.6...-.b.C...p/..Ji..Y..zN..+%.<."q.:.0x.U.VIx3@a......_9<.=9.N. .......l.^.ow.\.(f!H.Q...V....p......+.} <..R3_..i..w."....B[.......n..L.f..d.....A..G.....W..>.6.%.dD...!.~z$n$T..6"..]...x.....Wx.^a....1>.......~...k.y..]..

C:\Users\Default\NTUSER.DAT{8ebe95f7-3dcb-11e8-a9d9-7cfe90913f50}.TM.blf.gn9cj Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1056
Entropy (8bit):	7.832966629277186
Encrypted:	false
SSDEEP:	24:62RqS3biCVh7riv7q+B1t9v/B0RarO0UzOunW1xSVgOYQ:6Cx3bjXivl/zv6RA9uW1QVgOYQ
MD5:	4D432B23F99066CC737877DB2B8F7CB3
SHA1:	D5EE2B62920C9CD13821D98214667F9D3B22EEA0
SHA-256:	0074A451E0D445C21ACD1CCCA0EDFB12EA75D21033CCB76AA53144B95CC40B06
SHA-512:	77A73988E851EB8A062686275DA100F9B8702EFA41B64684852AC3E08FD260C475628872B06275FF94AABCEC21DDB9EDA5A59CDC3134A9DD9F1D1603A68AF4EF
Malicious:	false
Preview:	Z.........uO...i.T......./bK.L.c.S.........U.".U/g.{..L.f9+...S.h..Y....}.fu..?2h-....d.i=.7m..U..IetE...n....3..@M..E.....r~t;d..ZiL..;.....h..pvM@...v..8.r.y.....7>.3.gZ..M..i.%.I.X.......g.0..]I}...Q..CEg.NW.z.l\).x.fD?..}.s.E.p=......K.St.".y..f._.k.s....\...;.J...o...[Dd^...M.E'.....+._.i.-..[.Nr.5.).;w..y...G....1...."...e....Gt,>.......lBM.....2_....m~...&..W.Q~g..4.q).o.....T.dim.q...=.A...).W..y...79<.I....1.om."..CB.JWGj'.8.....&.\|.!..s.q}..J.`..(U....zC.m...i......(....M....!.....qt.T;P...X....n.\|.R......,iY..K/.g.u....c.......'........\|J.>f.....Tu...N ...6.s.......l..]..z..V..Ri.fh.?#9$....._..3...{.}....c#d..A.V..#...E<1.N....$....a..SY.8..A..e..,.%. w...J..t<..2.X..I...t"D...K=9.R...2.."..1.E.b6$...E..=t...r.\|M....wH$`o..Y..c......B...)F.......S ......H`b\k...f.\| ....6r......g.kU....9.>)..P.A..g..O...ob..Oy".c..6.....GB^dVj.t..&....(....h.....3.uG....u.?..p,.5.~.,B...-.+..G.4mM.<?.FE....k.H.\..e........R.......8V(.r. .u....x

C:\Users\Default\NTUSER.DAT{8ebe95f7-3dcb-11e8-a9d9-7cfe90913f50}.TMContainer00000000000000000001.regtrans-ms.gn9cj Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1056
Entropy (8bit):	7.803696693234389
Encrypted:	false
SSDEEP:	24:8XQkOdnU15vU13UPPohm5pB3xr2X759XB3GjonnbQCHuvYqfiXdnux:szOdU3vU13kPZHBSXXB20nnbZ3KiNux
MD5:	49BDD1BA94338D8D9AD06F55D3C7D76C
SHA1:	E6FBC94FFDCC371AD24F08F6F8A02928F9B7DCF4
SHA-256:	C35B396A2C32D961B2B0E9EE9289272F83D8F924C02DB93079188EF155250AFB
SHA-512:	E937F23B4D3D49B10BF130A38391CA847F3DE45E4BEC5486DA2B53D1F463B35BD6E074E25ABDDE11676E02F3C176CB2DA4F98FF12C216A9CE9DF3B3F3806FC5E
Malicious:	false
Preview:	a....o].....w.f(6.T.I7.GE.v..r...s.d........IU.....=......gr...%Q<.xv..j^..I..r......E ..:.5....g.CL[.C...+....;,<rr=.@..!..H.......S.0...H..b....)f..Z#s\X[...<.+3d9....FS.`V."9.v.........x .^....\.i...%..j.K.!(..qQ.i.CbH.......q....U{y.e.8..K.,.\|.Q....Y5_?.=L\....hFV..d..H.(S..%A.Hzz.2}.Q!i...xUz.'l.....V....;.]\|v.(z..?..Uo.0...[...E.k.......=.?..).....I....u.,...m....3.....'....k"Fv}..b.O...."...{n.....Y..]...e`.@.%...ag:.F..+N....m...2.<..z%7...............\.u...@...\A./!I...u,..."..."..^.N......n.\|.R......,p}j..3....,..p.9...]SZ...!.h.:...4eh.U.qx./.........\7..<\|....E..F...h.....P..sc^...xU]....&>..........6..e....1.5...H..T7.#!...p...#...+.(./.].a\|..L.G...`.6.IFhP.._.OI.. ..N)..y..I'y.kB<..<.\|._-f;.Z....!..qmC@. .f.5..z..A..6..n..VR.a."CB......<...-.A.pBc..g....f.:/1>o.*...F.."....o%.?.....pd...W.?.(...e.2(..\@..A..B..3...M..u\.`.q.q....U../P...e>....R}...h3"..<....t.{.8.....q..l7.\|q..[n\v..2.....t.zDP.....,-s.[[.....3d...D.W

C:\Users\Default\NTUSER.DAT{8ebe95f7-3dcb-11e8-a9d9-7cfe90913f50}.TMContainer00000000000000000002.regtrans-ms.gn9cj Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1056
Entropy (8bit):	7.821549551379307
Encrypted:	false
SSDEEP:	24:Cw6QesEEZe/1UR0tjJeL9xgNOcDcG76JE62y1xkop:CwT1vZe9W0vEB6cGKx2yHNp
MD5:	2B62EF5610F71B94C8D8FA5DCD519779
SHA1:	F6A722324AA3DCA5EA20FFA09F59868ABC09F511
SHA-256:	1B058CE748772679C4590DCB8D0B1EC735BE63A2629EB7389F4B4D4566BB36C2
SHA-512:	8285CBA84A6A80FC87DCE0422D5DEC3C64BC26FA09118820F7023CD7982B09B18154D47EE052AB8F5BBDFC96E6C834CCF70CA4F41EF41B9A533C665030227910
Malicious:	false
Preview:	.[..@<...T....5.."....~...IMW...`j...(.i#..h..Q.....0e.....p..x.@S...... a.Q....2..q....C..]..a.............+PVF.6..z.~...&$`...LN.-..5.;m.T>H....k.<l....6.Pd....}2$'...5.f..V..Z."c.W..M..<.\|..B`9...'...9.r..(.].........x.....K.=.g.<=\...#wv...=......(H.X.n..8.\.f.......B.G.\|Y..q..aY$...}.\|...g.N.d..q.3.....XKt..N.\BC.S....2.W7.zV._....H...n.b....:0..W...y..SA..\|p.K".....<..6.o{..u...[M..!......./A"..:\..\|.E..4....a.H.n....u....VC....JY......8.%.}.\0.m...aU..C1e.\|;.b. ...g..."7Td.n..3.....(.........n.\|.R......,.&=.........u...Q..c..F.....f..F.d..... S..?.....N.,...S9%I....R......cLl.<.....x4.`.....~/.+....!........c..v..o.t.".>.!.YHD.(..4....z.]....lX4.w..g.(f3.......Jl\.-[tGz.%...?.pN3w.z....]..w.<D..6..............~.......V...N..].......d]q...}.5.^.I...j>Q....Z1.....3E.......>..=.....;.....a..d...#..j..w.....}.2$`b.7.4.G.7._u.{.P.w^..F...<.L........\|..W.9.5...J..`..?.fa...n.....X...%._.~..\.v........g..5...LD...%.w...0.....?.w........

C:\Users\Public\Libraries\HOW-TO-DECRYPT-gn9cj.txt Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	Little-endian UTF-16 Unicode text, with CRLF, CR line terminators
Category:	dropped
Size (bytes):	3274
Entropy (8bit):	3.3969029202767174
Encrypted:	false
SSDEEP:	48:rLrZ6kkqzuDVm6eRU5oKDIBE2qxOzOwUq7ZU/d9PfDoIwe1Nn2oEdFdb:r/L+m6NJ6JOwZgd9PrRNQ
MD5:	0C6D0A67B942D06FE27F41C7C582CDFE
SHA1:	7E674CF6375B138CABCA2706583D4CED7A1AEF27
SHA-256:	014EA5EFFC97085B7832512B9AD2A5C4487265EB67E8D7B0920EF2BC8768400C
SHA-512:	53EC4509BC58F53419A8923D808C7DFDECF57DC203C37265D061AEBAB73147720D1C419E79578065A42C3B2A63504370F90516C3F0AFAD5D6997952592D3A39C
Malicious:	false
Preview:	..[.+.]. .W.h.a.t. .h.a.p.p.e.n.e.d.?. .[.+.].........Y.o.u.r. .f.i.l.e.s. .a.r.e. .e.n.c.r.y.p.t.e.d.,. .a.n.d. .c.u.r.r.e.n.t.l.y. .u.n.a.v.a.i.l.a.b.l.e... .Y.o.u. .c.a.n. .c.h.e.c.k. .i.t.:. .a.l.l. .f.i.l.e.s. .o.n. .y.o.u. .c.o.m.p.u.t.e.r. .h.a.s. .e.x.t.e.n.s.i.o.n. .*...g.n.9.c.j.....B.y. .t.h.e. .w.a.y.,. .e.v.e.r.y.t.h.i.n.g. .i.s. .p.o.s.s.i.b.l.e. .t.o. .r.e.c.o.v.e.r. .(.r.e.s.t.o.r.e.).,. .b.u.t. .y.o.u. .n.e.e.d. .t.o. .f.o.l.l.o.w. .o.u.r. .i.n.s.t.r.u.c.t.i.o.n.s... .O.t.h.e.r.w.i.s.e.,. .y.o.u. .c.a.n.t. .g.e.t. .b.a.c.k. .y.o.u.r. .d.a.t.a. .(.N.E.V.E.R.)...........[.+.]. .W.h.a.t. .g.u.a.r.a.n.t.e.e.s.?. .[.+.].........I.t.s. .j.u.s.t. .a. .b.u.s.i.n.e.s.s... .W.e. .a.b.s.o.l.u.t.e.l.y. .d.o. .n.o.t. .c.a.r.e. .a.b.o.u.t. .y.o.u. .a.n.d. .y.o.u.r. .d.e.a.l.s.,. .e.x.c.e.p.t. .g.e.t.t.i.n.g. .b.e.n.e.f.i.t.s... .I.f. .w.e. .d.o. .n.o.t. .d.o. .o.u.r. .w.o.r.k. .a.n.d. .l.i.a.b.i.l.i.t.i.e.s. .-. .n.o.b.o.d.y. .w.i.l.l. .c.o.o.p.e.r.a.t.e. .w.i.t.h. .u.s... .I.t.s. .

C:\Users\Public\Libraries\RecordedTV.library-ms.gn9cj Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	modified
Size (bytes):	1065
Entropy (8bit):	7.815987507826387
Encrypted:	false
SSDEEP:	24:UvKr2gpuyILtFktOcHwk8euOd4FrwkA9GcZqX2ylJZYqRQp2J45SHD:UvKigEySFOtwk8e7dfkAQcZJylYUQB5U
MD5:	9ADB58A24DB4064A99585A3F8B533721
SHA1:	9587E1429738FD722997CAE6BB72738B67B6C6E1
SHA-256:	1342C45C3154C3E1A75667F6E63641787D48EE3A6B9F3A8B6EACF01787225EFF
SHA-512:	9A8C31442E7042916FAD1685A5C54C552FCE85CA444201DC785671C8E65203565F84383759148E583B69BE0D62EF377373C5B190F636524530ED99B47F1BB38E
Malicious:	false
Preview:	......t...xB.W.....S3{.y\|........d.......(....'.....Z.q...;.l.......%.\."...[.V`..,....B.....v...X.}n.PTAK9...P.Fu..S....4P..N..............._.\|:......u..,^XdC.].(.._.:...7.({.[.M....j..W.k..i....K.o.=..j9K..S4..^...2...;.+D...-..i.W6..8.B.4....v..~.B.}-7x....!U@s....F.T.^....u...B.J>.{..!.+.k_{...w...J..B.D.XN{........@lK..xr.@..2.y......bv?...n...5.YV,.,.]0.<$.)!^...L..2.......O2.#..'.$..g...0.vs..ohe...p.......~.......Dxjz.......K..jG..."b$m.&.2{...m..-j{.O...X.`...94c.i1D..Y..FR...SN...79.gf....n.\|.R......,.i..R.J...:..?#.plf..........W....\|Nq1no..~/t.J.E...qMc..gs<.<5c.S..EDy..%....#.b....zV..{#...j...'....s{'t..a.-...r.@.ro.....`.\|.L.C0..uoB%..I.y.\| ...a.C./....D.'..c.D.Cr<....G"...H.#f..-.._)k.......$.2...2w5....Q;.T......6.=.f.e...)v.BS.._..;.wyh....z.u.$)...+.(.k....`R.d].k..s.DY..].....s..kN..L.h..h.C.bdh..{..t.4......qi..w.X...7.....9..w/.a..bM..(......q.:.:."-,..x+R.....PJ..f .....(f..j..).v..g.kNe.[.{.

C:\Users\user\AppData\Roaming\TextNotepad\Unistore Download File
Process:	C:\Users\user\Desktop\Q1xEDBAmY5.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1915904
Entropy (8bit):	7.926339570961052
Encrypted:	false
SSDEEP:	49152:2HOalx8WJjq64Hv7OHxTAhEu5undVmB9dn5AI7EyP3:E/8WJjiPSRRu5undVmDd5VEyv
MD5:	7D4550DD4C6996057147ECC996B14E9A
SHA1:	D0D68281F8459B5558559FBBF8C6C8AB4DDFEC8B
SHA-256:	EA310CC4FD4E8669E014FF417286DA5EDF2D3BEF20ABFB0A4F4951AFE260D33D
SHA-512:	E0653AC9C92BD134FF43886B4A8A36016660294C134FF11C6CDDEFE50494923FDCF370C3D96D5538D2C7EF20D216B4D15B914D40002C982C69021EE8998F57DF
Malicious:	true
Antivirus:	Antivirus: Metadefender, Detection: 53%, Browse Antivirus: ReversingLabs, Detection: 83%
Joe Sandbox View:	Filename: 19BVpBUTg1.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........S..n=..n=..n=..F..n=..n<..n=..<...n=..n=..n=..<...n=..<...n=.Rich.n=.................PE..d...9.._..........#............................@................................................................................................d.......................................................................................@............................text..."........................... ..`.rdata..............................@..@.data...............................@....pdata..............................@..@.rsrc...............................@..@................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\TextNotepad\Unistore:Zone.Identifier Download File
Process:	C:\Users\user\Desktop\Q1xEDBAmY5.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\Desktop\BPMLNOBVSB.docx.gn9cj Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1070
Entropy (8bit):	7.815314613924663
Encrypted:	false
SSDEEP:	24:Ij3ppVowmmlkRxyBwlWQsqRQ91+fOQ1vMIwUafaw:q5b3plkRJBpQ90GQ10jf7
MD5:	0958B42038D2AE42A4A8312C28E3D0EC
SHA1:	5B9EC062A4B97EC3A965AD6CBF67738006B20CCF
SHA-256:	E1CB1A84765A97CA13BE3FB6468FFAB6A694D451D10502D3C77EDF42AF20FB24
SHA-512:	6FCD887AAB7C09A9F904AC75FE934FF96EFBE8127C9E57527B62797098DE705475771BE8EC02BB10D9FA0544D08C3DF616A3F8AAA875DB6E79190205C51DC7F3
Malicious:	false
Preview:	.....u......Ex.DR.......gt....0.5...f}..k.p=.#C..S..D..........G. !<.^..A.A.h..7K....\P8d.7.}...&.........d~.2>.........H..+.8@].<.0.].....o..A+k.h........?..K....$.I..........x..B.eEK"x..BJ4.]......!...DH......\|..1~Ce.l...5.....z.iw...}3.12.!..Cl..U.....tv+....^..../.......=.....?\...T./.:.....y..:.d.Qp,Q_.B. ..`........7G..9.. {."....c.s...2.....Cn.n..@4....\.....s.]^./...P........v.R.8WW.o..%D..L..8.e....<..V..l......W...\|b..G+.3&....hJ.p..'X...i.......!.2LV1.e s..?d.Msa3\|x+.9..o...9..C.]....+......n.\|.R......,.....]..[.....{.wil]......[.D..j.?KL..Tq.=.4%.8x..r.l.....4...^a....m....\R..x...!..Nv.J..I.nV..r.u.9.S.-..ob(j..r....o.5.R..5.o....P..E...u...gB..Q._.(..(...r'.. &f...W..].....4B.o..........s..@..z\|.$.C.4..%.m..{..7.....y;....==:.%....\............R.7V,.w\9z...k[....\{.....a.v..`.p.....H....6..z...{Q.J..s.`VH.U.......3......T&5..4.........<...+.*....G~bE{.U.h....F.2...N....4....,.wE....s.\|.........1..X......

C:\Users\user\Desktop\BPMLNOBVSB.pdf.gn9cj Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1070
Entropy (8bit):	7.819714764060777
Encrypted:	false
SSDEEP:	24:XLn5K0q+xbkuS2Om30686ZZakSLkzOxY/KZ4XfcRCqHQa:7U0q+muEm3067+kicOxn4XUpHQa
MD5:	9E84BF8795A72F67C18BE569167B7CE1
SHA1:	ED386D6A1067FFC588275DC5A47BD233CFE5A9AE
SHA-256:	111E94BB82CC68FC441D71FC1690857DF70DC58311B6E74E76C0DF46D10C71ED
SHA-512:	F18FC881F47566BC6FBD97876CC31B1223AB0C54248C4023A145D7F5C2BBB06C8A61B3B5684B51F625015BB7EAF03B63350562F6EAAB74DDE796F915C092376D
Malicious:	false
Preview:	.\|........{,......5..#kO....Z\|.K...U.Z.Fxsk.................Y...$..8.9%.Z....p.-...=..Z..]........P.M.+.uE...c..!U.U+...A.!.....h)..VjK.#.h.3W%.X.t.......<<"w.ac0%6......I..N0'.i.....29..;.K...]..I..~EK....u....B.v... #.h.......tO.M..X8.w@[.......=.....".3k..NE+../..C.q.2x.c...?....x.vUDc./c..~...&f;..U..vxKdq..],....k......x..cyd.l9.C.\|?.>.^4..v...u.e...8A.._......hw..5\|...-..f....+W..SDc.6.sE... .'.%....<m.O../.hen....).\6....0..i...H....f&VDGm.h....C.)$...... E.....JY.n..[.....D..@.8OU.O..Q....9.%..~q.....n.\|.R......,...@.p...=V......^.l^......l.h.0j...1;.........mYb.Q...+...E=&.....,..5....;}.(.R.iC.......I_.#..j.k...@.Q..$..~.?.g.V......(....;T.F#.g....g....%S.....T...i....D.$...<.\| ....,.."...+..Q.}.d...4s.....{.\.;...o.m0"... ....\.Z.S.)..F./.AE.!....4L..f.)....V..b.bh....9..6:...a...81E..(.?......Wd.\...!.L....zQh.)S...>Z..{.E>....'^.\|{.GQ&...y).Jn..m..5..T..,.4p(.6...[./...(...b-.P?>.8....T.q./...p.N.x...A,.b#..'.. ...%&.>.

C:\Users\user\Desktop\BPMLNOBVSB\BPMLNOBVSB.docx.gn9cj Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1070
Entropy (8bit):	7.812378158011061
Encrypted:	false
SSDEEP:	24:38gY6DCaTISWX+Om+C9Ctq3/lIjDfw4MA6FtRubpaYT3uQp:38OeaTISWPC9Ctg0fh6hubRu0
MD5:	49075B912EF44C5F99A6944275E156FB
SHA1:	4CA610AD00F39700641515A0DA27EB6361B4ECB2
SHA-256:	15F0C8B4E99FA373CE96F25075A2EA4C0023651360D2DD1BB320E288EE5CA48F
SHA-512:	92CB32E6920C2FBD1D63D3880F37493C291D2CC35D7124EAAB4419A6F8DD0B2849A4ED117A8AFA9CDD0F51EB2FDACC6D2EE27F70505645E6EEABAE639C8BC275
Malicious:	false
Preview:	i~. .~S^."...N....3.(.87..>..{.....~>./..r..m..7....?..`.;.e.P..W.w.r84..iVvu.e..5.....A.Z5.+...Df.4s..z..\|...s>..W:....\......gu.\5Y..ss.A...a.d.r@.0.c".....+.\|&.Q ..c.y.v..r.2R....-.....b..Z....a.....ci_...'Y...\..7.an...+w.s.c.eh..+P66:....C.h.rm>...a@...b.-.,J.-}....Bz.f.U'o`..>d..z....C...............}.....x._....H..."b....... .._....$..G++..@b..8..w.vg..s....l....L.eD....VWFw.Z..Zn...EL=.......v'.g..6Vi^..yn..LE.X..c./..#.=.o.y..I...E..,.Y.....f.9G.n` .h....+.F...HMIP..E`.W{.X.......%.c....\|.1......G.!..w......n.\|.R......,Q..K.R\|_XF2F...Bw.HE\.,a.3q.]..].S...K]..f..1..?..'"..&,.....X%..X..ASl...H... ,_".....7.G..C..e.R.K.U[>`.....Dh.9;Y.h.....M.)L&.....,p.OR...K.Q.....$.X..Yt.a......45....bE...!..8....X.....:.5.y6..0..I......V.. l........y.Z.jZ..M.o.\....!D..v~3.Xf.m.rWy......@....4...wA..g......`.rSK?.......0~P7...].aFR#.y..}>.E.>....QuvN.(.;~......P.u.d...0.~a.,[].y>...........+.............I.D.f.k$......b,%u..^f<q(aC.=..<..

C:\Users\user\Desktop\BPMLNOBVSB\CURQNKVOIX.xlsx.gn9cj Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1070
Entropy (8bit):	7.781994614785669
Encrypted:	false
SSDEEP:	24:wcjxBAMbqf4NBWZA7Hdh9vRtQFcBMrbyF5A9ep5x/ti:wqxBYf4sANTmcqc0efx/ti
MD5:	C1F73F142CF9ACE906B583CDA8F95EAF
SHA1:	AE8CFB9BCA00D73FADC01D77F39A1F43DE9D0347
SHA-256:	492EC8D88FDF3FF3073D33B8FE4D5D99F1DD7EBC479A4FDCC1347A743CA02914
SHA-512:	FA50B0652316D0A7F40B75BE6AADD53388DDF76F528769D8105927348A10D7C4747E4A342C217FAD2EAA754F8F1DDFDFD1E0A4F0B4C1D915D0AC30C9AABF99C2
Malicious:	false
Preview:	.i.$.D...;Rwc....=7..n.G.....f(.`g......L......-..............y.w...7...\..R-.....nl.......pF...5.J.5.Y[U..I.Jj.GB37L.2.2)...C....Ne.....UL...&.P....m.!.orM.f.v...hl..^.:h...@.......U..j..y..Ys...v-f..}].;<#.......pH..........6...V......9...;.9R.WS....@...T(Z.9..`..L}...-..uq.p-Y(+..g1..6~}[...7N..4&B.>.{.....~..l....#B[..dO.e@wg.....E.t...+.P.h."y.Fp...c.h.#........0.w..}[9Y....&.R}...2..B.P..h.4.....F[;.t.X ..(..i..0.....r..ca.....o%.g\|.$...T..*."c\|....6..O..q..:..:.F.....(#...0I.lU....%S..VR..o.....s50....M........n.\|.R......,^..#..K..;...8.VyN..m........F.....6.........P.9,.Nh..tx.#..,S..nEm..+..=.5q1Fg.NF....~.U....C..#..?.L.#.....kFK...).Q...'%.8..E...m+1`.'.Y....W.........c.d....2.3.h.s..cDd=....#g......nEFe....R.3......nI.w......O.P.T...X..+.aw..A.4_...@.`.5..0o@.nk......cH.[...$....G[...0H.....=.y...ZM..E..\.2..:..L0...]..Uw..E.N..k..R.,.....8V...\|_.B..E....,92..F1.l.].WUKP.jl}...u.y....{..s....s..y........(?..OwI..7...YY..o.y....Kk.

C:\Users\user\Desktop\BPMLNOBVSB\GAOBCVIQIJ.mp3.gn9cj Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1070
Entropy (8bit):	7.800243915835952
Encrypted:	false
SSDEEP:	24:ftT66iSIdKcS2D907ul9j2ZbnRaZkRByP1bq2vhVX5hqMDb5/Je:1TibnvR0SnAnRaZkORtPn/I
MD5:	00253AF56741AD524192487A55FF975D
SHA1:	23C205719F87CEF5B0C5F4FD730D00648AA3E8F3
SHA-256:	8B36433EC4C76570763832B4846F2747F6D21070ADF59FEEA0A895E10E942F16
SHA-512:	D7592D8D434AE56B79A3181E8132B0DA970CFC4E3D45F0FFEC96BB62C470EE15C75CBCA3A59FE74BF00328081CEB36A5CEDC41C44DC676568B2796DDFC9998A2
Malicious:	false
Preview:	.l.6z.K..-h.8.T%..~......X....T.q..;=/..+..`bw{..(.m.}/........Yi4G..6...Y$.xF..9o2s..O..l7..... ....'RN..#8"......lC_..'.......!...0H<.....K.'S.&~o2G.;........i.FX.s.X8.X.3..'.1..1...5.......>..S...Rk.....fp.......`...-B...h......u.$Z...{.h.....6.G..3.3X.F..Q.R...$....n./.[L.m....Jt.N.I.R.?...6. .....V....O..u...+.j.(....{vl.....X&:..-.Z.....;...<...&..R.Q.....v..}..]=1...U....U"......i.hZ.hg....j.8.@...{..V..V.........>P-S.Y.$..h..Yi.C..#r...K.........SU..........0.\|m.[......}.V'..ry...A.=..D.........n.\|.R......,.....9<....l,..J.u..p9I.....~. ....\".".^A.Y.....;..4...{..>.U..]......_.r...Ft<=<^.OU.Xv..;.....Ky,.I.m.........{Br[....ZGL...g.q.."....^.XD.\|..S... ..F...#...?.m..3..b..B=..hBk./.E.T..<.k....qV....r&..b5..)..aLl1..$./.FXj.....&.9..d...T{.....k..Y.....Y......".%i.o.x`.......&.K6.LmX..s).NT..B.E.lm.\..p:...mBO.y=.p.PU....F..P4.oK.A........0......+.pQ..V.W.}+.....2..._..W..l.Zi..~......r...jb.1..%.3........6...AoL....

C:\Users\user\Desktop\BPMLNOBVSB\HOW-TO-DECRYPT-gn9cj.txt Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	Little-endian UTF-16 Unicode text, with CRLF, CR line terminators
Category:	dropped
Size (bytes):	3274
Entropy (8bit):	3.3969029202767174
Encrypted:	false
SSDEEP:	48:rLrZ6kkqzuDVm6eRU5oKDIBE2qxOzOwUq7ZU/d9PfDoIwe1Nn2oEdFdb:r/L+m6NJ6JOwZgd9PrRNQ
MD5:	0C6D0A67B942D06FE27F41C7C582CDFE
SHA1:	7E674CF6375B138CABCA2706583D4CED7A1AEF27
SHA-256:	014EA5EFFC97085B7832512B9AD2A5C4487265EB67E8D7B0920EF2BC8768400C
SHA-512:	53EC4509BC58F53419A8923D808C7DFDECF57DC203C37265D061AEBAB73147720D1C419E79578065A42C3B2A63504370F90516C3F0AFAD5D6997952592D3A39C
Malicious:	false
Preview:	..[.+.]. .W.h.a.t. .h.a.p.p.e.n.e.d.?. .[.+.].........Y.o.u.r. .f.i.l.e.s. .a.r.e. .e.n.c.r.y.p.t.e.d.,. .a.n.d. .c.u.r.r.e.n.t.l.y. .u.n.a.v.a.i.l.a.b.l.e... .Y.o.u. .c.a.n. .c.h.e.c.k. .i.t.:. .a.l.l. .f.i.l.e.s. .o.n. .y.o.u. .c.o.m.p.u.t.e.r. .h.a.s. .e.x.t.e.n.s.i.o.n. .*...g.n.9.c.j.....B.y. .t.h.e. .w.a.y.,. .e.v.e.r.y.t.h.i.n.g. .i.s. .p.o.s.s.i.b.l.e. .t.o. .r.e.c.o.v.e.r. .(.r.e.s.t.o.r.e.).,. .b.u.t. .y.o.u. .n.e.e.d. .t.o. .f.o.l.l.o.w. .o.u.r. .i.n.s.t.r.u.c.t.i.o.n.s... .O.t.h.e.r.w.i.s.e.,. .y.o.u. .c.a.n.t. .g.e.t. .b.a.c.k. .y.o.u.r. .d.a.t.a. .(.N.E.V.E.R.)...........[.+.]. .W.h.a.t. .g.u.a.r.a.n.t.e.e.s.?. .[.+.].........I.t.s. .j.u.s.t. .a. .b.u.s.i.n.e.s.s... .W.e. .a.b.s.o.l.u.t.e.l.y. .d.o. .n.o.t. .c.a.r.e. .a.b.o.u.t. .y.o.u. .a.n.d. .y.o.u.r. .d.e.a.l.s.,. .e.x.c.e.p.t. .g.e.t.t.i.n.g. .b.e.n.e.f.i.t.s... .I.f. .w.e. .d.o. .n.o.t. .d.o. .o.u.r. .w.o.r.k. .a.n.d. .l.i.a.b.i.l.i.t.i.e.s. .-. .n.o.b.o.d.y. .w.i.l.l. .c.o.o.p.e.r.a.t.e. .w.i.t.h. .u.s... .I.t.s. .

C:\Users\user\Desktop\BPMLNOBVSB\MXPXCVPDVN.jpg.gn9cj Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1070
Entropy (8bit):	7.818150104774821
Encrypted:	false
SSDEEP:	24:M72T9A8LsWRq49vVbyC0a3zUIwaKw2Dl0V0SptqQwPTstKD9hI3Frpn:99A8+89OC08/ds7SLQT9qBp
MD5:	BB9036E9BF842C8C01367BB7B991A344
SHA1:	CB7AA788C65251FFD241A9397EBBBC20F16F8131
SHA-256:	889C8340B2B66CAD3FF30ED8DC6F6D0A9EC13FEEA38E296DCBC16C6A31FA88D8
SHA-512:	5A7A678001E4E94A1D6325D59463EB6A19CC04D412D07FEAADF96E0B51F84603FC997DA8424F2A777DFEF4E8889D5ECC28A4277DE5E69E2FE53706C97DA41024
Malicious:	false
Preview:	....f c..B...3F.g..$..../....M...j.....8..=..u.%...G...,...jz..e,7.A..9.&....ZQ.....DB..{0.....].j..x..'....Zw#...]G.....z3..5.'.hEL....ak.N...qL4...`......F.0g6..IWI.kp..d.w.7.r...~....%K\=.?.l1..E.2....J..IC<..#C...eltE...n<.}........`..H...f.R+.....JA.0...i,$...8.....a9~."w0 h..j.W7./-.....r..................Z=.a\|..VO.H.-.+...A.Kc.g..p[.....2..b..v[.Q.:l.\|]....l.C.;_z..C0\|...R@W[.V.....B.....&x!.H.L..e..I..J....'c..\........> .$.1A.X..[.4...R.c%.ct...9.6..I....x... ub....@C.\|..4..D$E.~@.J.P...g.....m....x....n.\|.R......,.{..?.:A......?>m.9.F.t.... .-.dx&.[...c...ue[).7....C1"DOP..%..t.. ....7....(.Wg.`I/\..4....;.?}Y.1...h...0t....X..r;.~N......,.e;...w.O.w8..:<.. .d..I^..p..8U..n.b..qN.j?.D..<;....9...9......7.rX..e=/...d.+....9=....[....g..$w.I.0...\|..S...Kw.....C+.W..F:.\|jMo...(eV.......;.M...s0.t..1"iM8.......>.wM[.&..K.m....x..../.2:...k....t ..?....E'7m.%H.\|..0G.'...`Y....(.......Pa..QlNd..m.f".......@5..u.7..Bt.m.w......o.

C:\Users\user\Desktop\BPMLNOBVSB\NEBFQQYWPS.png.gn9cj Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1070
Entropy (8bit):	7.8178275823661565
Encrypted:	false
SSDEEP:	24:xu/mKydOg7zyAQF6I1k0inL2CiPPkCP7pPkah5uwb:xAmpdyII1k0uSCi3P7pPk+uwb
MD5:	6FD080809F8A5D1CD32A0D910BC4C062
SHA1:	6E441456AF6BA8C15DEC7EE105317BDC2E2E2F6A
SHA-256:	DC46A90A0578FEC5A73DB8D3D37FDDA5D9B9F66DDE9E7149193023601BD70E55
SHA-512:	1E27EEC690CEBAD627CC13C71E48B073C00226C05F5B8258E95DA68F37B69070DE4BA9E6ECAF27F673BE956FDA4EB1D6F64655B984AF7F76C16CC8864202CD87
Malicious:	false
Preview:	..Odw.h..;@..hy)...>...D........Xd.....$go...D....".CN.t..R.z..+.rQ.o:z...1Q..bZ..W..w.Od..z....:.}..sNA6.E..c...m^.D...z...p.p.;....gcE..5...b...v.c.......7X.9i m;...2.E-.o>.7....r....T.3.RRo..\|A.fp....2B./.`.W....Jd.e7J...O..Mp.b8.W..q...2.~%.k...zTW..Q:C0...E......K(..v#..B.@eU.B...C....[JP....=5d.."."}..n..o.K'.}.WW.;\".:.>..P..... ..3..cL\|...4..f...d._....@..KI.....[D.$5.....oF...>.B......../.".h'.h.cr...!.;.....<}.. ...=a...9.WRrMO\....&0..@.......:./<.0.uf~.R...G.].a..'.Nv...F.>!........G.K<.}.Q4.......n.\|.R......,...O.}K%u....(..cD`E;.39.S..U`-...n%7H.......U.r...)P.K.}...G.G.h?'\.)k...ZZo.^?.6@.t..(.R3\.I.....HW\|.h..].b<.e......IQj....X...xw.W...M..^...-.....kA.?..#.....u.....\D.+1...?....J....bf.....?.....ZvV... ....7L%x....+#.f...C..<.4..+.C..8-{.C.JgF..k?:]..(3.....B.....L}j...4+.t.&`[.m...[.L.)..;.....}..s%.z.9.3u. .+.G)D.H/..@sW...v..q....J.z.......,.....h..>...w*..R.Q.(.j....".4..W.f..s}..pjW..[...y.dx..B..gO+....7...u

C:\Users\user\Desktop\BPMLNOBVSB\VAMYDFPUND.pdf.gn9cj Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1070
Entropy (8bit):	7.809226394742369
Encrypted:	false
SSDEEP:	24:aBxbo3/Fd6/GM/8nR2wdHv8xATImQ77rRltI7IyWk1FKcCcunU:apovFkNS2wdHv8xwiOjWkyFcuU
MD5:	448282DD098643EFC3AE10E65C3029C0
SHA1:	1D450A5977989AAD7404F45E42039A8FE388AF61
SHA-256:	57362DC46D2998CB81929EA569A1908F1DD742B9F4A4F6F0897A358120B66D5C
SHA-512:	2095534E0FAC99A991EFF94285BD7278BF386D5B46D3FDC8F86B1F1FEE3D42CA49D9FA899D63AAD220E05D25AFF52EFEA18C63BA6D4A0D488E0AC287612D69B6
Malicious:	false
Preview:	...?>liP.SZ.eIJ.O...:.\.7z.l./..&U.p..}...8S......W..0..q2........%..e....f%.D..5V}....R<.a.>K..m..W.d^e....../g...T.V..j.O)5............B],.E..e{%3.....N4..7.I.t...n.o..SJ...nK..=..(..4...q...X..w7......K........,J.!+.w...O...tC...Z.lf..P[.........eZ...$....\|.C[..5.G....R.Ei..T....Z......!.....;Mx....c>qf.H....f.M.V.?h.K..V?......a.8\|.M&..P..<..bq0z...J.E..8....5.).G..C...Um..0....)...3.W"....P} ...Y..!U.._a..K..k.(....h...F.^.......Oa+.s5J..w#.yO..~FJQ.q.?.......d....X\|e...m.o.m.]\|.....G.B.r.h*o1I.{u..H.]Mxkb...h.....n.\|.R......,\|.%...7$O.....UOk.LQ-...B....+........Q.s`.._I..k.....Y.{..w..(.K.s.s....S.!...:...G....b.x.U.......i4..$^.%../9.XF...JT2n..~....Gr.,.\|=.[...A.[.n..d...iIY$.r.Xw+.:.......2J-H:._s...I.8....S)..Cb...../.Zz......I>.L#a.g.O[......$..JS..0>.yl.X.xh..`0.tyv..-`....Q...w..U....B....-)...)......@N...6y..r.............g..c.h=........g...qe_./..?...a....V..%2..S...8..bv.....!..:5......v,.iWK.T"..G.4[......5..NiM..qV.`Q.

C:\Users\user\Desktop\CURQNKVOIX.mp3.gn9cj Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1070
Entropy (8bit):	7.8110911878261255
Encrypted:	false
SSDEEP:	24:fCXWAAZqOGWMORKeAAvF18SOJYIJOMwcMN/dYFr1uo:6GfZwoK68SOJYvMhMN/dKN
MD5:	A7C7A2F1FB2A4B2F206780EE2AFFE08E
SHA1:	F1CDDC31C169A52ECD91D749B517A8D5D10A4419
SHA-256:	72DEBB5EAF3FFB6DC9D54B273E73C87B52D350F8DF6D1889B871737A0EF7825C
SHA-512:	8FDEF774F85A5EA5C432C20A9607D51C72CED3F21270038257B3F6A60AD6370C818BAFA1D1877BCA5C78956956BBEB3598E9066544EC50A5058E0BBE4441B543
Malicious:	false
Preview:	U...]........;....R@..p.h..G.L\..!.q#.t..../8.R.F.>.)I.m....s..<.T.`....!iAW!....{...f...?O..?...../Gb.2,:......8.9...}..)sZd).e.9.\|...H..,.`.....`.#..?..]..^.....H.{.)F{...^.?.0.>n."=C+.)..Y1'B.......;N/.....Qf.$N]T...........U'.3p.Y^...[.....o\|&tY.M.E..gg..3.m.r.D.....c...f.....3s..q.,$..K&k1(..#...(S...c'jn.%..G....@P.Y.....+.....=....._)\|.,.<..:.@.-..0.w..y71......#.....,.J...I.....f.}....r-.4..Z.G.1.......F....x..Eb.P.\|E......:.J..l.U..I.bS.E.."..K...o..>T.. .l,..)I..XN.s9v..`'{.nd...qT=O.O.a.e.......-J.RS....n.\|.R......,.j.y.../V....(..am......I.....;[Je..+...V;U.\.q_.d.<Q.{..4....01S>.f>.....+8...+...f)..z<....lm'3..._2.N.*>.W......,a.f^.o...v\..B]......Fb.3...M...C....\|.m..F.>....S\|.S....]#.hG,..f0.n[fl.rv.O..)....`x.>..".Z....Q.....t.;.]z.?:b....?]c#]..n.....Q..5.v..:..JL...]<..L.b+..B....)...Sv9..........a.p..0...Vh$.3.5. ..c..._y.........".....5k.#.@.W.:.Z...B.=.'Q...Y.K .^4-.....u..S....;..D.j..w..B,L.E.2....QU./.....>.C

C:\Users\user\Desktop\CURQNKVOIX.pdf.gn9cj Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1070
Entropy (8bit):	7.808543065690942
Encrypted:	false
SSDEEP:	24:2/ctu9jAPiq4bFyj0T0RtDqa5vr6MqlkcLRvZuUCLH6OnzRSwxDuA/n:gc+lbFyj0o7DxDRHcLRsUKoqn
MD5:	0D188BC7BFF054754217898E6659C208
SHA1:	8D5FF596832214DA7BE63A3AB575F9A0FB6C0B86
SHA-256:	9F2175856447269EC2DB058373153A9E2B21095054F9CB5148260DFD62ED7E02
SHA-512:	85E38313615CE751C05F14D5890854BD37DAB841A59D64232FCE95C1696F5C31417E964287229286EC72C1D23985F3E7C2B8BFACEC9AAA999DFA0F42AAAE9FC3
Malicious:	false
Preview:	\..0.M...%.uH...;_&..".....o%......_.SS..q.M.....<%.P....=.F...q.G.`.8.........?.*mS}.!...3o._...[....t.+}...%...O^..B.<....[j5...[.H..%...Y.6z.O..HS..}.C,&m....E.u.0.A.Y@..==.F".<.!.i.XT.R...x..l0z"Nq.?C...o. .E..au.U......#$..)VF.c.r...S.a..6q.....D..p.....{...P..u1.v..x.'...H"JXH....8......D..M...<..c.....IxDs..c.."<6.....dC..v..'.....Y!k....'.2/.a...D........KNFu......$......Bb.Q....(..4....v.........EO...Xo...[....E+..n./Y...)W...v5k...l.K_.G..!32.....^..a.N......\|......W......aX\|o.B....e.@(......F.;..R.G....n.\|.R......,7Y\ ..&e...:.2g./.`3n.!.lRZ.....L......d...0....[..B..A...nQ.....6.Z..<.]O...l...I...\W..x...pv....&.KIz_i..9..qlo..7.>.'..q....C..^%..a.h.[.U].v:~.N..........x.w>.&3..<F.$K~.\=w..j.=.d...j.....K.S....,..r.'.9...]..[._.8m....%...&....".o`..5!A{.W..i...'.o.{.+W]f.\...Uw..?j$?..P..V...J.v...F.....U............E.4.xM.h6.3...~S..%..1.....(s...h.).Z...Hl.......3..##.T.w.~.#....@......Z..x&......l......6cG.*..

C:\Users\user\Desktop\CURQNKVOIX.xlsx.gn9cj Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1070
Entropy (8bit):	7.818989529244191
Encrypted:	false
SSDEEP:	24:d15tntL2Fm1rPrDRz8hKwz9zkWRPgZnIsVX82DC/I9ItT:Pt1TDR4KQ9AWR4H80uT
MD5:	D45390FA458CAB011507CE94033664F4
SHA1:	56D4AC6081694F92802304C8DB30462E375DFE5C
SHA-256:	BF4DFF1E7E94A5A182E6322A67ADA740B0592FA8145F99CD0DDBB7C049B1AF6D
SHA-512:	41364EDF831A360744229060085160CE65D96245F0C36B267AB6FCEA91A032FF55EA703DA133AFE747FA6C16D385D58F30A31133491F1D1DEBBC8D95802D8F2A
Malicious:	false
Preview:	.{.....2.gA.N...h"..........a4....r........7....1....6.......s....v.Z.......;C:....._.$>...u..hY......M.....y.?......S-..+...._\|..........B.M:.....m.7........R......x}c"..E..t../.I>.....uK.BCf....I.....`o!ltx..}A\|z.IP...F..s..O?t.S.,..A.v.....HlQ..@il.?..@..^h>...EB.8G.......>......R..!...a.>.o.8.V.MEGM....@...].....e.VMW.......qc.%rQ.{b.Z..$.m.b.o..y..GV]..N.k...\|..4.2C..'..,..B.M..9O.."..'\"..z.R...A..V6......&..(Y.z5.A..%M..... e.=.1..U.!.R.....@..\{6.T.U...........h...J.\....s......a....3...5.[..H.....n'........n.\|.R......,...\|.......V.+..{-LW.v....!...P.h.t#?%..\..;hH.%.V..C+.....C..k..J.........e...PjK.........".8.-.2..;.?>%8HR.\|......QD.T.V..(..TPJ......A.'.8..U".g..wX....eP.....m. ..[c.%^.............Z..V.1.>^..q..PQ.q..y.vl.E.L.........u.3..XT.....No.N6...bS..&..._[..r.Q.\.....Q_....1r...;..T..C.hP(._D.....:..Q!.V.f.3.j..3L......./.>.....(Zy:Q.../.....I.e...K....`.u.A.....W....eY.k..5.\|...Rz.+.4+.O..u@.._....j.m.q...g...v9.

C:\Users\user\Desktop\FENIVHOIKN.png.gn9cj Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1070
Entropy (8bit):	7.832099778141575
Encrypted:	false
SSDEEP:	24:m5DPRmSzxXqM+wPwTAH7JZJhljW/Wf0vJFj2/zZ3x83bbAc3TmYvFKN:AdBnxwTAFZJTK/E0RFOZ3xiTbvAN
MD5:	F1406F4B4F85A8BCDBC6214F5584F0B4
SHA1:	14746B67F0DA9424BB887D0F46DFA1ADED89A18A
SHA-256:	ED89580CFDE2572016FB8B95770D40C4693FD58A20E05A60D923094737F23E5E
SHA-512:	6C8FF83F229E3D7A592C70D2ED284FD4E0110EF357A82D50BA2E188EAD0194EAC2B3039696D3E4C4F7C4FAAED65E2F6641F56F171EF1414EBD3FE31BF65468B5
Malicious:	false
Preview:	u-..c....R.....u.X..cJhh.}........P..._\|.J..}\|..+..~.<.`...\|l/.zd...'.....a1..c....[...`..e.V...G......e.9X.....O."....&......+....C/..a..^~P.P.#.<=..^...I#..._..M.&wx.Di......l..O]8...z.sI.,_.As_J..=..f..^.K..)>;..6...6..FTp...f/xj.0.B...m..7M.t..B..k.....>.mY....;....p.....9x!D.@.#...DKl....a...........'_.Kc,.Xv.."....-..:D.fM.C....q.x5..sO....-..&.sx..d.Z..j..yj).^l'...lG).)2J)...@j.>...6....S.p.....y. n.H@...4.}..?..t\.4..F{y2r..+.[.oG.{.&J3.......P]....R.W...4}o...7o....Pj..z..]z7>.v..an.h..\..mG..=......n.\|.R......,>d.+.gx.T......Q..b.TpB...y.:...l..9..\|w'R.,UY.........C.. .;....we..o8.%[p7t.e..%....e."L.,2J1v.G..tD.(..g1.\....@.7....G.[t..!..7.P"..3.`..R.{.>...>......k.NiC...5+ ......4..e....Al.i[.W..-.JT6.fC...gET.ja..x.m...d...2......<".CpW..........W.3Z..~....p.T..sQ.....B\|dH.........+5I.B....m7.la...2.Ej....o.....A..q......s..6...:B.q.1......Xz@7E..,0L>..uV1.&,.8.{..c\.#`...[..\~>..;0......r..#/.:./...'.,g.C..o..u.;eV'AY..7j.

C:\Users\user\Desktop\GAOBCVIQIJ.mp3.gn9cj Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1070
Entropy (8bit):	7.821256929023766
Encrypted:	false
SSDEEP:	24:G58yk3lHF9tGE5H3j8iiU5/omXWxaBQlmchBY4B7cM:g8yk3ll9t5H3RiU5JWxa+ziM
MD5:	98D449290561EF5F844FD33DCE962BFF
SHA1:	73C07829E0C132050A7B94E17DC5D62C497C39C0
SHA-256:	0B140A75DD840935C6E848858B8AC7A929185C8022B3651A90D8AF30BEE87A64
SHA-512:	961859446D26B9D87CEC6BD0066AB3395BCF4CF35ED6FF643FB0DCD73CD819343831DBC64BD8F9ECB196619B92DE5207A35642A856E17839736D5779F419CA6D
Malicious:	false
Preview:	/....2.wr9Z..?6.]x%....F.K.k..n...d...g.....ns..w..(0.j.C$.nRZ..A.#...\|..N#n..,.K).&=...S.b...7.5.....{..Mu...QVJ......d.A..y.......t..#........t.:.r...J.!.>!(....$..K..m/${.3.f..L...%..;A...W......... ...&.:5.t.Y.{e..."........O$..N'."..d...2$.(...\|J.f.ea..ezY.z`....W....G.7..i.(......;Z.}...P....E1.......N..6W_l..P.2..R_..w.......O.....-5...-......H'....X..4..`bD..W.W#._.8.._...e.Wh....{G..d.&.g......=J.y.4._...B?........d.......x.......O.<..5......W.U?.\..7.h5.h..~...(..fD..i.&.({...PHd.>.`^be$....n.\|.R......,r..a.E.z2..w../] }....:r....id..U....'.....m...G..%..n..:...o....>g4.o.l9t.G.-lG.0.y.@..@..U..i...`....)h\(i.4..u...H..6O~WU.?../...B....>F..O.).........N.i.D..8...Vk.F..S._.pHy{..2R.........1..TD....%.(v.e./.R...,.K.f@..y......O.+...A..=H_ .d.E...Wo...d.a^...g......#..C9)..5.B...V.y......$.?y&.G....Bq-..:...%qT.aD.....t...!..;.i.I.8..pR.^O;-.t.&..vEU...'...........N....R...x.e. ..uj..i.c.T.rh.i#..<....1....AX...Nb.C...

C:\Users\user\Desktop\HOW-TO-DECRYPT-gn9cj.txt Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	Little-endian UTF-16 Unicode text, with CRLF, CR line terminators
Category:	dropped
Size (bytes):	3274
Entropy (8bit):	3.3969029202767174
Encrypted:	false
SSDEEP:	48:rLrZ6kkqzuDVm6eRU5oKDIBE2qxOzOwUq7ZU/d9PfDoIwe1Nn2oEdFdb:r/L+m6NJ6JOwZgd9PrRNQ
MD5:	0C6D0A67B942D06FE27F41C7C582CDFE
SHA1:	7E674CF6375B138CABCA2706583D4CED7A1AEF27
SHA-256:	014EA5EFFC97085B7832512B9AD2A5C4487265EB67E8D7B0920EF2BC8768400C
SHA-512:	53EC4509BC58F53419A8923D808C7DFDECF57DC203C37265D061AEBAB73147720D1C419E79578065A42C3B2A63504370F90516C3F0AFAD5D6997952592D3A39C
Malicious:	false
Preview:	..[.+.]. .W.h.a.t. .h.a.p.p.e.n.e.d.?. .[.+.].........Y.o.u.r. .f.i.l.e.s. .a.r.e. .e.n.c.r.y.p.t.e.d.,. .a.n.d. .c.u.r.r.e.n.t.l.y. .u.n.a.v.a.i.l.a.b.l.e... .Y.o.u. .c.a.n. .c.h.e.c.k. .i.t.:. .a.l.l. .f.i.l.e.s. .o.n. .y.o.u. .c.o.m.p.u.t.e.r. .h.a.s. .e.x.t.e.n.s.i.o.n. .*...g.n.9.c.j.....B.y. .t.h.e. .w.a.y.,. .e.v.e.r.y.t.h.i.n.g. .i.s. .p.o.s.s.i.b.l.e. .t.o. .r.e.c.o.v.e.r. .(.r.e.s.t.o.r.e.).,. .b.u.t. .y.o.u. .n.e.e.d. .t.o. .f.o.l.l.o.w. .o.u.r. .i.n.s.t.r.u.c.t.i.o.n.s... .O.t.h.e.r.w.i.s.e.,. .y.o.u. .c.a.n.t. .g.e.t. .b.a.c.k. .y.o.u.r. .d.a.t.a. .(.N.E.V.E.R.)...........[.+.]. .W.h.a.t. .g.u.a.r.a.n.t.e.e.s.?. .[.+.].........I.t.s. .j.u.s.t. .a. .b.u.s.i.n.e.s.s... .W.e. .a.b.s.o.l.u.t.e.l.y. .d.o. .n.o.t. .c.a.r.e. .a.b.o.u.t. .y.o.u. .a.n.d. .y.o.u.r. .d.e.a.l.s.,. .e.x.c.e.p.t. .g.e.t.t.i.n.g. .b.e.n.e.f.i.t.s... .I.f. .w.e. .d.o. .n.o.t. .d.o. .o.u.r. .w.o.r.k. .a.n.d. .l.i.a.b.i.l.i.t.i.e.s. .-. .n.o.b.o.d.y. .w.i.l.l. .c.o.o.p.e.r.a.t.e. .w.i.t.h. .u.s... .I.t.s. .

C:\Users\user\Desktop\MXPXCVPDVN.jpg.gn9cj Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1070
Entropy (8bit):	7.835340989453288
Encrypted:	false
SSDEEP:	24:nfPkjFjjsA5ot/tnXvRF7S848RjyOGDa8QQGK7Ktj:fPkjFvotpfRn4zQuK
MD5:	351D5A8BEB1356511189DA5707FBB2F6
SHA1:	0816D1B91144F5DC3DD0CC72A66CAC05E1682E5D
SHA-256:	3C4671BB342D4D57F755B4F1BD1195719E024114A6C7A1A55FA6D4C8E71FFDB5
SHA-512:	6882FD5C405A32B7D7ECA94D56EDC0D03DE8239198E27F7AD68608A483DDD9E15D45B49D0FCDE5822D7155732A771BC3C99D9E8B948CAE23595586A8AC5F0991
Malicious:	false
Preview:	.X}..r.T....u...Wp...".a..d4T.&Q`...r.k..4..>..$..../.%...W.V4B@..hZv.N.p}u&.!.R.e.;n..:....?.../....s.c..H.<Q.x..x.7Jf........"Y1.9I9"..~..(3.21...Q.n.i...... ..L..;C..f}.7.aTqE.:.,.3.L..r...@bd.....jMf"l45..}7..K..}...e].8..Feq.....6...8I9.j...b'.pS..lR.3..!....{..U..%f..2..Q..B.Q..N}........L.@k,...U.........\|..+...)..7Z^.L(..p..o.s.r.....\....!.5.6\....Zp....=x..y...B..^.v"W.Ml.I.w.q.>........jZM..C....4Xdp.cYr.CC..........._..q\|..u..7i...8X..q*/i.Kl.DLi.vj..u.mVh(.8......{[B_..s.h..V. G........)..y....S.G.v....n.\|.R......,0..G.u../........H:@..c.#....Z.........q.....~f.KHu....Q_..d.....&.k.c..}..{.1....5......o....>........m..qD.,`/v,......5.hi..q...D...Q...o.a....j...1...jV..k..../......?o....ZQw_..$A.86._&.@.t..N...V......r{.,N...!.u._{.C7..!.f....x.@.L^.R:....[U....I.7.F....N~.Q...^.....W.PJ..t..c....~.u....z....p.b.A..k..'........+Z.....bei`"/$y..`..W..y.G...'.#./......d.S4y...~U.t..'.{...{.\T..y.}z.b ....s.A].Mr@...X=..H...

C:\Users\user\Desktop\MXPXCVPDVN.mp3.gn9cj Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1070
Entropy (8bit):	7.835291122257427
Encrypted:	false
SSDEEP:	24:ZAk67pdYnaDYfZ3339LaCgz2n6m36HqFFbIUk9bfShyKkRqN:ZAJpd0aDE33RanNm36CFbIn9bfLBS
MD5:	6EB38F55D40997B8930D21D65F2610AF
SHA1:	EA87D19906575201E1E366C2FACB870902E41368
SHA-256:	50A40F9673A35C2349552AE57E15984BA19987E3159EFE0DD999573CE1807959
SHA-512:	2979446DE802978505700A5DF2235AB0A01A5BBFB2AD91290295CA2F14D919A8EE294A8E09ADECD1783A2D1F985678D28C4CEF2A0BB058872D986E59AAAE4F7B
Malicious:	false
Preview:	.....u....pN.G...k.......r.BC..".....Ybx.z....gQ....?.JM.6....~..<......1.Qt.Nj].m.J.=$.Rm..C....yh..TL...PU\....$....\|~3..]l1M.#.8k...2......C7. .....f...K...8....?..nn..N....1.>.U..H.E>FD...?.c...9....&.G&._NPB...h..).....]e.0I....V... .9}... ..0J(L&...y+._...\|.8.".FB.h5Z.ws.i.Y.....#..TJ>?.6%.O9..a"F..;......<D.h]K......@....C@.].?.\|.....0(.r..7j.:OR.>..B-.yn.v..N.QxFH...6#..a...D.f.G.>.......n.Y..Y#L.?\|<'..J.zN!.eV.^.~....e1.?0Z...M......pM.q.u.S.........l...?$.H...c.T;..._....R >}..kE.%......n.\|.R......,..LA".sV.B...,.c......R....j...U.L.X......z>!... ..2...\|.5.7...,(:[6qR`IS......G&!...e...C/..$d<.3K...:.Za..p..\.;f.: .f./Y.!>M.f.U$b\|M.....+..o...+ReN..y.D3...f.."L.+)Q.#....v..u.K...v..{.%A.2;.&a....j}).g..yf.E..M...vk..6=..N.okH.g.o..^.9.T..{....q).Vd.yi..>...5..u..2#..d .;./yj..z`.d....zh...bD....r....-KkV...x..L.q^.2...gs.8e........f:g..H...0.zS.....\.sI.,j.2=. '2....t.h.......:...H.......-.;.].E+!t.B.S......'.......

C:\Users\user\Desktop\NEBFQQYWPS.png.gn9cj Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1070
Entropy (8bit):	7.833743990218276
Encrypted:	false
SSDEEP:	24:xHHVfp0wPuKXRFRugJWphjbRlvGcqWelODALUM6FF7vtp+YC/0xCd6bUNzLcw8D3:pHNLP3X1qjRlnjels46FJt3RG6b6z4wg
MD5:	9ABD4C012A681FC502010EE39478A225
SHA1:	C86106A087E9190301A912DA0B44FC740B734FFA
SHA-256:	F8756FD40E16BE6D9A15AA6276EE2B9C43F471A9F13A84C0443AC83FFE5B34CD
SHA-512:	834E2EF530E99862B5DE37DC75058474EAD7BD867FFFFDC59E12ED2385824C889D44A8479DAA76BF98A1515307364B3836D00C43F9DDD2105E24229411D71E51
Malicious:	false
Preview:	...1......z....#..\.J..n.pq.DTmn....L...A.......,&Y..q...fcD.A..p..8.,....4..O..b..H.3.x....Z.h.wf.......H`O...a.i<h.!H.b;M(Y.~8P.....;..A....[K5:,....:.W.[s.{\|...=.B.b....W.V&.d(.?....4....=..>;...`.1.&.....#....?.J....w..4..6+.w....].....?.\I...Eo..=..(.d..q\<4......"...........3..N...G.~.F.&.L.J&...L.. .cc`.....{J'f..^$.tI..\|17.....{..9..].....H..e<.^...a..w......uZ.b....u..ij.P..........2...x8.......Gs.#~lx....P. .....s..P.N.K.z...Z...vO'..U.s..77[....>.....wg".FX.v.4E..=S..N......F..k..Z-..D........n.\|.R......,N..n..l...\.#l..'.....d."76.._...?cI]n.R.j..;s.....7.(..8Z.M..c{.c...t8.s.dj..8a..)...:&.^...^...E...%...j..`0.]..i6.a..#&7XC..M...r...G..\........?...>.......#......-Wfi..b..._Z ..v/ .^.!.=!R....Q...-.;`?.-....E3.._.j......!.wU>..$J.J'....ChtP>\\./.1.%wP.3oHD.Y.i.u.%...N.e..J..O6!....._....."X.E......T.aw.........-1...j4.1.....>.....}.zX..}.-...v3..V...O.X..b..(.m.).T%jeg...,.o..(..._N......+>.o.[6.........Q.

C:\Users\user\Desktop\NIKHQAIQAU.docx.gn9cj Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1070
Entropy (8bit):	7.837671847508744
Encrypted:	false
SSDEEP:	24:kQ3D4MDNMDL8YAWBO5OmlylvwycqzNEE70RzYk/GfY0ACAQZFZyTD:JEMZMD4YYJw4dQzw/FRCAYiD
MD5:	B3C435D3BB30A1650E83DED1FF550869
SHA1:	58FF8B5A5E19EC3F2B75F459A66057B849F49245
SHA-256:	06386A7B14B5D981A4A1A5D8B25347B0DBA23DAC3B27B6382270F8DEA231FEFE
SHA-512:	A976792484F57290E3A118D9C286DBA19EFFED5964871D1C044BDDAF613DACDC39EFDC6CBC66B1A9693AAFE7EB1F3E2D7E92F65A70FD244A91ED4B3108DE28B2
Malicious:	false
Preview:	...E..".$....l.D..t..C........T.~.#.<..p...h....kO.."X0M....K3l.A.s_".Y..I.F....;.EN.........K..$.8S...p.1\#...]J.....A.....;+]+.(g)....8X..-"..}).1...B..:..s.G...-....d...\.X.B.=.l....g.\|.mv.. ..+.\|..\|'.."....px....o..l.......s....P....I..:.F..h..j;O....J$...N.,.q......4B.C).......x@..i.t.72>.>.H..g>c]uI..!.&Q._......G.v.....@x.sf..ym.n.......6M(rQ..r]....,oL.\|...M..).).1..V.md...`.h..- ..\|f]8...<.t......R.F...{.@..<.T.g...m.l.sM.=SKr)..`...lgzV6.+Ut...\Z.J.:\|...L.....q......~.M=f$B.M.T..ZS].......5.\|4-....n.\|.R......,.....b..."........zB_.w.T....../.S4.`.{.h.:.`7.X..5s".d}....n.L.<..F.J.>?*.==....hZ...v.....k.L..~...,..`9....qtP..q..a.'.^..L<.C..N..LJU^3......7..c.......5M.Y2.D,j:r=..;2..F.....V..._...h.....T.....D...9....W.%........t..#$(..8.x...[Q.KpY...I....+.f.._.........^0i.S...O.EW...D.v.."do.......[S\|.#W...U..&.........a...$..A.B..A.p.96...WF.....;.un.....J.Uv.......![.....)}.%X.2G.]..8......2]..V.[.).U9.y.M...7<..&ZRt.t....S..

C:\Users\user\Desktop\NIKHQAIQAU.xlsx.gn9cj Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1070
Entropy (8bit):	7.83044398977881
Encrypted:	false
SSDEEP:	24:7Qqib9Wg/kav9NYrlrrpX2D2wIdZ249pb80GaySa5rOMkAcWvgdwDyddjhb:di5CqrYrttXS2Zv80g5yh2D8B
MD5:	829D42E1BC93A9D21D051632B8A6B2DB
SHA1:	1E835181C3FBD9BDB2054336FB4395725F053FEF
SHA-256:	AF2600B1D06AE68F518E911E74C10294838291911E76C3EB426A18539CD0C3C3
SHA-512:	6D7C76BC1AB7E9059A5C54C861E760D0C13ADA22F18120C968F99049F16B10A51983C86043ECE5CE34F803A472DAF8FF85082A720463FCD542A8CC99F4FF607D
Malicious:	false
Preview:	.....`P=....a~...o....f.!.J>.'i...aC.1...h............ ..."DMsd.^..W.......Y....f?n..&t].P...A.K>.y..7..G.iS...h.f\|....Q.:....0..[.oBt...,8...aY.{.h/T..J.=&..i..3....<.h.9....z.....[..vcA......1E..s.S.d.......X$\...$......'}j%<..Nx.M..{E..1C..r}Q..MBK........O.v.Ty.h..;QO.%..Wi%Z.R.Hq..uo...c.A.....{...z.Ew..*..\|.T..+_....Uj.N..t..yU.#..?....w...>...jtZs.}5./m7].@4.na0.9...^..I.~.^.Gm..P..%o..B.....#...ya...s...#...y..........o..%.X...MiZ.D...]-....\Yq.Zhv..U..x..i..{...."].nJ....b4N..T..a..k...'x..Y.....n.\|.R......,H...On.V...a.."..i..%....&8....i.k.SF.<.....Dn.5SB.B...2.b[...O...B....._.....&#.+.........:g.!YX......-]...;>.9Bvw.....9P.w...-.@..\..Z...9.o....U.r....j.%.V....!....c.I%....#.Sw..%F..>g>.Td4wg.........lK..a.z.{..e'Cx...v$.!.P...sLi..e....+...hBl.......D...&. p..=.._.h.y?k...y.^.n.&W.i...0...[..<.6....}......6..q:..E..ea.!g.......U.p.......:..Z".7\|...l....;..z.q?.D.s.Lb.........,.i..u....T.]....v.w..Q.D\|Y.5

C:\Users\user\Desktop\NIKHQAIQAU\CURQNKVOIX.pdf.gn9cj Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1070
Entropy (8bit):	7.825328490686426
Encrypted:	false
SSDEEP:	24:RcEft4GV+tyh/7koX1tGu5d7iAgRhTF3dJhzcJ1kUktMvvaE:HtjV+6/QC1p5d7JKF3TO1YM6E
MD5:	181FDD9CCDECDB554D684928E36443FD
SHA1:	AA5C1EE34457A274DBA7899C8BE9944FADD30E0A
SHA-256:	290CB71D1CC371B5A43F2779B5EE3A10B2444E3926B5EE013F206D24297A01F4
SHA-512:	5E298FE9C2ABF115DA60D2249CF81E524330AEE22F26875D2AF783006E57A7686B362427CAB54B5D90DFA2EB68E70EB7DA28D8249C00FC052688142ED57810CF
Malicious:	false
Preview:	~7..........Z.c....z.....X.`j......t..u..S..\2GJ.`.r]...`......8..x...D..%...:<!3[.Ad....(......T.z....d..d.Ji.yU&.y.4...Cp......+.uw......@..0.%l.;L...F...UW....d.)................ ...Af..3.. {.I,&.$...c63M...%...r..3kA.k@.....T..'..-.P.h.x.)...,V'..]b[!f..T..=..e..w..iK.\|.T...Wr..yN......l'...T.{..h..73."..r..Dj`..^...y..=..tz.}3..y....{0...A...S...S..G/...>h.4....6......d.....y%;.7......=.0.~.....\...oi.l.t.p.X.#...pu.b.PK..c.H1..['-.F.8....@....% ....N.....1q.\|.E.CW...Ht....N......'.L.....Q..g.{l.....n.\|.R......,.x....AT..r^.:k._A.....{Z.$....Ai...'1..v.....O....c"..-..\|~........D..D.-]...d..r.^~E90,.......A...56.s.Tj....-.)2..:^.Ng.\|_E..[.pp+....w......m.d)._5C.$8.\5..!2.8.wa.p....:5...k.......k.K..d.....c..1..yZ....?8.....>.(.QR...&..{FE......TC....m.L.OC....=...7>_...7F.)W..\|.....FC]p[..#.5..B.3..e.j..'yk..C.r..'.G..[.a%..O1.............B.&..:d.]".,Z..w.!..}.M.....t....+M,.."....9g.=?..~.2L...t.....y.C........IY...1u.'...

C:\Users\user\Desktop\NIKHQAIQAU\HOW-TO-DECRYPT-gn9cj.txt Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	Little-endian UTF-16 Unicode text, with CRLF, CR line terminators
Category:	dropped
Size (bytes):	3274
Entropy (8bit):	3.3969029202767174
Encrypted:	false
SSDEEP:	48:rLrZ6kkqzuDVm6eRU5oKDIBE2qxOzOwUq7ZU/d9PfDoIwe1Nn2oEdFdb:r/L+m6NJ6JOwZgd9PrRNQ
MD5:	0C6D0A67B942D06FE27F41C7C582CDFE
SHA1:	7E674CF6375B138CABCA2706583D4CED7A1AEF27
SHA-256:	014EA5EFFC97085B7832512B9AD2A5C4487265EB67E8D7B0920EF2BC8768400C
SHA-512:	53EC4509BC58F53419A8923D808C7DFDECF57DC203C37265D061AEBAB73147720D1C419E79578065A42C3B2A63504370F90516C3F0AFAD5D6997952592D3A39C
Malicious:	false
Preview:	..[.+.]. .W.h.a.t. .h.a.p.p.e.n.e.d.?. .[.+.].........Y.o.u.r. .f.i.l.e.s. .a.r.e. .e.n.c.r.y.p.t.e.d.,. .a.n.d. .c.u.r.r.e.n.t.l.y. .u.n.a.v.a.i.l.a.b.l.e... .Y.o.u. .c.a.n. .c.h.e.c.k. .i.t.:. .a.l.l. .f.i.l.e.s. .o.n. .y.o.u. .c.o.m.p.u.t.e.r. .h.a.s. .e.x.t.e.n.s.i.o.n. .*...g.n.9.c.j.....B.y. .t.h.e. .w.a.y.,. .e.v.e.r.y.t.h.i.n.g. .i.s. .p.o.s.s.i.b.l.e. .t.o. .r.e.c.o.v.e.r. .(.r.e.s.t.o.r.e.).,. .b.u.t. .y.o.u. .n.e.e.d. .t.o. .f.o.l.l.o.w. .o.u.r. .i.n.s.t.r.u.c.t.i.o.n.s... .O.t.h.e.r.w.i.s.e.,. .y.o.u. .c.a.n.t. .g.e.t. .b.a.c.k. .y.o.u.r. .d.a.t.a. .(.N.E.V.E.R.)...........[.+.]. .W.h.a.t. .g.u.a.r.a.n.t.e.e.s.?. .[.+.].........I.t.s. .j.u.s.t. .a. .b.u.s.i.n.e.s.s... .W.e. .a.b.s.o.l.u.t.e.l.y. .d.o. .n.o.t. .c.a.r.e. .a.b.o.u.t. .y.o.u. .a.n.d. .y.o.u.r. .d.e.a.l.s.,. .e.x.c.e.p.t. .g.e.t.t.i.n.g. .b.e.n.e.f.i.t.s... .I.f. .w.e. .d.o. .n.o.t. .d.o. .o.u.r. .w.o.r.k. .a.n.d. .l.i.a.b.i.l.i.t.i.e.s. .-. .n.o.b.o.d.y. .w.i.l.l. .c.o.o.p.e.r.a.t.e. .w.i.t.h. .u.s... .I.t.s. .

C:\Users\user\Desktop\NIKHQAIQAU\MXPXCVPDVN.mp3.gn9cj Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1070
Entropy (8bit):	7.82440322419365
Encrypted:	false
SSDEEP:	24:ZsdPKzeg/Z084rPBNwRduGo5eYkwHQEhh5BXBCOy526HhaxhvqFKkd8q7k:ZsdPKz//Z0zrPBNeuGkeYZzIOy5aFqVk
MD5:	BB1AA6443C71D9AF172C32F15406CEA2
SHA1:	C09F09174F7AC65A33B84CB69E85F848CA081817
SHA-256:	685C1AA48C84AE299581B8508CFE82746DAD9A9DDD951B97BDF71D60652F4B85
SHA-512:	6F2C2EB76AF1F8DCBF70E4645E326C877991028590CD2CDA1E13AFF2F0FE0157BB67E65B3BF7D4C8AA8233C3129665AA58CC466C8E482582EF542676724A3AF8
Malicious:	false
Preview:	...cs.S...bR_...0..;.w....O~...L+O....FS.v.....Wz.Ay..U>x...s.&.0.r.."2.y...`H...SRa.<.....6.I?....L.w&....m=._....&.Q......'+.%.Y...S.as...0.L.!yo7A.h.f!..........D&K....xf).,F...0u%.i.vR......}.1g..-.X8s...q.[...5M.h\3..?.......33..Z..V.S.+P..d.1.^./..:f'.%.\|\|..L....xh.h...l.-.z.]V.y..y_+B.`.;?.N....!.~...r\|/5dn....X..;A.+o...g-7l....B...=,J/.. ...>.y....`.M.S+..l.F..2.U<.<}..cD\|...G......n.7.&..fc.+..-$.......3...l....6....7.G.i.l.M.1...P..3.4.h....p.....G....OB..-..we.I..h.?...LK.0.7.C..)~e;..bG..0ke..........n.\|.R......,2.....eL.O..Qt%..}.}.d...(..w...C..A....=...B.xA....~.!....R...+....)P.l{.^^.h\|5._F%....^i...R....0Gv.?..}...9}....S_5...s/.3Ki.F.!.pW. ..-.O.2.z....#....`..UI.[....]{.-'..u@f.W$\........R3;8._g.:......S...0..:..\...3.F.v=.......rk..#.n~^K...1.K%..t..0....Tf.z....w{.4..Cl..Y.`...v3b......xQ.!T..!....t]@.#....d.._..6..^.....+..hZl.1s?.'.v...X.R.>..lj.....:..,.......PY.H....{.E.nB.=.V.&2<....n....].. .1M......\...+...

C:\Users\user\Desktop\NIKHQAIQAU\NIKHQAIQAU.docx.gn9cj Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1070
Entropy (8bit):	7.802098330574841
Encrypted:	false
SSDEEP:	24:ZH3Sr0rVlv+zrzdjS4qxThH/AGaW9LWAgtPHxM1gY:swrVJ+zXdW4qPfA+PgpHxEgY
MD5:	F5B96664AE2D6F361445349B48B3A1A2
SHA1:	192A83C2F45F8D37A3508D705F15A2467A70D5D6
SHA-256:	A05F4995381D6A4579C2559BECA3CC43E349F9914C3A1DE3896BB7D17A77EF80
SHA-512:	006BA801F3AE4B8840799E13984C9F6F038328C98AE65DFA55BF50190DB6675182B7B90C4928B759D0BD00AF589856A3DA1EB54E90E3789CA361C2B511783FA8
Malicious:	false
Preview:	.>......JN.........-..9}....`.)...].v..=U.T..~.(c`5"<9.ze1.:.6SOf.......T...^....h.P..A.......u.x(.'.....W....g.8.:u.........C.1^G.....U.......:..7.. ..uV.pU.....z.x...l~.}3...3.B..3+....q.3..f......^}...i.d."...H...sB..TN.....\4d....&\|..{ ..h..c.......RK..........e......G...A..HSC.....P....k..7......a.....u.5.Kj.....b...O..>:.w/...!...).<.q+t.u.kW.v.e.c.j.%uB.}.......[rX.......m......%muw.....`..6.W>..".).9o...CH......q.J.g.t=.G.^F.$.-.....B ....>\|...XA.,...9..>V...........A........\|U[....4Q3....G..m.t......n.\|.R......,..0t..F ...i...m..T..1....2.#)#.}.(....W..........\|...]N...l ......Z..smg..1.6...%..8j..k.*.5O....\..H].$........f...u..`o,.&...pgM..._U7..R...X..ws.eW..A..Q..@.';{._...w".v....G\.Q.. ...h....\|....^~...P..58w......7}mX7....C..~._k..4...b.y..K..`U5f./..o../....]..Z..#`]H....&...s..7..b.I.. .`K..8<0....O.8..,FU\7..8=G.h...d.............%@...,.`..IY.f......T.....)h..$l....A...FQ..1#.)S..O;..!G...k.........OH...A...%.<

C:\Users\user\Desktop\NIKHQAIQAU\RAYHIWGKDI.xlsx.gn9cj Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1070
Entropy (8bit):	7.802951464914178
Encrypted:	false
SSDEEP:	24:iGm4YfMQ616oVkpwDT0qLjwtZmZnEZQojY1Z53d87OqLCu:iGmVF+vvjwtQJQjY1/dnqLCu
MD5:	F2C35DC31580E54D39CC0069830AEF38
SHA1:	609555DE85FE3F9C974D6B3484044B7B3BA2BEF4
SHA-256:	C57C18AB63545044F8CCFB92B5232A5A8F5D750117AB133F55D784D5DED9ABC5
SHA-512:	1CB70CFFE457C88FEA885605FEF1F0D96C1CB480947C5FD2C99F3926A623604FFB1CA1E588DABE870543118F9E0234CA5865F5BF678C26520C6A4E3BC9AC7C51
Malicious:	false
Preview:	.G......n.W.1......m`......g.j$..>c?+..+G.`.PA.....^..l.Wc.L-X.<h..o.C.3^I....+......N..AlL.!..........x.....8.>..C....5....?.VX..N..f.xp./..)..._dfO...3F..J<.c..q.4.C..h.Z...'....FT.....u.^.y.......D............xb.g1._.B...h..=.........d....4........!.F..Nbbl"O8.?=..j!....-...O\Q.=m...%..m.Ch5...h..Z..}.=..e..l.....L0.E\.....r...)...Ez.o.yh.d.r..brx.....0p./.Yp.7.....(....c#...(\.f...T.L.nv..3\|W...}..I..r...g..%.6.....Z.......9.,....,Y%......\..u....$.?: .~........"../.,...5......1.FPB...`%/.....V...{.E....n.\|.R......,.W......}a....V7..g.aSF..4>V@...<...w....+.....8`..H.......m..K.#.D..),.s.)....r.{....>..d..] .JQ;;Pv.o..@.....4. ..<.h..,...S7X..O..K....#...[.'...h13_...(...r.!......P.3.Y.......N.....>..618K..........HX+.....{.....(.pI.#...f.....4t.?......#.u....^...+....I(f...^..)......j...;r.f..r.......f....\|...H..G}....).H......6..0.U... ....9.[I1.U..lm.\c..`.....,k..\....?G.......?..:..(4.B.E.z....;].i..['`.T..T.g..6..Z....`.;..

C:\Users\user\Desktop\NIKHQAIQAU\SQRKHNBNYN.png.gn9cj Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1070
Entropy (8bit):	7.817270182071277
Encrypted:	false
SSDEEP:	24:jDvIHCv4GIGFFvvDfXCdF0AVWqZUNuBJvXmn:/vIigzKhfcTEqZdBV2n
MD5:	5C807F96356B5306C0CD9A47FDD058DD
SHA1:	BB06F37DCA16C43A35D5BBE7CE79161E2A36B226
SHA-256:	4127D04BBF961B16F3BA67E8E6C5A138C87A9EF43416315DF0DF339322D9C522
SHA-512:	8679134036777E99FFD543F709DA31704245916A644A3D36DB00628BCFBD0921D8888AA6BC44EA78D42E2F0170726D7CA7656AAB1C8354CDD8502F3C7E6555BB
Malicious:	false
Preview:	...8....^.z..e..i....\|&......<./N..&....E.....`.CH..3i..$M.u.#.0....6......w<H...M..L`g.=.\|/..OxJ.Q........... ._._F..E.z....,..o.)w4/.9...^.#.2..-.......e.\|.$>.AbA.._<....}..t.........yT..@.eR..,.0.e.h.D.u.=P.n...z$f....\|....4....9V=...~.F#...P.[..v...v..A..S.J#%....^......O.}b.E....5...mL....<..l...s@.?..../..<....lxj...g..1V..!........iW.....x..N6.z4..w..@5.L.;iu.e(.jV.io..W~.f.x....q.._.I........A_...H.......Re....#.M... ."..D..i..u0...t.nH...<.-....1..YY.".)...`2.xQ0b.J..y....GQd..R....`.g.>..b^.....n.\|.R......,...a4.....0..{.....Ke...NA0\|.Q....C.......0.7.....X..b................16J..z.....).c~.n.O;...x[..U....H...._).......lu......l<C2.\|.m.%1....l.D.~B..\....L..x..2.Xx...3Q.uK4..<...).w3..<.....).G.kgw.Q.....T..l6.R..a...^u>.b<o+...........z.U"...].F=.....C...D8.0...Pqk......OT.44.M..W.Mf/.Yq-...S...i.....('...e...3<..=.vT.,J....]F?_...=...AF...kb.[GbP.E`.$...!..AP..I. ..Q{.Z..z!..l.c..#q....%..9.,....V....t..G....a.?..M..

C:\Users\user\Desktop\NIKHQAIQAU\ZTGJILHXQB.jpg.gn9cj Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1070
Entropy (8bit):	7.840499903691166
Encrypted:	false
SSDEEP:	24:C84xag5R2aiC09fHhBf+kFPYJuvrmgRCeVNNNjX26sCX5en:C84xlRHKfvhBmUCeVNXQCXkn
MD5:	72CC17CD0E8B622D20CB3AB72D7E691C
SHA1:	014F112CB451492EA60504E731C1A74BC0A87FBA
SHA-256:	D18BBF509123B08F50571EA10D744BCA6D195E4AC9DF89D9655C79983DE2B645
SHA-512:	1EC2BF43893588CD6E4FFF050F48B81C688A148F471F123D69B67D71475DFA50EB38E79F259CF12D64EC682EF86E28489C898757952B02FDA6A6DFB0978EDE90
Malicious:	false
Preview:	..&.N..^..T.S..To5t....x'.z.P....f//..q.nv._(B...)..~...dL.Lz<.D...Z..%..be.5...m....~....SO.8.3......k\|R.0.N[7....~w.]..>&.?...Ig?i..d.....q..Sw...+5.....^^.....@..?F(.V...u0.b.CD.0.!gF.Ti2..oA..w...i....ag.M]...1.?.2%.zw..=..;X.u.....6..f..'....p.....+...l-g}ko.P..8...+.!v.TE0..Z.....2..AmA?..nj5..k.......X..Y..#}%.SVh#....W....`B....1r....$0><M..P.0.Y.5.H#.1H...2..+.m..-...r.!..^n$T8.Z.g.V...t.Is.-..?.7a.....@f-n....Z.S..TG.K~L.~%.V.....[3..o+w'..V&.sU..t.5.5....x..+.B.....O.M.]H5..6C...a.Z.. .\=...z.#.R .c.....n.\|.R......,.......d.f.....A...U.H......V.)....6u..Yg.....\|.N'I.-.q..%z[..d..@k........F...t..15....[..!..[..0.c..!..Ub..w.v.Z.rK...R...m .ev.m.?..v...l.cT.. /-.......N..]..[..E......NP.....X9.J.n._9......Mz. B4K..j.E....k..2..qX..`.X.......:........s..X.`A./......WnxN-.o.........K+C..W7...V}x~.....0.:...K..C.......spp.qZ.........{.s)E.cy7_o....}.$4/.!j..w.@J...,....\..].J...>..E......n....#...K_..i0....qM&c.i...3.....)..q..d0N..5

C:\Users\user\Desktop\RAYHIWGKDI.jpg.gn9cj Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1070
Entropy (8bit):	7.831665005799423
Encrypted:	false
SSDEEP:	24:e0Nf0R3FrdgFQLe7IljNVrcXZsUorjVReaEtcru6Qg:Qri0e74joDorjVk/LE
MD5:	047688980336011090FB1022F147B37E
SHA1:	6AAC98879EDB5465D1671C8367947805166794AC
SHA-256:	AB19E1EE97EEA1F1ADEB90F89E1F6A4F50096861060E0185B1E93B42868DE162
SHA-512:	2AB2EDC63915B9585027D2FE2F7650D5D4C8F1C37F15C94132E784EF116163460613BB59CFC206327990820CCC92EB483903E7EC4130F88F232721515DDF5DF9
Malicious:	false
Preview:	...{......J].........../.@..4.71.....F..\|k...j......;P.......h.......n....w....X6........Y...........#v.r$2i.D;..Un.F....\|"Cvk.....v.....(.\|.h.q.=...Wj.T.0..qw=e...0..1ay.+^..z.w..xD.Y...;..".Rdz1..t..Jp...k..{..A.......%.>-...u-...)..zf...8..d..z+...1s.LQ.0NcM7.C.B..T.'.v.X...(.n.^..+.\|.+T%,..#.k.3.w#.).eU.$.f....C.v;.[.crr.>z...@.O..O.&........&..F..{....OMS..t..n...e......).....b..YI.P...../...m...0l...1..A.._.....=... ..$.....&U<vp:.8......O.s...>.!Z:....m..!.U...(.`.<]@O....K...`4.. .W..4[... .7.C...(}......n.\|.R......,Ve&........5cw/../...Z.v...)"P.jF(Im.B#...\|.k.G2Z.#....>u(}\B.Y._^.X>..F..rmk...1.-..<..\.jw5..).1..z.u.....}.P...............A......u.x....!....I..qV2...~....r...".T...=.b.I.vF[p.-."G...Hd+...&.u...+..{n9j..I.3.ag....T.B..k...\|....M..f..qF..$...".5..{..}....wa.:......F....o@(.. Hxk..W..?...v..I.I9B..;fS..].2.1.........:..N.n.s.%. bl..3..G.q".;..&...z.........T....u...k.].RH.,D.K5.W.[.....`....1.(..1~....b.....:aA!.Y.!

C:\Users\user\Desktop\RAYHIWGKDI.xlsx.gn9cj Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1070
Entropy (8bit):	7.8113847039039
Encrypted:	false
SSDEEP:	24:6jvz5Y4PdC9U0frKMLgRPV1mo1Tak9Z70MF5pzCeNHoJPbtzV:6hvoFJgz1miTa8Z70MDZFMb
MD5:	97B44544727B414E7E9D21F83FE50B9B
SHA1:	30706F5B4A9C5209B1A86A278B0BC1650F45D9B1
SHA-256:	31EF54EF33BB92648916411B2F84B06D82C770F51BA66491EFE3951A5B9A546E
SHA-512:	35244DB863B6DD69D3CFCDF17E64EF8C7FD4823B80304CDAD53F561976D7A6371047BD16A3285A4C2B4628B35987D91608B04F0A54557E3F85F498385BF6DC43
Malicious:	false
Preview:	.....F..\vS H.iR..\|Ju.B?.2.%`8..+M.2...1...T...E4...~.dL.....T...?..-..hT..\.X....p@. ....X...Ce.... ....,.W/.z..V......H8.....E...d.....Q....qp...U.}....._D..;`./.L6uY.#.=Q..A...+P.....(.8.V..m<.U.3....... 02.. ..?_......b.Q.$..L.....H....9....W.B....e...Mr.y..T..f.....3...lth.'&.8._"v....>.....t...h....0.D..@...&.!!b%Y...&BD.1..:.N.5...W&{..OY}_./..&#`J ..b.~......(....U.vb.....~...0.j.5....(..>4\|.I.Q6U.-.[V.$..F\..v.~1I..G.y.h.`#f.s....HKj....i[.S.n....u.......3.-.9.[...U8g.......".U....v.lDm..VWNM.6.o....n.\|.R......,F..P.x.e~G...2.r.Y./....Bzsg.2Q.L(.^( W.Gx.v.sI.;1.....'y....LR.....0..Y.r._G...6z)xT......}]"..+qs..."..fU.1.M..U&_<..e^._.k..]U.....-RZ.......%........ ....L..c.Mef..[.K...#.q/r..K..`@!........B}5.e.V.......U....<...AN0(.~.O.............W#\.5.... ..[.,.~.+.8^....a.1O...{..........+O.u....y.s."...Aq..}.!SG......5..).FP..4....d7.r"=P...o......+..\|.0..p.]._4.u u..#......R.....(... .. u...&Y...../6.\|5...F.\.q....8..l

C:\Users\user\Desktop\SQRKHNBNYN.png.gn9cj Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1070
Entropy (8bit):	7.8362539736302
Encrypted:	false
SSDEEP:	24:DtwiQoK3TpOYjcd/zc6fXoKaDGmpjucKkKgEvr9u0cVB1Xay1J0NapaeAHyGA:DG13TAh9lYK+TXKvr9u0cVBEy1oapVuK
MD5:	BE1CAF4D7C2320208A41768573D0ADB3
SHA1:	F4EE780701C0F1DB7431A60B85FC2B590DC82F25
SHA-256:	E4DA23758B4D7BF7DE2D5F2D67D2953FAD99A4B9DD9D4B88F7CB1A3DA121F498
SHA-512:	A018588F84652E1990DC7BE96B800B4021918978135FCB3A34E2212049A738301BCB0C8E74F7615AC5724317ADAA4038F9B7029EBBC30868AD649CDF6C9840B0
Malicious:	false
Preview:	.6.....i...G$...P.M....i.f.dy_(....b......M>H.....H.:Kr...V3.%.T5..F.C.LB.Ej.6.9...b.PSGH..;.K.....=..m.&...../.@...W...fL.......]...hy..}\.:DL.7..k/.@.m...xGHv..0.p......Y..(.K."k;~.........AB.. ....i.a....da...bM....]V..1=......jiC.$..l.ZB..g9.tB.T..5..\..[kJ..J...@...m).L......&..v.y.CW.s...K......,.W!..p{.\L..BR......N.I]y".Pcd..3.,.9?y..........)..A.....p.r...2.X...~w.A./....5....e...l.M.....SS[.l.__.S.u9.s.Q.._4.n&.&.5.td.1..='.-:M2;...8H...[n.OL...~..7..=.j.4....X..`]....+...g..h...]J.Z..-.`.........+z#......n.\|.R......,>.u.&.\|.. .....Q....n.ct/.9Z...Qj.d^.4I.by...<..).s#.....^..(...a!P..{.ho.v.I6;..Tv..W2.q{.Q...).Rt.........Kb.i...Tq..t/DK.."..=tt.....>8#.... ".%x2[QWu.......e...<...~...E..^...3............k;.i....y.%..p@..&...X<......ye.`..i.em._=....S>.....N....m..X7...<..l.>..T.".X..vE;.\|..xC.e.(../.^.(/.Z.v].vW.R.@.f..#...'...Q....[...&......s..[..a.X.e.`..k..o.r......k`....*..#.R`............d.)l.=..@...x..).jL...v.U.E_/..b...d..

C:\Users\user\Desktop\VAMYDFPUND.pdf.gn9cj Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	COM executable for DOS
Category:	dropped
Size (bytes):	1070
Entropy (8bit):	7.826933234926955
Encrypted:	false
SSDEEP:	24:fN7iBkDf8fwu2RwsrmpMJEQU3RCdl/mZuw37a5bMlDFrG0qbAu:fliCDqrpaKQUMX/8uKa5bM5FS0qbx
MD5:	2D3BE8186530E3069A7BB4FC5A3623E3
SHA1:	64AD047A27018CB23D692D05AE0041FBE61FA831
SHA-256:	F265992EC4C49819C43027B24C11E1807D9F8F2D2E3257287516913BF78B277B
SHA-512:	E57A99AA7A36382D51C2EA3248027DE8A734B880496E10A71E414EF3868985091870553D1CEA44BB52B6AB68F31070E082E29D512FDF2FC98201D8C76C10E5E9
Malicious:	false
Preview:	....KTT.\..y..D.b..R$....]....Cz.W.......7 ..^W....gin.....u"...'..(+..-....y^......x...}....6.K..S.]....qaX..Vh..7aR...9v.n..F...Re]f.dt.1wO....B...B...EW....wU.......&.....s_{.O.#.-)...l...Y..N8.....[.......i.or...(......T.<O.+.o...n...Qn..!z.xQ.#.@R.].&...!.YY.1.. 7%.._.A.It.^....r@.sR.../..t@.U...aA..qWiC..(-6e...O.G.NM;..W $.8...,.....xTx.... .3.gUa.\&..l(.>d..<........_.l.5..V..(.....2.._...J......d..c.........Iz...k..X..`.9.....%.sPJj..k.K...o.n>..?xv.O.X..x....E.'.W\|N.....`....t...o.+.u.+.....j....n.\|.R......,.=..b..u....&.."u.....P0e_....7.)]..V...!8.\...w<....u.....p.{.%{.W.1.P......)..L.U....H$z7...k:...;.....V....z...&..0.1....w..6..L...f.&.NcT....W\../....>.x...y...+.v..7r[.../S.B6....s^fV.....Z....]z..k...h.dN....Z.].,r....c.c.....&.>7-2.{.>QH2.e0u#........x>.C.U..U..<..D..e.N..Gi..5f.Eu.2....H......*........).S.....@..dZ..?....ms.p.B.#..3l..E."...)dv...6h...n.z..$......1....yr.(..+jf_...?F.}.&"...yet..aA.\|t.24N...sQ

C:\Users\user\Desktop\ZBEDCJPBEY.docx.gn9cj Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1070
Entropy (8bit):	7.8096601761765525
Encrypted:	false
SSDEEP:	24:YcyG64mQrykt0oXOykKJFahdZygLQDjfzqVTZykdH:Ycy4mkWPykNygLujfzqtZykl
MD5:	BCF5FF37A87CE0ACE542B97DB4BC0325
SHA1:	2577DDE2E80C080592C66F63B4FBEF343670B01F
SHA-256:	CE60209B11CC4A4BF7A7D3A62D76955A23800B8CCB2937EF6B5F09A192F485F9
SHA-512:	BB9E1FF6CE5DC7328D5B4E97D1C6E14D3CA7E398F94FDDFF3A070E08CAA57DA839B2298D53F501B3DC984819158C89C74A2C1808C0D037B111A33AD36E310076
Malicious:	false
Preview:	nx.r20..!A...X.]...5D.eS...h...R..\W.X.O0..b:....:8..xjh..9.AI.Q..}c."1.FD3>...K0..V.e.W;.\.T......R...?.j?....\s.....3ME.~..b.9c.N..X.O...........N>..#....5Z'.Z........C..3H.....q..wI....$..:>..<.3.?R....@[w@..(.....Ov..E.a..(.......t.^D.h........}.M...a5-...%aOG...h....D.H....A.....Ph.).J...J.\........Ar%.D3....z...f..q...)..;..I...ui...>G'f.....L.`.8^..O.B.C(.^.C......4.@.j.T.@.%@...{.rP.w.p.".../.)..Co;.4Z.3...._....r.\|.;..b..k..X....../..k.e:FiX...H.Ct....Az(.yT....@......}.c.C.A....*...5.O.K.mO................n.\|.R......,R...\|4...c.....^?.27F.EE...X:.m... .b.J.-._L...T.Wa.RQ.L0.L.az....}'.Q[6:7,rq.a..).......^...a..H....D..gR.[....R.x..y&.b.....Q@.N..iS...B.p.GU';.nj..@...H.;d7....D.Q.]'c.0..I.@.\|N..h.;gaF-.=Zcv:..XC...d.r...~f.O@Qt`..a...4?.6.-2...J...^..o.h.W........No..X.s.k!....lV....K.UD./..@&.]...\..Vc..U.c...b/.........l.g.B.....;.......SD...(F.G.Sj9..k.c..i..u09.\.Z.:E.F.j......b....R#.....2.=?....Y...FC...5.z.zqFC.$C.;...UE..

C:\Users\user\Desktop\ZBEDCJPBEY\BPMLNOBVSB.pdf.gn9cj Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1070
Entropy (8bit):	7.823382305217434
Encrypted:	false
SSDEEP:	24:riSMYcJJUlPVZ4hqmePusb6R7sZKsdMwknzkn:rNeJqltZ2qa7mMwEk
MD5:	9C4D4439E5BB55C51DD19E1E64D936F7
SHA1:	CDDE1D636D10FC4E1755866DD06040D81B93C976
SHA-256:	FCE52B6DC698369EF9DFA689F40B419ECC6A49C18E2C59396145458F73CEA032
SHA-512:	33BBE7138EE5B316200056EA5D3BEFFD17851F4153EB2FC16661F7F2DCE578BB8AA96E83A10029A0F508884348644F2AB38F487F87A60D6688181658BF33BCBD
Malicious:	false
Preview:	W....vm;N.?&..\....z~..c%....)za..m=;.].....%..mm+;...foB.)<@....m)._..m..5.[...D..=bC.=....! .4..8.\.t.T.....=#..&..`}._...Rs.D..0.S...`..........x&T...$....ugf.A....?..]..H....q.k...?&.C......u.'........}C........V6...n;..U.."......R.n\5.......7.]<. ...IS7.\|=.....a.B.4.....;Q.}.v..@\|z...<....#A:B.nS..."k`.~..R......l..Z..>.W.#....K/.i...j.u`C...B...d8.)....Q..?Z..'.....PS.T....s\.^.BF..^3..Y.......dM<.`.Gd.._F@N..I/..A..g.p...3.(w.......n...9Ef...A.v...H$..._&J@.....?..7...O..-.Ns./.g..&eL.=..A=@......n.\|.R......,.r....q5....K...].....--\|......r4.....{.......J<.H7...n.....m9..E.2.J..sZdr..(1.......3......zc... (..DE....@..j..9........[...U.M_>..gw.......U/..4........y..A.v.....vF..+......["t8!....#.X.P.`....,..&...#..{q1........a....>NZs....5q...p..Kg...0n..[.-.Yw......O../-.g......^Cw..z2&..).h../.qtoP.N.R..B..t...M...E9.+..,.......boS.8s4ut..i:.......z.k.M%.g..}Q.....l.....{......l)-.V..UP...i...c....^+o&..7.......".yZ..p...]

C:\Users\user\Desktop\ZBEDCJPBEY\CURQNKVOIX.mp3.gn9cj Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1070
Entropy (8bit):	7.7731117834526495
Encrypted:	false
SSDEEP:	24:X1Ts9NsbG/01GpgkjTQwY86ZDPcOafCj6ihDf7uKUcR4zpaO:Xysq/01GGaV6ZPcOT3pS3g4MO
MD5:	21AC11E2BAF2CE6D2E8102281F6B2FF4
SHA1:	95949115115F86D297E7FFA2667FF00F91B237EA
SHA-256:	B5A4A696E6611A3CE78ABA30AB69B17398903D328343A3AB55461B230D0E07A4
SHA-512:	4CF54644F7A670544D955482C619D1EFBD863E15AF238F55CA0A9F596C79DD2E5990D969C973BF5F43505232C18A2D15320EF8AC5C452F571225367BBFEB2095
Malicious:	false
Preview:	}......g.......Q.2..&.....t:.} ~...F[.?.8..je...W44.D#r...b.j.+.._.........?Q.`x7..$S..m.2J.k.\...UCU..Z.N%." di[.Pr....3.a........hs.O.+..Q.....4...A7.Jtw...33..O.X$7.J=.sq.>.4 :.I.M.#.....g...........u..c.d....<..=.....O...?....0O...I_:zP.[..F._x...[..>.M.).;.u,.H.8[..I... .....[}..@.I.I...i.7~u,.;..OQ..%.H:...O..e.qi.7..u.0qF....e(.6N..ww...F..n[...8.k_...a.#.....\....r.Lv\5~..dG.....M.M<.e..)VB..~..._I...{.<!............j'.?F`..."7[.#<.B.<C...L["b..:-v,.P...K.Fu....; ..t........s...0."7.z.V.....].....z.......n.\|.R......,qx....+4....^.SR..f~..E.+.%]..,...V.d..+..m+1-C._qB...R.`;m.Y......Gs.....F.Qz.U...cd^.$Mh.....H.A...s/.WZ...Mp..s..o.kT.V...Lx.O.P.+...AJ......b.$..=.20.1........1........./.Dr.zM.=..&."..AR.....,..]...g.h=.2.F...o...UV.g.<.1Q^Z.b...0+.B.Y....&...3...r.=G....?~..zK..O......t./..F...-.(RZM..-.....Y....xG......gv.><.. ..d1.....h.(.d..........=.fs.}1..b.N..,4..H.a....2I........(.toFK..=......5U^4j.L.o.c.....;4. .T....q...

C:\Users\user\Desktop\ZBEDCJPBEY\FENIVHOIKN.png.gn9cj Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1070
Entropy (8bit):	7.8243366879673175
Encrypted:	false
SSDEEP:	24:HX7T3/3eNl8Gw9/2erE0b18W8CH0MW/KsFP2t+5:37T3/3eNl8J/2eLbJTH0P2tg
MD5:	7F1A2A8C43B3DA014A51392283E5F346
SHA1:	F78DB204ACB20D48079AFCB060C48DEA868B5C6C
SHA-256:	BE6143B6D5C6EC95FD6A2590A93773DFF115FBF42513AED9115AEDCBDFFB8D8E
SHA-512:	5F722A99DEA6DD0FE17550CA74E488D7454984E2F7E73BD81E7E64620C3C66B1C50B86374AC299556019682CD296CF6601A1E24949EB4A3EB527025E2B6A6785
Malicious:	false
Preview:	.HaD]..LKB:..IC..&....3...v.=..KP..DS...Q...H.c..P8..p.1nxf-0....Q.&P...w..A....@.......oj..L.[I9....p...n.KT..AD.\. ......V...x:M.,.!'.9[..=...&.3.<.c+'jl9\|1.h....-.....y.pP.sf.[....e.Q...g...."O7..^... .\3h.t...4B-"...tO..'..sG.....S.c..W.CZ...........G...O.S~.n....$.@<.fe/x...Qg3..".\..6.J..i3.....0z.U.p&4..........IC..W}..dY86Z..M.#}......R..d..V&.P....Y.,...1...cH...S.%.)Q..~.;iG.F.j.......%..T-oa;.D:....@....l=...IysT...)`.'..zK...?.o...+..LYq;.-.2...,W.;.V...).#oi.S.D..hi...L..@K....~......lU&.zp.a.KJ..=....n.\|.R......,.>{...k.....C.....N.'...^...u....q.#.....C...=.5.d...l..H..a7...Czz<.6a..X....R.X..^...."J..d:O...{z..K..2...rP.9o.ej.......jE&B.w`>..Y.u.J..U<.h.Z.....U...5....-B....._.o..Qx....................9.,u..G....$.I..........s...xj.."..*..}.................\......\|."7l..E.9fI).eE..1Y..>...Q.&...K@...;....e-.Gv.Ji..3Q..._a.!..0..u.6S..O.0R.$.>Ie....S%.Z.N..+Kqt.{.K.d.eF..$.[3....g......z.v.9.9}.5c.1\9....1!....?h..OH....5...Fn..

C:\Users\user\Desktop\ZBEDCJPBEY\HOW-TO-DECRYPT-gn9cj.txt Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	Little-endian UTF-16 Unicode text, with CRLF, CR line terminators
Category:	dropped
Size (bytes):	3274
Entropy (8bit):	3.3969029202767174
Encrypted:	false
SSDEEP:	48:rLrZ6kkqzuDVm6eRU5oKDIBE2qxOzOwUq7ZU/d9PfDoIwe1Nn2oEdFdb:r/L+m6NJ6JOwZgd9PrRNQ
MD5:	0C6D0A67B942D06FE27F41C7C582CDFE
SHA1:	7E674CF6375B138CABCA2706583D4CED7A1AEF27
SHA-256:	014EA5EFFC97085B7832512B9AD2A5C4487265EB67E8D7B0920EF2BC8768400C
SHA-512:	53EC4509BC58F53419A8923D808C7DFDECF57DC203C37265D061AEBAB73147720D1C419E79578065A42C3B2A63504370F90516C3F0AFAD5D6997952592D3A39C
Malicious:	false
Preview:	..[.+.]. .W.h.a.t. .h.a.p.p.e.n.e.d.?. .[.+.].........Y.o.u.r. .f.i.l.e.s. .a.r.e. .e.n.c.r.y.p.t.e.d.,. .a.n.d. .c.u.r.r.e.n.t.l.y. .u.n.a.v.a.i.l.a.b.l.e... .Y.o.u. .c.a.n. .c.h.e.c.k. .i.t.:. .a.l.l. .f.i.l.e.s. .o.n. .y.o.u. .c.o.m.p.u.t.e.r. .h.a.s. .e.x.t.e.n.s.i.o.n. .*...g.n.9.c.j.....B.y. .t.h.e. .w.a.y.,. .e.v.e.r.y.t.h.i.n.g. .i.s. .p.o.s.s.i.b.l.e. .t.o. .r.e.c.o.v.e.r. .(.r.e.s.t.o.r.e.).,. .b.u.t. .y.o.u. .n.e.e.d. .t.o. .f.o.l.l.o.w. .o.u.r. .i.n.s.t.r.u.c.t.i.o.n.s... .O.t.h.e.r.w.i.s.e.,. .y.o.u. .c.a.n.t. .g.e.t. .b.a.c.k. .y.o.u.r. .d.a.t.a. .(.N.E.V.E.R.)...........[.+.]. .W.h.a.t. .g.u.a.r.a.n.t.e.e.s.?. .[.+.].........I.t.s. .j.u.s.t. .a. .b.u.s.i.n.e.s.s... .W.e. .a.b.s.o.l.u.t.e.l.y. .d.o. .n.o.t. .c.a.r.e. .a.b.o.u.t. .y.o.u. .a.n.d. .y.o.u.r. .d.e.a.l.s.,. .e.x.c.e.p.t. .g.e.t.t.i.n.g. .b.e.n.e.f.i.t.s... .I.f. .w.e. .d.o. .n.o.t. .d.o. .o.u.r. .w.o.r.k. .a.n.d. .l.i.a.b.i.l.i.t.i.e.s. .-. .n.o.b.o.d.y. .w.i.l.l. .c.o.o.p.e.r.a.t.e. .w.i.t.h. .u.s... .I.t.s. .

C:\Users\user\Desktop\ZBEDCJPBEY\NIKHQAIQAU.xlsx.gn9cj Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1070
Entropy (8bit):	7.862232814768468
Encrypted:	false
SSDEEP:	24:TvSaJKAp/SH9CbEIWYOQddqTj3c3+8X2XBDEtj0JYMzhGn:PJKAspt+6BwOxGn
MD5:	DFD3A612023EC86391BCAC5C85BD4905
SHA1:	C26EF842E117D966C805452C2D888EFA0ACC65DB
SHA-256:	CA1626BEF240DB6E1235D0A4143369863EFF1DB1D2208A2B425899BAA24B17F0
SHA-512:	9B744A7B6030741ECECE40397986530E49E4AAD060FF80CB3B7B4EBA84261EBC7A1D450CCBCAB40622E6D74E97F1E14FD4444124660BB440A1350E7AA9448191
Malicious:	false
Preview:	j.t@...ym.=.Q./C\...Q.3..d{.ae...Ah..FLi...L0.~e..vs.}-..XZ..E.\2.n-..e.1.lQ..fD.+}M.Z<...`.kI.^.....u....\|m.%.S..]/..>npe$.x..........k2.2......D.............f.lP..x...A.w...oE.h..S.k.V......4.W_!...FV....u.H R.........x.;.u,....O..T...1...._td.^"...F.b..g..\p.T.....bD......;t]...KLI..t....?f...78......'hV=.Z.I$.7{..+...i^..2...).?.....1..`B9.7...Y.ad.z....6Z..C.)I......&..1...P.y...J."....'...?....>_7...n..+..[Z.f.Y/...{...qP@.w..%...M^$q......3c.U..d.... 8.>\|z....\...S...gc.f..h.h..woc'.]`.?..h....q)..cS...Q...z~.......n.\|.R......,ku...8tU...n3j.`T..........N....~..r..}.l.......{.....%.....!.&..C.K.;'...E:.....3..$I..g...>..a. .a..xvWp........i.7..AM.......s.5....m.....3...].....,.....#..es..X.<..........^.._.?...`U.`..s....Sa..4..hV0l.....[.}`.t..Y..$..B...IQ..=P......M...B..]J;..\..P4.....c.{.?..M.l))N..j. ...W1..v.6.F.-..=;AW.)O.ls......._. .m.D#...y..?.$(A.y.Jw.7...B.,..Z..@.bZ...H......./.ni.....[N.3.s..^m:.U.........%....L....ktQ

C:\Users\user\Desktop\ZBEDCJPBEY\RAYHIWGKDI.jpg.gn9cj Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1070
Entropy (8bit):	7.78330356086388
Encrypted:	false
SSDEEP:	24:1jRuq0fEt3T42ufoQUMpoBxHtTaCZvMBCXP0SBEifXuvpOo95f:Nl0stD4JAQsB3OC9MBCXJBEISpOcJ
MD5:	28372EFCB41D712AB918C7EC9177ED0B
SHA1:	0F320C64EFA766270DF6A0AF1EDF674A13A75D1E
SHA-256:	D877921C64AA6A6425E337A803AD623F19A0360B0C9A715B834F7D6F0CB0285B
SHA-512:	499A9B20B1E52F301FBCB99E76CDFE15A950B50C0688080138C3E50652CAC9AA7B26FF3C94BEE11D95736050E8A2D6AB485519D01C06BD7C3028DE0D10F14EA2
Malicious:	false
Preview:	.X...KJ...sq...x.o[........&Y\..=..}......Y.I..P.....5(..M.$A.A.....I.VN.....ciD.VF].._..%#'........if.....}e..ozo.m]_%.>.U..f..#p.]n.....a.S.=\|^.....Ow'...p...B0..&.....=d..aN....7..,9)..h..q....8..1mT{..Y~.... r...M.+..Kt...,......,<....0......Q#s..fmB.1v.U.o.,q..vH.a.]..q)..jh..K=\|9f. ...L\..[.i.eB.B..'Y4.L..m.Js..0fU..d........M..\|.i.a.g...].z7^\\|...0....7...."Ve....]N.C.1..BU..zy..ZD..._"...'....P.R..+...3.oV......U..0.h<...no..L.ns>.."Eo5.!.B.Y.>..[.Q.4.7.....M.O..h.6........\hP<.......e.Jxd......b.ro..O...WT.y....n.\|.R......,.U>.....?........e...[........O..p`..X..55...u._.!..U.?..6...Jecol.7..eY.#O.u..l.2.I....a.Zd.!./R...`/.+S3.......K...H>{c.........arXF.......N.........(..@...+-.;]..:....hN.#.M..#._;mB.X.e..Z.M%.F..S}.CvD 3.+.".u...^x......f.Q.......5:..e...9\|.."F......T.................32.M.Y...T.....9.Fl.....l....Z.Q...4....fn.#8XpTH..4.I.tQo.Y..Y..f...S..\v7._a._.....}.b.IV)q......D..ER.D.e.y...R.....5v0.../i......a...*@..H....

C:\Users\user\Desktop\ZBEDCJPBEY\ZBEDCJPBEY.docx.gn9cj Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1070
Entropy (8bit):	7.814492498045986
Encrypted:	false
SSDEEP:	24:WUBhmmZpueHjQdtb4a401+VOXWDTZvmhUvCzSY6qqaGUqG1:WytjH0dtbs51mCvaz9DGG
MD5:	029129423B122361A4112D741739E278
SHA1:	71F9A3D83448620DF68DB837D358AE00EE42FAF6
SHA-256:	FBF2DD92CFD9E9513DF22620C31B9D6BE014AA2A67EEA1DEBEE6C0691E9F3003
SHA-512:	BB5B6BA7C1A65610A685CBB4775BE623876DFB6A17019516AB0633DA8253769AB6282E28E02CF5A71B378DFEBDBF42AA2579A5AF99679319FBF230B4D5F38E39
Malicious:	false
Preview:	.a.~$ZZ=.Fs......n.I.3........U`[.4D..h......dN@236..1/.U..d`g....$sS]..7.o...ce.B...vL.......+t.g.Z......U.x..........'.....`..=K{z.\|.)U..G\R.+..n#z..C...i..y....../b..\.Si.....W..r..G.H.E........$.......K.,.T(V..3..+D.._......A+....k...s.dC.......p.z.@../.5..T.I.U..........B.F.q9?P.d.#...X..bdf.!..9l.h..G.....0.v'.w.<....=..8+e..#..w...m.K..."%g.. .w.>...S..fZ....e...C"@....Zb......(....G..CX...2.T.F]=.....m9.K....j...$..!..!g.....\|q9a..w..[..!. ..U=....g...L.g)..:.qD..o.. ..#.g:.Gl.r..2..0..,to.E....Wv.......n.\|.R......,...U.....E..E/.S[.K....b.Hf`....K...........O.C.....8......,.~....~A....nB.\|....%....+h((.<.v...z..O.!....v.F....v."...0...$..S.....I....{.8........n.+.-z.5.g....\l.7..4...{...y%...r.G.CQ.V+?.T+..Cf.B.C..<$B~..._....@.t..ZT.&n...(d.XF....P73....,a(.....6.b ^..{....O.Q.1v...0NM.v:u.tx.........5d.Y...........n.]1.<..[...u.....G.(.^i....o&a.xZJ+......&.t..bx)...\|lu.3.........=..kYu/.?Ycb..cc{...ceyy..5...r...=q.0.

C:\Users\user\Desktop\ZTGJILHXQB.jpg.gn9cj Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1070
Entropy (8bit):	7.830596265401217
Encrypted:	false
SSDEEP:	24:gXcuV/1fiUW9FhzFV3vkG2wwsM3x6s+Uw6+SOnbRMu+8fvg:EcuVdfUhzFVMt5nx+G+DbRMevg
MD5:	00B306392A812939EA894D96E73EDE1C
SHA1:	C93F382E6FC373C176989FF4C24C6D0C2C4EA25B
SHA-256:	205D88B5DD6BE8F4B57C6000A04B8ED0C259E129433CB1BA804DA3D94F792D2C
SHA-512:	143FDC725D2DF53F7585260F3AC04D2D156DEC865366E9AF62DF785127C2378819A7A7B81F5828CC95C83D483034157C642C6B7528BBBBFA2E841DC0C84BC7E0
Malicious:	false
Preview:	.h.i...f.>..Fg..3A.r4.Wu:...n......A.=.2...{.Q.....C.U.$...^\!..(.x..G.iP.Y...DU....R....9T"O......A..o.....14U.J.....`)..k..Q.y$=C.......`Q..Oy.....}........ANp..[\|..9.....8...<9.~]....^E......]?63Vz...2B@}......OE.....5r?.h.....Z_..m.F....u~..u.k.&.I/ .xRT.M.7.tJ...@....p..6.!R....l..HA.>...e.8]..@.!JP.!..X......}S.....4.>..N\|..Q...i0...n..Xo..epI._...m.t..x.....X....^....:B.}..%!..D.jJ.....',w...LB...P.i.7.(.KS.....R.f..Y;.1.U..tj.@tB.0.>...Z....&5.._.U.oQ}$...O~..{.<H.."W....@+=X.#..fr...JQA>I........n.\|.R......,........J..!7....#.D....s....S....~...Rr"....@J...X#<t.......n...e.Fk)..u...a+....+..$(....^.#..n.>?.D<J..`...N..<P........>.......[..a......eS^...H....).Y%.R....F..S I+.v.].....hm."3_.E.2..j......6.n...i>.8N.....8.z.^..E.@\|..Qx..8&Ef..8X\|.Ca....h:.[D...!.......Ft@..8....W&.~.....<..Jo+@.mN`.......n..+6...h.~..m../}?..=*u.~..m..04LQ.b....Qs.c2q.......1J..d..S:W..1...G.Jj0.l&..c.T.l....b........YY..%. ....`l.C4...q ,....Y.

C:\Users\user\Documents\BPMLNOBVSB.docx.gn9cj Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1070
Entropy (8bit):	7.821899956695435
Encrypted:	false
SSDEEP:	24:KtHA70OZjwXmHgw6a2mh+RQXU8P5vUbV4Z/CDZYo3n4GDUl/N:KtHhAjEw6Gb5m4Rup34GYX
MD5:	8E2BBC51D9E4A18088A73E178FDBA3A2
SHA1:	ED05F0DEF833B777A155041F2C8E64A192830184
SHA-256:	E17F5BE2799F825432CF671A236C19BC2449CF72277912A60F97F4A0BD55E310
SHA-512:	1085781D4873AEF5B0F46C58FF8CF302BF8A02B66D1F5FC9DED2962D6935F23048A1D0A210CD4E7962DCECA5B47A30F0432FFF4D014EE3644ADE60CC968D7A9C
Malicious:	false
Preview:	Mri...G=..]..W...L...J.W.....N...`.<}....6u.6.o......j7........nDT....._.....w`.<.ML.d...g..L...".....'...>.'..Et%zG......gLj.K.S]..b.T...j........c.....]jc.]....hroQl....L..B.....T....4.......=.\|...;.D...6.4..z..#C...W......b...........{....,K.I~.q.OP......R...._...;5..r..=..f....A2`.1.k?..N.X.5.......F.....F........f.i.M.....f.?.{M....?....n.{....roD#.......HW.+3k..cJB.....i^....QkZ.'.s..o..Fv..h.....r.c8.v.l....-.4.) .........!......w.....7..j..'B..z......vt..9../.....T....D#............<..y.ulk.........n.\|.R......,L.w;..V......R.,....j2...0.. .2.....f./...F.l.6T...k.Z........@..l..L^..."^.r.x"2.... .7mh..p.W9z.[^.6..].oO..C.J.g.?.I}.S.&...I:.s5.Y...A....f.,.OL.h..=.C...5&...........s6O,#.@...X.q......(.e.1?.x....Jm(..lV..n..gM..p..Tk.).2...Tj..5D....u.&\|......%.8..U..#.Hw.X...ko.yJX.o....<..B.B.T/4g....._:;E..A...4?.5j...}k<...VN..m..],.....v=..}.`+...5.!SN......V=3....u.+...%..G..Ly.8....h.t.a.H..s.x..a.-.r.&..@....@...vuD.4+.

C:\Users\user\Documents\BPMLNOBVSB.pdf.gn9cj Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1070
Entropy (8bit):	7.830826910442958
Encrypted:	false
SSDEEP:	24:RWFq+ugJkyL6rIuxI17ThzWTLyD/gepqPaBqnDI7nV:gFAGRuW9hzWSD/gepqKqnEV
MD5:	95BD6ED6E6961AC6048B809CF4511860
SHA1:	24BD784CC6B466EB1E72091128177984831C6CC6
SHA-256:	E9738033E6A7621170B78BF45C1CD4C0AC3209AE9FC71F2307534D32C094BA11
SHA-512:	CD89D89F5B2990D5BFA0C20EBB7212258347229316E7E128718B2F69655CF8225C644478DE88E5C9CB97F17FDF9CD999D84CEAA609297C5137778CE95BEED652
Malicious:	false
Preview:	.z..EH.m...{s\|.[...u].$P.J..k...A..vi.p'......(...<QU=./..9..._.t..;..TxM.-.j ....o..,{....c.g.JX...1S.,k_.k{..gK.D..x;..i...gk....L.=..q.~G.a..8.....:4G....@{..3$`kv.G......W.9.b.....g!-)..sH=...n.U..CS..!.A..=.............r./..j..j.6m.Bdmg..D...L.o..n....D..v.D{o<nm._..m.[.u:. ......:.".........e.u.z..6.."}R...Kr.?..l......Ht.iN.%.=.T.+......;....iO;.L...O....x......./.$..z....qo.W......50..a.......j4.zt.'8.{.c..P...]i.Xs.....w...%[.d.Y..Q7...N$...1.P.TQf...^....d.......6+P......E.J.....s{..x..[...:.....n.\|.R......,M@.A.jN..;.....O...r6~F..U..........{..nexn.....i....n..7...KJ.I7 .....A,.@.W[s.R.0.;M.L.V.U.....O..i...f+wFM.t.< ot..=...v.#.dL}9/...\|;.K.s..h.wa..P...;.J.$z..D"\../X.,.!:.......%....C..l..{..........P.7..!l..j6...Z.r....4...=....a...$..~.\......D.q.]o...5.T...8..{}....W.F..xuz....j ...\|/......".-<.0[.......u..l.G..;...IXX5f.. 5..j.......iHl..k.~.Q......m.....y..........<$E.Y......l..B?\..p.&..K.<D..ww)4..z.j...

C:\Users\user\Documents\BPMLNOBVSB\BPMLNOBVSB.docx.gn9cj Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1070
Entropy (8bit):	7.821621751010277
Encrypted:	false
SSDEEP:	24:G5+3wp43G5QlKAPerVRG2EeXTk2cd+xDsmB/sElPRpYZszNen:Go3wOWWlKAERGCxDj/Zp2uZe
MD5:	8FB1318B0850BD3650DFA2B1EB82539F
SHA1:	DD9E72F90D8DE2351F59B516F1E404A4F1E1CB6A
SHA-256:	9A5C971AA4108E8E9E272F179B767E75C7DF5B549E0AF225CCF33D0729B1E7D1
SHA-512:	1E1C95322387C7BB535E47D8C92EB3BB8DB88589DE8EA0D91B48358B49D848205CBC397468FFF3F1C16AC74F3CF739F7145921FF49697ADC84054677E5B9D500
Malicious:	false
Preview:	..!......\&..4@T....]W..z........N.5S.W..}.i.B..;{/}.Jw..u..[.O.9.Y..Nk..zWz_D....y..!..8..r..8CF.TA.-.....a~l......;..M.VQ..(.%l.:..U..%....).B.]...X...e...]:1....S..?..o.w,.+........>.0r....B..-3.{2..-.....Po..P.@yF.`...U:....[1a.M.......rG.=...i.q...@.....ia..Y<...8...>.U...y.69y.Q\|a..9/.{.A...6..j..2.{z.l..b.7.9.3.-...N...'........x....&.s.......,...yY..Kr.:....XM".E:.Qf.J..... ..ML.......,..vl.....5..2......U.b.S...].~.S....5xI4j..V.y.D........'..a.oa.y..y.BYz.$.....^nwX.u..\|._T..\|....D.oZ....R......$.a...U.j....n.\|.R......,..0<.a.q.u...M...-J.`.v.f4!v....b.?).F..3......m.....m..Xf...}FX...O....&.xm.2.iU..(.^{8Y...NP_;.....M..\CQ.........x....;?.l.F.TV.]..@...\|..&....Tq.;..~..V:..by5.J.&r.......la8.....o.....J....nY...o....:B.<.b...G.p..GB..L...I4...,..v.....E.".R>...t..G.....8...../...mrh.z)1...-6. w..)s.L~`.1<.8N.%.k.0.)69.N..v...T.g..c.c.2..[5G{.Or...w.a....!..%....\|f..R'..Q4/.y.V5.R.-......b+^.])5720E..l..e.'.......n.#.M9l.

C:\Users\user\Documents\BPMLNOBVSB\CURQNKVOIX.xlsx.gn9cj Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1070
Entropy (8bit):	7.833112241896342
Encrypted:	false
SSDEEP:	24:1ewBsPqChuIqy4QWKC6qUlty6jXkPt8h2bITa4J/Yirv/:1ewBOq4qy4+CRGYt8ub4NbrX
MD5:	5E279E1B164B7F6B6E17B63755881410
SHA1:	D29D3B287EE63827EBF0A03074CB6890EAEDCAEE
SHA-256:	0DAC68FACEDD953C5CC648C59CD9211BC23C94DE3BA1F1F2DFA8C82D63E143A5
SHA-512:	B90A5D4178052CFC635303E20766C74B523E7E8CCF09E6F75510FA4537A2F7B7CCD3DCE196F1040AAF32E4EF713A23DD669FE81A17CCB41D96E96D85C0CEAC68
Malicious:	false
Preview:	G...fl.#2...@.Tc...x..+#PI..V......"f..S.x.....:=P.......1oA....7...v.8f'.D...3..Q1..4p./.w.y..D..}...PPS.{]..'[..".........F.v..7.N...D- ....H..dZ}._.n......G.6.6Q.k.......f.]...g...yZ..L\|.g........u..6.K?..G..\|...g....y.].v.h$../.. ...FP.......u.@....L.s.S/,.T......?F.....\|...M..f.0...;...WF.....gbQS6....i.f['..eD..4..J2.7j...^...8....Ku.'s.......A.,.P...F@4v$'......q..A^.o...kWT.a...E<1..c/#.30...I...bC.0...{.-........>.@<.U.....'0.`i..Q.y7t0M=U.D.>..#-g'+.Z..N.....N..:...r.../..Fs .....;.[..F+.vh..?78....n.\|.R......,V..t..T.L..`Nu...v.=;......-.\|io0..........I..[i.A$.%.j._%...z.7........%...#..m.i...h...<#...+O/.p.Z..K\(.1.O.=._.....l.k_HXs(_9E,^..06.Vvy..:.`.....9.G<o....Sr.x..#.......X.?.vS.."...T>f..W.ue........$...4v.a.VJ.i....r.;...%.I.~.O....E!E.D...l....C..r.:.`D...Q.................`h.p...g...r...%e...lV..,...>}U...Qe4.4)(G-5...7..1.2.:..{Q......adI./..j.......Hda.n...Zw......@.)l.J.W.~.}....R.?XF.+'..k\.T..#.....Ti

C:\Users\user\Documents\BPMLNOBVSB\GAOBCVIQIJ.mp3.gn9cj Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1070
Entropy (8bit):	7.802524134196174
Encrypted:	false
SSDEEP:	24:xOhPMQDQ6pHvFJTCe5zNyNxZRd2ly5QOy7cMCv8amReNKiJFnpJ:UFhLvCANwV2lsQOuNs8a4p+J
MD5:	4CFCFABA1951E05B217EA66D976F9AFF
SHA1:	CB04C4E3FBC3099F99FE2239431A3F62ED47B495
SHA-256:	AED73F0E79B7C0B1DFCFBB431AE303E9C88A88A28A5B9F2A44290BB3CFBFFB98
SHA-512:	97F81480CC718993634ADC79ED6D619358EFC87DE0756B21EC32CC76CDE4BC7B909D12AD7625B107DFD6DE9CE959E539FBC9866817D281142A9C9F6B98F3DD22
Malicious:	false
Preview:	G...Y.o+...W+}(._.N\|.3.}..'.U..E.f.....3s..y2(....{..u.+..E...=d.......d...Id..@..t.....?.o..?...P)..oG.P.....1A....}..j=Y.T\|..I..K..........B..c...X..p...v.s1.`,.c`..XO..........."....M..M.(...#.K...e>..(...l.V......P...b..(..3.,..8:..LMw...k........E.'..X..:.Ri...m...Z.,Yt/._.b.k.PY......F2U6.V...,.....+a....r.Ex+.'a5....c...&v,..,...a...]j.m9..9............D...]...Sr0.Z{`7..s....y.............`K.&..p......?W....(%.3=7...\|...@....q..W..d{.......>..{u...J...,..l....3~......>._..#..}.....m....hj...9....n.\|.R......,...>..Ec.....Qk.p...}.7..G!"....(.-Wz}..F.O.5@...&.O...]5nf'... Q.t...Sjh..I....X...Tf.ow..{..M_...R.Z.....d.ew}>."lx.).9.q.#Q..Pw..5d$(H.l..h2$.._i..,NJ.ey....$..>......sd.J....h.-..........g+...@W....$..T....o!.......x..Y#A..p..)}.4.=..8.\'.Z...RM.+.E....?...?v..y....."..-B.+.x.j....e.....7.l&T.Q.c.\|K+O.6.Me.\.........^....q....*;K..o.`.@.Q.._~.d...mk.Bn..!.b.....Nv.....S...T./.>)0'+..........gT\|.:'..p..H..~.5.

C:\Users\user\Documents\BPMLNOBVSB\HOW-TO-DECRYPT-gn9cj.txt Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	Little-endian UTF-16 Unicode text, with CRLF, CR line terminators
Category:	dropped
Size (bytes):	3274
Entropy (8bit):	3.3969029202767174
Encrypted:	false
SSDEEP:	48:rLrZ6kkqzuDVm6eRU5oKDIBE2qxOzOwUq7ZU/d9PfDoIwe1Nn2oEdFdb:r/L+m6NJ6JOwZgd9PrRNQ
MD5:	0C6D0A67B942D06FE27F41C7C582CDFE
SHA1:	7E674CF6375B138CABCA2706583D4CED7A1AEF27
SHA-256:	014EA5EFFC97085B7832512B9AD2A5C4487265EB67E8D7B0920EF2BC8768400C
SHA-512:	53EC4509BC58F53419A8923D808C7DFDECF57DC203C37265D061AEBAB73147720D1C419E79578065A42C3B2A63504370F90516C3F0AFAD5D6997952592D3A39C
Malicious:	false
Preview:	..[.+.]. .W.h.a.t. .h.a.p.p.e.n.e.d.?. .[.+.].........Y.o.u.r. .f.i.l.e.s. .a.r.e. .e.n.c.r.y.p.t.e.d.,. .a.n.d. .c.u.r.r.e.n.t.l.y. .u.n.a.v.a.i.l.a.b.l.e... .Y.o.u. .c.a.n. .c.h.e.c.k. .i.t.:. .a.l.l. .f.i.l.e.s. .o.n. .y.o.u. .c.o.m.p.u.t.e.r. .h.a.s. .e.x.t.e.n.s.i.o.n. .*...g.n.9.c.j.....B.y. .t.h.e. .w.a.y.,. .e.v.e.r.y.t.h.i.n.g. .i.s. .p.o.s.s.i.b.l.e. .t.o. .r.e.c.o.v.e.r. .(.r.e.s.t.o.r.e.).,. .b.u.t. .y.o.u. .n.e.e.d. .t.o. .f.o.l.l.o.w. .o.u.r. .i.n.s.t.r.u.c.t.i.o.n.s... .O.t.h.e.r.w.i.s.e.,. .y.o.u. .c.a.n.t. .g.e.t. .b.a.c.k. .y.o.u.r. .d.a.t.a. .(.N.E.V.E.R.)...........[.+.]. .W.h.a.t. .g.u.a.r.a.n.t.e.e.s.?. .[.+.].........I.t.s. .j.u.s.t. .a. .b.u.s.i.n.e.s.s... .W.e. .a.b.s.o.l.u.t.e.l.y. .d.o. .n.o.t. .c.a.r.e. .a.b.o.u.t. .y.o.u. .a.n.d. .y.o.u.r. .d.e.a.l.s.,. .e.x.c.e.p.t. .g.e.t.t.i.n.g. .b.e.n.e.f.i.t.s... .I.f. .w.e. .d.o. .n.o.t. .d.o. .o.u.r. .w.o.r.k. .a.n.d. .l.i.a.b.i.l.i.t.i.e.s. .-. .n.o.b.o.d.y. .w.i.l.l. .c.o.o.p.e.r.a.t.e. .w.i.t.h. .u.s... .I.t.s. .

C:\Users\user\Documents\BPMLNOBVSB\MXPXCVPDVN.jpg.gn9cj Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1070
Entropy (8bit):	7.819938331875976
Encrypted:	false
SSDEEP:	24:znQYl7Wb6yVeHcpocCrhXxLX0foDM1udcZ6FFjsY:jBKb0HsockRxLkw/TjsY
MD5:	81E0576F90AF0744AC25D33AEAEAE28E
SHA1:	4BA62E074D3AD24B1716BECBF53776D882574E9F
SHA-256:	4DC128B3457394C2E876E499F1B5F50F5FAE93EB2FB5186FEC153AD49A00C9C8
SHA-512:	01C52ABC7A26E579F16F600BE3D3D4EF51110F99BD5D38C9D396950FD4BC86804F99E7EE6ACE62C7E8FA3479E309AAFA52F9AB3C0873427D8D0FED8AEFCB16C6
Malicious:	false
Preview:	..&.....e.u...m......N..l.kJ.VWJ^....jHz...Cb&..Fg.Z...n....d.0..a...wq@...h\e.~.u.^H.Ai ..D..M.j.N.Y..M......."!$..5HH...JVS......WV....wk..5W..w..b....Gjuu..$..d..S.........5F..65.h..O........&...Mz.....K......I..b.........x.._...9...7b......@.......K~5.....U..l...'b...Z....4.F ........js...N...%...........IF....eQ?+.xi..3......Mq...tt.v...U....9_Q..M.[...d.oaC-Tc.F.[..y.....m2}...........j.C.....kz...).t.....x.>..&M.3qp.. f.`.HD....O..%.o..m.....8.....,.a..lRV.....&.*/?...\......U..KW,`...n....z.<.J......n.\|.R......,M...-.$.u+.....v...22.....o...<...}..=.e..VB....w.$...-?....Y...^./..>.&."\.hn.....L$j.R.j........1..S....l.rBZj).t."...e....k.f`....r..,v.u......L... ..,9....kW.6...y..).3..k.]\BS.....r.3.C..C."....-...j.....i...f.,t..v...$._i...NV.A......K....'.\|v.L.Z..;..^[...\=..#..P........-w._y....z..jC$upR..{..awq..>NX...u..9...W..oG_.B.Ym.<.....OC.K}.(.........y[.ii;. ..Ei_..z......C....QR...(<..~....^.8/=...G.T..e......i......G._.

C:\Users\user\Documents\BPMLNOBVSB\NEBFQQYWPS.png.gn9cj Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1070
Entropy (8bit):	7.850939440425837
Encrypted:	false
SSDEEP:	24:w3pHPc4KuTojsjzzjYjU67quSojNj1r3S6KjPxiihqgm60TY:yHmuLjz3YHwU2aVgmrk
MD5:	7867A8FC370CAF18258A68AD297938EB
SHA1:	ED6433BC8F0894B47D8849C7C688074B5E0BCF53
SHA-256:	3596AD225C0D3CB8E2FBA47DAD5C7D6FBF477B1DAA4BAF7DF4AD7C33162849EE
SHA-512:	FE2157B086015263A2B9B854C2E8CFD98184F3407F6E1E8B72A60055621B78631E3C591E35FBFA9402736975F761885852FF8490B9EE06EA9DEEFBE96D21F4E1
Malicious:	false
Preview:	h.m3(...%B',n......1I..9i.Uc.;[.}.&_.b...#.JX......!..>...@.<@..k3L.8^....M1N.}(L.J..W...iq..I.7.g...%.)..f..2-.x....J.j...e@;U....t.%_....e=6.>.cc....R.......E.!...F.k....q< ..O.c.8. {^.y..........M.......J......G.......<...2.h....;.a.h.bz...qL..^...&n.}..'...<...E.\....{bJ;&K8..D...NU.e...D..{bE?..W$.O...o.g.._.6m....@!..F....M.!....:.\..FI..^.R...d9s....l.cPr.u1..[.Cd.oQ..&.i.#......,X...g......] rK.4.8%O.!N..<..sm....%.G../.].J..uFr.......P.@V.a...z....rt.e..B..PW.....b.D...R.;nx......0'-.I.~..O..J...`.}.....n.\|.R......,&^...p21.^.....!.5.t..Gr!M..W..G..u.<.>y.\|SB.......`~>...-.".....~.....;B1.......#.N71..D....m........o.....H.#s[._ .~gK..U....."..Xb.h.Sm.\|%,/s.D.;fX.....{L...'.[+....2 .7....7...8........9......5SZ.E.u.Ydo'p..E....lzY.Vh.T.$...A.ze....J_4..r".d..q..n.j..#B...p.P.(U.L....%.U.....!7K>..m.....b.%.1..].....H......A..x3@.9\d..QM,.C$2......B..\....B.[.Y>.O...m]\....a.....>...^...w.RC.....-.r:....";.../..v.T.I......1.U

C:\Users\user\Documents\BPMLNOBVSB\VAMYDFPUND.pdf.gn9cj Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1070
Entropy (8bit):	7.815881681356771
Encrypted:	false
SSDEEP:	24:TJ4PbZEmlumpkFB1lwe/5Ai7vOi4AWdsv3CPtTtKnxa6+o4BgV4fD:lgmgumpkJaeOifFWdSCJtPJQI
MD5:	289FDB583AE07E9B9A31594D4A600CF8
SHA1:	93E071D97307E14FBA178F5ED27CB77B2C312531
SHA-256:	06399318AFAEC8B8719A0009851D521EC230EDC1E4B8DB4BC38CC1FD151DDBA9
SHA-512:	E43C05D7D1390DD9F28A9F7F29534756D71AAF839A078C1748C75EDD3A5C4281FFCDF4731CB8FC968FD75CFE06444668845530B05307D84A2B2DBC1FEA3D8B79
Malicious:	false
Preview:	h..d.6%..!..H...~]...L.od.XYf@..:B.....x...-.w....~./.-9....[R.qN.....i.y~.i.....6a...$......h^D..T&+.......A...Fb.&j...g[$../2.@..M..I...eBuePv...>.s.i......A.O&x.6(R ...W.M. ....wf.3...V..."e..S7;...H{!).^...LvE&c.....4WQ.x..r..r.&..t@.W\|.....}...S.......5.......-.\|Q........9E..zr.%2.k....a.....'mh........."...F.....2.;..P.5.....U=3.F.....'..>..Gy.Y.....".6.#...:.\|.<...x.[8^.;..~W..B...=..I...yCi.&.....3w..T...~.E.....tD.O.\|_v.8..s."}./jpI....<e......UsG.;.u......B..k..hz7....H........\|...p.......e7b.m.i......n.\|.R......,..H,.M.S..} EG..9...P7&.D.Y.....,.I....x....)._~..-.W...U...........G.N.D.....p......a..w.(.G.,..:n6....^,.e9.p'...}..2..E..U.`Bk.2?..&j.k... .JQ..y..2.Hn....=.].2..1.T.n-@q"+sQmv...&..........c.N..&...d........~.._..3"M.3.b...@G...U....JY#.....H.<a......9....A.%sU.g.53v}.........d.6...g\.K...2.,;q.CE^.`.."R.r!M.'`X..\}G!9..&...WORP..(..-6.........?......,..Y>.....d.0.2...F.....[.....V.../.].2N.?..T,.X)..s

C:\Users\user\Documents\CURQNKVOIX.mp3.gn9cj Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1070
Entropy (8bit):	7.803426961103024
Encrypted:	false
SSDEEP:	24:IKvhxWyzzwSPZ49XRROrmGcuVOD/K9gvJ9vpIOZZEg00kynBDUh:IK5xWyzzw2uFCrmXbogOPg00ki2
MD5:	7E9FDBBC3DB9FAC71E0C4DB6DDDF51BB
SHA1:	1E37450ED6E013C8466A2BAAF906FFDBE9350547
SHA-256:	280DEBB06CE3477B2C2732A896E0D702CBF766E7D07C7ACCBDDBA0AC54F4AADB
SHA-512:	AB9363724649A2DFEEBBD8F2CFCD4CFFD4A28EBCCF9436260A2C923FA8CE383E4157EF9563975306D2DCE2739939D5C4BB4411607FB137331E39505832CA96C5
Malicious:	false
Preview:	Z..Y...'H.;e.w.....p.C.....pi...;..&.....9.J..z..k9.9h.......g..zn.X.u.j..$..raG...j...$.B.....$<...5...PCH.H.b..~t......h...S.Cm.+H..1g..V.#.......~.......u.z....@.7...1s.t.).&...IY...+...F.4..w...T.\7%......Q.....4.i{...5.r.X.+.....~...<u...HS .W......."f..a.."..}..J..Xgz..i...._.S....#.+..!....K...q...3......1.W0.../.d4..!.....\|2t....k.[...4.C..L....,.J.K..... ..7+...n.'PG5.....".[...i[.<....e....K....K.J.t..\%Y.^...M.V..."........\|.2.X.AM...Rf...;....p.:x..U.WQx./..T.R.R.D.h.2p.Cc.!&....l(.a...r.O.".u}....n.\|.R......,.? =........;...X9.."u..mg4K..M<su.E....z{.V.w.SKt.. ^B.a..Te..}..O./...a.....K..s.h..Nf9.kL.....7$.S..m...?nDz..z.H.E......zi.Dq.5.tIzw..)[....k...\|*..yY(.a.t.!.D....K...e..R....w......".A..I@../5..9.....nj.].@...n0.T...e._.__.r....{..bH.....{BL(J.....So..@...5........=..(.....':!..43.t.5.J...B.S8.#_.0.Z}.NTy~.L..Df)d.....y.F.p/.2..z.......V[.Z..4L.....).$..._X...N..g.1....q.8.i... ..\|.. /.D....N.B?.....4..%.!..

C:\Users\user\Documents\CURQNKVOIX.pdf.gn9cj Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	PGP\011Secret Sub-key -
Category:	dropped
Size (bytes):	1070
Entropy (8bit):	7.856642351880384
Encrypted:	false
SSDEEP:	24:2sYc6R6TvObPGqbqiTDZgXeLd5YH4kzEGCisVglw9bsO:RTvaPG2mXC5K4kzLLri
MD5:	E307E3E35D66A81BE79F1F2C44DF9588
SHA1:	9B50A8C9E670CE029A5B7CE516A1268DC69A203A
SHA-256:	85E016721E1D0CACC958B1C1EF0727862A0E465538A2D07A8371012C4108BAE5
SHA-512:	1B854091E0539B06F7BB2F47393D18AECADA4F0AE5DA9746734FE69FD15FAEB8E0661C87FFF56422CF11405E6C4A633E775CCCAC43F5243C4A361D8D83634C99
Malicious:	false
Preview:	.5..PO.......ZZ......].K\`5.f...h.....i.n._.l... ....w'..?..6d.L..'...V....}.<.W.."..O#L...mk.7tp....,-/28.....,...n..{@.SN....+..Ht.2E@R:....\|.&.......?.Zs.....3...7...5..4.....Y.J........Qf q.a.P...fB%.[.0...t...E.W._....[..~}ud.atF..l.a.n..w.('..0?.}~}.Yo...... .a...A..B..r..6....KG[o..+...Ds......Ey.Hf._..ED\|L.6.X..-...._<..m..)>.....a...._.f..X..d:.Z4....Kc..=......ld....P.E.9.......a.3lP L....N.b..&.;Y..s......Fg..m.....H.....M~:...?.....K............d...q..J..Q.....K.{..D.W0..v....J^..II..(..s.+.i....+.<....n.\|.R......,;.T...t..Tn..k.M~..%qBj].-....i.M.(..{nG"..@2...Kc..O%..b........:..L.x...r.%j..>.(..ev....T/.FsD.Tr.g.....K`.)3I.....U\|..k.l...E\.?.i*R..d..]..Qy..3..\Pd.b.RZz.u.Q...fY(...}.q....uE..$..5p...?...HC.d.h2."...,%.a$-...\....].!~LBL....B.v.<J...<...f`..X...:.l....9.....H.....,....B..=.....P.{......o..L.8.5.,.p#-tO$.aE.^......%Y..1..f.'.....B..[..?6.'...S6.'N.....T.\|.y..0..{..2fc....l..h.PY/4\J....X...\|.....M.V<.(.}..........I.

C:\Users\user\Documents\CURQNKVOIX.xlsx.gn9cj Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1070
Entropy (8bit):	7.8228290268491065
Encrypted:	false
SSDEEP:	24:aj0sTo2cmJtomy1W6ifTHmoXLVTVvltafmyk4EG1ZpQEE:y0sU2JYdwrGoVYcG7/E
MD5:	B3DFD121088D6603F392E1857436E184
SHA1:	ADC1753E35F16562F7B29A07EBBB8630CC477463
SHA-256:	4402C529A93B8ABDCDFB9FD3B9E867D511D6C46425914CC76BD84F34A1E2E1E4
SHA-512:	35431AD06045DE269C3DD7E4B86F07B85C6CA1461A81E9005B478C5E95BC92383503592B02479EACD99501CD1490216146D60F42C76768D80ABECB89FFE3760B
Malicious:	false
Preview:	.8.b.].Vo.x`..W..F.....~.B.{9$\|..1......k...+>..3....e..t..4.cG.yl;.V...&.h<.O...R.3..@vH+B....\|.xxd.7W..S...6..d.WZD.....2".Kq+.Y0...@.b.>F.8.......S....~...3.H]..M..C.@.c.<.....!$V.,x.J...$.u.+......U..$u.:I'.../...\....D.k.e-y..3.4.{L.Vx3. .B......d...]J..G:..k.XC..._.a..C..Ty..F....O.tI..$.z..v.).CV...)......RI.......m...oi.I...gta..E......mQ.3.D....H....o"..n."..[....L35..gO. ...'..<...0c...j.A~.............g..T}d.d.......!.'.v.....`..=C%lV.....K.tx7=......A.SKdt..t..."..../..F.;1X........?.$........n.\|.R......,........I7)N...(..X1......Dh.^...L....Z;.m.u...b....c.q..j......v....:..~.o.cu.......+.2..{E.R..........5.a..D.;_.l..k.l+.L.De...[.[m..N..we.7....~j...T. D.kt.0..X.....Zm...0.....!...J$..[.6.....=;..y.......i#..*.V.....R.I...\|..........U.3...C...U..L<'.zP.#f.^....M;z...z.....<..>Z...-.p...b&._.E......C....xjS;...r...t.h..A..y.m....n1..ts..;..1........P.C[%j..;S.nw;...X)J2..y......&0a..p...0_.,...L...3...Od.$e..

C:\Users\user\Documents\FENIVHOIKN.png.gn9cj Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1070
Entropy (8bit):	7.820619033339032
Encrypted:	false
SSDEEP:	24:bEnPVTblHLmNadvdENRyAEI6flMTtCtd/NcXKlb+pGJJAaPMTlYYZxuQXIR:o9QNcdEfxNCtdFTbpjAFTldSW4
MD5:	6480AA61837837FA36E353A397209910
SHA1:	E7D2883A70488F534519E972476F190743F3A895
SHA-256:	64EC6CBCF5B319B9CD5A0BD99F9C58EC04EE273836D578A00848979CE978E66B
SHA-512:	5288284AEFEBD2E16EE9B4491AF8296261BEB31AC70246B94A5E9D090BC54784497E2147CE921251F05869727B961F493970953D4C8DE8911E03AB4B7F35DF99
Malicious:	false
Preview:	.k.P.Y..-2w2.....z.i..."cJ#...lq.5.<..UQ....4..KKs6.qN...URq)D.Q.<Os.....I...#.\?.[(..h..l..9..v.?......]..r.]E.)Z.\|.]Q..:l...4=2.u._{....D6#m.jv.^..ZR9&8....(........{e......c4Z...2U.K....SH...<.P)..Xi^k.^.Qm...@...)....#..D......E}..ic..N..,.....^v....R.f.3_.NQ!....S3....].t/.-..U?mE...\|..m.G5h.............#.....Z9Fe.[>..%...K..Fo..[.[N.1hny..^z}...9...!.D....^..-...UN.X..?.@YBh...p.....+..@{'.)..[...Q...>....U1<...}=,.f<.......W.MUa....L9....ruV~..7.b.B...B..n9R..8....(...N..\S..p..'X.:~..#. f.5....5..E;o%.....(....n.\|.R......,O..........\|v.F`j.........=MfCf.nSa4G.B.'.........Y.n....^.0$I B.....(.~.].Pp9.V.@v..Q9..!1j8....#`I<.I.w........!...cUN.....Y.o.m.4.6.J.$T...t..t...F....x6w..0.6..]...).P.xy.\...\.C.lN.^.D4\|a............+.@.i..r...TP..j.Y....R}.R.N..6..Z.0.4VD...8.A.~...:....p.Io<..`;.O.QI.?.u..w..6E....-E.0....q.2.....c..4[..6 *.5ap.....T.."FW....{..S..z.G.gT.2..j..{.3.S.zISHa...t.h~......l ....k...g....Hh...f......&7.....tzSm.S..I..

C:\Users\user\Documents\GAOBCVIQIJ.mp3.gn9cj Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1070
Entropy (8bit):	7.833824252123585
Encrypted:	false
SSDEEP:	24:kz83MH+CauCO2juv3qWXgyJ5so+HXe18wl/M60I+K/Gz:kCw+P8MwbhsXv4p08k
MD5:	CD36873E1D14C5B98EC21194CF104906
SHA1:	04E7612CA30197B3D6E77C9A77A5030DB67C7ACA
SHA-256:	704801E7FCC0F75D508D4A6033CC987F517396722F66B48CCF797B8788B5FE6D
SHA-512:	400B3DC0735452BD739EADC9493D1AC97510B7854D598A9AAA19142602C2F72E0261955CBC9390FCDA043524AC2DF9D582ECF540790C8B54F398868674080602
Malicious:	false
Preview:	N.?I5.p..`....;.H.4}WR......I......L...8..P.......s...>}....;..M.....RM...?g..P.GI\t.K..x..,..O.Z<.\|..nC.M2..r.....!.C....Q.......-n.8 .0.[4.0.b.\|a._..._..s.b.i.q.."].........U..UP..,....P./...mc8Uq.......t..:1j...W........../.......6..h.=.R08.2.&l..R`L...b...a.......iS..J..$...\|vt...f.3.....-\{S%.G.(.`i..s..D :......N.u.....(.0..9.p....+....;..i..\.t.6M.v..E.]2.:...O)..vx....s....x..K....G.O..W8.....F@.../h@...e.]..Z.jV...v....G...6Q.P...Q....#...%...]PF8.)o.0./3.J..m;.f...JJK[......X....8).....Yl.....#OQ....n.\|.R......,].#....._.x.......bV.."i...4fQ..1......p~hG..(....l.R2M.wj.}....T.`.E.b8:.k.#q..>o.q..}^.}_........QC...1h..6j...H.pZ+.0g\|...6&Z.".&.."3.G.H....&iJE0.:B8......J...W...w..P.'./........k...........y^..oFk70.H.:(.a.:.g....$(..yug.... .[....ubt.......oH2^+.w.".w.4G...>W...p.q.....XX..YB.Kz......8W..V.g....1.3...o ...Z....C..1.x..J.V\|'N.x."...U=k..^.k...\-..M..O....Z....?H}.Y..].%.B.@..D.......h2...j.<,.;.j....dS./.

C:\Users\user\Documents\HOW-TO-DECRYPT-gn9cj.txt Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	Little-endian UTF-16 Unicode text, with CRLF, CR line terminators
Category:	dropped
Size (bytes):	3274
Entropy (8bit):	3.3969029202767174
Encrypted:	false
SSDEEP:	48:rLrZ6kkqzuDVm6eRU5oKDIBE2qxOzOwUq7ZU/d9PfDoIwe1Nn2oEdFdb:r/L+m6NJ6JOwZgd9PrRNQ
MD5:	0C6D0A67B942D06FE27F41C7C582CDFE
SHA1:	7E674CF6375B138CABCA2706583D4CED7A1AEF27
SHA-256:	014EA5EFFC97085B7832512B9AD2A5C4487265EB67E8D7B0920EF2BC8768400C
SHA-512:	53EC4509BC58F53419A8923D808C7DFDECF57DC203C37265D061AEBAB73147720D1C419E79578065A42C3B2A63504370F90516C3F0AFAD5D6997952592D3A39C
Malicious:	false
Preview:	..[.+.]. .W.h.a.t. .h.a.p.p.e.n.e.d.?. .[.+.].........Y.o.u.r. .f.i.l.e.s. .a.r.e. .e.n.c.r.y.p.t.e.d.,. .a.n.d. .c.u.r.r.e.n.t.l.y. .u.n.a.v.a.i.l.a.b.l.e... .Y.o.u. .c.a.n. .c.h.e.c.k. .i.t.:. .a.l.l. .f.i.l.e.s. .o.n. .y.o.u. .c.o.m.p.u.t.e.r. .h.a.s. .e.x.t.e.n.s.i.o.n. .*...g.n.9.c.j.....B.y. .t.h.e. .w.a.y.,. .e.v.e.r.y.t.h.i.n.g. .i.s. .p.o.s.s.i.b.l.e. .t.o. .r.e.c.o.v.e.r. .(.r.e.s.t.o.r.e.).,. .b.u.t. .y.o.u. .n.e.e.d. .t.o. .f.o.l.l.o.w. .o.u.r. .i.n.s.t.r.u.c.t.i.o.n.s... .O.t.h.e.r.w.i.s.e.,. .y.o.u. .c.a.n.t. .g.e.t. .b.a.c.k. .y.o.u.r. .d.a.t.a. .(.N.E.V.E.R.)...........[.+.]. .W.h.a.t. .g.u.a.r.a.n.t.e.e.s.?. .[.+.].........I.t.s. .j.u.s.t. .a. .b.u.s.i.n.e.s.s... .W.e. .a.b.s.o.l.u.t.e.l.y. .d.o. .n.o.t. .c.a.r.e. .a.b.o.u.t. .y.o.u. .a.n.d. .y.o.u.r. .d.e.a.l.s.,. .e.x.c.e.p.t. .g.e.t.t.i.n.g. .b.e.n.e.f.i.t.s... .I.f. .w.e. .d.o. .n.o.t. .d.o. .o.u.r. .w.o.r.k. .a.n.d. .l.i.a.b.i.l.i.t.i.e.s. .-. .n.o.b.o.d.y. .w.i.l.l. .c.o.o.p.e.r.a.t.e. .w.i.t.h. .u.s... .I.t.s. .

C:\Users\user\Documents\MXPXCVPDVN.jpg.gn9cj Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1070
Entropy (8bit):	7.821285583433773
Encrypted:	false
SSDEEP:	24:30F4SERAm/oCkN9iNCuxpaqTLHxGy7E1D:jSERA/H4xpn2
MD5:	12938CEE4BC87067DBA70AF128953E53
SHA1:	56D07331133D728F3F71A80F0CE6037B0CCD6BAC
SHA-256:	6EB6FDB0275D3D4BFB798245A47417AF7E8A8EC98485947A985D33DD36291FCC
SHA-512:	CFB3A72449A4D6B31BC8E8722CEDB845CB59F438340D1A80A84B8923B22F068EB0CF2C902C75EBA7DA12257105D6039F0F332583D0C01ECFC41C62A50F6334B1
Malicious:	false
Preview:	.q..B.Xt..~6/U......a.-[.9..@.4F...=/..Mm....5..8.>.../.......$..\....%Ka.Io.@.....j.%....'o..c.`e...x.g....R...."...H......N.....p..}".r....Bqsv.K....J+.....o..K.,...[..'...d.....9"'.{[...J.U....1.L....q....n.%.]@.p..>l...;...i.Mc......N......l;.__>.....%......7...{`.s.O[...j;..[....'.C.W.....)d..i.....!....0Y}..#ip.c.)(^...7Z.......D.s.w\K!n.w...rf....ai..L...F.h'...iG....H.0i.....r.UaR...:.g\|.....j..cKs.O...h.G:!.P.m.........fgE..5..c..r9x.^.\...i....5to..<.'.j.0...q..U.....i....).?.9.-.'__........Q.....[I....n.\|.R......,..?.....`f:....F'..,2..[WIR.W.,.m..q..>;..Y...a'...7..F.\....K. ..k.. .7 .Z....Y..W....I2<......2!..:4U.1g=....;?...m..b..C.4.%Wo).....y.0bZ.d..UE.c3N...rs....h...,.N8...e.......5..SW1.fl..........lF..S...)K.,...T......8..g.D..^/d=...&.....<...$k...NpB.Y....\...Z.J.y......C...x..J..;.V.x.+.a..E.5.c?.r:.s..aB..c>)wG742e.:....)....Ha.x..p="...5G=F.@>ZG...Yr...w..7..\B.D.S..._qnN.2-.1.r....+.....qVy.0*!`..8.^.=Od.......

C:\Users\user\Documents\MXPXCVPDVN.mp3.gn9cj Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1070
Entropy (8bit):	7.78360544534478
Encrypted:	false
SSDEEP:	24:SvVS+9R7vsd/ukLyvQjRrjU3VEmAHRuxSDStuAYAPr:2XkLyYtUKmiuobw
MD5:	F15DB6FD5A7F1FC1EF9E250016853700
SHA1:	671ABFB5C91B1BE673EE282B9387EA7A5D2C40A3
SHA-256:	755C377BE83597C448F94DA70DFE0AB6B3236170CC2E6DBCF1C531DC9146B70D
SHA-512:	4079E7A0B48AFB95054ADE0DDA9D416DF0A12C2EF1BA2F6C81A3519FDFE80C9172A893E215FA8AA3D5C3C68B1CFAC71EDD1EB7981E8CB6AFC435296508BECB43
Malicious:	false
Preview:	."E....u.._..(x.U-o.........J7...Oa.w..,#3.N:..j......7..0^...b......,..xl..x..q.....O.H..a..z....`.5.1.].I7.;..........U]_\..vf.?uD..,>DB....a.YbiKG.. %.......!?R....x......X..OF..i..a.<........p\..U}z.......\|..=..o]._$}Z.B....V..E...PD..\..v.s..S.e...-\|s7%D..&..H.mP.G..~q....p\|g.....>~........d-.5...@.".'..=L...) ....L6.j...............N...'........#..b8...qQ..j.9.Nu.c..\. x..V$...9....!..v>d....1..4.3.Qa7.Bx.c....O../.@..+.C9/vy..we.....`v...x.Rr........=..8.6.>..[......./.a.n.{../.~..U..~a....................n.\|.R......,pq... ....5...W$]C..W..u.%!.....Xi....p)h.B.#f......_6.!Q.I.W.M..K...2.[.v. 1...8..."m.../v...r.6.u....3=A..t)a.."r.K..<x;!....c........0.2..0.F.#.......e...v.C[..M.NY..........>-.[....ua..w......#H.Fjr8...F......Q.K74.cq'9%F9....F.e_/M.)Ow...N..l....?u.....i...N.. p.;.R5.U...%..T..E.8%...i.yNq-<=...INi.1.......>......NV.v.i..._.D.b@....V...a/...:.A.K..pM.........?........\|U.,..X.r.5.U.....8;..e...I.....Cf..R.:.

C:\Users\user\Documents\NEBFQQYWPS.png.gn9cj Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1070
Entropy (8bit):	7.820979291889512
Encrypted:	false
SSDEEP:	24:mwI9Cam7/GMVNw92adnfRd/pwdq2fPLGR+YZ48:T+9mRVK5pbCq2fasYP
MD5:	474B75CB160B36577745F06F9CCBF9C0
SHA1:	F76842E941B1F4389B5F9EA9C56C764688CE5388
SHA-256:	28DD67D31C7BDA6E305D063233AF60B58F064246D250A1E672D1DC9F215B341B
SHA-512:	12952505DF1530E29DDFD63A536632FAA2914D91EBA262FC0711604C6E624AF9476DC5ED9F111A386CD25E65CA0E97A3880C1F6022C86E10247D6403AB8D8DBD
Malicious:	false
Preview:	x.!...K..b.....@H...;.....o..."...].e-,....W..{hc=.nH{4.M..Zy...i.......G..J....Q'-.....Zy.P.D..p..%...e.8.....`?......W..f..t_.3}.V%%2m.....I...}o...-...l.5........'2....:.c......."........;..x".a.w....P..8.]P.E...A._w..Fe;..F.F.....-D.... U`........Ci..........T.c..DIiG.g.W[x......8f.#E[......^.U...Y.`Ed:.(...k'Y.i/..k7....Z.P..jS...s....L....\|....M.R.Y....h.c=...y......ZI..j..n.?KR;...C.Ew..T~Z@.PHD[.U.7....\|.....q..7\.m..r.....}..Ms.\.q4.....k....%,>../o.)........mI.%..;..f...q....L..L$j.7.m..M.F.4X.i.V.....n.\|.R......,..(aG..<.C...}..m......\|....$.u.t..N.A..h.&.h#<...6.....B.<./\|MI.vr...O.X...Y...."....e ........\S.-...{ ..L.....0.E.B.,k..N.`........=...c]..X:B..b...d.K.8...(Ej....b..i.o@...(.x.`?M.._C..J...#....>.f:..@..I>..d..X.M.D..n..2..\.x....<.)...Pe...\|.......S.Mq.j.Yj..!...j"..c".n...H]......s..o..Df@..mP.3.R..^....dn.1.d.5...?~*.q....J...^.m#I......R....WE...+........C...!...H~z.....[..,..!..PRd.!.la..;..QA...B..

C:\Users\user\Documents\NIKHQAIQAU.docx.gn9cj Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1070
Entropy (8bit):	7.819672741412994
Encrypted:	false
SSDEEP:	24:ZLSynXGn2UazGPw7EwccaI/zRGuvVPFAs3kDXHuyZLPBd2pbDNyve7qnh:ZJsPai8EwfYyAs38XhjCpPNN2h
MD5:	DA6BA3D5CA21BE1D7731D4D8E2739554
SHA1:	F480BDCBA025223749A67FF637A8D8A1677686CA
SHA-256:	5761458CF9BB7808FF3A09E08026AF265150C029B882EDD81931B65B83E228B1
SHA-512:	0FFD06BDF2D603661A2B19577C760901E5497A680A7B56E0DD878DA2A4699D87EF3D2B8780EC0C13A6D8D4BC5B51493E1A3D351BC4D50671E76674D93E79C5E1
Malicious:	false
Preview:	.._.1 .............Yt.&&P..i.,..k.eQ....\|.ui../:!.J..{......f..L....id`.,....\|.5..S.h7...7q........8.8.d.....}..l>../..S.Ve....+..!...V..V.!"...q..b.r"r......._....7!i."...R..J..1sA...&Vk..x.....BaY-....nJ...Y>.B.=.x.ck.z....='.....g.w.B,..D.l.\.@.K_.A.=.!.".@...u.$.Q..d.Wh'!..2.V\|...y...m.o.%0./..UE.Dc.\..i..N............B..C._..`....~.b<Re...y(<l....@..wf.nb....R&....y[.......a...hg......d..3..I...<...z...)...u.....G..!."[..^.].s..6.I.+;.3.]....]N.....9e.........Ir.........#.E...U....p.....5..m\m.`..qp.'..\|.......n.\|.R......,.m..t9^."[....NO.^.h.4..G.......j.h....).K..:..Z....R....G..[..vi}:..j.g....J)6...DlRKi..;.." @...MPU...!........69w.=.^O..i...BNW...-....>X+...S.jf.!....4..n1+#...U...&].7.]7@o...5C....e..(q.Zr..2..s.G..l.^..!...).......p.#...E9.<{\. ..D..U.D.H........JP..vC.n...B0Q.\%.....gc....i.V.x=... ..+Wq.....e..(-.g.S.v.PD....R.....tp.rZ....L..l..Yg.....I.1...M....Xd.n)W.o.....C.h....b.g=...\|m.X.N<.L...I.<.2.......@....$3

C:\Users\user\Documents\NIKHQAIQAU.xlsx.gn9cj Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1070
Entropy (8bit):	7.836085598315094
Encrypted:	false
SSDEEP:	24:l3w4zrSs96clftVGG7uPL7d2QwWARWBo08KkyjEbZUjAolFQAohZgN:l3w4aTcBTvQwW0YkyjHjAoBOZK
MD5:	3CE2884866E49401BFF99F6B9D6AA8FE
SHA1:	C0E6CC20E89428156BF2691BD4068E8D7B21F325
SHA-256:	717BF099202861B27FCF0262C86DBF01273D8B68FB705604F4E9B1EB9156A0DA
SHA-512:	3D4D16C18725766DEBD42BA375C1B03BEAEFAD3E0C5E0151966A2168A135E3874F9957569254D6F682714C516F94C0505F861717705E868174230E0E733D7275
Malicious:	false
Preview:	.'.'..$&.Mk+Ew...(.......k.LS....L....._..~..j.....a@b..5\.."sFXD...L.@..g.............)eOe..T.......;.!7G.y.eO.~U!H..=.d.}....v..[.....(&....z.K.....#A...W7.)p.......n'.3.B.Qs.P..:......Io.G.z...64.......*..DX...E.`.<5..D....?]."..W.T.L...)S.: .g.}... .u.e.j.>d).h..I.D.?.0:.....l.0!..7t.BI.a.......Y"d.....VS...&..M.......{.}\|I^.9.R..../.Jz.....M5...E....(......h....+...z..s..%\..<{..4NC+.y_..m;......\..........<........z....v^...3Nj...z^.......t......)@?}&.S.(z,.7U.J..,.45V.E._Q.#..^....(../..]M..;z...........n.\|.R......,.....Jz....;jBk.5.,.>...e..7._.J. d..z....;.k.u.y.Y...se..+......b......L..\|-..8...)..w.!.Y..F3......}......A^9.'G...B"u1}..mS..P..Q}..I.......h..@....1x...0.3...1).........YR=.zs..JE.._.I.v.S....w....].....?[./jlI........GN...._.......1.R.&\|'>2k{..>.P;U=..........}.......q..1nkm[..E\|k..TT."... ..m!..Q.j..?..U.Z~.U61......,..H.G.....U...P....A0.Jq.F./c.F?.?...\..........}.~.{x..E^Q....Ga........f).SH.1...4....$h.f.

C:\Users\user\Documents\NIKHQAIQAU\CURQNKVOIX.pdf.gn9cj Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1070
Entropy (8bit):	7.831743373125687
Encrypted:	false
SSDEEP:	24:uJFVW1+G7yqTlntZt7xlaNg9aKolPkTkFD5irKV62W8ctWceM96:z+G7NRTt7Ig9aNPkI82/BG6
MD5:	B78459914188F6557EAADA2C49AAD2C3
SHA1:	FCE068C89E07C69AFEEE8D123D65878BFF3CCCBA
SHA-256:	17AD64269A622F0FF9673220541444977564981D430060D6B31CD99FD6C88CFE
SHA-512:	8C5365E3C45A517D645EC31FDE6A74EDD750445403F00CE65398FB89498B8F8397AB9688C46E54F0F476429E088E085158695FD2BEB4E67061E47B97DF4C39A5
Malicious:	false
Preview:	.QO9d.j'.}...S....+..s...y.e...fv........9...so..od....y}@.l~......Z.....?..'."...p&n...j.B....Nx'./..-Y......q.....n./..k-..d.._M....b.....-.z.'..23....-.v.B.X8.D"_F...Q(p........z\...r.C&.J.(...W...E.F.BkV...0%l..c......lg.t.5....[g.r9R.yp.r:.....1Y\|...{.....A.d^..C.9.;..\|.w.eE\0.....Zh...K..,.Y.\.....S..#}Q.......L.....C.Y>..%.8.C-:{+7~X.+.....l..A`..A.^.a[...~.P>..r....J...G.>...r."U..G?d_........&,...)Xw..~....PD.....n....O).............v..D...<..l.E.&&..z...[K.@e&.H2Ml1h.FNl]..{~...l.;.......Y..'p.<.5..u}(.....n.\|.R......,W....y'.....G9...Z1.3... ...:V1I.^c4#..-o,.p.L`a2.j,....h........#.)..@....:..\....QB.6..25..<.d.Z...:C..<:#..(.SW..Q..j...........8..R...mhA...i5L....H.2...q....]U..9.&f&..)TB..5R.....r.\:..m....2..BwY....R..^o.9..pU...I.DA..1....V..9&..J.-.]\...._...I...\|?...=[4_....e...R.......7..C..V!.,~...qeN.~..l..........1..4d....]...V...$....}.c.w.;T......_d_.......iq.,....g.9Lb.B..T0.E..0s........Z.Y..+6..q3.....u..

C:\Users\user\Documents\NIKHQAIQAU\HOW-TO-DECRYPT-gn9cj.txt Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	Little-endian UTF-16 Unicode text, with CRLF, CR line terminators
Category:	dropped
Size (bytes):	3274
Entropy (8bit):	3.3969029202767174
Encrypted:	false
SSDEEP:	48:rLrZ6kkqzuDVm6eRU5oKDIBE2qxOzOwUq7ZU/d9PfDoIwe1Nn2oEdFdb:r/L+m6NJ6JOwZgd9PrRNQ
MD5:	0C6D0A67B942D06FE27F41C7C582CDFE
SHA1:	7E674CF6375B138CABCA2706583D4CED7A1AEF27
SHA-256:	014EA5EFFC97085B7832512B9AD2A5C4487265EB67E8D7B0920EF2BC8768400C
SHA-512:	53EC4509BC58F53419A8923D808C7DFDECF57DC203C37265D061AEBAB73147720D1C419E79578065A42C3B2A63504370F90516C3F0AFAD5D6997952592D3A39C
Malicious:	false
Preview:	..[.+.]. .W.h.a.t. .h.a.p.p.e.n.e.d.?. .[.+.].........Y.o.u.r. .f.i.l.e.s. .a.r.e. .e.n.c.r.y.p.t.e.d.,. .a.n.d. .c.u.r.r.e.n.t.l.y. .u.n.a.v.a.i.l.a.b.l.e... .Y.o.u. .c.a.n. .c.h.e.c.k. .i.t.:. .a.l.l. .f.i.l.e.s. .o.n. .y.o.u. .c.o.m.p.u.t.e.r. .h.a.s. .e.x.t.e.n.s.i.o.n. .*...g.n.9.c.j.....B.y. .t.h.e. .w.a.y.,. .e.v.e.r.y.t.h.i.n.g. .i.s. .p.o.s.s.i.b.l.e. .t.o. .r.e.c.o.v.e.r. .(.r.e.s.t.o.r.e.).,. .b.u.t. .y.o.u. .n.e.e.d. .t.o. .f.o.l.l.o.w. .o.u.r. .i.n.s.t.r.u.c.t.i.o.n.s... .O.t.h.e.r.w.i.s.e.,. .y.o.u. .c.a.n.t. .g.e.t. .b.a.c.k. .y.o.u.r. .d.a.t.a. .(.N.E.V.E.R.)...........[.+.]. .W.h.a.t. .g.u.a.r.a.n.t.e.e.s.?. .[.+.].........I.t.s. .j.u.s.t. .a. .b.u.s.i.n.e.s.s... .W.e. .a.b.s.o.l.u.t.e.l.y. .d.o. .n.o.t. .c.a.r.e. .a.b.o.u.t. .y.o.u. .a.n.d. .y.o.u.r. .d.e.a.l.s.,. .e.x.c.e.p.t. .g.e.t.t.i.n.g. .b.e.n.e.f.i.t.s... .I.f. .w.e. .d.o. .n.o.t. .d.o. .o.u.r. .w.o.r.k. .a.n.d. .l.i.a.b.i.l.i.t.i.e.s. .-. .n.o.b.o.d.y. .w.i.l.l. .c.o.o.p.e.r.a.t.e. .w.i.t.h. .u.s... .I.t.s. .

C:\Users\user\Documents\NIKHQAIQAU\MXPXCVPDVN.mp3.gn9cj Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1070
Entropy (8bit):	7.801002267964306
Encrypted:	false
SSDEEP:	24:ggDdSkJTCSQism3T9RuIAzhbNA70IEYv7qnNa5eUpoy:ggbZjQLkBR9AFpIHaswa
MD5:	911B8C072F88BED279DE933EDE0390A6
SHA1:	1E4156989257A4E172FE965D611D2E519FAE8805
SHA-256:	873FA9A0A927441FCE273C3C0EE1D5C3CA9EC3834448800D59FD00FD5F5D5ACB
SHA-512:	E397D445A6F74D04D153F5CF8856B75146876DB06002E68256D3AE75B5F5B9E3B967A9E8D396E10245E26D574F0AF4B695D186FFBCF100687ACF00087D4DCF6C
Malicious:	false
Preview:	.O)...K../.x..F.x4.<..'7.U.e73......p4.i.t..H...}..c.a.4+)..._:..T"...r:.o~..w...2$o......{.}!..........L/..J.......s7._?....9......(...;2Q.d.n."Z...2..P..2>...7...7.R.....u..p....a2...x..}cS..w._.....zn!.K.......u v...V.._......D..x.B..a_.sP.cH....qykoEY{..Cr.}\7.\|....F3nZ.0C.>.}..$......o......v..).F.7...F3U....w,.6y.H..Jw3...!...\|..T.@N.r..r.@4.)%&..~}..b.:..\u.d.L:......)$...rh@..).IY..y..rA%...i..s9..r:~.....+Cp..CT..2z..Mz ...M.Bl...._..K.Gb....X...D.D...:W_I..W...e..0.f...s..".}......B...pV@..HOP.......n.\|.R......,....#....z...q".l.2;..0..d._I...h....f.n.t..<..x..{...}..N...A+,]>.d....W.D.{Cn....O...RF]....0.....X.Y..8....p.H.....2kc'>5O@..C.\|.'.y>..P.R.Z..d....c.......0't..b..S.Y.....4)..n.u#.r..K.e!1...ur...u[...H...T.;.E..+..8.JJ......a..fY7...D..%<x..j.E......'.8.K..C{a..I....u.]{.@.K5....y.K..>E.\.@+.f..'b0...V...o{.:.1...N..-.d[.{](.!..u.l.........<............)V7...,.......~.....fTb......{..^.G.{....h..x.}. ..;.rm

C:\Users\user\Documents\NIKHQAIQAU\NIKHQAIQAU.docx.gn9cj Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1070
Entropy (8bit):	7.812131776682524
Encrypted:	false
SSDEEP:	24:bwgs1PYcVFwpXXFCOq7EV1rHApWfBsctFXd0QDbLyK2y:bwFPxVFwK/E1fBztFN0yyKx
MD5:	397B1D0699D0886F11D4397B5B8FD8CD
SHA1:	C473876AF46125683D5FB460C7D7722A1C76825B
SHA-256:	4B54EFB1D876F43F6E271B4898CD075CAD930CA757A5A9AC148BD4D7F0282541
SHA-512:	DA325ED205BACDC45ED3B78EE082CB2D08AA77ED561054208952E4F9B3188A6BCB61CB195986FEDD8F3B0F249284C59B00B118F230F74EA7303D44161BBDA71D
Malicious:	false
Preview:	Z......@Wn..a..].W....e.g..-B.#.).$..<..A...:.G...C....}!i.N..3..0.....Y...B.w6.Q......s6Y.0..9 ..ir..p.G..,v........'1.?<b"g...0..Aox/...._.O.m.qW<..Z...q.}....b......iQ.X..U.;...! P..B[.5v...H\.....Yt.9........WI....?...9..>.Z.u.6.N.............m.....O...H..H.N]2..z7..{4...2.....bV..b.j.eb...G.:.>...c.$.......}..{N..s...@...A.[....@....M.D...^.T..N.0.....?Y..0...,...p..j..rX.pag..j,.. bC._.n....^b.SS.W@..D.uO.SE.Q.,.........K..w.;.....zf;9c>..4w...5N....O.OL^7?&....6.>+f.q....o.j.$.".l$cqP.....Zc.@.`].6..........n.\|.R......,+.O.I.z.0N.jB.V(...).'<.......kU.....OH.#.8..i+T.E.H...`..a...0.U..SWWl54..v<>+...Z....=.B..NR.+.....n..';........Z..].s..+..u..XS.."G.T.E.t\|.jf..H.g...K..K..j....Xw..8....q.^.U..oLC0v...6Vq.....dh..;.Z.~...i.]..9c5...Zo.".<.B"aF.q.&........!C.^.&+~.N.>u..6....!t..\|.ov.I..XK....(Nf.(\.z.a.V.U./.}.'............e.[.ht..VwQ.?...L...az.Z...G\.).B...I.c.. %.k..@....J.......4.v..J..(...J..\|......v.'.7..r.g.r}QZ..........?"B.3

C:\Users\user\Documents\NIKHQAIQAU\RAYHIWGKDI.xlsx.gn9cj Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1070
Entropy (8bit):	7.8232931234733
Encrypted:	false
SSDEEP:	24:UXPHfF6D2aUakm9EzHBn2E3nhBEL6WBYZNnh6/FJ+lu2iq:GPHfF6D+akisaFBYZph6D+kFq
MD5:	E893FA193967AAD58EB118729C9A7B1E
SHA1:	F5FBE078B0DEC4382BC7A1943C0244B330915837
SHA-256:	FC7C237A43BFB9F4E1A2009C7B0BB8B53CF93464B24310BC9C7C83B42333E3DC
SHA-512:	323FF70FB6FA02A611AB4B8043B0105178EE9A278F29C406A3B77CDD3CF312F2F90B69446FC7FFE7F51EE55C50A2BC98DEA1C6B010321841E9BE7C965208F798
Malicious:	false
Preview:	.jli.V...^.-S9....HDH-.U..c....s.:....".vb.c.{..OKk...#.J...u(L.NP(.:/.....pS...d.e..r..G...+.....9s..Y.qr...=5..(..w.$.#.x....I..m.Hz...[...e.w..Ure.....2;.K.K.FG.c..~5..\...)..Q...,.=.jH$.....;.A......L............(jB...%D....aD.....=..Z..W.V{d!..Q....@..4.n....j?...."..y.....U&g....J...&.....q.%.+...A.......]..........u.U.I ....oI...B.eU./.......l{.%zN...F.I...@M'..2...\|.fXM......9...7..#}.?...#...5..%.f..y:.?..e...h..v..3...D...DLw.....f.L...xn...D2.q.V.L.......3P.C5u..g>&^T..e.U....;..0......gjX.i.l\....n.\|.R......,..`.N.(.q.];..8)...0.2................Y0.l\m.\|..?...7ie\|...-P$.n...M.q..r..(b.4........k.kN..*....B.#q...../.O.C...j........8.L^.....3..K......`..k..v.P..U.e-t.w....->..xo..#.....`..,..:...y.....9HO.....q....S../...W.H/s.B .....R.P../..-...i..e....f...eU.N+..Ub......).sU.8...r!q.!...So. ....&.9u.U..d.......i%A....1..q..dl.....u..8$_.=.(..gBB......%.s).. .....?\|....L.U.].0.9.h.....C-....E\|..1x....R.u..ek5..PPl.o.^o.~.1G

C:\Users\user\Documents\NIKHQAIQAU\SQRKHNBNYN.png.gn9cj Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1070
Entropy (8bit):	7.822356125175644
Encrypted:	false
SSDEEP:	24:9xXsIW8pkSg4hLz2QWsoiDOfUcjcQLDQvORsYaoW8o1D7Z/wWNiNlf9JG:9xId2JdlVwbYB1D9/9i3fXG
MD5:	225E24F0EAF755C8ADC5B491CF6C9E9C
SHA1:	12ACAFA0B10E7EE79C7A24FE1660D3A6BD33FE16
SHA-256:	0A3B63DFD1EC807EFB52C55C3A3634A915D1E61CC03C1F251A669C2A0E2661ED
SHA-512:	04C1DB367CFB4EF5761C1AD18685D62A7CA552515CC3AF3E91619AAE9CEF8B1B342FF9E8491B7B016668EB4C4E5E1A3AAF2F4764E7A9E92FA52CB0842F814C23
Malicious:	false
Preview:	g}./..VD.B....n..9.8J...P.P(.....-D..S.N....)Y{..X......L.^t....Mq.Q\|..{....,..%1b..\.i_.':..R.....t\|..w:.".w4..g.....u..t.y.S..6....._.^t\|i.eyJRM..!...2.j...U-..+".Y<.w..."....R.2....t..u..N(......e ..I..A9..\.....(Do~.3..'.......}.-.X...eA.@..\|...t.ky.Z..$..T.Ep)4....+.Q.C..J..T.P.......L.![.^.Hc..i.....D7v..5.......!LdA:......S.[?u..E......V..-j..q....=..._....8.H.f....q{Sb2+......ky......~.qJG...F.........5._R....p,.......n.e.>......t9..q....`$V'.hc..".p...(.X./....u...5..J..=8G.o.h..X.0.9.T..>E.....n.\|.R......,xz ....XHX..=.".Xv+.\........\..,.,f..wsT.0..rc..+bM....Yf..F.t.Q.k{K.#^..u..UL..u{=v.?F..$..........\|P7.+..'..Wd...Puq/Q.s..Zj.ib....'...0.PAFm....r.6+6.E.]f....^.3{."i..0.U.u".......^H..2.&..yF.~.c...X....{...".R-=.*.!..A2..&;P..>0.N.'....-2.<<.../.rR...Q...i.YN.e...<e.J!Z...nDb7g.G.M.T.~.......!..;..l$^o.x.9..Gd...H...3k.q.).-.....3f.+....O...C..."..a.v..;s..f.....(C.)a\|../.5.MjE._.5N...X.$..x.\..f.o...N._....l....

C:\Users\user\Documents\NIKHQAIQAU\ZTGJILHXQB.jpg.gn9cj Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1070
Entropy (8bit):	7.797423095031313
Encrypted:	false
SSDEEP:	24:/OQqEbuF50SQ1+E2a+MAS777kDH+n0XGnlh6:/lXbuESQNEqgzVeC
MD5:	9E5DEFAE4D51156782FA0F7DF9E4FD29
SHA1:	FA4BC4D35E9C2479E5174FFFEC3DD15359DCBBCB
SHA-256:	F1BD09DDE0FDF83A3F555A8E7B8EEAAD75155917443266A5C30FDAAD122AA28D
SHA-512:	A42C25FC9214B5D48833B011554D9B7E4D2F984A9ECC8F17FE89D93F107E39F3F1B16779290352E310D080D114B9712F69ACDBCBF28615633361CFC2B187E709
Malicious:	false
Preview:	.5.k......n$...z....f...~?1.....s>%../@.D.m~.bY..F..E/....$.,.>.z...8...t.n5...p.5..Y.....V_^.y..(..t.,.{.a....n..f.K[..)&.d.T...:W.$...=.3_.H.T.X..K#....&..Y...do..o.....)^......l{,.&.H?.._.......).....M.s_...?..5Z...HF..p<.I.I...,.dmGp76.X!. ..b.,jm..@)./ .G.A.....I...j^..u..C..+i9....j. ...;E...\..9..c.H..].v6...@.A.UK....]./......m.^.uF...{\|.{.f<.Yq..#..+."u..W&.i.e....s...-$.iT...].b.MW...?.y.6.U...g..E..l..Fm......U......`...y..f...L6.?...-Z.Mc.Y.....\|....a..e[.O....H.!'M..h.z.n..~Z...^v.5..X......n.\|.R......,.x.....#Z.....uJ.......Y...B...k.>...+...g.~HRg........g......-.\|].II..T..N...(e![jk.....g..U.{.G].....w<.."..2..o.J.V...f%'....<D......!?#q......r..[..)..T.\|.k;.C...cBE..$[............B....\W..&.~.....6J..7...T~...SW.e....U.5).."..u.]l3.4.l.c(<...+.......!9.....y...M..g.Gjzd.cX.y..<.@M..4?o.o...x)@....-'.Z...5................8}..@.[3+.&h..../..q.......y.............wOc..........\|.B.....g?Eh..>i..vk.....j....

C:\Users\user\Documents\RAYHIWGKDI.jpg.gn9cj Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1070
Entropy (8bit):	7.836794080162817
Encrypted:	false
SSDEEP:	24:Ub6TR5U4AbmxCHmq+avCETSheHYKX7RLGTCfAaQlwD:c6To2CGq+a5ehEXfAP2D
MD5:	7E0577E9537E8EC1BAFDD37A1E18BA83
SHA1:	69A36758B7BE0D2664BF4640394AC7A8A288C208
SHA-256:	C7DA4997A8C5EB38CD9E1CA243A3391237484EDD10EA42CB879B526875DFDB00
SHA-512:	87D9402B979AE8B998B53209AB5E4FD91882739BB24ED49814F03A33678D2EE39394DD9B427C55340F60DBDA5D4A3EDA8FCFBBEAFAA62ED344245115463AB9C5
Malicious:	false
Preview:	`.%......P...........7...(.L..N+..6.n:.."..L.[f}...........Zi.........h4\b<T..k..Vx.....E.W...]...nwmZ@S......(..T..<$Y.8fQ.....~c...\......9.....\|U....Q.R.M..9.i.,... ...{..%......u...k..?..?T.......;K...Q)...q.l...8mz..L+...O.{T.j..e.<.Q)L..q/j...A..O...er./..q.......}vU.H....l~....A.<.5?...C.+.....c..N.U.T.R.'....Q....o="R....i....+.,..PA.. .7.5....D..d%%......HF...)f%/.2/2&.RG..M....l.%...m..XJ..3...k.T5...n.(.x..;g...FK...l=..iCf.g....k.Y....5N..J#.......].mH+.K.NZ..j...,].43`.g.....Ro.-H)).}...V..Kwi....n.\|.R......,N.....j/.2.2..-....../._.`..../I~9.%.6{&.....X..._c6-..T..Q.e..r..]p~..5......nEO.XI...I$.....{h..........<S...-..._.{....x....A..@H.-T.3.>Qr.UOd.K`zz.d!..i..[2G..(..p.J.B8{.y.U...Y./.Z..#\......A.H.. .....;A..\|.K#.....\|.......k.\|O.R.%..........&"..{...F..1..].N.NE.j.."..(..WL..48.@.=.....&..f./...9.f. %2..G....m...%..L..P.2`40a\|.yDD.[..P.^.'.!.<9.$$.}........u.4CP7.o.Yf...!..Sz$.^...2...O.I...r..X.6`o..J.F.WW...7.g.

C:\Users\user\Documents\RAYHIWGKDI.xlsx.gn9cj Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1070
Entropy (8bit):	7.813276628515116
Encrypted:	false
SSDEEP:	24:y9XyKDE2p3HmLCMASYuBmbuDx1ZotXinM28zi7LATY4126ypn:AXyv2pX8CMAhucqDSx928+vA0412ln
MD5:	AE83F2F133521A9D1AE0008147CC25BC
SHA1:	0788F2D2E7055149D4F84EE69720F26DCA12A21A
SHA-256:	353F8E799A612AC235CA3A0ECBAEC9BA70DFC910B512B9B85D5DC727EC861BAC
SHA-512:	F6BFBDC65A302164FD4505CE2539B04616F666B6FCFE3772A1EEAB2C8B747D7162FCB0EAE535AB7EAF7990EBCB1A00A87B548AC5BB944E0BB981F2BAC69CC6A3
Malicious:	false
Preview:	..^."..."t\|..5...Qz.K."E....W...9...9..;...-d.F."U..\.&h,y..M..x...!.Z.Y....lcHicSUY=...[m!.......H....4[7..&R7o\i.n6.0..(.^...p.a.0....x...C.TR..?_F,74-.a:v..y.N}...n`..SH....g...>q.)...........D0.C.....dD....q..7.Y..t...S..`R{.AHO..H...#Y......_.W%....v.sb...d.Z...]=.{.\'..]QS...y.H....L.Bj.d.G.......,/`...'..U.....c>.@c........NJ..'F=.....mq....:q.........X.b....c......d.\|}....o.S)..@\......m.{ )........e...K.U..B..4AWx.......s..W..Z.........c.......+.....&..}....K@..@!..{O..~.$F...m]N...,Dm..EE..T..U........n.\|.R......,(g....<.oya.KQ...X.B.....uS..-[.1...P.........B..r]..6'....@.j.t+../..<.....B..U.....Z.F/.b...!.%..A....A..+].tE.!..BD..D.....L+S.}.....L7.}.o.gIF.uNyE...Y.`'....'1....5R....z.,..Q..Z..{..G.U. .g....#..._..Xu..-....Q.:..hU.\|>.&....}...}C.+.e..v...z.Y..[&...........0.,bn.bY..-.`...1....=Z.M.:.ha.v.5..ap.....x.!1..?..N....&.]3.I....(3.r...z........0.F%3..wl...{.l...+.....V..9...a.H.1$...6G..".>0..}....L.&Ze].....*!...p.

C:\Users\user\Documents\SQRKHNBNYN.png.gn9cj Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1070
Entropy (8bit):	7.819751976005069
Encrypted:	false
SSDEEP:	24:ZH4slbiMP3DruAqedWXKrQ0CSOMhH39iOIDgRaxRUS/kFcK3A9Zfn:ZtfP3fuABXCSOMNXIDgRawm2l3Arn
MD5:	B9AE0B92518C966CF3D6C953765B1478
SHA1:	2EE2CC91C66F52DCCEAB31B20F3FEBA6B0EF9974
SHA-256:	3274EFFDD3F84FB8571ABF2EFCA808B37DC637306E14A26E9F5B358C90FBE591
SHA-512:	436EAB194E2682F693C6EFD6EA6B4AA6DC89DA4A6382083645DDD103F497845DE6E85637AE05B1D9E3C877ADAD658CA828EEF65B897436A7E1406A9596FFF4AA
Malicious:	false
Preview:	..}..Cz....JDq........la....w<.....P.].....:..@."gy..S....D.;..%.....7.v.....M.Q3..v.j.M?..@..B......+....u...A...V..Q.OV..`.~.W..@...k..L..h'.J..^.h......P&..\|z@......)._...Po.k...l...q.8....^ nC.7.....D...m.O\D..zWZsb....@....U./.Z..4..%'..!..H..Qu.....n.....o....?..A./.\|.W...f.}..z.F..5SU..UU..q`.>..F...U<9W.!.=..u..?x.-&. >..)mh;.A...). .u.vBc.$.p....l&;d)...8..l.;s^...f..E..=.r..~T.._.....Wb...E5N..{.so...h....x0..k2...f^=.<.?.../.fi7.......%....9.O.J.a.Z.....4..'.Z$..ifjg{q..3O.!.vC!q....]v.h+f1c6...2.Q.....n.\|.R......,iW.......v............5.=.q/...(j.y...H..}o8..m.)f..u..........2..>.\|Kcl.-.TD.......8Q8w...9..W.u..a.s$%...0.a..?....O._{(..Q.#..g.....\|Y~.....E7.k..Z*...b...q.R..>Dy.C4..1.%E7..;..;.c.l.z..Z.....=..R."M..ot..i..f.\.g.3@{.8..N+....(.b.P...b.} . ../c..m.bM.ue............(.e...A......QZ.^w.U...\.E......wyC.J.E...[>..S.U..h....^.4....-.v5b..B.@>NG.j........A..k...Z.y<....B..)0^R5...[.L.3.459...I..<..'...>..o.{4.O

C:\Users\user\Documents\VAMYDFPUND.pdf.gn9cj Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1070
Entropy (8bit):	7.8476037758110975
Encrypted:	false
SSDEEP:	24:kku++fjnu5/eYZG377HQZx/YBOgkR7eKxRwNP/Z0l1ME5zOb6Ps:kkwfjuFXGLKAYgYyIRw0gE5zq
MD5:	0FFB42E0B1BD5F3A04B88150B7EF0905
SHA1:	16A683AAFC3F6115DB2D14BBDE1331EEF195B2AE
SHA-256:	756D5595E38316C89B663B674B7CDC39EBDE71F1005556F81E3487569961D320
SHA-512:	71BF22458C52BBBDC78D87ED0E0B6EE4AD7C92F3FB79D996E593D451090A67B7DBE1AC32D9CF162785FB91511B4F714CEE14B8C97ECEE2BA481479FD74F610C9
Malicious:	false
Preview:	.4q.`......7>r..v.aM.O66....}.U.....I(.8u#.P.m)........Y".....f'..{...Eb9..E..$Co...#.^.A.\|../.<....v...)....m...I......^.A...U`....YV......!.....h.erGG..8U.I.q..p>B\|D?......4F.z..r.z#QI..e.;..9l..=.....Qg..R.Ub....{.V....wzm.....&1>B..<V....oH0.+GXm.L3..h8CA..\..,..N.A.\|.m.Z..\|.[j....2..j...Vh.=......zls1..m...\4...).\|... ..rDqV.....!.....=..X.lf.4.g.E?D.}..&=&.~......2j.y...L...4.8a.\..@[.Td......!@.`I$.`(.4...TZ.<.7u..w.f..1wF`..?R.$.ji( .2.-zC..C?k,.L9.F...\av......#.......(.c........N}.....1F......F....n.\|.R......,.A...x..s.....O.E..._k(.>.......B.<....I.P.....6.......[...a.."j....c.. ..w....<.feR....k]j.cl..v.go...e2D..........;T.0.c.......S..J.H5R.!....e{..3..v#.i.u.a.Y.&.Z..~Z.... ...O..]..sk....i. ....!..E..;.y..R.$@...j...cG.....jn...ZV1/.KE...$..X.e....5.....,^..<.....W..v.$...T.c+F...Trn..D...R./2.J..G........8....#..h..D....&...B..."..q..M.B.IH...Phkq.o"".~..p.../.Q.....2...~^..0.. .m.s........s.Yj<..0.M^7.

C:\Users\user\Documents\ZBEDCJPBEY.docx.gn9cj Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1070
Entropy (8bit):	7.8523094440004
Encrypted:	false
SSDEEP:	24:OuobBrUKZLABwjTz/h4C8GDCtQS16DQPSLDvVyu86cPvtR2+HE0uzdZ:fUrVRpTz/yC8GDC2SyQqLzw/6cPFUNPj
MD5:	DBACE6C38A7E528EA883370258E1059C
SHA1:	AEF62C4BE84177BCFB79B936FFE992D89CD76C2A
SHA-256:	3AEB6D49477ED79FBE61E4C9E1CEB7C69597FD2308EA4C5E9FE85E83D8F17D3B
SHA-512:	C84F137586946E8B164D0B73B6351D7F14F90F7E19139812D4E65F0C1C2CE389EB97609080B389BFA7E179F04F4780D83394FE26A350ECF3C55F5B011FE3544E
Malicious:	false
Preview:	K'.3N.j_.xD.....R7G..p.....rp.....;..^....zv....c..O..g5 .P.U.}R.....:5)..i..$.......w=Z7.........mn.Y..k.p=..Z.cp[.o....6P..VFL....w.}...l..6.~.. F....bWqRV..o$.....UB.....T.<..G.6a.(.m.6yN.+t..KA...~......N.^#..Rad.....O-....l.5.....O..6..\.P..........(..w...Dm.....8...-<_.x..A.s.i...G.T%...wB...>h.m.Y.G.,.(.M.r..T.S.T..>..5..$.......>.<...+.Oe...^.^o.:.[.hI..]u./..U......M/...R...P.hS.d9.r...ok...z<F.C....Y..+S......:...H.4....}zm.G.....9.{..l.K@D....dq..r8.y..?2.2h.O..K...~....G.....~.')...w..,..2G.!0..U.....n.\|.R......,Gb.t./}vQ.l...z..`.;..?.O....D............6.5..Y...~Aa..B.\...Z.u_.]ktO.w....9."k......q=....Z!Lg...ZOIWr..QQO......}.F.DXW.a....F....j.<.#..KK....qKz...oXH.C.."#.;..C/s.~,..s..+.F..._.g#.V..$v.......H..'r......rMw..QR.....1.`\..m5nB......n.h...@..n./.....Mc*..3...r....f......{...5,.W..g..g7..dJ.N..k+.IE..{.......T~.31.u....w"...1>&.........`.....#M.}.........' .......U..N......n..L.......T......U.'...a3.....t.U.z.0

C:\Users\user\Documents\ZBEDCJPBEY\BPMLNOBVSB.pdf.gn9cj Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1070
Entropy (8bit):	7.805506202428807
Encrypted:	false
SSDEEP:	24:dur58YUUg88m2ZyWPqWNo8/6ZiK2krXQtcNbJmwE2ul/V:AV8bUgdVTPZNo8pKvc4wbHV
MD5:	E4405BBDC0961AD50D1DDB64E6724ADA
SHA1:	E10FD2E46259073A2196FEC7A5D522A2AE1AE61D
SHA-256:	65226E4865060213A654EB6A75BE2B1B5ACBC665941126600D1D8FF418E7463C
SHA-512:	CCBB5169D429AC9EF9778DDF679CD67FD25690087BA2AC51564106D9E781BC68851BE316AEAC5600235079944AC2B80E10C565948E91E8802061A4A8E1F482EC
Malicious:	false
Preview:	.d.Q..'...O....../.4_..6..[.....hm....k...B.O...\|.i.t...T..I3..!p0...IjP"/X.c,.n.Bx....$).....\|.D...c..6.;.`....F....C!>.i.E...h...#.Z...+....2..Y.~^Z.......g...@...A_.jV//U.Z/.....zB.~..k1....\|o...I2.Xt.b..j.....Y.aj..t.v...x....../..=...J..M8....2S.:..v.,..t..2.\|.0....J..(.\|.3.F_.Vo25J]..7.g(R@d.&....H...e2))T......<\2.c.s....0.....z..>~'......lk.X$.J'...Z...N.\|.&.tUw.a.O.!..i...L...Z...b6[F.s...@I".....)6X....>...M..j.z=%..0...X..\y.v.\.......g....o....&.~....2;.../...H...0g........N.<.....k..'.....n.\|.R......,Q...Z.T.Wo_(}O.\8KR.v.d.$N..W..g,.w.8JFD.^W}...=.B.........[.a..+Yf.....0.....M .q......5.........Z.ui.u....T.+GDNb..b..B..i$......l.bj..2....c./..#R..kk....vF..t.EZ.....W.."_;."..[M.K.s..&7.p6..v...&6.i...w.szU...Z.n..m...=O.?..j.....l..{^.Zr....E.N.v....8"..VG:.f.e....B.[.Ub..)..D..\.n.N.-"..m=...\|.Zz.j...F.$v...t ....Gq .X..........].>Q.Cg..o..@A.;....R.s...no...0.*..C...Bk.....R..Ls......._{.G.yl.$~...H..z....L..%0..

C:\Users\user\Documents\ZBEDCJPBEY\CURQNKVOIX.mp3.gn9cj Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1070
Entropy (8bit):	7.821292854969315
Encrypted:	false
SSDEEP:	24:93s9cxkH0C7oby/gDwBS46E1KTGucKszMw6f67DXbRMja:9MWI7oBwvg7szpRXV
MD5:	A61B7C49C6E6E6D4805E9509525A4774
SHA1:	DAEC2C89D7684F2B34342DBE0DC183A6DCA9A2CD
SHA-256:	33EE7105060DEED9B0FEF22F19304BC59BA74E670741C8FFE2E1FFD90D56AEE2
SHA-512:	C5277495EF7BFDB670D72D3772862E74F2F955696C150D30BA632C1D9143FA74159BD251C8014EF48CB0E21E775E84FCF79611DB777DE528112D0751EEC88F2A
Malicious:	false
Preview:	O..~........d.....~t...-...k.......?....`.!.Gk..N...4.......;.9dO.\{]..)e.:.?..#d.....g4_b....d.....)..Fw...V....6.'....@.a...BKB...6.&.....kO{.^.io..k..+&.N/.$(.>.....uj.Vv[..P.....N9.p)m....$+..'.....?..w}..$g..[.$.%....J.......oR........}...zMI{.eM......&Z...i.V..C}M....u...{A.%......B8.\.......y...u....%fZWE..#wB...z..3,..2.)J.&.1..E.s.M...~G./...`.3.s.Gn...X1.......;...:..{u........v.;.R.y...x.@........J.1.X../.......y...L. .7..6...R..r9..hz@=..j...........B...~TY...G."b...A.o..a..z?..V[..-....n.\|.R......,s.b..kG..y.\|>...<..C..g....?^.D..0...9.....w....`6..A...!.U.k-......6..D/!m(.l....>.)..._.........C.)...Q.{.....H...C.._...HMkj.)..0....."F..C&...j.......\|;6&.s.}.....H...j....L+.... .^.g..f.B.....D.8.....IY...W..I"{.....[.:I.md...s....B...'..b...~y......!a}.pD...3..sY..S..K.n[.K.D..kvU.....ztF.J.]o.....x..F.........XoT.2.d.../....p.U....?f<<32c...}.."..]@).....e?.t.Y..(}..1.,.=e.."\|...b.6.%^.........'%+.m.O..i...&V..._..+

C:\Users\user\Documents\ZBEDCJPBEY\FENIVHOIKN.png.gn9cj Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1070
Entropy (8bit):	7.824409012336686
Encrypted:	false
SSDEEP:	24:wfyIRP8lNP0I4hfWPMtaHwo1VklFyMxOVy4a/6S9EigNGp:OYNP0IV/ZYyMoYl/6Rpy
MD5:	D1952207D72E59AC39ABE79A9C48E481
SHA1:	D0F3D8EED2A89A2E9AAF12999BC1B77348C9CA15
SHA-256:	4389D209B63F3D8208BE264102E23D9B7C72152D9447DF67F81630DEE3F923D7
SHA-512:	F65A0B65360FDB780CCD5B6B8F73521DBB6611DFD21A7641F7F5B2F8162A2F592900EB07E9951A00142F37D10B5F8779777FD991DDD5B1BE4B80305C0BA7138E
Malicious:	false
Preview:	.....YNd.DJ+XB.........D.p.@~.../.....K8x.......L.I`..n...J...?\|..j.,.18:.......!-............;=...t......"Ba..Y......9....i"%.X..gS.E...k`{4.}z../...Pg........2.].:.! ..&.r.,...-.=b.....g..oxE..q..n...M.-.xDR...+...9.}VSwZK.ihdu\.0..S+=. ....j.5.......Z...K:...[.\^..;...\|...p..O.$.p$.f<...Z........zk.Q\|.5.NN..4?.....v...7..o.......Z.P^.o(.Ji!..1Iz.....I.cI.gf-..F...1...M5..... ...Y.9..\.7@7;...\c:.;.A.\|j.<{n.6.x...)...C..q...@w.F......./.\|...$a..=.L....j.?g.6Aep.S........!._.o..P.5y....}.~........n.\|.R......,-..O....u...`..@!..7.T.M$`t..H6..bNh.sN...b.\...88...V0&..C.Xk~..^.~.4.&.s....N .QS..{(...>u...1.K... ...d....^...e.([....GC.V.d.....I!..B...........f.^.xR..h&.5W...!..q.K....}7.9...........1(.b........w#.}H.ok.k;..,......g.....i".q=....6.....I..=v.......O..,`.D1..t>X..t,.......v.=.=..\|h....Tg.p.[..@H.K#F8.j.H/..ZS.O....F....\.4.t.0.Kg.9. ....1l......>...__.`K......V...6..V#6V\M;Q.$.Z1..a&..V..d.6-.Bw..,.1.NrI>..m'.Uv\..^e.

C:\Users\user\Documents\ZBEDCJPBEY\HOW-TO-DECRYPT-gn9cj.txt Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	Little-endian UTF-16 Unicode text, with CRLF, CR line terminators
Category:	dropped
Size (bytes):	3274
Entropy (8bit):	3.3969029202767174
Encrypted:	false
SSDEEP:	48:rLrZ6kkqzuDVm6eRU5oKDIBE2qxOzOwUq7ZU/d9PfDoIwe1Nn2oEdFdb:r/L+m6NJ6JOwZgd9PrRNQ
MD5:	0C6D0A67B942D06FE27F41C7C582CDFE
SHA1:	7E674CF6375B138CABCA2706583D4CED7A1AEF27
SHA-256:	014EA5EFFC97085B7832512B9AD2A5C4487265EB67E8D7B0920EF2BC8768400C
SHA-512:	53EC4509BC58F53419A8923D808C7DFDECF57DC203C37265D061AEBAB73147720D1C419E79578065A42C3B2A63504370F90516C3F0AFAD5D6997952592D3A39C
Malicious:	false
Preview:	..[.+.]. .W.h.a.t. .h.a.p.p.e.n.e.d.?. .[.+.].........Y.o.u.r. .f.i.l.e.s. .a.r.e. .e.n.c.r.y.p.t.e.d.,. .a.n.d. .c.u.r.r.e.n.t.l.y. .u.n.a.v.a.i.l.a.b.l.e... .Y.o.u. .c.a.n. .c.h.e.c.k. .i.t.:. .a.l.l. .f.i.l.e.s. .o.n. .y.o.u. .c.o.m.p.u.t.e.r. .h.a.s. .e.x.t.e.n.s.i.o.n. .*...g.n.9.c.j.....B.y. .t.h.e. .w.a.y.,. .e.v.e.r.y.t.h.i.n.g. .i.s. .p.o.s.s.i.b.l.e. .t.o. .r.e.c.o.v.e.r. .(.r.e.s.t.o.r.e.).,. .b.u.t. .y.o.u. .n.e.e.d. .t.o. .f.o.l.l.o.w. .o.u.r. .i.n.s.t.r.u.c.t.i.o.n.s... .O.t.h.e.r.w.i.s.e.,. .y.o.u. .c.a.n.t. .g.e.t. .b.a.c.k. .y.o.u.r. .d.a.t.a. .(.N.E.V.E.R.)...........[.+.]. .W.h.a.t. .g.u.a.r.a.n.t.e.e.s.?. .[.+.].........I.t.s. .j.u.s.t. .a. .b.u.s.i.n.e.s.s... .W.e. .a.b.s.o.l.u.t.e.l.y. .d.o. .n.o.t. .c.a.r.e. .a.b.o.u.t. .y.o.u. .a.n.d. .y.o.u.r. .d.e.a.l.s.,. .e.x.c.e.p.t. .g.e.t.t.i.n.g. .b.e.n.e.f.i.t.s... .I.f. .w.e. .d.o. .n.o.t. .d.o. .o.u.r. .w.o.r.k. .a.n.d. .l.i.a.b.i.l.i.t.i.e.s. .-. .n.o.b.o.d.y. .w.i.l.l. .c.o.o.p.e.r.a.t.e. .w.i.t.h. .u.s... .I.t.s. .

C:\Users\user\Documents\ZBEDCJPBEY\NIKHQAIQAU.xlsx.gn9cj Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1070
Entropy (8bit):	7.818319326683389
Encrypted:	false
SSDEEP:	24:8tiXVuxRFkm4+3K+jvmHKgeHZdDz10tq/gG3lw9qx1ZILZ:8sXOFkx+NjeHKDXz10tq/dvI1
MD5:	ACE521B582F7C2F75A19E13BE115654F
SHA1:	CF10DDC0CF8DE3CB2AD1CAB40257ED72341A7BC9
SHA-256:	FA01223808242782CA6EA6D03CECE8C458CFBC8BDA7C2B8F5BDFB8DA0D3A55EA
SHA-512:	FD2DE7A889EA0829DBCC8D298C602B337376669BE00EDFE210F467152ABA63231411564A046633F6997FBA71AD9F8DC4223422C93B263FE07F0FD849E2E868D2
Malicious:	false
Preview:	.....R.A....9.....h..H..........L.I.....A.t.M..r%o..-..=.&s.n&..l.V;......9O..../..N[`O.v...l...d>.r...V....@.I+..."k....-}.b..!/....i.t<rk....-.....#YK.&.C..0r..V.T...!.7......Q........R...W.VN..N..3].....o).....j.n...#.0y...j.]....4.H....u....,...r...T."1`.e...8b......,.XT.`<. .z]..yb.R....mb..n.(......Q`...%.z.vL,.l#..T.;Ox.......s....F/E;.<.....r.......}a..1.....i...^.B.x..uf+@p...z}/...kE.;Y.\|.I..H..b^E..H.+.s....fu.x./`r..-...PI.7...P.h@-{*].-..{[.h.s....`....k!....:.?Y..2....R%}$..R........n.\|.R......,~a{.f....P..R.4...l..A\|.....u.;...)..5...R.0...mi.I/vRU..7..+..[....@.n.W...g2Tf.>..@j.e..=..k....eHS.%."uT..p]i...A....l..,^6.d....:..q.r43pi.>..fW."q.`./..Y.....L.....W 6O..5..nF.f...ag."..=Nhc."....w.VpX^I}.g.A..PSW.;.eZ8.....N...S.&.H..}..5....'f..Tx"........;e.?c..{....d.....h..?.k....f.C........J9XJ.....v/.....>r):b..9.-6YGw. .}.{.t.!..hZq...5.b...<;&yp.$..m.VU..i...+V.T........w..0.[\.1.n....lc..)..o..[.....R.

C:\Users\user\Documents\ZBEDCJPBEY\RAYHIWGKDI.jpg.gn9cj Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1070
Entropy (8bit):	7.799527496452283
Encrypted:	false
SSDEEP:	24:GZGJb3aEK0M0iR15rTe3WKhmv/4JUMlux2IQ1T:iGJraF0M1BTgW9v/Px2IQt
MD5:	81556B0E8D22B5F790448CF56ACE7B5F
SHA1:	06248CFE3B9035AEDCD2A7DF81836177F02A914B
SHA-256:	979AB3B62095243CDA2FC09B482EFED1DDCD4DB5045DB57365E63FB7638AE0AB
SHA-512:	F957D9AD32D19EA503C32699E8C4D500776C0E2014A671A6A2D3B7C7F38F1B6895E4667E3DD068F5CB4B0FE7571D373F2CCDAA28FD09D40B3AFDCEF4AEAAB81E
Malicious:	false
Preview:	j4\|.[8"0_..@...nM@..5.i..U.9lo..:.q.o.s......k....vnk..9.o--.Q.Kz..p..L.B..%,.i.w...-..A.I+...U..8.1 ....lw.E..:1@>.q5.r..5...2g.2...:.c....ze..ak..h/......b1C.....[.U.Ml..A.....K:#.#e...GLy..U.1...P...f9....SA..b..~M.(......M..6...I...$.c=..\|.7...1yE.a.,..e.E7.w.%....f,c..?0.!......2.k...;u....iQQ./.-...(....{...nX.<...U.?l.....pu..r.....2=...L.....3.b{..n..7h.9:.C...c.#.]1/....Zi ........./.t..7J..Gk.-.%kF..rj?k.O.>..#...`.D.:...`.....~':....... ...........B...^./.c..Z2..?8....IP...'.....k...5.1 .[.5.^..........n.\|.R......,/.0Zb..W.v...Fb....d].r.5.W..;$.."..}.j\|...Z+K.N.-usx.@....8.8.sT.b.2w......../.m..'.*.b.....V........Q'r..f...Q.+.y.<..a.I8..q...3.s..Me...a.kI_...h......k0\|O...U.....8.cS4_p.v.....y.mp.....". ..r+.5...<.\|Np.a.Vs.[/...a.7p&F=O.n/z.....s....dA6uX.(l.\|i.]L..A...v...O..o=.!..........w.3.d.yj![..@.F../8.cL.....R....s.....I........o.?.....HC.....`...-...N(.V.~^..O.;0.c......R?...x..$.b.Z[oV....<I....?.X.P.(.3q.GV..&

C:\Users\user\Documents\ZBEDCJPBEY\ZBEDCJPBEY.docx.gn9cj Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1070
Entropy (8bit):	7.821236784572247
Encrypted:	false
SSDEEP:	24:GTCEz5AqaRmOfpPbh35x+jI/9P/U9DNP0HfiUetGwGLHGXDn:GjzebRmOfpwI/9P/QDx0/i2KD
MD5:	BC926FE1FDE7785F3A4C1403ABAA7E7F
SHA1:	FB9C86C0541EEDA37AA414EC30FF81B59EA49FBF
SHA-256:	7870860552325A649EE9398068B3F51ABE8B34CFAA96228D0A0B6DB24103EA5D
SHA-512:	23F47619098F94797A86A17E277BE3631A574EE86C3EA92B03111C82F62CA7C175D85543001ADCFC42B0226859ECE83C68002A5839BFEC88216AAC893405B479
Malicious:	false
Preview:	)J.k.'..I..A...0JZ.M9[.}N...z....gXu.3....m.....s.61..x.?...F..a.S......(....].&G.#.Y..f.(.]6.......3...r...l;.H.+._..}....d88...Q..f....gC...f....S8....a..A...i..E._T@d......K]>g.4..?..>b...c..Z...9.S.:........V...:..^S...e(k.@.....'.1QzCv...X<qG.%..U..b....,.Z..u..D.`Q....b.e.mP'..T=.v.xQ.....N.~Nq..h... ......._..q.z.5.;../...4Q-.8.pbG]."..,.o\|).. .j...8s....p......Rlj...'.U...K..dq GG.n8U..1..`...mFm.t.s8t+.n.>#..6X...G...H..... B..X.?....V.........`-....0..wY..6....h....V.^..Gf.....R7.,....JYzL............n.\|.R......,h_...z-.........AT....a....vv~..`_.K<..@.l!....KG...9u(7.M....(....T..wn.E.}<.].v9.g...F.F".m....2.fXq.i...&...a.-...)...=.... .u._.I."..Amn{l.S........p.RQ$......[.(.f.!.@~...y.....al.D....Mxk..;q.$.hw.f!2..&....:i..=r..A.jqF...2x...i.x.UK..o.YN.....d.ZWi...$kQ8..=~"..'..J;./d.4......P.O.Y?.....U.<..P..t.jl......d...{......mF..f2....?kys....HU.0mP....'..K.y..Z ...e.i0^Om.Cz....X..P..f..".?zJ/EA".E.^.8....d".`..-C}l.....\S.y

C:\Users\user\Documents\ZTGJILHXQB.jpg.gn9cj Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1070
Entropy (8bit):	7.831212883923585
Encrypted:	false
SSDEEP:	24:vVBsLuShkg8EHYb1YHld3Qpq1TC82mSR3kMiMpXGZQU:vILumkgjYeHHjTPBaklMpNU
MD5:	D80B9A2203F7BD5753E749859912C32A
SHA1:	3C082DA9E51576DE56C0475639C2015EBB1FD6FD
SHA-256:	DAFA76BB048795DBCCDF82A1D7C6D2A6B76666B57CB079CB51F7E2BB00F8E21E
SHA-512:	DA2B4530EFDE333BF677505512BA564364BF5D96B0580DBFFADBC9CBD6CFEA2CA19D6484ACA5428B1923A10E63A482E975A0DE0C25A64E8093772A5C3A5C5D01
Malicious:	false
Preview:	W$_b.5.(.l....U...$..3K.A."9...!...2......V-6.o.7..A}.q.!.Z.p...h..u......Z.o...2...........w..k.S.1&....^.....x.y...<n...(M1&.{.q....Z.j..w^...}w......E.\|b...."..d\9.r..t......."Z.P.E......8X.....x...5?x.m...}..t.....V..k..6l.^v_7C.1....1.....yy..O...o.N..AF....eb=.\p....J...S+...i=-.`."5.h...........;.n.3f..T..v...+....T}.%...w..Z/.Vi..<.Q..1.Hs.. .n.fU..;Q,..'..."^lygF.. ...['.t.....CO.2..[.vR.....`........[1.w...-.O=.....b..t@..<oI8.+8t..q..c/.B.z.^8D._..j.?=.i\|D.s..Z..x.../.W.#.f.[..'N..,Q9....\Y.R..>i....n.\|.R......,i....M.z^.C...a.A.6..L.q.\|..W6.n..fm..B.y..<..5 ...s.\|...xhZ...%.}Y..5..'..&....v.+.~C.g8...m..+..1.-$.;Q.h....K........6.C..._.T.-K.4.d.a..d.:..<.......>w..T.q8MO.l....F\|.{U..G........=V&.g......!:.....A.~....0..u..@....eo..e......'..oE....=CV.L.F.b.....lYz0...C...5Vdfs......v......E........v.hR........%.;>...?....p\|.q.L1[/.S..S.4...D....fi........^...6\...i..\...R..S..k..xxx...p~`S.A...k._i3`..n.)...........

C:\Users\user\Downloads\BPMLNOBVSB.docx.gn9cj Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1070
Entropy (8bit):	7.783839968141503
Encrypted:	false
SSDEEP:	24:pZbo1W5uhooAS5Q2/PxusmQgNKAb9HoqLvoMZRYxaUA3yvUt:p24GAS5QwupQ6J3zoMZRYQbLt
MD5:	816A4D1F8AFB44B733E89D838E3A6F7C
SHA1:	B20BF8016EC0178DDCB91B1E602C53A2A4CE03AD
SHA-256:	ACDCFE7481F610D475DD87907D3EEB7B60448EA4784AD472D0E3492FC7CB9357
SHA-512:	90DF93B8597B817869E8A3E5B654F95D7400AA4CD3463D9BA276F9146C50D19CD000205E41296EA677BAF6582CCAE7304D161A763726DAF7511E128ED54484CC
Malicious:	false
Preview:	'!.f..IU@.Z6x...S.Y..SO...]....J..f.j3.0....=H..E..J.=o.Q.?(s63...&......."d.X.l...hE.p.M..(..........._...C.~.Z.].#...W.B..7..)..y.?...P.V.9.....k..Dd.P6...."ky.ct#r>%.....<....b`?...Q.D.,.......IuI.}Z.0w.....S~#0x6.........`.Z...\X.17.V....K...\..7..6..Vk....%.B..=X6...Pf1`.e......b<(t..Nq.k........!...._.n..k.t..$X.`M<4.....$.Iu......k...J..l....1...'Lc.....SB....8...iY..2..j...N@.3.4...../....>..l..:7.&.O.oeH.O..E._...1..........1.J.e.A.[.@#...g/J?O.-7./..kTK../R=....BzC"O....6..v...' ...5`...Q...t...*)..]v.t......n.\|.R......,L..`a......!.+.^.j.n.H.H...,..Jtl..&].7<.....[k...;6l...:.i.....p....F..p@.........f..E.G.XBnHW.=..cp......E.Ov...N...........=G......aL....Br..d..Q._.....6..zA..AJ=..`....<.>..=..?@.f&2..L.....NL.g.U.....@{.F.<..E.R..pa..K.....2..<}........}...a....M.....k.,.....[..H.!X...>b>`../.....t8.z....H..4...._R=..z.O..[....v)..C....5z...6O>......ou.x90....m.6<7.....e..l.z_;.k....3...Y.j..C............v.I.F.1j.-..K.......=..

C:\Users\user\Downloads\BPMLNOBVSB.pdf.gn9cj Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1070
Entropy (8bit):	7.778960806366096
Encrypted:	false
SSDEEP:	24:bSLxINUZFm9YzBSEMWdhiyWUZZFmFiDj0GVUqOtrQ8:WPwEMWv1W4DmUDZUqOtrQ8
MD5:	E238421A7E82EA940DEC1718B5706DA7
SHA1:	D948D60600903F67A10817D90F92BEE622B58B79
SHA-256:	883EEEED51E1C5CE0696555196FF9B24909B3A1D8C05F610921E0F51754B99D9
SHA-512:	142D7C35C9D9C021605314AB0AC2868129488B70138359C2EB3356CB3C4CD5D57D1201B91A873BE209D992AD185646DFEAB3F79F1A28D3FB0610844E6652C3EE
Malicious:	false
Preview:	.).}^.+........-2.}..k=.X.3.M...TJ.I@}...9......PT......=D.\T.._}....^....h...J.-....F...v....3...<.5k..e......79.}...{.OHs)_._=.t&....{..ip<..P......~.R.O..R.Z...n.<5.<t...s. ..@..U{.D6..-....e...!...l././x...Ir~.K...N.. .....3......h...A.......XdxE..%t...C;;.....;.fV.....j....-W.~[&...9P...{I.[...n..p.R5.wa.X5...tD.J...S....8......p4.Z.,..K..I.$-P..'..-.....3`5../0.t:1.Pe.E..;wT.......m..;D.P.IZ.g=.._9...[.t.F..&=.>.V...,.)CCE..-CO..6.V.c9h.q9f20.p.6...&..v.....&..X........>.a'H...n..W.X"...k..C....b..}x...^....n.\|.R......,....m.tD...S.z-.........P.V?..9G.D...].........,%.T....5...P.>\|.._...;.....;..\..\.T....@\{A.s.k..P..Vf..n....b..n[.wm........7..c..Q.,...`....kV.Y#.C...E.a.^..7b..........=..^....=a...wh.Z._.v.E...;&Gq.s.8./I1}....r.7..a.T..f..q....3 ....O_@.y1..l..U..4c.-X....<.j...d-.=./t...w..5.4..>.P<..E..jc...[..&...[4......I?..e.%4...'...].w...1q....z.........K3.Pd.@b.R....Tu....MI..]J.E...V.c#E.b..~...-...........f...(...r....

C:\Users\user\Downloads\CURQNKVOIX.mp3.gn9cj Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1070
Entropy (8bit):	7.836652939002498
Encrypted:	false
SSDEEP:	24:Upqec3YQ62hW7KOlRoMvEBhbX8fVDUIYeZXD2MWn+:UEw2o73DoMvobMfVDUcXW+
MD5:	90EA6513EAAA8A1EAE1409CD4C4D12C4
SHA1:	56CC4562BB168F7E3AF57AE0300809200FCB359B
SHA-256:	B9377E0B83B2151FE33B68556A77D20BAE70F9A46E5361867979673DBED98B22
SHA-512:	2B53F3EC8B822DA6D13701FBFD0AF7AB5796B536C28081AC0CCADE084EF83BC1970B2DE1E65BE73C56E45080811A7FB4766F8F121B2795320FF357BDF2B3762C
Malicious:	false
Preview:	.......<..c...N.K.&.).W.....o\|.d..+...>\...cZ.............h..V.x.C<._Q.g.w........6..M.\|mg3.'.4j.z...q^...8R..CT.X.....$..\.;)...\|{v@8x...~c.H....>..l....K.6..,...,..~..s........-.<./z..7l.-...X..Tu..E.r..u!..k.k..8g"6.:....F..$=....2.=X..Nn.7c:...gb..U...&..h.....R.. .e..ew...#.\|..Y..i...xxl`.....(...+.E....9...V.MR.Qn.!Pgq...]...k\|El3-.B,.7Xw....l)aZ.!C..S.......A.8y1.p....Ox...q.._.E.L!XO..Ka.Ce%);...#..7V.....bj/j...f..q]..$....Q.V2Q.K.;.h....m...q..3.uR':.....@Y.!.jq..I.3...u.]k-..}...6..#.....S......n.\|.R......,....9.OR .'A.9.MR....P.30{....IeoB d9Dk.c....R[.....x..%^... .[$.......&.g.....A5.tvE%c..a..C......e.q.e+...e.."hAU#.z.5......0.+.sH.~.B.}m1...\|..^.I.t..kBc..Q.u..i..8..\.[.[.S'[.....j.%.1......KG...g..k.....\L<@,.am......7Dx..WO.xr...{N=x......u......X1..K.5.w.8.pmf.KUmp...gd\.i.(v..a.IK$y...!b..DN.n...8...;QYo`+.J[.Ms0..v...e...k.y.`3...n.ktX.0..'...v.L.k.$.T`S]...1!z..c\(..].......M....f..."....$.89.F^......

C:\Users\user\Downloads\CURQNKVOIX.pdf.gn9cj Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1070
Entropy (8bit):	7.842090444911107
Encrypted:	false
SSDEEP:	24:IXEuNRzlbm3N/YYzxgt6CgmKGsXNmAQP2ElE9q/VKe/+Jv8:ItNRzlMN/YSEjmXNmvP23/8
MD5:	4D8C1F5D75ACA7D0C8AB7F33E5F95BB8
SHA1:	DC0285C164EF57B83EA1CA6C42BC010F2E5CE7D0
SHA-256:	FF4CDA55F149BD82BFD67ECAF28363AA961890037A9AC41E8E4395E700F3213F
SHA-512:	D6682E2FE5D7FA397821BDB9574F25639E231C4A983B85076787890F097EA47C23CF431D574AA5314CE5A2201DA2B9B837679518C572F3C81D013A10FB306254
Malicious:	false
Preview:	\G('...o..l..=...f....7.)DX._....Y/..D9Y...?.]fr..cGEo2s...{.FO...I....{V].A.u..r...d....y.I.7..3.J5..O..w.7-..z.Y\..r..J.yo.Z..H...6d.3.......3........P.....b\.$}V...N..V...'B.._.A\|..q.#Q....O........;.jip..g.n.o..!p<..9;?.OF:...w..s..-.z\|NTY.?g..C..V Ld.K<.xo...g.Q...Et&)..<.....4"^C.p\.'.{$?U.c=\r.J.Rl..^.2.....h....3......t.L.@. ......]=...w.).'.5#Rv.pw^..=0.Jb".It_...jP..>......C..OV.....}.X..x....h...8.}x{./..K... 1.RAv.O.Lae...o...".v..w~@EN-.....}.~.`R.]...h..d.s][3g.......Q...}.p..+0R....X.Bik.o.FO\|........n.\|.R......,..Z.....l^na\...$nJ....Yk.. -[.1...q....,....RG".....3.......0...I2M.:....iM^.a-..A#......}k_.....P.=...\|.f`....@Wz.A."....x.A.(.lTh.....`.&..nv......8.I...-..@..\|.....{P.m.{...Y"..u.Q.H..q....Z.....w.i..m$.'....U..{...L..]&.:.F....$M1..".../Sr@.NC.......z.N.../...[p...?..E.{.S^..E/F.i..K.Od.2t.....0....:".$.....3..8...H...:Z&...".....n.... ..y(;.{.I..-..Y...\...R1.$.8..(g.n.......;...2....ue]...o4~....g...(.

C:\Users\user\Downloads\CURQNKVOIX.xlsx.gn9cj Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1070
Entropy (8bit):	7.821996873915278
Encrypted:	false
SSDEEP:	24:+hdO3ta7oNkHzymeLCkDFghD0kIOEreqp8AKRwmAalMG:+hdO3taUNkBykErP8A4wmBlMG
MD5:	14C6E529F75BA902E958DDBEF2D909CC
SHA1:	3BF7982F97061B44B0D7DE35A14230B1630BCDCB
SHA-256:	2866AAB3B9DA1A48B226BF3C33CCAAACCF2012AB228B0D16A49054956C8642A9
SHA-512:	6731E74809EC75A2323E65F342BB1402A7007055B48421348C3C28A6BB5BC0F668AAFAB6FC6B0BD018FC3005945D79425C465AF1F111F484CE51F817AD9F12A9
Malicious:	false
Preview:	.E\|K......:g.].{...J.Z....}... ..bU.........Yw.<z...P..........@..........j.".^\|..p.J.a[sj."g..q.....8;...l....w.,...N..B...n.E&%....-$s.M4.-...p.=>5....!2r...O...^.N..M..JI.D.^n...'.C..;W...o.yK...2.H..c7......m..]8%.W.w.......' .a..K.....2-`T~.q..dW4..).....?....7Yt37.@......Vt..bl.<\..#......`fw.&..,u@.F`y....?.r5a......i#c...E.....;..~B8.jkX.".q..\|..6.I....;..h....-........o.p..T.$.y..%j..X....^x.w..q.......~....6.....S..C.@.7d........&-..]..,"s!..."../.<....&$A`....]x..r.2.h'N.I.?"g....=.<..X.Q.r.o....n.\|.R......,.(..S...x."..!....D.&..... `..]........(.v..PO-.oo{.O..$n.....$......h..N:....52..D...'.W$...r:z..;.v.....y.6....~:...G+0..$JNs).)...Zn...6~..?A).z.R}`au.k:_r...K+.X..i.b.Z..'....P.!y....q.$K...~.'l......n.....C.../....$.<.T.s.{..m....J...=..-..X8......K.(..N.L.Y...g.......5e...t..~...&.B....G.?...........P..f.h/....>-?..n6+8.!.(...\|.S...W1.B.+.L\....[..W....\|.u...o.....}.M..n......0.b>.^.D..l.jO..\.Xt

C:\Users\user\Downloads\FENIVHOIKN.png.gn9cj Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1070
Entropy (8bit):	7.838014011253218
Encrypted:	false
SSDEEP:	24:JbLQwyBsNW6o9ysd+zlz2ZwNZdVpAtVOQs7oNr:VL2Bsy9ysCzHLSVOmNr
MD5:	DE372BC17866572EE8FC8CF83022944F
SHA1:	1E8345606A4A7CEF7F8554EE21698E65FA4BDB3E
SHA-256:	8B78203F4D0C8914A590BADBEF9A29D770F3DCE4B218123883194B8FF57332E0
SHA-512:	2F15CE0858671EE0EBECA2E09501892644D32868084983F576FB444DC8C1D62E4577825B594392712C0218EFEE04149C4A10ADC77F2811A3709F2D242583C021
Malicious:	false
Preview:	...x#.........>e.RE...A...&E3K.;.^..2..$.\|.).;V..}1x.v..........ev.r..u.;.+i._r...(.L.AZ.[8Ogk9sB-..Jazy.y`t.........d=.'..F....T'.e..0.u...]..P.....Yv.,._.M_.H..!.So.P.....@y#..k9.X'.V..h0.Gp.;c......;.c^..C...%.a<@..e..".@..Gk..O].,..D..h.1E..)...7.r..4Z2A....Q..U....[E..j...{G.F#?.PWd.....5.T#.qVn'.eH#~..sY..1E.....RB....]V..(m.U.T..I.@...j......(...>zE....j%.[...).{............H.w.....B..G'<..~I.Z.8.iZ.%..o^`NG....c^&.b9J,K.....%.X...>....:..N.b......]Q..L.Jl..G..D..K.wt..".X.]......x7Ai...J...'.S.ozz...j.....n.\|.R......,....,.!+..c.....-.,.......@x.......3...l..8L.l....a.X.........r@...V.:..3...:.?..a.^..Z.K4..l..>..R.z$&.6........e].0.....l.&.E."..`........wE.......N..4..G...T.u.j_........m?P.f...w....iOb.mg.....3..T...{}..r..4.x....x.kh.[.....Z..;.v,...[...y.L...W.;.XY/7..].r^.sC..UD..y.g.......d..H.].\p.._...........F.9)...HGU..NA....A..<Q'...W.<>..0....j.46.;.{.q.G.t&..u..Z...\..^.C...o..9....z...k...#G....`=T.O^.2/3(..u....I.c..O...

C:\Users\user\Downloads\GAOBCVIQIJ.mp3.gn9cj Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1070
Entropy (8bit):	7.823862809101833
Encrypted:	false
SSDEEP:	24:eVGwinL4JBH7lcapMKE0eg9AemnVdL0TDvlcCfki:eGUJBHBrpMn0/7mnVd0TD9Ffki
MD5:	9E337763E28376596FD95D9B2D359FCD
SHA1:	38C9D9C4F44A9A0BE9369F7320B8E232721FBBF5
SHA-256:	CB817103A9C75C58A3D0329AD37BD4D17E5049B10806F36B942214017DDB2B56
SHA-512:	E6BDBF7AC723978516906CB2C9386A4C50D94E2688D54504F5749618909D21D11065D3A36C1EC570F9BC444163A114B823869F33A966A2AB98F5113123F5D897
Malicious:	false
Preview:	m.=..j.........{.Wd.5.../.....D.X..V.6..X.0.@...Q.^@34.7"Q...UIN..W...p6\1. .:.X.m.)^.A........V..t..PXb...Q..lM.....5.,.b_.?..u.i..sV.+.....8..\|h4. {.C<...7.\L..!.~..kJ.G.C.:.4..?.jG..<....b........\.(.T......k.\|.=..a.Mal..m..,..0....b\|>..ce.v.n....$.5Vd..N.\..f....x2.A.}].`..+.f...U`.....I..:...9.^.D..k.?C%Q..~g. gt...~.N...1..h/..8..%\..\6N.l.g..vt.... =LE...Wa....@Q..K.3A...>.P....ReJ9......6...ve.gN.....v.9J.....E%....[..K.xGe.^.`...../j+...R..R..t!...?fR.lc...r{.......i..!..tpY.(.p....6.F........O.wRz;....O..q....n.\|.R......,.?.h.9zP>:.t.x=....\...3....Ta....-..............}.L.\S2Q.1.q....Y...../\..~$6.3o...."[f....C'.......h.].....72v..k.H.....r.\|..G.\|3.........k.<`.I......f!..l.-k5..S}....cn...u.O.I>.y...Ls-..J...y..&5e.G...u...)N.{.d..e.....7Xh.LH.i1..2.C......;r.j..:..y......A....}.xV.o...ay>..}(....gD#.\T.M..'..@.X=z.%/Z6......}@.l......"...H............*...-....z....\|..k%8.]h.7...O\-.y...."...1$.....m%.iU=c.C..H.{2.5.&HtC.....k6P.4[

C:\Users\user\Downloads\HOW-TO-DECRYPT-gn9cj.txt Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	Little-endian UTF-16 Unicode text, with CRLF, CR line terminators
Category:	dropped
Size (bytes):	3274
Entropy (8bit):	3.3969029202767174
Encrypted:	false
SSDEEP:	48:rLrZ6kkqzuDVm6eRU5oKDIBE2qxOzOwUq7ZU/d9PfDoIwe1Nn2oEdFdb:r/L+m6NJ6JOwZgd9PrRNQ
MD5:	0C6D0A67B942D06FE27F41C7C582CDFE
SHA1:	7E674CF6375B138CABCA2706583D4CED7A1AEF27
SHA-256:	014EA5EFFC97085B7832512B9AD2A5C4487265EB67E8D7B0920EF2BC8768400C
SHA-512:	53EC4509BC58F53419A8923D808C7DFDECF57DC203C37265D061AEBAB73147720D1C419E79578065A42C3B2A63504370F90516C3F0AFAD5D6997952592D3A39C
Malicious:	false
Preview:	..[.+.]. .W.h.a.t. .h.a.p.p.e.n.e.d.?. .[.+.].........Y.o.u.r. .f.i.l.e.s. .a.r.e. .e.n.c.r.y.p.t.e.d.,. .a.n.d. .c.u.r.r.e.n.t.l.y. .u.n.a.v.a.i.l.a.b.l.e... .Y.o.u. .c.a.n. .c.h.e.c.k. .i.t.:. .a.l.l. .f.i.l.e.s. .o.n. .y.o.u. .c.o.m.p.u.t.e.r. .h.a.s. .e.x.t.e.n.s.i.o.n. .*...g.n.9.c.j.....B.y. .t.h.e. .w.a.y.,. .e.v.e.r.y.t.h.i.n.g. .i.s. .p.o.s.s.i.b.l.e. .t.o. .r.e.c.o.v.e.r. .(.r.e.s.t.o.r.e.).,. .b.u.t. .y.o.u. .n.e.e.d. .t.o. .f.o.l.l.o.w. .o.u.r. .i.n.s.t.r.u.c.t.i.o.n.s... .O.t.h.e.r.w.i.s.e.,. .y.o.u. .c.a.n.t. .g.e.t. .b.a.c.k. .y.o.u.r. .d.a.t.a. .(.N.E.V.E.R.)...........[.+.]. .W.h.a.t. .g.u.a.r.a.n.t.e.e.s.?. .[.+.].........I.t.s. .j.u.s.t. .a. .b.u.s.i.n.e.s.s... .W.e. .a.b.s.o.l.u.t.e.l.y. .d.o. .n.o.t. .c.a.r.e. .a.b.o.u.t. .y.o.u. .a.n.d. .y.o.u.r. .d.e.a.l.s.,. .e.x.c.e.p.t. .g.e.t.t.i.n.g. .b.e.n.e.f.i.t.s... .I.f. .w.e. .d.o. .n.o.t. .d.o. .o.u.r. .w.o.r.k. .a.n.d. .l.i.a.b.i.l.i.t.i.e.s. .-. .n.o.b.o.d.y. .w.i.l.l. .c.o.o.p.e.r.a.t.e. .w.i.t.h. .u.s... .I.t.s. .

C:\Users\user\Downloads\MXPXCVPDVN.jpg.gn9cj Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1070
Entropy (8bit):	7.819558591789611
Encrypted:	false
SSDEEP:	24:ZX+7hixL8MGtEy/AsNZqoAGSNhkrQl0CXSGj3dVxTK5b/pn5:ZX+AurH/AoZqf0CCEVsxx5
MD5:	FD6D1AB95BFD8C07C94A50A5DF646BB3
SHA1:	9802BBC1BE9A1CFD1A974E3CA82245A089936A50
SHA-256:	5867A33F28534F3A2436BF4FB033F48F116CB3036BC5F58898BCB102E382D632
SHA-512:	B838570CD40C4755AA5BB85AF3019F35F322130AB2004311900759718C4A69331B512A7988DF94CC9F3F8B7E6D1E90B00B5240F3C298BB6685C5930456A17D52
Malicious:	false
Preview:	.Z...CY!.."._.EoY..+..uQ../.GNk.E.K... .E..].....m.y:....T.H..Z.@m....V?..o.q."k.%...d....}..1....,...O.Zj.Z..x.i...N.)e.J.v.....U...+?.......n...C.....i.2.Y.FW.'.}....wl....9"...('}!<..,......l.9:..+. ......1.-.~U.o..6#.F.f.=..@...a....W5mkp..0.....mf..g.5.b..w..Z0..s.Ed..gU.......g.....j.6..........9..t..j.1. e...!.Z..YHY...=..:.b]...U..F.G...\|.wak....5.a...(.%P.N..."F..D....e-?.H&.R......1.l"=.)....?o....3.jq.eY,.H..G.pM^....l4.X&...+W..9LRT.%FM.g..Y.f.4??}.'.Z.9.......m...DT.}a..#..{..F......zd.s....91..#..S.2.....n.\|.R......,.g~.._../.....#..d:.2.S....u....g...~.1.m.Q.r7.`..Gx........s....Aw.@.?y,..#..W}$(Jq)..w.e..Aw.#....Hm...=...T].B.b..Xq....c.H....={zIB.B..[., .K=-.p.A..2..6.....$....J...h.j.......K..Zi..9[/.>..u.0O.2(a2V9.j.j.[..R..7..0.Np....f./.../....3..3x[S$... ........+w...S..4.....z...1..D;fD.K..&"...P.\|.....U.3.G..H....y....b..&.L..SepSY...i.j..$07...... .`{./e......r....u.F.Ny..qW#Uq2.m6..;.@m#......8V=k..;.kyX::.....?..r.9i.

C:\Users\user\Downloads\MXPXCVPDVN.mp3.gn9cj Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1070
Entropy (8bit):	7.816207562584567
Encrypted:	false
SSDEEP:	24:Nmt9UWVBRXLFXWzUTtLZ6vD25T5yUL8IF9E:NmNn/JWD2558su
MD5:	88CA6D2C5B49D67C1EFECDD4D84F499A
SHA1:	785F51675FCC0925DEC82DFB63C91EB813101BF1
SHA-256:	D618F01A04A7B1FF1184361D749BCBFE1429B89C791C93CD6DBABB22DA21823D
SHA-512:	7CD26773539A15D21A91183F1CB6444AD0C65835ACEBEB720A042C3F502338D98D958F04F9B8D27BB02118D12E90447EE0003A35C46E93BBB4E66C505D01A317
Malicious:	false
Preview:	..k>O.(.q..;<m.?..X.A.\=>.U.9._....?].....)..e.@..E.?r.DP\..Y".....Nz..7VV.S...p....dn..Qb....;....R.e....I.....c.b.Z..v..EMxX;SY.....yA.s.......)....aB..qt..f...YH.H....%..+.......X}.M'a&.{....l0.....]..-.v.:ya...hu..f.(...._.S..u.9..\.........N'..O.A..&z..$_...P.B.X..?..;."g;B...._.....$.V..OBmc,.z.....]Qu....-"A....ba.a.E...h..'.B...Sf........I,.YJ.l..3........`._)..1....$..-..!.t..........v..{...m.e.......0...AL.]...20a{.&.q&.AB.;&"wDS$...t.tL.SKA.......D...#h...e....,B..4.<...<..;.../.....0....X.h}......n.\|.R......,P}.n..?..@K..YI.,T]w^.O<ht.orw\|..VxE......'6..z.U..i...7...&.,.....*.P$...r>...r..D..D.`.i.f1.^..T...\|.bE4Y....AW>Wh.._..F.a...s..t.t.iF .g._P7.{4..U~......r.+....S..1lBp.....b.~}.[,o/.@.O.......\0.P.....V.tZr...Y..B..?...8.C../......c..D..t..24..@.n../.N..x...M[...0..%..=D)..Gp..V..:.B./1S........'.u..a_,..D...V0.t.K-'.'.......P.U.U......Y.....p.o..O_...U&%..l#=..4..P/...r.r.-_#.j\NwQ..a6...4...Z..i{..<.%...S..[c.U\|..

C:\Users\user\Downloads\NEBFQQYWPS.png.gn9cj Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1070
Entropy (8bit):	7.80806205893834
Encrypted:	false
SSDEEP:	24:s1DXiwUKkyOilp7KauE5CkYE62OodNzE/yPsHZZnBhmSP0M2s:UDX9lZpluYvYE62RzWjZRySP0fs
MD5:	3C116EA82AFF85057D8944DE4F8923D5
SHA1:	88676859440F43FD82AB76E3887885ED2510F439
SHA-256:	0F2A108488C7F63752218354FAF70A29EEF85DF713ADCD557580AC61DDA71931
SHA-512:	76FC6B359B33ECDD3E7859477D53DFCA8C41FD8502978C3369C3566597299A73D13B63D7489A7583458FE5165ED3E164ED35418352077AFBC0F8F6E657A949D3
Malicious:	false
Preview:	....G\|...wP..5....!.VI=z.H.8Dv...(.S.B\..f.u.....K.3V+..q.$.$hd-.N.......(N.e?W.PX...k#...../.V.23...q.t.u....=.b..b.W.O\|!....I...A+..`.BX..M.[..E..'3..{.c_.0oq...r.3.+..D..Q.n.l.......X.........8.56.G[.8..-\|....ty ...Uq..S..@0...^E......."......a.......y.....n8..R..,.n.h.....@~.h..'.?f..:..v..GN=r...F=..0{KsFx=u..4.>'`,........&c+..o~V,\|Lg.c)..........!PF..a..ni.Y..<.\....#4s.K~.V.......T..th.~.3.F....<W.}.-.?._......z0...D...@...A..N56....v.;.u.3..M.k.`.....v3..9......O.To....N..IS..s...&T..).p.=....N..o..k....n.\|.R......,~!.u......l.0 ...6..`C<..U.o..I_.xdT..M.Y"...Ln....u.Ej...o>..`y!.g.~..@.W...y.\|l.n..?.'.<.....=..u.......ypVoD....O....yO...L..^r.-.Hj.g..L..K..n...$f.j.,=..AH..M..Jh)g..;.........R^.;..Y..h..1.3.4r.U..M.........U.n]..)\|t.O.............h..&.1ZN..O..d...rZ..o.E...>..=.G~(..>....... ...2....z}..P(D..._..5j`F9.._....\.xb.j....l.AN.G.....I.9$..Jw...l...&6.....P.........,.\....(.T.I.N`.jX....I.+'..%i..........P...{....[.

C:\Users\user\Downloads\NIKHQAIQAU.docx.gn9cj Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1070
Entropy (8bit):	7.841158512378322
Encrypted:	false
SSDEEP:	24:f0nd9oeG4ufpcCVaM0wTQOMaPA8944hraWejntc/DRx06GDN:gEQufpcCVNRzOsrUztcDGh
MD5:	DC653F893CE6334FE3365ADDF09595AA
SHA1:	CD703F5D96DF16371A871AB837ABEA70A923EB1E
SHA-256:	2CB13904095D5ACE4C6601DBA9A5164C320FB74FEA4BFA57487C6475862FF165
SHA-512:	B622ED389179187330ABD3335F52986A817E2615790AF82991FEDB708096F2D755FA136BE2092A25E9DC7306FE2C3D004F3358D282B155C5148A3B1575FD7C5B
Malicious:	false
Preview:	T....J....o....u...O...Db%.c.}7:q...0485CA^.b^.../P3..WKfQ?..$...M....KM..C\|r..A....2..._..x36....."\|.zwd....cV.........`.......n8`;<....{K....L$.......{.X.A~H.V...wH....9.#.kk.......R.Dk...H.O\N.x..'K.T.....m..]..>M....%..ORm.1QP,..T..<Z......\-.G.D..u_.1......I..?1...P.3.L...@4...WG.{....-..c.z...2........ .d.i.....6..;DM....m....Tk..5.p....%. .(J.`qN.R._2./..Z^.Z.r.....SG.Z..............jI.q.@.....5..W..'.....j%...{..^\PLe..o.....f,...`.U.V.G.H.$...G.....w.?n.8..c.,i-.y..=..V.~..................QGo....n.\|.R......,n.R/..4.......s..-.....HNOO........O.y.....i8..s.H.~...(..f....H.$.0......}...z.X+WN{5..,Z...7.mz.d.....3.#..Dm...*..W\.a.]....\..\|.}....Wa..?....pts{!.G..(....Am......L.\x..Bp~.-...w..n.9....?.9l....>B.-..e.).(.E.}\|'p.hK{...;de....F.y....s..y...;...a...p...)p...n}..himY....+.X.}.1..{.tli.73..W.z8....o_.+.0..oy..=...2\|. .X.]H.ck.y.. ...S.?...{E...J.n.E.....%.#........\n...Xtc......N.5P.].F...#aK96.\u.....M1..8.

C:\Users\user\Downloads\NIKHQAIQAU.xlsx.gn9cj Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1070
Entropy (8bit):	7.8414788402538305
Encrypted:	false
SSDEEP:	24:uDvim8wi++BBM/GQArKIQFp0U343/dlsPdFgcz:u+m8wiLK/rAKvp0+43H0OM
MD5:	CFA08D366846D67960D5BCF7EA802BED
SHA1:	CA622A0AF33E01959E7E58148D30199D3CAB8744
SHA-256:	030D3E41F5CAC1E3AA35A1254670833C0549B846048A864B65C0C19DA9B0F41C
SHA-512:	58B7E365CB9EB64728031B1D9EC8A8DBDE61DC163B936D8A69611285F9465164D9F58C0D1447CCC7441D891D25A9782BBEA45573465959B62F4118CC1A9477C0
Malicious:	false
Preview:	G..."..\.o!....k.,g...I.\C.VHx..4A..v=.(\=q...q.=..'.Pg$....6.h7PHc..N....yC..yE.2....u.?v.b..O!.Y.C[ i=j...^\9.R;..>&ruN.uP.X.~...zs.PM.h../.T\|.I..p...s.".(....:-..).%kU.&.0..`..X.m`..#8.0...C.#..+.,.....2FiO..?.L...H.2..#.U..).6.<...z@.!N..P$...o.n....$[...%.A....p.uI......%. .=5w+wA3..A.FsBKu.....o.zW..2L....?...&.,G...l.....0i.^u.v...!..(WoF4.......l.....&........V..1a>..Q....c....._..J..1.t.}._...).D......A.'nL..\|C.....)y..4[........U.!.....R....M.W..F....[....p.....%.j.V..K..X.^...c.4.....3G..T.....n.\|.R......,M....7..o......d...ao^gMB....o@SN...dL.(^..K.L.3.b...I..Ff.....Q........e.-..\..........y..,+..,~..a..uf!5J..L....xf...w.,..rJ.....(].B1....t...Y\.........@.....H....!.....g...c`2....>TK^..\|l..T.8UL.Z..(.l^.c.....t.A.J(.b.C..P..."$?m..(-..`.K.5.fY=...J.#.[..W.N.a,.~<9...+m.hEH....ll..E..9Bi.1]....$.uK"...,..^....)..'.%.Q<.......S.3I...#.t..+.W+...X..Y.[..\.....N.g.9...68T.TI....l.n.\M......h_.3..q.6..b^..:h..H#

C:\Users\user\Downloads\RAYHIWGKDI.jpg.gn9cj Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1070
Entropy (8bit):	7.81243684174121
Encrypted:	false
SSDEEP:	24:74/73o036U1NtfsJSoGgEfCx4CP79rzr34pXFstv1ufJ1/Dt7HKdHUTD:KoE6UlEJS82Cx4iJrz+XF0v1qJdtDn
MD5:	5690636840D82A99E4908EFA9FD40D30
SHA1:	345CB64CCE138133E24D400DFD39D20020015862
SHA-256:	3DB08D784641626C81DA3DBA5319AEDFAD7449ABAA10575311C03AE56E9E4010
SHA-512:	0EC39F0F2821ECE2349B8477B067C5122FCDDD7EE297ABA4E7CADE77F6BB692E712BC364DCA612CE3F37CD40C1067AC5ECF99CF5B9263CEB59C6D1EFC78F4EA9
Malicious:	false
Preview:	..t...c....I.$...X.z...+.5.)......,X.V.Z......l[..}........p.2.......P.oU7....u..I.X!iA_....t0.v.E.A.41J..I......(...u!.'..G..s.X'9........c...!....a.....a..._b.+"...~l...#......j....U....]ut..J....:..z...ik...\^.#L.$...........s.x.(m....&.."C.s....(68.q.Uf.....I^..~....N..z..6.e...L......J....}.).i....T.[..%}.#3e:....f9-....}..,..<.:N.@...{.X.."L.b4h.,m..L..h.o!g%.....?....~....bJ......[.aTs..Er5.uf4.....f\ME.T.U\|....'>..::.6....Y....W....,..q..j.R.8..?.!....8..,...Tj.s.(^.Cx.m......zpZ?.."G..l.e+"......n.\|.R......,.....+Ht)P...;......a... .!>.`.?...{{.bguj..^S.....;....t."d..u..[..DW\|7..6......ko.D...qCL.V..?fc.^_..5.-c.u.....'c.,.st....nEk4.K....>..Y2R...QS.hc".j...R....3.....X.t.2......N...v......{........V{.ZP,..5%....h.&X...5..y..Y-.g....g.....I...&v.......V.K.G.y..._L.Xf.._.3.U.UW....{.y.t+.....fi.V(...=.Y._yu.......\|;..\K...M.a....@...E..K......fG_.]B!..q[..G.<6q.....kX.-.k...>..7...l...w..sS......R..[..4m...TT.!.....

C:\Users\user\Downloads\RAYHIWGKDI.xlsx.gn9cj Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1070
Entropy (8bit):	7.8241599239003365
Encrypted:	false
SSDEEP:	24:jqPREPr3P4ISnIy6qY5S4Q80bx0ZXg/dkAqedB+NUQ:j0R8UN1rYSS02ZIrqe/kb
MD5:	A95A021A257C1EF5F069188BC54E0386
SHA1:	D9A0AB0A012165E61706F643FDF4457F59F681B3
SHA-256:	CB182BDC1B678FEB9E36FCE2B9E3B073F8CABE0EF324FF6B1D32264932E174E9
SHA-512:	215F05CF4455107C3E4CFD787F2AF33DF18F8EEF67485292817DF3FBBE0B36176F3250D06371232DB2B9F4E8F66F9F27EC731D00B8DC9B8730E05386D798D9C2
Malicious:	false
Preview:	.a.=g.g=Q.....m9...)Y.!... V...........Z/M....?....#.c...#4.,f.O<..t.f.XFU............^.BF....;p.........<....l...0v4F..L..D....TH.i:%.i..C..tQ...#b.`..2b..w...Y..J(..F...lAd.t..D.O.c.b.h...r...T..o.9...&,y...U._T...SmhK..m(...Z.F"{w.>...\|Bs.Ct..J.1......./.\2..v..9.<...Z.B.+....<..:p>5.?.'.R~....wF.9L.0.~/..J...?.-...sd....h`...V....W......2.k.L.o.R.Pa...q:.=.YUu......y......\.h....3.!..J.....%.XI..Q.....Y.'.y...O)D.3j.&_..G.e.b1[0.8.....up.#...U.c9....G...j$....-$....D.P...5..9.4L...K..f.$.......[.T.......n.\|.R......,Z........Gv.W.......j.......Hi....YC.Y....[.Mn,/.t...;.....zF....C...Kv.E+.\|.n...:(.]+b.D2.`.ve../....m.$>.bW....Xt...-rs..}.QK.y.Z<)./.....,.S...A.....F.'..!.}u.mKT......Kfws..%DG...G..../.xj.i...qA.+.t......*.b....._...........A..S5[2...b.AY.D.^...t.-_s..W.....T.]...U.H,..X.,O.qm.$....}..O^..@o...).Q.@...jmKfM..F...qR)M..@N.._...m...U.!.5.?.f..Xt\|2...iR.w%.F..ls.1.6.S..[.U.......{(;...].i..0(%j.j..-..a

C:\Users\user\Downloads\SQRKHNBNYN.png.gn9cj Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1070
Entropy (8bit):	7.829303340069409
Encrypted:	false
SSDEEP:	24:TfqLLivhgcfcd9s2ee4EK159fzF2vkq9doeUvcQgoelxMVvgh:Tfqy5gcfcdT61REhQ+lkIh
MD5:	A63A7367788EBE6BC576A25E30D1F85B
SHA1:	2AB2A9A195CAB02C72896EC79835249C7A406695
SHA-256:	C0EB15CDA75E90AA1E892D719BAC9B9EBA6AA743F4D2F25373B39F6212E0F2E6
SHA-512:	2C5647063C5260A9865FF6346750BBA08D8AD1CE1CA78C68B94571C534450594B04DA988986D8AB073D88A40ED5671AE9A30BBC6BD4B55D50A352F0817958DC0
Malicious:	false
Preview:	..KEU...A\...abj.l..\........d.G....@.....4........z..if.....p........;....\;.0.[...b^.a.".....y....D.w..5......j..&.L3....pz...N.`.^..~......g2....6a.d.(gPe].I/#....E.)s../.39...7...u...._.........T.g.$./.\...Cm .(...\..}. .....#....}..e.M1\|.y.@K../..._.A.$.......\|..q...$~B.0T.).A...S.%M./B......(%..;..L....?./...,!vc...DF..I. ....b....\.`....ZM.}...8.{...R..W.......E...g..k..N.w.0.8N...f.........\|.S..Dh..[c.u.6..k....(\...w09.M..Vo.w.$.V...U.?.U<Ot....,..1..H3.o.i.".+k.W...n..ED.x.%._oW.?....+.I`.,.....n.\|.R......,.9....z...'.N..... ..+.}..[a.%....$....*Fo..k9~Q.S1<....#.}Q:{O..8..<f."{......!&z/..f.".f.L..,....y$o...w.....L...tE..n.`I..,.r...\...h....'SJ.y.q..r.J.a/+.y..b..!k..J.io.&.......bO.M.[.r."....u#=....J(#....,.J..(..C..,.smr<Z./8.%..pz.R4..W"...j.7..Z..2Q..,wm0]D.._s..j.~..J.%9&..I....L...\.Fvh3..<..=M..I2H4..W.K.@p.aL....(~....7....}..o.m..H.n..J..VUV.!G.....Y...2.SE..F-w\.z.U(.....E_e...M..b...5X.DN}.E#a...e..{..

C:\Users\user\Downloads\VAMYDFPUND.pdf.gn9cj Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1070
Entropy (8bit):	7.823373964108341
Encrypted:	false
SSDEEP:	24:6yElEpKLlHuKNkA+KeprhpdoSm0TgZxUnyUr1gJY0sOVYP:6y8pHuL3prxoSmBZ8JaOP
MD5:	5B4AE0E10953711BF0ADB11A83175A5F
SHA1:	1457EC580B964CC7715687ED94F3A716F0EDFC03
SHA-256:	05357507D54D3A767F272B39559341BDDDF0544B080F16FC84F3A327EEB7D1F3
SHA-512:	C368E2DC1AE1AE6DD750E0F3A411CE9A321D61401520C03E4BE6736A0251D8C6DB28531B472B807A6EECBC2450343482326853DE2465067C66543B2D51C011C9
Malicious:	false
Preview:	.....].g.....r.m~:)...-.R\E.h0y.S..?#..6.......8`.1....L.#R....<.k.B.{.DZ. .g.R ....r3....n.....u.L..Q.%.).\|.{..H..~.=<.S"".T...Rx/......l.^..`...:.X..T6.1}.C.F.......2...y.....Wo.M.}3P.e...i..&.8C.r...L..&......O..+...A>.`N0.\R.}.9...%.vve.9.^..<.P......_.<.#O]c.o.3).......p}be~............>3Z....t.!.e...`C<..D...?X........W..+..O+^.#.{.....]0.sj\.-.8....i0W..i.l{W...uO.S.Qo..p&.&....v.....k._{'.... ........%..p........^&N$--....30"pr.I!..R..}..+./..Te.gd......_...x..{f.h.....E.HB.."....j..D...'.j.....r...;.8.a.....n.\|.R......,U:=j...F...i.9....J.......S...a........>....q...?Rn..?...KV..G.gc...'..e..UP....J.G.....E.=:5.=>q.=.r..8i....:..8...N(..&.f].oC..[g.F.....4MRt.(kj6z..?.M.\|bH.Ip8/Y8...........U..hw....3_...CN.....Q.....E.......m.1~r.7LM,m%......PJK,.K.4.4p.h:q2I......y."(.R"m..aJ.H..+...........[.:....0u ..I}.=.T..~ UX.z...$x.{ry..ZD......q..~.f_..J~.@.'E.~.2...k.I-..hI......O...\.......$,.y..9..l.d.A.3H.. v.T.6B.F..._..0r.._OA?

C:\Users\user\Downloads\ZBEDCJPBEY.docx.gn9cj Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1070
Entropy (8bit):	7.8095308743117915
Encrypted:	false
SSDEEP:	24:YO+QEJYIFh0PITBHAzXahU6b/zkhCw+vOVZ7:qQUFhMIT1gate+AZ7
MD5:	A7F747B11E370A1B41805B7454FD4C59
SHA1:	223830FD7C23847CE996C7A904609B70B7BFCD1D
SHA-256:	7FFA31F743ECF2F273AF0C80D1A28E3168820E2ECA797FC0519AA86582ABAF16
SHA-512:	DD8F11A9155BC7606E968DC4DDFE1E57CDF5DBAB699B469C1132CB0EDBB0B648417BD73F35B949F053A51E0BF08D972CB28A6620FC6AD4E5DE30F0B670C86743
Malicious:	false
Preview:	.U{.Mq..c!u.Jh..@.JQ....Z...^......o..}.u.pl..%...m...KW...O.[.V....y.....X...?...H..':.......r%.f.9....E...cs...=..q..7.......xw..".7Q.z.zC...{....l..".....X....%.f..^.......0..".\...B.........b:a..~.'..N.-O}..k......uf....V...d.<.7./~.O.[-a4...*.#;Qf...\|.\|.....F......:n.[..0#.D......I.c)...(....eu.gK.-l.yF .TK........T...T?...E.4Zd...3.s.....M.jy.ds.9`.lk...@..-....Eo...f...Lg.4...p...3.q7.2m.e....<...t.................m....5....W]..@.;~.ESx..0}DR...>.E....!.y.p.......5.....sE...z...;...R-..pFm..O..n6.i......n.\|.R......,..p.6x....UA..W..L...M..{....HM.~K..."!v.1.5..il].......#...-."a.$.4.\|txj.^....b.......yA.&...l5.cP..Z.k.=.^.....GL...7..c)...S.Xi.....r0..@...D#.C.....^........].JsB..J..1VngW..F4..".......s....sB.'.U+Tw9T....3G...]%.P~D...D.......l.T...6A.....+..I$.U....&i..r0J.}.k"..T.......>.m.....J....v.Y]......+..F.N.Et.@+. :.sQ....s..oL)..L.@....l...u.c...mc..............0g..91...g~%..f.f[..)8...N.....xY.N....P0.{..L?.......

C:\Users\user\Downloads\ZTGJILHXQB.jpg.gn9cj Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1070
Entropy (8bit):	7.8377234950334485
Encrypted:	false
SSDEEP:	24:O/A7hlWzAY2aFxJGhlHD5jPYSSHimsuz/W+G5O:OsEWhNDSTCpT5O
MD5:	FCAD248D0A78D7E10137262B03BBD3B4
SHA1:	89989734D41C9EAA24CC2958234DA1C152BB86EC
SHA-256:	B75361C42B18E8542C1CD5664DA51D7E4D07AFC824CC0F85E9211096324C705B
SHA-512:	01F4BFD8CB27F533E64792E2DC717370DEDBB6727566700948ABFE96EA892A4490D69B52EE2BCA76BE9E1BBFE700CC65F95C094E8DF6388C35AC70FAC56D0E27
Malicious:	false
Preview:	.fW...VC.<.%.X.`.........(....P..h_..'..l....g#,..d........<.....N.p .&+...I..T.&......W..Ieg9.3m...A..>.IGU.f..e.......$.w.xey.z.]8g..,.5.b#._..l.....J8^Fhg.zh..tV..8TSA\.......I..#...4...... .h.Y..).Pc..#fT..."..PY.4!{).sx.W.^...].M..g.W.8."...._k;E.6d..z...........4..V...`....@..+....4....[E..=6J@.Z!..X./!..EG..nU%..f&.......J..N.......<..#...\...O."K..(.x.f ......GN.......~..&...>..`.F.&..]..6....F..6.....r.Q....z.-Z."..,..Z,.=...,.).M..gb.....).K ...`EA...#..j%..P......+.C1x..).{...,.l/..D.@.E5{OTF0.v....n.\|.R......,~...@MUk.z.vd....w..9Ny.D..9...OKE.6cJ..w.16..a.TO.../......,qYL`^K..a.J..q......w5.a...\.;..K5.-........+Q..R.x.....8~G5...u..$..E>..{..........Q]t.U...I..Rj.3.....5".......rY.A.....w.#..8..).V....Q..]C.hK.zy.F...j.l....R..o;........q..'^...i0..\|~).v...m?!7.X.9..X.....l..s..l.....61..$.I.....Dz.0.+]0...D./....p"............V.[..u......../..R.V..:....V......R.zW....w.M.........U.n....t&x...q...F..'v......6.x...N..i.#$

C:\Users\user\Favorites\Amazon.url.gn9cj Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1057
Entropy (8bit):	7.79670974265958
Encrypted:	false
SSDEEP:	24:OvdURRFBNX1tSrbOifUFfa3lZzzmruRumEdshaPQqKM2uIN:O1URRHNX1oxfUJa3PGm0sqKM2t
MD5:	B28C5EE99EF937FCA0C4916F33A81FEF
SHA1:	73A583998A88D30DFC205CF41AA083F8F266FED4
SHA-256:	B0492ECFEAB10170313071F5ABC6EE823F36F4E79B01339F67B10F34033608E2
SHA-512:	635A446B4A4ACC3592CBF8C4AA85E42984D6CCBD77B298C17AAC6F8C2CF4CD5C73ECBA1A58FDCAFA4396224BF1755135EE4D4CBF09F4CC2C83B377C8D47105FA
Malicious:	false
Preview:	J.l.w...T..W...$..U..l...63.D....#Xra..}.o.>E...=..u..+...p.......Q.....'...g......;.....r5..zT.X........0..6.@..&.5......H..H...^Z.c8.-......h... u....?.xb...........Td\|..uz.....i.[t...r.M.OB.U....m '.....q.&...-!......U...z...a...G6.....K........a\...s..SpZ..X./...}.71....#......s......`... .?..b.`..QX.#z.$..O]X=.....J.2.U...7..(I6.i.$......\|......N_.,#..".H .{...{.Cce..\...a.)'..k....H..@.M..8...zY>y0.k0..-.J{.bI.,.u.~.......YQ..'U....=Ur.......R......H....C.;..z.E.j.q....[b.....z.].!{0.9l.....1R....n.\|.R......,.Xt...'.`...#...}..Y..Y$k.......S...@.g/f......h....wzCW......Q.]~.>} t].A.u.V \|...J.....F..d.?...{1.%.1...WL1......-..c..#a......{.h....z.... ...`.....8Q..;A.f.`.Q%..#;...`.5..k..C.=\...B.q.~..v..T!.."._..X{...-q...A/J..\....X\|...H.Ghm....<Z.C..x6n...x...t...n.,RsK...8/ ........u..$P1..s4..g.0.t..M....W....(.....".` ..+..8...Ka@H.7..64..2.\......!..t/....@..>t..*..5..F........t...fC.O4..9N.=..`...Q. .K.. ...\..p.k.....\|.o<

C:\Users\user\Favorites\Bing.url.gn9cj Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1056
Entropy (8bit):	7.8359331968173995
Encrypted:	false
SSDEEP:	12:pjMWQ7cyBCg7VxfT02M6Kst2aRFqT+X3I3QQhsRMWhp4utmzCSshCU33ZHF:pgWWBCo02M6KM2v+HZzMWhp4dshTZHF
MD5:	7679477C8FB10CB9B189BDA7FE0336AB
SHA1:	E569D4D16DFDBE34E896F59ADE903AC4F76E3069
SHA-256:	7B98086A17DA173DF8448EDFB7716A76B2C021C97438EB500DE8DA049662EDA6
SHA-512:	643B28705EC311857FF08086C13069317B32367AB12AE3EDECDC5FB8664D1A812C9D4D3239177C5BA1284E8E8A9967E356DDBCD2CD90FDF77E5B25F4B79ABA41
Malicious:	false
Preview:	.%....?.Er4H:.g..zI.......b...........U..f...3../...K...@p..6h!yZi..)...pbB..%......c..+.;l/..Qe..~......d.V.m7....).......~."z)KG.D._J...'..._.B....s.../...OF...j.h..\|...-S~..Z.\...L.R.L7.{....@..5...(l.<...q.\|.N...+O.:kw(..^........ ..[...-^.F..,#...y.G....gt8..0...._U..,..6... ..O. .[..{b..OY.2...x.#.\...&.>[-.....M...X.h.D'...}1.&..N6&.>.2...........S.....(...tp....(.XoK:e.,.-.k....v~......]~A..'W..C..........o. W....c...i.S.O5]&~:.;#.{..hm.hL.~.1..b#I..s.E...jf.......%.XN1...."..I>.{a.......n.\|.R......,:...0..k.?.o.. .N......+y...N9y.n..q?R.B.....X.>..U..c(.....2{O...X....b.....o.t.......I5..k =.....t..F.c........Ny..<'.B..sf....r.c....,h..Q ...WL.V.0...6vpwkg...bR.{..G..S.Zb..I...!...8la.D.-.....G.-...A.0N.%U...Nt0...x.....@....2V...G..;.....~..n....&..$9(..G......O._\.....q.b,.J.O....Ap...XX......3?.X_!..e"".N..(>.......Y...<...L.!..DE....'..Z....tB.Ij..Pip.%q....$.....\|W.6.9.z..f5V.iF..7.W.S..*#-.T.V......y.e.r..A..U..

C:\Users\user\Favorites\Facebook.url.gn9cj Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1071
Entropy (8bit):	7.830856027236611
Encrypted:	false
SSDEEP:	24:LKrm9xlhJwVoaU9wDYZ7yBQLq7AHTKPI3sbXL5bcsRen:Ld9nhGVoa74Sy7HWPIGLxin
MD5:	F7119F5E6327435CDC977531392587B6
SHA1:	ECD314AC890CBFA9CABDC8648553DA4E8BDAA2B1
SHA-256:	3DFA7D2F76942802DFA2C44CC97614AF309495DC38C345AB11AD1858E17260E1
SHA-512:	A98C631061E25DC45602D88E0EC701106CF65ED006FAD68E88F25E486979385A6774693813C3A60D201E3126CA813CBF3204F903E3B52F8048D0C44A98BFDB6D
Malicious:	false
Preview:	%..?.(.-.O.......zC.......Q...B...(8...z.y..i [..>.I>....A.S....L.;.,{vj..Pm.....C.t.7..._.&,nH.Q..Z..c.L.PKQ0.b..6...V.....r.\|....0@.s8.83..<{.4^kZ..-C..k...KYG.~1...)e..i..r..tP.2.....u..C.r...p.NA<...!X.1.2\|f..,...\|X,...\..N....O......J?.{.<.\...0&.y...........l...=...J....R....&y/6TK.m........6..t.....&.t..(..;..(lX..N'....l..X..0]..$..<.t.t................<.#....sIds.3..-w.$K5].(..<..fC.U...D.g..9..c4:....;.U..}.}.'f49........2...?.\......}T..9..?...i.u..x.n7...C.p..{w..jM4..U..r.?...M...X....3.I.BK..\|..I...._.....n.\|.R......,Z...\R....Zq..f.....O.$..u.W"B.Z..K.g.p&...R.C. ..@s.....wN....X.....(.A..=.=o...o..3Y)B.....x..ah..ah...M.7.. .......!N....-..........&T.f.T..`..S.vw.k"I..!...q%....d.jF94..D/.[..3>..A.......Y....l V.....@.4=.Li&.[G.......?i....P5......X.....7V.\|"...:......K..=..!.P#..}.Jm...m.=......%..q....7..V.....!m.?......^.i..'.....).b....`#Z4.....=.b...k#.%+.Oj.o....]5.^./......4.rb';T..E.y.......\|.D.A?.n....J"..D.

C:\Users\user\Favorites\Google.url.gn9cj Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1057
Entropy (8bit):	7.823009076211164
Encrypted:	false
SSDEEP:	24:kwF+WXNoz0a8Jo+j5sIlYiu3icaf8/PbdRQjgAgzvSQceG:kfkEjgo+jdYiHfWdRwmSwG
MD5:	39965C34AE67543B4337CDBBCFE7F89F
SHA1:	3FA34E3E535E8804007EE672A3A46B43DFD0A2D0
SHA-256:	364817B2094A44A410DF54DF294D968BA139B0CE12644EEC8CC2AEED1FE47616
SHA-512:	57EA84735737E6389797940120B713FCD8E0247CC6381B177643C53A01BDFF7C6FFA002BD178188D9869ACD050923954E2AFECC998D848CDC5B4A17E72B26F40
Malicious:	false
Preview:	m(R.Z....\|...@4.......8Ks...)L..-..m.....i...\|.v..R.._...Gt...B4K.L.Y..]N..i.....F...p..=.........j......R-..s.qZ..N.....E...<...i...,.e..9j.....b..q...8U)3...N.I......"V.{.c..5.D9Z..Dx..kUc.6.....AX".......G.._...A.@.o.+(....&.n..Xc...k.Pd=.\.P.@....6.i..y.N........?...o......A.i/.vNL.]..^?D........Lo.:.\|.A.>..%._......2..w.t..sl.V.v...7..o.).8.U..R1.....f..Y{...[.......Xj.^0H...%..tB~.z[+.,d.r(..M.on;..=..]..%.s..x....L....?. k..Q.I..+........}...H....U..&.@IBd;z@G.......rX.,..........n.\|.R......,.3Z..Td3...^.I.?...)....}...J..`.h.S.G%dT.-..I.[...OZ........V.....x.f<=f.z....j.j...Xj3.)...C.B..q...mV........l...74.bi............!.z.`.:..3..F.9(X.O&..H...'.G...k...&JL..cts.....x..2.$W9.#.f.UM1......br5:>.[. ...U.Z.u....<..n.~...4x....G.N=.W.G.o.).3U:.%..}...#........&.j...s3[.....[.j.<.....I."s....1.2{..D.YY0..0..B..8.}./+.......C.J&.....j{rA....[.I.%...Sz4....G.7%9...c...rX[e(.vq../.....>.Ce..+:W.........zQ....l)b\..-..b.UqQ(Dzy

C:\Users\user\Favorites\HOW-TO-DECRYPT-gn9cj.txt Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	Little-endian UTF-16 Unicode text, with CRLF, CR line terminators
Category:	dropped
Size (bytes):	3274
Entropy (8bit):	3.3969029202767174
Encrypted:	false
SSDEEP:	48:rLrZ6kkqzuDVm6eRU5oKDIBE2qxOzOwUq7ZU/d9PfDoIwe1Nn2oEdFdb:r/L+m6NJ6JOwZgd9PrRNQ
MD5:	0C6D0A67B942D06FE27F41C7C582CDFE
SHA1:	7E674CF6375B138CABCA2706583D4CED7A1AEF27
SHA-256:	014EA5EFFC97085B7832512B9AD2A5C4487265EB67E8D7B0920EF2BC8768400C
SHA-512:	53EC4509BC58F53419A8923D808C7DFDECF57DC203C37265D061AEBAB73147720D1C419E79578065A42C3B2A63504370F90516C3F0AFAD5D6997952592D3A39C
Malicious:	false
Preview:	..[.+.]. .W.h.a.t. .h.a.p.p.e.n.e.d.?. .[.+.].........Y.o.u.r. .f.i.l.e.s. .a.r.e. .e.n.c.r.y.p.t.e.d.,. .a.n.d. .c.u.r.r.e.n.t.l.y. .u.n.a.v.a.i.l.a.b.l.e... .Y.o.u. .c.a.n. .c.h.e.c.k. .i.t.:. .a.l.l. .f.i.l.e.s. .o.n. .y.o.u. .c.o.m.p.u.t.e.r. .h.a.s. .e.x.t.e.n.s.i.o.n. .*...g.n.9.c.j.....B.y. .t.h.e. .w.a.y.,. .e.v.e.r.y.t.h.i.n.g. .i.s. .p.o.s.s.i.b.l.e. .t.o. .r.e.c.o.v.e.r. .(.r.e.s.t.o.r.e.).,. .b.u.t. .y.o.u. .n.e.e.d. .t.o. .f.o.l.l.o.w. .o.u.r. .i.n.s.t.r.u.c.t.i.o.n.s... .O.t.h.e.r.w.i.s.e.,. .y.o.u. .c.a.n.t. .g.e.t. .b.a.c.k. .y.o.u.r. .d.a.t.a. .(.N.E.V.E.R.)...........[.+.]. .W.h.a.t. .g.u.a.r.a.n.t.e.e.s.?. .[.+.].........I.t.s. .j.u.s.t. .a. .b.u.s.i.n.e.s.s... .W.e. .a.b.s.o.l.u.t.e.l.y. .d.o. .n.o.t. .c.a.r.e. .a.b.o.u.t. .y.o.u. .a.n.d. .y.o.u.r. .d.e.a.l.s.,. .e.x.c.e.p.t. .g.e.t.t.i.n.g. .b.e.n.e.f.i.t.s... .I.f. .w.e. .d.o. .n.o.t. .d.o. .o.u.r. .w.o.r.k. .a.n.d. .l.i.a.b.i.l.i.t.i.e.s. .-. .n.o.b.o.d.y. .w.i.l.l. .c.o.o.p.e.r.a.t.e. .w.i.t.h. .u.s... .I.t.s. .

C:\Users\user\Favorites\Live.url.gn9cj Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1059
Entropy (8bit):	7.784964262236934
Encrypted:	false
SSDEEP:	24:2WPcelKwkFkpCtljgqX1JjwNK2CLwPIuB:bPCkpCAuJj6KvLOFB
MD5:	1A0A2334087B616C5C21CEA97FC77134
SHA1:	6D9AFFB3BAFE4B7929354D5CB035CD3CE98A38DE
SHA-256:	B34E9D38D13E30A3696DA8A79F01B6C5EF97756424248737879E9A7EC0020ECC
SHA-512:	E5001C49D070BE57BD8926EE940329D67331A07FFFF8082920B2528C669048ACA96AD11F495E8BFB19AF547719CC811A06649E0DAE71748EBC13263EA94A65B1
Malicious:	false
Preview:	..Y...0Je....=....;.C.........3\E7.J.@s..S.s..D..............)....VQ...]..n'..d..8.>...r`[...YSgvv...A.N].#..9.jp.Q.o.s..T.(m..........Nfr......[s..........6.9..0......MQ.;......-....Z..&........2....U...................v.K....!...cTy..7n\|B..!..b(.}..y!.....OF.=....f..C.I.F.P...63.U...c.\. [..Y......G!Cr.;...l..U...L\...........<s..C....8@.%...."m.IL2...]..)aw.`t."..L...\|.d....E......nb-R......(/7.....b(..4...V..A...y.~H.O+re.7............6#=..j1...F...!v+..a..E..5%9..x.t.....r.^........n.\|.R......,U..a..d...G.....\..3..Mp...M.m...L.1 ...$....s.....E.B....j....~j..E;Y....5h.`I.$..U..U........7.6..0i.......Z).[.x....=V.c.p....nZ..."B<+.;...6{...5d`.......{..).....9.G9...6.7?...6:<da..7.(...\BJ....#%.Q..PT"X..Q#..N..Xd....Z....V-...1....b....2..z....CC.U..$...?..}G..g.p..qH.<....xv...c.cCB.....F.U...@~...dk.N..WyI@i.y.MM.U......kt.Q..3.q._.@.(1.......+.3:>........w.B..7.....A.Gd1.u.xa+.(..d.......a.....Xd7...DD.....

C:\Users\user\Favorites\NYTimes.url.gn9cj Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1056
Entropy (8bit):	7.836725317442077
Encrypted:	false
SSDEEP:	24:QgMKrccJ3oLp984dqjAs7MJnUD1lAS5Cmeb5MxPnsXE4p9:Qd2qp982TnIlARmebe6XE4p9
MD5:	FA53DB3157C8AA0B48844CC0B2B7156D
SHA1:	3AEA1E0F35DB7658014CD2F0D086778067782712
SHA-256:	66DEEC891F1C06357BFB69C29685B0D9FA88CDADC44FB635B7460203CBAAE0EE
SHA-512:	A6F5F50546A277AEFFDBC40B254C57527204A12A4DD06CFE8CA0C9980BC92D73CDCC3F683105B6025C1A71BFB044515441207054B14D337E21EECCF84C5C21F5
Malicious:	false
Preview:	.Ry.VWl..@.......BB....S.`..'..<.....-.."F>.ml...P/g.1..o.h.c...J.r..3...<;}.h.............i..,..0...h.]\|..R.>.g..1.v.H.K....-.K..1G.....o...&nzi]^\k...)..h\Q+..'.bt4...?>......d..q5....o,.xs?....l _=...C...>.$;...gA..o.&.FX+..X.4...v[...];%hb.......#Id..........8}....M.......\|...H-..V....m..R...f.n...0..{..t....;t..oe..pb.v....<..f..4-.H..~......d..{.X..9/.;N......a..:U..u.2..U....\|X..Q...C..:.....&.q}.....$./...."..,@...jc........A........UUeM..fRv...'...W.N.A.r...3.{......2..HGd.:...j@......n.\|.R......,4E..?..G...D.&im^...D.......Vk.....P..L.m)l.s8..q1.1,5....Z..?h...I......H........f.).1...3..........T.{ .p..!..G9...;oN.#..~....a...kw....^!.....5.R.2.w..4<.x........2...ef.oL.n...A...........$..P.....7.......L6..B.o.......M..5.7\.JJ."j.?=....j...7.(..R3.M..8...F..VO...t.H.yS.o.U.3.\|.$u.7.....`./....g..A..q...(..R.<.H..G..... W(.....T..I..L....._<.Z.I.V..(.4..i...`............g.{......r..w.....?....n.n.q..6.6.H.R..R...c.>......

C:\Users\user\Favorites\Reddit.url.gn9cj Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1057
Entropy (8bit):	7.825763847377816
Encrypted:	false
SSDEEP:	24:vyfSrBfR9ZLEc74JY1Ts5spw05dpb4+YtE2k0zQW:vyKt3BR6upwWLb4+WLk0zQW
MD5:	EE18E01C407926B59F19699862339FFF
SHA1:	F7BF498850A301E23BB426E161D0F0301E003847
SHA-256:	5150A884837EA2CA31265644CB96494A648EF46C570AF6D8E89828E58CB88DD4
SHA-512:	ED7FC8839A32ADB4B352249448CD09AC67D354DB2746693798950870EAD0CC5258B6E5153E92E037D77F8C80CD1C552F7A8378400991EF218B301CCC411A5026
Malicious:	false
Preview:	E....c.....f..y.V.rm5).sh..5..T.t..u3......a..F....{6.......t.T.. ].&.5.?l.m..%e4.......{.........]!`..........99 A.5^l...M^1.?725%...9;A.~.C.[a.7.-Tu!$[.ejK5.l...u^..Z.....u..Wp~.u.H..........(."..R.)).9......saX..../{...:....t.....X.....GC..B.BZ...l......2.+.v..v...P.....g..2..c...v..S...3.Q.t....Rd....C.A.P....~....,.HJ......z.zm........y.......}.5;K.O..t..=../..1...5t.!.......2........d6.tM~.?.hEH.....n.....qs...V3Z...p3,.8......$ul...}..%,..1J .8..F..0.#a@.@b...N...O.{X....3..Vcg.$..ee.{.....n.\|.R......,^.4....-...M..].1...8.....6.;...6.Oc0-.:..qv.2#......"......^...W.qN.P..V7....H....r..".........<m.F.%gq.`.}..5.?U1..q.T$.(.,...._....5.xs.$N..Of.M.T......W..x....!:;...t@m@9...[..i...8.......3Z:.zdM.....=..P.U..J.....i..O.y._.hI.k.u.....W...t.l6..%..U....b......AC1J.@y. ....}..\......}`..]....a.s.."KQ-%t..u7:.R..+uz.=.j.L..q...}-....3{;...3..%.^........"Kc.....0$......w.O(.../\.'..$..}HD..0'.....(.xL.J...AD...s.....K.2...{......v}

C:\Users\user\Favorites\Twitter.url.gn9cj Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1056
Entropy (8bit):	7.817017467933476
Encrypted:	false
SSDEEP:	24:Hn82ZjisjS3ftM4tA7e6rPvZzGW6eWi2yOVlOqbk31g+6bS4vL:HB2sgMWANxySx2tI1g1vT
MD5:	73E3DC9A7BFF6E3484B89513AA8CD6FA
SHA1:	A84DE417EDFA5D590D1385CEE48FE4736A1D1377
SHA-256:	5BA959F73C47CD105526E8D2BCE8984540785222B8FD6C2D6C59C21BBF4EAF34
SHA-512:	0E12C81B7A1DF51F0FF5651DEEB6562F5061A5C5733374AE4E21C58B9F0F29DAD420BCAA8E413C4F526F3006EDFA8DF9D0E7326B1D3A61FBAE3197C2561EF171
Malicious:	false
Preview:	2...(..t>..g..d..j.i..w....N9g.?.R...M.;@.........eB..........L.b.....$9...PwWp.^qq....d...O&..c.(V.N2.y!......r.y....Z......ng..l=.......qp....L$.N..t.....4.^?....Kgn^..%...I..:.B...x...c....9ry?.!..gZ3S.....x..M...7`..R~Q...j.....V.;..\|.....9....\|.\7..!`..^.....f..,.B+.\|.<..R..4.q.+..,....../A..HUc..vt..VY...m.>...L..q(..V%D[......3...L.E...2T(._.J.L..gl......E..v...V.F........'....X(..5....J.....&.@O_P._....8....l+/.el\....N..p;h<r.K.K....%.~.y....(.hJ...r.^$.0.)7$I..`;.L....gs.&(x.k...59.0h.....n.\|.R......,....A$....[.DnG....:....9...,...BP...F.}B......7~.2.L%h..P.....v....38.>....w.V.J(.]....}8W...V!Wl.....G...-.{..v.vT;.oBon.-1.?96TiY..6#3.a..G;$..........j"[.7_..&\...:...<.W...3..`....h...L.8?S.<...\|+......DY...H+>..B..Z..+.3>...o6.a....(g.<.Y.s.\..G.f.`...P.s..` ./jS.........=...(..h....5.+.$........8'.7..."0y$M...4F.72d....B..;.J.L..\.9...x..\|......-?o....43. .d8=.$`.FOP.x].L~....Y0...z.5?...^.$..U..Cp.-E.{KLRn.0m.pKB.--*G..8

C:\Users\user\Favorites\Wikipedia.url.gn9cj Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1070
Entropy (8bit):	7.822375371707059
Encrypted:	false
SSDEEP:	24:vj38Wj0cmzSS8OkuAY7purkOlwZsLKz4QxQ3TMX0g0ItYa:v7xQ5+Ezpuk1Zhz7q38Oa
MD5:	18FE74133D182BD81D224620CBA268E6
SHA1:	152F8EFC53A290B5519DD73B3701E25476C37700
SHA-256:	8CE5B79524F636DAF2FCF1281AF154C5636C806A5B87A9F4698DB68054DFF367
SHA-512:	294245E263973FA8656B05BCAE680554E9BA817D6ED39D955B302AAB7F1891706E9CDB905E9207D27ACACF1D031CCA48D4FFDFF0229BCAC9BDB0FA5D3A9BB61E
Malicious:	false
Preview:	.D..8.)pvx.l:....U.L.UWc..3..:....~...]..<8..&r....z.&....3...Zm.....Q.-m.\|...e.]..,r.....N..'.j..$...{=Z..X..3.h.....l.c6k..+..'.Hi.....8c..t...v..}...]$...o..Ka....l."`.....[.%K).w0.L.C.S.s.B.........3.....rT./..T..}..{...0[.....b...XX..L...#)..\>..3..f.D.;U.'.4R...rC...V.}..L....qt..r[...\..:....1...S.t.".ji..........h..IWv...........i.j?2.O.G.O.v....L.L.,.....?_......)o_c~.h......4G..C.G..oY.].c..x...~..r ..)....~ .].0."F...~.. 0i!..<K..1r....E.N..{.....[K.}"...6..p.....J...R..:4...3.az.<!...>...U....E......n.\|.R......,.....S.q..-.....,U...$..j..o.'........q...Q....(..z.T?,.Z.x.........UM..l-2..{.Q.....(.E1.C.....%...M...Z... .<.na~Y..e......Pl.q0'@..9....Et9.e1..P..P...Nxs....T......0......X. z..U....h.....6....k !.).+../N6..s.^#...P.Q%..f.......N.x..1.......@.d.E..-.p..l...P.eBa.......:..%.....>......,.@.J.)^.f.....1..)S...7..(....6..G.[..].............[.tLJ...^.....y\.s..&...0..\...J...3.[..T.M...A[j5..2.8QL...$'....

C:\Users\user\Favorites\Youtube.url.gn9cj Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1056
Entropy (8bit):	7.817665756283738
Encrypted:	false
SSDEEP:	24:uhdNFULeIbPzBfZPGl7wvOVhou1bfa2izw3r7BK2OHh:lpbPlZPGlvLLbfay3PBCB
MD5:	AFBEBFA0DE3ACBA8DAD88180AB0CFD61
SHA1:	30C1EEBDC556EE15EBBA6072F3C405B8DAF22895
SHA-256:	2C7ACCA940D427459D3070A14F33F3001D542F8EF7D9F5D1C7F2FF7C5105102E
SHA-512:	22B916BAD0283E0A48AA9BD6481AFA2971C62AF15F05F10419C1DA95E7DCD8E43B72155A31943DC4A24E0D359F5CFD85DB1AAE805AD0CA595ACEAA4EA77C97CF
Malicious:	false
Preview:	..^.1w.N......d9...\[..E..>.#.0_.xF. $..[...C[.P...5E......^..D.r,u.}..-......<. ..\|K.W...vm.......gB..N...By.. uQX...y9...6].&..\|..r...q.d%Z..E..g&q.J.\.{^.h7..D.sY.Cw.T\(...2..j...M8g...r.%.R1.....6...).?M@v.....'..L@..G.r.~..a...).Q..f.=..I...R..1..H......1..w4.-ak4.{.>>^.'h.......S...@.y......^........nR...u..C.=.j}.d..<.]g.oZvP...k..-...D....7...Y+=..ed......h..R.U.'.r...UI..e+m....!WD6z_.D?.k!w.M.3E....8.K..6p......f..g..i.(.E?{\...........0.1..{S....^......&ER.Fm...;'.Q..<.{...i...%..!7.....n.\|.R......,.VH..2...mD.5m.4...!..oAf.E.R.U.#..p.....`.....T..%.B..."v.[... .UXg^e.30.p...n..+w,W[fpg58.D.J>V........f....YWu.5.L..v....Y...\v.H..^........j..zC...\..%I.5:....}....>B.`.<..RB....[%~..r.WH..I9..ZkH.^1...x..@.Q....Z<.l...E.D.7..~...1e.0.{nj.ua.we...T.n....B.u..n.8...rnml..aU.o.9.{...7..!w.I..a...".!...I.vK..t,ubO.o./..}.."...R=.....!"......w.2?{'b.........N....Xg9.G...Z...q&..\|..+/.;.../.e....+(.z.......E..R.j.1aP;....*.H,..g.D..

C:\Users\user\HOW-TO-DECRYPT-gn9cj.txt Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	13096
Entropy (8bit):	3.3969029202767174
Encrypted:	false
SSDEEP:	192:DL+6FZQD7SL+6FZQD7SL+6FZQD7SL+6FZQD7Q:DeSeSeSeQ
MD5:	6024A3B4EBF7A790E899A5E739F3C820
SHA1:	85C3313A58BEBB96B18273D7138D66D949C31839
SHA-256:	3F65695883421BCA3AEC8532338CD41DC42A532D3F0D47B1A50E91AAAD4FB956
SHA-512:	4D9F7CB6A82C61853740B1E7CCF03837169EDB025CFAF5EB1B86FAD38BC6B9626DF27C137B744AE1DE6A2C507614522FA6937CCB94CD5CEE61C34B235C0E2C76
Malicious:	false
Preview:	..[.+.]. .W.h.a.t. .h.a.p.p.e.n.e.d.?. .[.+.].........Y.o.u.r. .f.i.l.e.s. .a.r.e. .e.n.c.r.y.p.t.e.d.,. .a.n.d. .c.u.r.r.e.n.t.l.y. .u.n.a.v.a.i.l.a.b.l.e... .Y.o.u. .c.a.n. .c.h.e.c.k. .i.t.:. .a.l.l. .f.i.l.e.s. .o.n. .y.o.u. .c.o.m.p.u.t.e.r. .h.a.s. .e.x.t.e.n.s.i.o.n. .*...g.n.9.c.j.....B.y. .t.h.e. .w.a.y.,. .e.v.e.r.y.t.h.i.n.g. .i.s. .p.o.s.s.i.b.l.e. .t.o. .r.e.c.o.v.e.r. .(.r.e.s.t.o.r.e.).,. .b.u.t. .y.o.u. .n.e.e.d. .t.o. .f.o.l.l.o.w. .o.u.r. .i.n.s.t.r.u.c.t.i.o.n.s... .O.t.h.e.r.w.i.s.e.,. .y.o.u. .c.a.n.t. .g.e.t. .b.a.c.k. .y.o.u.r. .d.a.t.a. .(.N.E.V.E.R.)...........[.+.]. .W.h.a.t. .g.u.a.r.a.n.t.e.e.s.?. .[.+.].........I.t.s. .j.u.s.t. .a. .b.u.s.i.n.e.s.s... .W.e. .a.b.s.o.l.u.t.e.l.y. .d.o. .n.o.t. .c.a.r.e. .a.b.o.u.t. .y.o.u. .a.n.d. .y.o.u.r. .d.e.a.l.s.,. .e.x.c.e.p.t. .g.e.t.t.i.n.g. .b.e.n.e.f.i.t.s... .I.f. .w.e. .d.o. .n.o.t. .d.o. .o.u.r. .w.o.r.k. .a.n.d. .l.i.a.b.i.l.i.t.i.e.s. .-. .n.o.b.o.d.y. .w.i.l.l. .c.o.o.p.e.r.a.t.e. .w.i.t.h. .u.s... .I.t.s. .

C:\Users\user\Searches\Everywhere.search-ms.gn9cj Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1064
Entropy (8bit):	7.790654506089252
Encrypted:	false
SSDEEP:	24:jNbR6tJM0/cHl2F1ZSmba13CjXGxFeyATs20ntJz/F0mn:jdR6tYHa1ZKwX7DE/F0mn
MD5:	1DD11C4070E579F54C6AEE118D7892ED
SHA1:	1E778AC8DB7DBC924372DD109F43E6577DC38D43
SHA-256:	7BA80B1DE6437DF7A85F93C4B403FCC016446995D4E8F879A9A9767C60D52F2D
SHA-512:	2885CD8BDE37AC41553A61EC35D31AE5790E6304697EC882EB0701AEEC53607AC06795220AA4704E6C561F569957DDE3F08C5CC541456F3A3757E40914639763
Malicious:	false
Preview:	\.t...(...'^Ej..O....B.V.a...........u&...(K..e.k..L....2C7...e....=..........C..o.J>.\.cp.Z...f.).......@...'.a.IQY...p..F.\|.G<X..y..v...,X...y.y?...+(.6M.j._;(\|@.)jR.S....._9.n..?oo..rW..N$/..PJ.p.]......V_.J. MP@>..^...3......I.N\d&Fp+{...s&..(4.Q..TW...8.w....4.Q....1?.....3...V.\|.fC...L{....4.*..c[.\...s.G9>.......e....q.L..1...B..+....h./...,U_...........M...:,@...Fm#G,.X[....E."..0.....n.....j;.....`_..r.q.].. ....t.en..{..W._\..g..[A.....3..YJ`......./....}QN..S5.L....Z.V..43&.d..........>.^.s.~E..(..SZ....n.\|.R......,Z.d23..x.S@._p.e.:.>N.xURi?....G.4...j.z.P...v..A$B.t....`[Z#..M...W.....j?0........1.N..mo,A>4X..29..yV.....7[\t.E....i~...5J..v...$n..Vs..MS^TE.....KT..V..Z.]9((..Ic..)wG.=.3R......../..a..h[..#qnl...y..Xx....T..}....5...y .. ..,=.....p..v...5.e...0FY..C...J7a..W....a..wv.0$......c.1.u...i.I.1...K.uF..c..\z.J...,...q..N!..v.\|[.O.......U >X.3.+.....#...v=...s.........v,'Q.\:N...D...S.$/C..Af...V.d.....)...I.z[.+'8..Gw[bW;.7.

C:\Users\user\Searches\HOW-TO-DECRYPT-gn9cj.txt Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	Little-endian UTF-16 Unicode text, with CRLF, CR line terminators
Category:	dropped
Size (bytes):	3274
Entropy (8bit):	3.3969029202767174
Encrypted:	false
SSDEEP:	48:rLrZ6kkqzuDVm6eRU5oKDIBE2qxOzOwUq7ZU/d9PfDoIwe1Nn2oEdFdb:r/L+m6NJ6JOwZgd9PrRNQ
MD5:	0C6D0A67B942D06FE27F41C7C582CDFE
SHA1:	7E674CF6375B138CABCA2706583D4CED7A1AEF27
SHA-256:	014EA5EFFC97085B7832512B9AD2A5C4487265EB67E8D7B0920EF2BC8768400C
SHA-512:	53EC4509BC58F53419A8923D808C7DFDECF57DC203C37265D061AEBAB73147720D1C419E79578065A42C3B2A63504370F90516C3F0AFAD5D6997952592D3A39C
Malicious:	false
Preview:	..[.+.]. .W.h.a.t. .h.a.p.p.e.n.e.d.?. .[.+.].........Y.o.u.r. .f.i.l.e.s. .a.r.e. .e.n.c.r.y.p.t.e.d.,. .a.n.d. .c.u.r.r.e.n.t.l.y. .u.n.a.v.a.i.l.a.b.l.e... .Y.o.u. .c.a.n. .c.h.e.c.k. .i.t.:. .a.l.l. .f.i.l.e.s. .o.n. .y.o.u. .c.o.m.p.u.t.e.r. .h.a.s. .e.x.t.e.n.s.i.o.n. .*...g.n.9.c.j.....B.y. .t.h.e. .w.a.y.,. .e.v.e.r.y.t.h.i.n.g. .i.s. .p.o.s.s.i.b.l.e. .t.o. .r.e.c.o.v.e.r. .(.r.e.s.t.o.r.e.).,. .b.u.t. .y.o.u. .n.e.e.d. .t.o. .f.o.l.l.o.w. .o.u.r. .i.n.s.t.r.u.c.t.i.o.n.s... .O.t.h.e.r.w.i.s.e.,. .y.o.u. .c.a.n.t. .g.e.t. .b.a.c.k. .y.o.u.r. .d.a.t.a. .(.N.E.V.E.R.)...........[.+.]. .W.h.a.t. .g.u.a.r.a.n.t.e.e.s.?. .[.+.].........I.t.s. .j.u.s.t. .a. .b.u.s.i.n.e.s.s... .W.e. .a.b.s.o.l.u.t.e.l.y. .d.o. .n.o.t. .c.a.r.e. .a.b.o.u.t. .y.o.u. .a.n.d. .y.o.u.r. .d.e.a.l.s.,. .e.x.c.e.p.t. .g.e.t.t.i.n.g. .b.e.n.e.f.i.t.s... .I.f. .w.e. .d.o. .n.o.t. .d.o. .o.u.r. .w.o.r.k. .a.n.d. .l.i.a.b.i.l.i.t.i.e.s. .-. .n.o.b.o.d.y. .w.i.l.l. .c.o.o.p.e.r.a.t.e. .w.i.t.h. .u.s... .I.t.s. .

C:\Users\user\Searches\Indexed Locations.search-ms.gn9cj Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1064
Entropy (8bit):	7.841396379441315
Encrypted:	false
SSDEEP:	24:uAHbrbrXPc1V08ZF66OCYr2zmoht61WOmje2U05QF5Z22okYPw:r7jXKLz1O3r2B61eje2H5QbZ22ok0w
MD5:	CC7BD38BBD4A7E7AFA59939E372F9A67
SHA1:	B33A760441481DC987FA51B21D14821D710F9C3B
SHA-256:	1DF1537BFDDB36BE544F4FBEF05CE05410DB0C58FA38FCA94774C2E310245CBE
SHA-512:	FDC461B9B1BDD533933B962BE992C0821E781236ED7A4DB720D0C5F8E1A90AA0471106214A4C87E1000272313C261691D0E78467BFB142F6BD85BEE8E9FFE1A1
Malicious:	false
Preview:	.w...uX)..'....(V.......3......sF....F...V.zPYz.....Da..cAum.,.m.~...(.p....F.:l..7,.Wz.........e.\|hZ.I~U.Sgi.E...#yF.T.q.'......a......z.,'........fs8.r..w`..s.3A.{.U.eR.H........L?...B...ZX5w..i!a....b... .......#.vl..7...a1.S...y........d...t..JF..G]g....\...-.<b3........>.~.....XV8.L.....1.o.x...k..g......xtD=.t{._.mL.!)~..:}..lA.l.2.....'e...E......%..a....].&&....K...^.}.....FS..V....?$P..=~..S..A..fS.A.'Z?....d.e.l...yd.#..^...$.M......_..>..l.(.).C...U.....u..^C...\|...K...I....s.J.>........3.....n.\|.R......,-....akj.V.U...O...!r...,....P..M...0(..H.BGO.Z)....+.F\...0.h^..#.:y...O'.....fYWK.c..V@_...T..~..[{.'x..[.....1T.X,.A......._x._..W...%.p+A...@..n..$iZ...qw.".6..I....U.L.l.!......1O.X...c......v.1.F./QR/...e....M!D...{..5. d.-.\..':b.Z.P3C.N..".......Gsm..`0.j.K*.........Jg. ....<.a.....2..8-fK.uHn....,.ma[9.U..Z.N?40p..{.2...;.%...L.A..K..;.pL..Es.+h.tA.$......#a..`.".+....\../....k.O.....;5.$.B.b...X.E..[.....<A..tH.b.

Static File Info

General
File type:	PE32+ executable (GUI) x86-64, for MS Windows
Entropy (8bit):	7.926339570961052
TrID:	Win64 Executable GUI (202006/5) 87.40% Windows Screen Saver (13104/52) 5.67% Win64 Executable (generic) (12005/4) 5.19% Generic Win/DOS Executable (2004/3) 0.87% DOS Executable Generic (2002/1) 0.87%
File name:	Q1xEDBAmY5.exe
File size:	1915904
MD5:	7d4550dd4c6996057147ecc996b14e9a
SHA1:	d0d68281f8459b5558559fbbf8c6c8ab4ddfec8b
SHA256:	ea310cc4fd4e8669e014ff417286da5edf2d3bef20abfb0a4f4951afe260d33d
SHA512:	e0653ac9c92bd134ff43886b4a8a36016660294c134ff11c6cddefe50494923fdcf370c3d96d5538d2c7ef20d216b4d15b914d40002c982c69021ee8998f57df
SSDEEP:	49152:2HOalx8WJjq64Hv7OHxTAhEu5undVmB9dn5AI7EyP3:E/8WJjiPSRRu5undVmDd5VEyv
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........S..n=..n=..n=...F..n=..n<..n=..<...n=..n=..n=..<...n=..<...n=.Rich.n=.................PE..d...9.._..........#................

File Icon


Icon Hash:	31f0f4f2f1f2d4ec

Static PE Info

General
Entrypoint:	0x1400012e0
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x140000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, RELOCS_STRIPPED
DLL Characteristics:	TERMINAL_SERVER_AWARE
Time Stamp:	0x5FDFC939 [Sun Dec 20 21:59:21 2020 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	2
File Version Major:	5
File Version Minor:	2
Subsystem Version Major:	5
Subsystem Version Minor:	2
Import Hash:	7bb84c055e762f3b23509e70313814ed

Entrypoint Preview

Instruction
dec eax
sub esp, 58h
mov dword ptr [esp+2Ch], 00000001h
mov dword ptr [esp+34h], 00000001h
mov dword ptr [esp+3Ch], 00000001h
mov dword ptr [esp+24h], 00000001h
mov dword ptr [esp+28h], 00000001h
mov dword ptr [esp+30h], 00000001h
mov dword ptr [esp+38h], 00000001h
mov dword ptr [esp+20h], 00000001h
dec eax
lea ecx, dword ptr [001CAD55h]
call dword ptr [001C9CFFh]
call dword ptr [001C9D71h]
mov ecx, dword ptr [esp+2Ch]
call dword ptr [001C9DEFh]
movzx ecx, byte ptr [esp+20h]
call dword ptr [001C9D64h]
mov ecx, dword ptr [esp+28h]
call dword ptr [001C9CE2h]
mov ecx, dword ptr [esp+34h]
call dword ptr [001C9D58h]
call dword ptr [001C9D5Ah]
call dword ptr [001C9D5Ch]
mov ecx, dword ptr [esp+30h]
call dword ptr [001C9D5Ah]
mov ecx, dword ptr [esp+3Ch]
call dword ptr [001C9CC0h]
mov ecx, dword ptr [esp+2Ch]
call dword ptr [001C9CBEh]
mov ecx, dword ptr [esp+34h]
call dword ptr [001C9CBCh]
mov ecx, dword ptr [esp+38h]
call dword ptr [001C9CBAh]
mov ecx, dword ptr [esp+3Ch]
call dword ptr [001C9D30h]

Rich Headers

Programming Language:

[IMP] VS2005 build 50727
[RES] VS2008 build 21022
[LNK] VS2008 build 21022
[ C ] VS2008 build 21022

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x1cb1a8	0x64	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x1ce000	0x9408	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x1cd000	0x9c	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x1cb000	0x140	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x1c9622	0x1c9800	False	0.959732005635	data	7.93629055935	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0x1cb000	0x5ea	0x600	False	0.442057291667	data	4.39028230053	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x1cc000	0x410	0x200	False	0.337890625	data	2.11355728393	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.pdata	0x1cd000	0x9c	0x200	False	0.236328125	data	1.47356476501	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x1ce000	0x9408	0x9600	False	0.403854166667	data	5.18022076174	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_ICON	0x1ce1f0	0x4228	dBase III DBT, version number 0, next free block index 40	English	United States
RT_ICON	0x1d2418	0x25a8	dBase III DBT, version number 0, next free block index 40	English	United States
RT_ICON	0x1d49c0	0x10a8	data	English	United States
RT_ICON	0x1d5a68	0x988	dBase III DBT, version number 0, next free block index 40	English	United States
RT_ICON	0x1d63f0	0x468	GLS_BINARY_LSB_FIRST	English	United States
RT_RCDATA	0x1d6bc0	0x843	ASCII text, with very long lines, with no line terminators	English	United States
RT_GROUP_ICON	0x1d6858	0x4c	data	English	United States
RT_VERSION	0x1d68a8	0x314	data	English	United States

Imports

DLL	Import
KERNEL32.dll	LoadLibraryA, GetModuleHandleA, GetProcAddress
USER32.dll	GetMenuCheckMarkDimensions, IsCharAlphaA, ShowCaret, GetDesktopWindow, GetForegroundWindow, GetLastActivePopup, GetQueueStatus, CloseWindow, CharNextW, GetAsyncKeyState, VkKeyScanW, IsCharUpperA, GetCapture, GetKeyboardLayout, GetDialogBaseUnits, GetOpenClipboardWindow, LoadIconA, GetDC
GDI32.dll	GdiFlush, GetTextCharacterExtra, CreateMetaFileA, AddFontResourceA, GetTextCharset, SaveDC, AbortDoc, EndDoc, GetColorSpace, DeleteMetaFile, GetMapMode, GetStretchBltMode, CreateMetaFileW
ADVAPI32.dll	RegQueryValueExW, RegOpenKeyW

Version Infos

Description	Data
LegalCopyright	Copyright (C) 2009-2016, Ivo Beltchev
InternalName	ClassicStartMenu
FileVersion	4, 3, 0, 0
CompanyName	IvoSoft
ProductName	Classic Shell
ProductVersion	4, 3, 0, 0
FileDescription	Classic Start Menu
OriginalFilename	ClassicStartMenu.exe
Translation	0x0409 0x04b0

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

No network behavior found

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: Q1xEDBAmY5.exe PID: 5032 Parent PID: 5956

General

Start time:	20:53:19
Start date:	29/03/2021
Path:	C:\Users\user\Desktop\Q1xEDBAmY5.exe
Wow64 process (32bit):	false
Commandline:	'C:\Users\user\Desktop\Q1xEDBAmY5.exe'
Imagebase:	0x140000000
File size:	1915904 bytes
MD5 hash:	7D4550DD4C6996057147ECC996B14E9A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: Unistore PID: 1752 Parent PID: 5032

General

Start time:	20:53:23
Start date:	29/03/2021
Path:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
Wow64 process (32bit):	false
Commandline:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore /go
Imagebase:	0x140000000
File size:	1915904 bytes
MD5 hash:	7D4550DD4C6996057147ECC996B14E9A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 53%, Metadefender, Browse Detection: 83%, ReversingLabs
Reputation:	low

Chronological Activities

Analysis Process: cmd.exe PID: 4844 Parent PID: 1752

General

Start time:	20:53:30
Start date:	29/03/2021
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd /c waitfor /t 10 pause /d y & attrib -h 'C:\Users\user\AppData\Roaming\TextNotepad\Unistore' & del 'C:\Users\user\AppData\Roaming\TextNotepad\Unistore' & rd 'C:\Users\user\AppData\Roaming\TextNotepad\'
Imagebase:	0x7ff7180e0000
File size:	273920 bytes
MD5 hash:	4E2ACF4F8A396486AB4268C94A6A245F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 3528 Parent PID: 4844

General

Start time:	20:53:30
Start date:	29/03/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff61de10000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: waitfor.exe PID: 2076 Parent PID: 4844

General

Start time:	20:53:30
Start date:	29/03/2021
Path:	C:\Windows\System32\waitfor.exe
Wow64 process (32bit):	false
Commandline:	waitfor /t 10 pause /d y
Imagebase:	0x7ff607f60000
File size:	39936 bytes
MD5 hash:	9509EC0B3D20348D129183021BF38BBB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: cmd.exe PID: 5112 Parent PID: 5032

General

Start time:	20:53:31
Start date:	29/03/2021
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd /c waitfor /t 10 pause /d y & attrib -h 'C:\Users\user\Desktop\Q1xEDBAmY5.exe' & del 'C:\Users\user\Desktop\Q1xEDBAmY5.exe' & rd 'C:\Users\user\Desktop\'
Imagebase:	0x7ff7180e0000
File size:	273920 bytes
MD5 hash:	4E2ACF4F8A396486AB4268C94A6A245F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 4936 Parent PID: 5112

General

Start time:	20:53:32
Start date:	29/03/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff61de10000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: attrib.exe PID: 3576 Parent PID: 4844

General

Start time:	20:53:32
Start date:	29/03/2021
Path:	C:\Windows\System32\attrib.exe
Wow64 process (32bit):	false
Commandline:	attrib -h 'C:\Users\user\AppData\Roaming\TextNotepad\Unistore'
Imagebase:	0x7ff794990000
File size:	21504 bytes
MD5 hash:	FDC601145CD289C6FBC96D3F805F3CD7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: waitfor.exe PID: 1752 Parent PID: 5112

General

Start time:	20:53:32
Start date:	29/03/2021
Path:	C:\Windows\System32\waitfor.exe
Wow64 process (32bit):	false
Commandline:	waitfor /t 10 pause /d y
Imagebase:	0x7ff607f60000
File size:	39936 bytes
MD5 hash:	9509EC0B3D20348D129183021BF38BBB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: attrib.exe PID: 5656 Parent PID: 5112

General

Start time:	20:53:33
Start date:	29/03/2021
Path:	C:\Windows\System32\attrib.exe
Wow64 process (32bit):	false
Commandline:	attrib -h 'C:\Users\user\Desktop\Q1xEDBAmY5.exe'
Imagebase:	0x7ff794990000
File size:	21504 bytes
MD5 hash:	FDC601145CD289C6FBC96D3F805F3CD7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: Q1xEDBAmY5.exe PID: 5032 Parent PID: 5956 Q1xEDBAmY5.exeCOMMON

Execution Graph

Execution Coverage:	2.8%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	79.7%
Total number of Nodes:	59
Total number of Limit Nodes:	9

Executed Functions

Function 0000000140008FD8, Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 126
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlInitUnicodeString.NTDLL ref: 00000001401C2CAB
RtlpNtOpenKey.NTDLL ref: 00000001401C2CF8
RtlNtStatusToDosError.NTDLL ref: 00000001401C2D05
NtEnumerateKey.NTDLL ref: 00000001401C2D55
RtlNtStatusToDosError.NTDLL ref: 00000001401C2DF8
NtClose.NTDLL ref: 00000001401C2E16

Strings

0, xrefs: 00000001401C2CC5
@, xrefs: 00000001401C2CE1

Memory Dump Source

Source File: 00000000.00000002.353746197.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.353731490.0000000140000000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.353781911.000000014000B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.353789545.000000014000E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.353803636.0000000140015000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.354056099.00000001401C5000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Q1xEDBAmY5.jbxd

Similarity

API ID: ErrorStatus$CloseEnumerateInitOpenRtlpStringUnicode
String ID: 0$@
API String ID: 1614393503-1545510068
Opcode ID: cefe9010a734a50205bc64eafaf39f00a44266cd455ab14de18c91e7259cd50c
Instruction ID: 43aab7de132ee3581aaf72cf9245a1ffe5c3a98ffdefe0118e2a4408a218dc0b
Opcode Fuzzy Hash: cefe9010a734a50205bc64eafaf39f00a44266cd455ab14de18c91e7259cd50c
Instruction Fuzzy Hash: 7841A13620CA94C7E6628F56A4947FDB3A0F39CF80F640015EB8757AB4CA78C945D781

Uniqueness

Uniqueness Score: -1.00%

Function 00000001401B86FF, Relevance: 12.3, APIs: 8, Instructions: 252
memorystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLogicalDriveStringsW.KERNELBASE ref: 00000001401B87E5
HeapAlloc.KERNEL32 ref: 00000001401B8813
GetLogicalDriveStringsW.KERNELBASE ref: 00000001401B8877
lstrlenW.KERNEL32 ref: 00000001401B8898
QueryDosDeviceW.KERNEL32 ref: 00000001401B88EC
lstrlenW.KERNEL32 ref: 00000001401B8903
StrCmpNIW.KERNELBASE ref: 00000001401B8952

Memory Dump Source

Source File: 00000000.00000002.353803636.0000000140015000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.353731490.0000000140000000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.353746197.0000000140001000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.353781911.000000014000B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.353789545.000000014000E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.354056099.00000001401C5000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Q1xEDBAmY5.jbxd

Similarity

API ID: DriveLogicalStringslstrlen$AllocDeviceHeapQuery
String ID:
API String ID: 483063260-0
Opcode ID: 489b5a3322a92875f793c37380596326fd1886cf87fcf36179fa0425e5c940d5
Instruction ID: 307088e11832c664a1a4c79a2800c12574c29e730166ef9093fe9fd9b760cedb
Opcode Fuzzy Hash: 489b5a3322a92875f793c37380596326fd1886cf87fcf36179fa0425e5c940d5
Instruction Fuzzy Hash: 4A816532700EA087FA26AF2799943FE26B1B788FE4FA451119F16276F0DB39C845D301

Uniqueness

Uniqueness Score: -1.00%

Function 00000001401B7870, Relevance: 15.2, APIs: 10, Instructions: 206
memoryfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00000001401C2723: HeapAlloc.KERNEL32 ref: 00000001401C27AE

PathCombineW.SHLWAPI ref: 00000001401B7981
HeapFree.KERNEL32 ref: 00000001401B79A0
CreateDirectoryW.KERNELBASE ref: 00000001401B79B5
PathCombineW.SHLWAPI ref: 00000001401B7A13
HeapFree.KERNEL32 ref: 00000001401B7A3E
CopyFileW.KERNELBASE ref: 00000001401B7A5C
GetLastError.KERNEL32 ref: 00000001401B7A7C
RemoveDirectoryW.KERNEL32 ref: 00000001401B7AC4
GetLastError.KERNEL32 ref: 00000001401B7ACF
HeapFree.KERNEL32 ref: 00000001401B7B3A

Memory Dump Source

Source File: 00000000.00000002.353803636.0000000140015000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.353731490.0000000140000000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.353746197.0000000140001000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.353781911.000000014000B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.353789545.000000014000E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.354056099.00000001401C5000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Q1xEDBAmY5.jbxd

Similarity

API ID: Heap$Free$CombineDirectoryErrorLastPath$AllocCopyCreateFileRemove
String ID:
API String ID: 3800710234-0
Opcode ID: 3807c1a1ba8245745db85d83fddf9ca5a81f6203fe418bcd93b308aa8c531c16
Instruction ID: eefb1950c1264f0eccadc70191a2d96b96ce5fdc7b11f9ce93614dee2f1086ba
Opcode Fuzzy Hash: 3807c1a1ba8245745db85d83fddf9ca5a81f6203fe418bcd93b308aa8c531c16
Instruction Fuzzy Hash: 13612171708E1087FA679B37A994BFD22B2A74CFD4F644421DB4A0B6F4CB38C584A710

Uniqueness

Uniqueness Score: -1.00%

Function 00000001401BEB27, Relevance: 4.7, APIs: 3, Instructions: 197
memorystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(00000000,00000001401B6A6A), ref: 00000001401BEC81
lstrcmpW.KERNEL32 ref: 00000001401BED2D
HeapFree.KERNEL32 ref: 00000001401BED77

Memory Dump Source

Source File: 00000000.00000002.353803636.0000000140015000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.353731490.0000000140000000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.353746197.0000000140001000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.353781911.000000014000B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.353789545.000000014000E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.354056099.00000001401C5000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Q1xEDBAmY5.jbxd

Similarity

API ID: Heap$AllocateFreelstrcmp
String ID:
API String ID: 3727395044-0
Opcode ID: 6e0bd297a774ad971d2e68aba98fe4fd42e94893bd2a25a5e6530357dcdeb2b0
Instruction ID: 3904fcca3e121e6e3d0674ceb08fabdd155da1770fc9112b8f2d54046ab635ca
Opcode Fuzzy Hash: 6e0bd297a774ad971d2e68aba98fe4fd42e94893bd2a25a5e6530357dcdeb2b0
Instruction Fuzzy Hash: 3C612136208E40CAEB2A8F6BE4C03ED6AF1A75CF94F5846269B4A0F6F4C779C540D750

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00000001400082B0, Relevance: 35.0, APIs: 23, Instructions: 488
memorystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00000001400032D8: HeapFree.KERNEL32 ref: 00000001400033CC
Part of subcall function 00000001400032D8: lstrlenW.KERNEL32 ref: 00000001400033FC
Part of subcall function 00000001400032D8: HeapFree.KERNEL32 ref: 000000014000341D

PathCombineW.SHLWAPI ref: 00000001401C19EB
PathCombineW.SHLWAPI ref: 00000001401C1A22
HeapFree.KERNEL32 ref: 00000001401C1A6A
StrTrimW.SHLWAPI ref: 00000001401C1AA4
_wcslwr.NTDLL ref: 00000001401C1B54
_wcslwr.NTDLL ref: 00000001401C1B66
lstrcmpW.KERNEL32 ref: 00000001401C1BB6
StrTrimW.SHLWAPI ref: 00000001401C1BD4
lstrlenW.KERNEL32 ref: 00000001401C1C05
lstrlenW.KERNEL32 ref: 00000001401C1C15
HeapAlloc.KERNEL32 ref: 00000001401C1C3A
_wcslwr.NTDLL ref: 00000001401C1C5D

Memory Dump Source

Source File: 00000000.00000002.353746197.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.353731490.0000000140000000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.353781911.000000014000B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.353789545.000000014000E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.353803636.0000000140015000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.354056099.00000001401C5000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Q1xEDBAmY5.jbxd

Similarity

API ID: Heap$Free_wcslwrlstrlen$CombinePathTrim$Alloclstrcmp
String ID:
API String ID: 3559748661-0
Opcode ID: 52160a1d7593a377ff20addee7f70fa9f31049f6f67c4131dbd78adcc5db42e8
Instruction ID: 9462b773b900772d5c1c373bd5a9f0b8cbae344b0f6341caa20f4ba506632417
Opcode Fuzzy Hash: 52160a1d7593a377ff20addee7f70fa9f31049f6f67c4131dbd78adcc5db42e8
Instruction Fuzzy Hash: 2A12DB7224CA95C6FA27DB23E4503EE6361F78EF84F944122AF4A47AB9DB38C505D701

Uniqueness

Uniqueness Score: -1.00%

Function 00000001401BFA90, Relevance: 19.7, APIs: 10, Strings: 1, Instructions: 495
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ZwCreateSection.NTDLL ref: 00000001401BFB9E
RtlNtStatusToDosError.NTDLL ref: 00000001401BFD4B

Part of subcall function 00000001401C0FD6: ZwQueryInformationFile.NTDLL ref: 00000001401C101E
Part of subcall function 00000001401C0FD6: RtlNtStatusToDosError.NTDLL ref: 00000001401C1042

ZwMapViewOfSection.NTDLL ref: 00000001401BFCB4
RtlNtStatusToDosError.NTDLL ref: 00000001401BFD1E
ZwClose.NTDLL ref: 00000001401BFD39

Strings

fJki, xrefs: 00000001401BFF52

Memory Dump Source

Source File: 00000000.00000002.353803636.0000000140015000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.353731490.0000000140000000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.353746197.0000000140001000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.353781911.000000014000B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.353789545.000000014000E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.354056099.00000001401C5000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Q1xEDBAmY5.jbxd

Similarity

API ID: ErrorStatus$Section$CloseCreateFileInformationQueryView
String ID: fJki
API String ID: 2474743542-4033025093
Opcode ID: 73d7b728d5ddf76775b2eb80935b564ecded23c43f25e060030e48655bbb0400
Instruction ID: 6cacc4daf11f20fa530b0a97631432ccf775cc059f95097cca47d00902830403
Opcode Fuzzy Hash: 73d7b728d5ddf76775b2eb80935b564ecded23c43f25e060030e48655bbb0400
Instruction Fuzzy Hash: 4A12067260CA90C6E6368F56E4843EEA7B1F38CF90F644519DB9A47AF4DB38C544EB40

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400032D8, Relevance: 16.8, APIs: 10, Strings: 1, Instructions: 261
memorystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0000000140002A14: HeapAlloc.KERNEL32 ref: 00000001401B9355

HeapFree.KERNEL32 ref: 00000001400033CC
lstrlenW.KERNEL32 ref: 00000001400033FC
HeapFree.KERNEL32 ref: 000000014000341D

Part of subcall function 0000000140002BF0: StrChrW.SHLWAPI ref: 00000001401B95A0

HeapAlloc.KERNEL32 ref: 00000001400034BB
HeapFree.KERNEL32 ref: 0000000140003521
HeapFree.KERNEL32 ref: 000000014000353E
HeapFree.KERNEL32 ref: 00000001400035AA
HeapFree.KERNEL32 ref: 00000001400036DD
HeapFree.KERNEL32 ref: 00000001400036F4
HeapFree.KERNEL32 ref: 000000014000370B

Strings

n{~9, xrefs: 000000014000339C

Memory Dump Source

Source File: 00000000.00000002.353746197.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.353731490.0000000140000000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.353781911.000000014000B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.353789545.000000014000E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.353803636.0000000140015000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.354056099.00000001401C5000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Q1xEDBAmY5.jbxd

Similarity

API ID: Heap$Free$Alloc$lstrlen
String ID: n{~9
API String ID: 2960935155-1285555437
Opcode ID: 18a067246e184715129379d84bcdc50c2cdf1d37d9d1dd5e54e4f361c45eb575
Instruction ID: 8f9cdd0bc6f4abff456ae41303d2b60fbcb045be3c1a6f23a4601ff69c9a9dba
Opcode Fuzzy Hash: 18a067246e184715129379d84bcdc50c2cdf1d37d9d1dd5e54e4f361c45eb575
Instruction Fuzzy Hash: 01B191F13006859AEA32EB63B8447DA73A6F78DBD4F804412EB4A57B65CF38E444C752

Uniqueness

Uniqueness Score: -1.00%

Function 00000001401B6AA9, Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 334
filenativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ZwCreateFile.NTDLL ref: 00000001401B6BB1
RtlNtStatusToDosError.NTDLL ref: 00000001401B6D22

Strings

!, xrefs: 00000001401B6B1C

Memory Dump Source

Source File: 00000000.00000002.353803636.0000000140015000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.353731490.0000000140000000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.353746197.0000000140001000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.353781911.000000014000B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.353789545.000000014000E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.354056099.00000001401C5000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Q1xEDBAmY5.jbxd

Similarity

API ID: CreateErrorFileStatus
String ID: !
API String ID: 3864118154-2657877971
Opcode ID: 275a87daf9f7a936a5ec19daee3884662f8bfb97dc069e23a4c0c26ad8b069df
Instruction ID: dff2eba309616e4bedd284aa11014bf1fe1f675aba5b9a92be41c895a42fe0a9
Opcode Fuzzy Hash: 275a87daf9f7a936a5ec19daee3884662f8bfb97dc069e23a4c0c26ad8b069df
Instruction Fuzzy Hash: D3D10E72718A85C6E7369F26E490BED67B1F39CF84F608115EB8607AB4CB3DC9459B00

Uniqueness

Uniqueness Score: -1.00%

Function 00000001401BA75C, Relevance: 12.6, APIs: 8, Instructions: 625
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00000001401B8494: RtlDosPathNameToNtPathName_U.NTDLL ref: 00000001401B84DB
Part of subcall function 00000001401B8494: HeapAlloc.KERNEL32 ref: 00000001401B850D
Part of subcall function 00000001401B8494: RtlDosPathNameToNtPathName_U.NTDLL ref: 00000001401B8558

RtlDosPathNameToNtPathName_U.NTDLL ref: 00000001401BA880
GetFileAttributesW.KERNEL32 ref: 00000001401BA90C
SetFileAttributesW.KERNEL32 ref: 00000001401BA93C
RtlDosPathNameToNtPathName_U.NTDLL ref: 00000001401BA986

Part of subcall function 00000001401C2B01: ZwCreateFile.NTDLL ref: 00000001401C2BDF
Part of subcall function 00000001401C2B01: RtlNtStatusToDosError.NTDLL ref: 00000001401C2BF9
Part of subcall function 00000001401C2B01: RtlFreeUnicodeString.NTDLL ref: 00000001401C2C09

Memory Dump Source

Source File: 00000000.00000002.353803636.0000000140015000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.353731490.0000000140000000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.353746197.0000000140001000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.353781911.000000014000B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.353789545.000000014000E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.354056099.00000001401C5000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Q1xEDBAmY5.jbxd

Similarity

API ID: Path$NameName_$File$Attributes$AllocCreateErrorFreeHeapStatusStringUnicode
String ID:
API String ID: 4130269024-0
Opcode ID: 3b7af53d72e4937fe5e2f2081f34c41259a22109ea63df594ff7d3c4d6e13dc3
Instruction ID: a221014fde11b357e50eb31c90b29b3f0fff55f0adeee81d003b42f1c28daa9c
Opcode Fuzzy Hash: 3b7af53d72e4937fe5e2f2081f34c41259a22109ea63df594ff7d3c4d6e13dc3
Instruction Fuzzy Hash: F3225932318E5086E6369A2BA4807FE66B1F78CF91FA04112EB5A17BF4DB7DC544E740

Uniqueness

Uniqueness Score: -1.00%

Function 00000001401B8494, Relevance: 12.2, APIs: 8, Instructions: 153
memorynativefileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlDosPathNameToNtPathName_U.NTDLL ref: 00000001401B84DB
HeapAlloc.KERNEL32 ref: 00000001401B850D
RtlDosPathNameToNtPathName_U.NTDLL ref: 00000001401B8558
ZwSetInformationFile.NTDLL ref: 00000001401B8645
RtlNtStatusToDosError.NTDLL ref: 00000001401B865A
ZwClose.NTDLL ref: 00000001401B8685
HeapFree.KERNEL32 ref: 00000001401B86A4

Part of subcall function 00000001401C2B01: ZwCreateFile.NTDLL ref: 00000001401C2BDF
Part of subcall function 00000001401C2B01: RtlNtStatusToDosError.NTDLL ref: 00000001401C2BF9
Part of subcall function 00000001401C2B01: RtlFreeUnicodeString.NTDLL ref: 00000001401C2C09

RtlFreeUnicodeString.NTDLL ref: 00000001401B86C7

Memory Dump Source

Source File: 00000000.00000002.353803636.0000000140015000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.353731490.0000000140000000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.353746197.0000000140001000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.353781911.000000014000B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.353789545.000000014000E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.354056099.00000001401C5000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Q1xEDBAmY5.jbxd

Similarity

API ID: Path$Free$ErrorFileHeapNameName_StatusStringUnicode$AllocCloseCreateInformation
String ID:
API String ID: 2397623940-0
Opcode ID: 430b56e4ca29756a14a1c6975e501c8467b3832cc703cfb1f0237b9fe915df1b
Instruction ID: 62f3d813f31e6db86065cee1a1b974aa19cee4a520246a008d9e7b907297db8e
Opcode Fuzzy Hash: 430b56e4ca29756a14a1c6975e501c8467b3832cc703cfb1f0237b9fe915df1b
Instruction Fuzzy Hash: BB51C1B2318E9583E6369B2BA4947FE6371F78CF81F604025AF8B47AA4DB39C404D710

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140004DE4, Relevance: 10.7, APIs: 7, Instructions: 249
memorystringnativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenW.KERNEL32 ref: 00000001401BD0BF
HeapAlloc.KERNEL32 ref: 00000001401BD104
PathFindFileNameW.SHLWAPI ref: 00000001401BD14C
HeapFree.KERNEL32 ref: 00000001401BD313

Part of subcall function 00000001401C0D0F: lstrcatW.KERNEL32 ref: 00000001401C0D71
Part of subcall function 00000001401C0D0F: RtlDosPathNameToNtPathName_U.NTDLL ref: 00000001401C0D90
Part of subcall function 00000001401C0D0F: RtlDosPathNameToNtPathName_U.NTDLL ref: 00000001401C0E42

lstrcpyW.KERNEL32 ref: 00000001401BD1C3
ZwClose.NTDLL ref: 00000001401BD2C0
lstrcpyW.KERNEL32 ref: 00000001401BD2E0

Memory Dump Source

Source File: 00000000.00000002.353746197.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.353731490.0000000140000000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.353781911.000000014000B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.353789545.000000014000E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.353803636.0000000140015000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.354056099.00000001401C5000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Q1xEDBAmY5.jbxd

Similarity

API ID: Path$Name$HeapName_lstrcpy$AllocCloseFileFindFreelstrcatlstrlen
String ID:
API String ID: 2698039886-0
Opcode ID: c8b611ea731ab03e0f5124e5b79ec21a802973ec7191f99e1c9477716043faa6
Instruction ID: d8eb7f02ffb4ce221d6e4d80c2b5821d6b3cc41ad9d7055eae6180d4ff680c78
Opcode Fuzzy Hash: c8b611ea731ab03e0f5124e5b79ec21a802973ec7191f99e1c9477716043faa6
Instruction Fuzzy Hash: E89122B1309EA086E62AEB27A4943FD76B2B34CFD1FA44511AB0707AF5EB39C545D301

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140007D62, Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 219memorystringCOMMON

Download Yara Rule

APIs

GetVersion.KERNEL32 ref: 00000001401C10B7

Part of subcall function 00000001401B7870: PathCombineW.SHLWAPI ref: 00000001401B7981
Part of subcall function 00000001401B7870: HeapFree.KERNEL32 ref: 00000001401B79A0
Part of subcall function 00000001401B7870: CreateDirectoryW.KERNELBASE ref: 00000001401B79B5

lstrlenW.KERNEL32 ref: 00000001401C1157
lstrlenW.KERNEL32 ref: 00000001401C11BC
HeapFree.KERNEL32 ref: 00000001401C121B
HeapFree.KERNEL32 ref: 00000001401C1263

Strings

", xrefs: 00000001401C1185

Memory Dump Source

Source File: 00000000.00000002.353746197.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.353731490.0000000140000000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.353781911.000000014000B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.353789545.000000014000E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.353803636.0000000140015000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.354056099.00000001401C5000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Q1xEDBAmY5.jbxd

Similarity

API ID: FreeHeap$lstrlen$CombineCreateDirectoryPathVersion
String ID: "
API String ID: 153938819-123907689
Opcode ID: 55497113508cdb6258097df451801b91d0ce614f17e50dc0195082890b2f9196
Instruction ID: 0d59463f523a61b228b470a64759f38acc10a2f598c6bfd8fb5593db2cb9eb02
Opcode Fuzzy Hash: 55497113508cdb6258097df451801b91d0ce614f17e50dc0195082890b2f9196
Instruction Fuzzy Hash: BA512136B9C68486FA23AA77A4443EE5260A7CEFD0FA84121AB0647AF5DB7CC5019301

Uniqueness

Uniqueness Score: -1.00%

Function 00000001401BD6E7, Relevance: 9.2, APIs: 6, Instructions: 189memorynativefileCOMMON

Download Yara Rule

APIs

HeapAlloc.KERNEL32 ref: 00000001401BD738
RtlDosPathNameToNtPathName_U.NTDLL ref: 00000001401BD78A
ZwSetInformationFile.NTDLL ref: 00000001401BD920
RtlNtStatusToDosError.NTDLL ref: 00000001401BD935

Part of subcall function 00000001401C2B01: ZwCreateFile.NTDLL ref: 00000001401C2BDF
Part of subcall function 00000001401C2B01: RtlNtStatusToDosError.NTDLL ref: 00000001401C2BF9
Part of subcall function 00000001401C2B01: RtlFreeUnicodeString.NTDLL ref: 00000001401C2C09

ZwClose.NTDLL ref: 00000001401BD97C

Part of subcall function 00000001401C296F: RtlDosPathNameToNtPathName_U.NTDLL ref: 00000001401C29C4
Part of subcall function 00000001401C296F: ZwSetInformationFile.NTDLL ref: 00000001401C2A8C
Part of subcall function 00000001401C296F: RtlNtStatusToDosError.NTDLL ref: 00000001401C2AA6
Part of subcall function 00000001401C296F: ZwClose.NTDLL ref: 00000001401C2AD0

HeapFree.KERNEL32 ref: 00000001401BD9AC

Memory Dump Source

Source File: 00000000.00000002.353803636.0000000140015000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.353731490.0000000140000000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.353746197.0000000140001000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.353781911.000000014000B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.353789545.000000014000E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.354056099.00000001401C5000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Q1xEDBAmY5.jbxd

Similarity

API ID: Path$ErrorFileStatus$CloseFreeHeapInformationNameName_$AllocCreateStringUnicode
String ID:
API String ID: 852014873-0
Opcode ID: 7e33a34cb7d4c46a5441e1dd9e9d6b3db8d53815ff9bab756111011ffddd8cf7
Instruction ID: 7733fd4414e813c163f79a17e505c5c4fe6177f0c5f0daf362b1216a2046d526
Opcode Fuzzy Hash: 7e33a34cb7d4c46a5441e1dd9e9d6b3db8d53815ff9bab756111011ffddd8cf7
Instruction Fuzzy Hash: 43610531708E5182E72A9A63A4807ED7271E78DFD8F604121AB8A477E5EF7CC508D710

Uniqueness

Uniqueness Score: -1.00%

Function 000000014000293C, Relevance: 9.1, APIs: 6, Instructions: 122memorynativeCOMMON

Download Yara Rule

APIs

ZwQueryVirtualMemory.NTDLL ref: 00000001401B9119
HeapAlloc.KERNEL32 ref: 00000001401B9152
ZwQueryVirtualMemory.NTDLL ref: 00000001401B91C2
RtlNtStatusToDosError.NTDLL ref: 00000001401B91F9
HeapFree.KERNEL32 ref: 00000001401B9229

Part of subcall function 00000001401B86FF: GetLogicalDriveStringsW.KERNELBASE ref: 00000001401B87E5
Part of subcall function 00000001401B86FF: HeapAlloc.KERNEL32 ref: 00000001401B8813
Part of subcall function 00000001401B86FF: GetLogicalDriveStringsW.KERNELBASE ref: 00000001401B8877

RtlNtStatusToDosError.NTDLL ref: 00000001401B9245

Memory Dump Source

Source File: 00000000.00000002.353746197.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.353731490.0000000140000000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.353781911.000000014000B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.353789545.000000014000E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.353803636.0000000140015000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.354056099.00000001401C5000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Q1xEDBAmY5.jbxd

Similarity

API ID: Heap$AllocDriveErrorLogicalMemoryQueryStatusStringsVirtual$Free
String ID:
API String ID: 2121004382-0
Opcode ID: 384e2902690aef6859f302913b4d0d7abb9aac3256f7efaee4e2e9949058a16a
Instruction ID: fdee583891e31a3583d84b39cf969cdf38f8912567c68894f30adfcbf1df4d04
Opcode Fuzzy Hash: 384e2902690aef6859f302913b4d0d7abb9aac3256f7efaee4e2e9949058a16a
Instruction Fuzzy Hash: 89413571704E5183EA169BABA4947EE3261E35DFF0F604325AF6A07BE2DB39C4069700

Uniqueness

Uniqueness Score: -1.00%

Function 00000001401B8D30, Relevance: 7.6, APIs: 5, Instructions: 96memorynativeCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 00000001401B8D96
HeapFree.KERNEL32 ref: 00000001401B8DF8
LeaveCriticalSection.KERNEL32 ref: 00000001401B8E1D
DeleteCriticalSection.KERNEL32 ref: 00000001401B8E27
ZwClose.NTDLL ref: 00000001401B8E3A

Memory Dump Source

Source File: 00000000.00000002.353803636.0000000140015000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.353731490.0000000140000000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.353746197.0000000140001000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.353781911.000000014000B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.353789545.000000014000E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.354056099.00000001401C5000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Q1xEDBAmY5.jbxd

Similarity

API ID: CriticalSection$CloseDeleteEnterFreeHeapLeave
String ID:
API String ID: 3958598305-0
Opcode ID: 41183ab70344ed0bbbc3d1157e2838102b67b9408123f527468f07482927bc7c
Instruction ID: 0ece5602bdc53c2ff112483b2af365f24d175bcab443965cdaf18fc666e1a67c
Opcode Fuzzy Hash: 41183ab70344ed0bbbc3d1157e2838102b67b9408123f527468f07482927bc7c
Instruction Fuzzy Hash: 64319632645E58C6EA269F66E8003E96770F78CF90FA98112EF6A172F4DB39C845D340

Uniqueness

Uniqueness Score: -1.00%

Function 00000001401C2B01, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 72filenativeCOMMON

Download Yara Rule

APIs

ZwCreateFile.NTDLL ref: 00000001401C2BDF
RtlNtStatusToDosError.NTDLL ref: 00000001401C2BF9
RtlFreeUnicodeString.NTDLL ref: 00000001401C2C09

Strings

0, xrefs: 00000001401C2B24

Memory Dump Source

Source File: 00000000.00000002.353803636.0000000140015000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.353731490.0000000140000000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.353746197.0000000140001000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.353781911.000000014000B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.353789545.000000014000E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.354056099.00000001401C5000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Q1xEDBAmY5.jbxd

Similarity

API ID: CreateErrorFileFreeStatusStringUnicode
String ID: 0
API String ID: 1947615143-4108050209
Opcode ID: ee6ff86ba9fcf89f58ea2304b61282cf384a93a18fa5aae12a6f961241c0bf9f
Instruction ID: ef288eb9752d4257f5d28402ab127722a47a2f372646e169f149e5abad48fc1f
Opcode Fuzzy Hash: ee6ff86ba9fcf89f58ea2304b61282cf384a93a18fa5aae12a6f961241c0bf9f
Instruction Fuzzy Hash: D321AF7270CB85C7E321CF56A5443ED73A4F34CB94FA1023AD79A476A0CB3AC945AB51

Uniqueness

Uniqueness Score: -1.00%

Function 00000001401C0D0F, Relevance: 6.2, APIs: 4, Instructions: 171stringnativeCOMMON

Download Yara Rule

APIs

lstrcatW.KERNEL32 ref: 00000001401C0D71
RtlDosPathNameToNtPathName_U.NTDLL ref: 00000001401C0D90
RtlDosPathNameToNtPathName_U.NTDLL ref: 00000001401C0E42

Part of subcall function 00000001401C2B01: ZwCreateFile.NTDLL ref: 00000001401C2BDF
Part of subcall function 00000001401C2B01: RtlNtStatusToDosError.NTDLL ref: 00000001401C2BF9
Part of subcall function 00000001401C2B01: RtlFreeUnicodeString.NTDLL ref: 00000001401C2C09

ZwClose.NTDLL(?,?,?,?,?,00000000,00000001,00000001401BD189), ref: 00000001401C0FA6

Memory Dump Source

Source File: 00000000.00000002.353803636.0000000140015000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.353731490.0000000140000000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.353746197.0000000140001000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.353781911.000000014000B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.353789545.000000014000E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.354056099.00000001401C5000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Q1xEDBAmY5.jbxd

Similarity

API ID: Path$NameName_$CloseCreateErrorFileFreeStatusStringUnicodelstrcat
String ID:
API String ID: 988857485-0
Opcode ID: 89baaef89725aa242ecaa14e7e954e46abfb61c5367625d6f378a5968d13ee3b
Instruction ID: b101e6fd296ddb627b81fb9a0d13ead78ae7c9c2fe99afe77ff16d2e07e2f7a8
Opcode Fuzzy Hash: 89baaef89725aa242ecaa14e7e954e46abfb61c5367625d6f378a5968d13ee3b
Instruction Fuzzy Hash: 7551AD3230CB55C7F6378A67A590BFE63A1E348F94F600529EB4A07AE5DB38C5549B10

Uniqueness

Uniqueness Score: -1.00%

Function 00000001401C296F, Relevance: 6.1, APIs: 4, Instructions: 95nativefileCOMMON

Download Yara Rule

APIs

RtlDosPathNameToNtPathName_U.NTDLL ref: 00000001401C29C4

Part of subcall function 00000001401C2B01: ZwCreateFile.NTDLL ref: 00000001401C2BDF
Part of subcall function 00000001401C2B01: RtlNtStatusToDosError.NTDLL ref: 00000001401C2BF9
Part of subcall function 00000001401C2B01: RtlFreeUnicodeString.NTDLL ref: 00000001401C2C09

ZwSetInformationFile.NTDLL ref: 00000001401C2A8C
RtlNtStatusToDosError.NTDLL ref: 00000001401C2AA6
ZwClose.NTDLL ref: 00000001401C2AD0

Memory Dump Source

Source File: 00000000.00000002.353803636.0000000140015000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.353731490.0000000140000000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.353746197.0000000140001000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.353781911.000000014000B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.353789545.000000014000E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.354056099.00000001401C5000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Q1xEDBAmY5.jbxd

Similarity

API ID: ErrorFilePathStatus$CloseCreateFreeInformationNameName_StringUnicode
String ID:
API String ID: 3935821395-0
Opcode ID: 0ee0267f7fd7b3af215bad09630d7b69b732333c3ba9d2aa5b7b3023102a762e
Instruction ID: 3c10e83f379e31477fe6b0f773ecfcbed9a1c25e3a55598913f2579b8341790f
Opcode Fuzzy Hash: 0ee0267f7fd7b3af215bad09630d7b69b732333c3ba9d2aa5b7b3023102a762e
Instruction Fuzzy Hash: EE31A97131CA90C7EB368A57A1807EDA662F74CF84FA40125E78A07EB5DB79C6489710

Uniqueness

Uniqueness Score: -1.00%

Function 00000001401BF96E, Relevance: 6.1, APIs: 4, Instructions: 72filenativeCOMMON

Download Yara Rule

APIs

ZwQueryInformationFile.NTDLL ref: 00000001401BF9C7
RtlNtStatusToDosError.NTDLL ref: 00000001401BF9E1
ZwSetInformationFile.NTDLL ref: 00000001401BFA4E
RtlNtStatusToDosError.NTDLL ref: 00000001401BFA63

Memory Dump Source

Source File: 00000000.00000002.353803636.0000000140015000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.353731490.0000000140000000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.353746197.0000000140001000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.353781911.000000014000B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.353789545.000000014000E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.354056099.00000001401C5000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Q1xEDBAmY5.jbxd

Similarity

API ID: ErrorFileInformationStatus$Query
String ID:
API String ID: 1857635062-0
Opcode ID: ada0dee1e524097acd5353b628942dedd96253e3d3bedc42575f9dddddebb112
Instruction ID: 5e6572c19a03d61ea4a3dd96380a3eb08e1d0e3d2c6bbb02374d793fc2153bf2
Opcode Fuzzy Hash: ada0dee1e524097acd5353b628942dedd96253e3d3bedc42575f9dddddebb112
Instruction Fuzzy Hash: 8121BA76308E45E6E62B8B72A5503FD6270A35CFD8F608019A74A476F4EBB8C948F710

Uniqueness

Uniqueness Score: -1.00%

Function 00000001401BC979, Relevance: 4.6, APIs: 3, Instructions: 94filenativeCOMMON

Download Yara Rule

APIs

ZwQueryInformationFile.NTDLL ref: 00000001401BC9DF
ZwSetInformationFile.NTDLL ref: 00000001401BCA9C
RtlNtStatusToDosError.NTDLL ref: 00000001401BCAB6

Memory Dump Source

Source File: 00000000.00000002.353803636.0000000140015000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.353731490.0000000140000000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.353746197.0000000140001000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.353781911.000000014000B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.353789545.000000014000E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.354056099.00000001401C5000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Q1xEDBAmY5.jbxd

Similarity

API ID: FileInformation$ErrorQueryStatus
String ID:
API String ID: 1212993688-0
Opcode ID: eede84686d48efbf3d91ad75953e54407c9a049f776d668345200087cc863dff
Instruction ID: ebaa73aad86bb007732c9fd3458defffaa87b0a0acaa8efd3b21bb011e73e327
Opcode Fuzzy Hash: eede84686d48efbf3d91ad75953e54407c9a049f776d668345200087cc863dff
Instruction Fuzzy Hash: B5313976325E8882F721DB67E4987ED6672A38CFC1FA10015A75B436F5EB79C449CB00

Uniqueness

Uniqueness Score: -1.00%

Function 00000001401BBADF, Relevance: 3.1, APIs: 2, Instructions: 67filenativeCOMMON

Download Yara Rule

APIs

ZwWriteFile.NTDLL ref: 00000001401BBB6D
RtlNtStatusToDosError.NTDLL ref: 00000001401BBB87

Memory Dump Source

Source File: 00000000.00000002.353803636.0000000140015000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.353731490.0000000140000000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.353746197.0000000140001000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.353781911.000000014000B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.353789545.000000014000E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.354056099.00000001401C5000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Q1xEDBAmY5.jbxd

Similarity

API ID: ErrorFileStatusWrite
String ID:
API String ID: 3865071773-0
Opcode ID: 10e0a121e2d6ae3f9d0e0b4760bdb52d319d068acb6e4714df4cfeb761724da7
Instruction ID: 16b6d6156c2091a5e38c09da7db7184b3af8722cbd01314bb2e9d1d4b7d0a5bb
Opcode Fuzzy Hash: 10e0a121e2d6ae3f9d0e0b4760bdb52d319d068acb6e4714df4cfeb761724da7
Instruction Fuzzy Hash: 11219671719F16C5FB358A62E6D4BED62B0A30CB90F654234C75607AE8DBB8C691D700

Uniqueness

Uniqueness Score: -1.00%

Function 00000001401C0FD6, Relevance: 3.0, APIs: 2, Instructions: 37filenativeCOMMON

Download Yara Rule

APIs

ZwQueryInformationFile.NTDLL ref: 00000001401C101E
RtlNtStatusToDosError.NTDLL ref: 00000001401C1042

Memory Dump Source

Source File: 00000000.00000002.353803636.0000000140015000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.353731490.0000000140000000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.353746197.0000000140001000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.353781911.000000014000B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.353789545.000000014000E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.354056099.00000001401C5000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Q1xEDBAmY5.jbxd

Similarity

API ID: ErrorFileInformationQueryStatus
String ID:
API String ID: 3308321636-0
Opcode ID: 92bea9638b00d7a26cf5d953fb31fd6e5b3505f585360f437d5b2d616bc0c086
Instruction ID: 09ba2d315c600c72cd54e8b48493588bf0d3876dbb6a82526a5e7670d1d42b80
Opcode Fuzzy Hash: 92bea9638b00d7a26cf5d953fb31fd6e5b3505f585360f437d5b2d616bc0c086
Instruction Fuzzy Hash: 5AF0C27538D584C2FB3B4A17A4507FE1261A39AF84FA0040DA70A476B5DA3DC2D59750

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140003734, Relevance: 1.6, APIs: 1, Instructions: 55COMMON

Download Yara Rule

APIs

GetDiskFreeSpaceExW.KERNEL32 ref: 00000001401BA37B

Memory Dump Source

Source File: 00000000.00000002.353746197.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.353731490.0000000140000000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.353781911.000000014000B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.353789545.000000014000E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.353803636.0000000140015000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.354056099.00000001401C5000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Q1xEDBAmY5.jbxd

Similarity

API ID: DiskFreeSpace
String ID:
API String ID: 1705453755-0
Opcode ID: fff109f2261dc96d7107dbabfb265170114391bda79e288f957f0014665a6337
Instruction ID: 72774e0c2dd6006fee06fe3c1145288b1a465944989e923f0ff7cb1b76b53f15
Opcode Fuzzy Hash: fff109f2261dc96d7107dbabfb265170114391bda79e288f957f0014665a6337
Instruction Fuzzy Hash: EF11E136324A5986EB26CE7A95D47FD12F2B34CBA6FD051369387076B4DB3CC0889600

Uniqueness

Uniqueness Score: -1.00%

Function 00000001401BB247, Relevance: 1.5, APIs: 1, Instructions: 48nativeCOMMON

Download Yara Rule

APIs

ZwCreateEvent.NTDLL ref: 00000001401BB2E1

Memory Dump Source

Source File: 00000000.00000002.353803636.0000000140015000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.353731490.0000000140000000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.353746197.0000000140001000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.353781911.000000014000B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.353789545.000000014000E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.354056099.00000001401C5000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Q1xEDBAmY5.jbxd

Similarity

API ID: CreateEvent
String ID:
API String ID: 2692171526-0
Opcode ID: 0fbcfd443e231a00477f5bd50bac7263f26800a7ee9d5c5712780166ce3a4b8f
Instruction ID: d5a6954df107d9442cd0387daeef08dedef95e0764571c4d64c78c4382e694be
Opcode Fuzzy Hash: 0fbcfd443e231a00477f5bd50bac7263f26800a7ee9d5c5712780166ce3a4b8f
Instruction Fuzzy Hash: D9012677316F5CC5E712CFA2D5E4BAC26A4A398F50FA405288B1A477F0CB78928A8700

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140006BC8, Relevance: .9, Instructions: 916COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.353746197.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.353731490.0000000140000000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.353781911.000000014000B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.353789545.000000014000E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.353803636.0000000140015000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.354056099.00000001401C5000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Q1xEDBAmY5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 253f36ce60909b1e899caa05c266be883effa5b349ba05d90500bd34cc659d22
Instruction ID: 7df1a4cf66ade67121b56c1533775eb943107e024774b0ae81d7a0b9c64fb647
Opcode Fuzzy Hash: 253f36ce60909b1e899caa05c266be883effa5b349ba05d90500bd34cc659d22
Instruction Fuzzy Hash: FB726F73B302A88BDB50CF2E9858D6E33A9F3597827875205EF8897745C63DB901DB60

Uniqueness

Uniqueness Score: -1.00%

Function 00000001401BDDA1, Relevance: .9, Instructions: 902COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.353803636.0000000140015000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.353731490.0000000140000000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.353746197.0000000140001000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.353781911.000000014000B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.353789545.000000014000E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.354056099.00000001401C5000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Q1xEDBAmY5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa32d11cc9db2c8b62436a8fff4b16b3ead6ace4c705061ace6c397e9b089efa
Instruction ID: 0a7e21b025fe47767afb5d8915e86e0173aed853cadba0a909beca9e62774a10
Opcode Fuzzy Hash: fa32d11cc9db2c8b62436a8fff4b16b3ead6ace4c705061ace6c397e9b089efa
Instruction Fuzzy Hash: 4052AB7372097087EB189A3AD8A0BFD33A1E35AB51F411229DB56877D1D73EC805DB50

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140009754, Relevance: .6, Instructions: 616COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.353746197.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.353731490.0000000140000000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.353781911.000000014000B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.353789545.000000014000E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.353803636.0000000140015000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.354056099.00000001401C5000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Q1xEDBAmY5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e22f3bce40282fe11e099c1db0b1c5fb4d2825a674946890b536f4ba39d9287
Instruction ID: 675418addc0b2e090357021b23c56d57521d2876a89d32953653134a70d858d0
Opcode Fuzzy Hash: 1e22f3bce40282fe11e099c1db0b1c5fb4d2825a674946890b536f4ba39d9287
Instruction Fuzzy Hash: 1012B4B7B784514BD71CCB19E892FA97792F394308B49912CEA17D3F44DA3DEA06CA40

Uniqueness

Uniqueness Score: -1.00%

Function 00000001401BBFD5, Relevance: .4, Instructions: 384COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.353803636.0000000140015000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.353731490.0000000140000000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.353746197.0000000140001000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.353781911.000000014000B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.353789545.000000014000E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.354056099.00000001401C5000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Q1xEDBAmY5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4fb4dc656818fd68803ab093d34f7eb348653b8c560a0f4cae93be4ad90948c8
Instruction ID: fce8e4a20fa62805c9f8439e2410ac8e26c481a143fafad27a18399c300ea9bc
Opcode Fuzzy Hash: 4fb4dc656818fd68803ab093d34f7eb348653b8c560a0f4cae93be4ad90948c8
Instruction Fuzzy Hash: 30C19836728ED086F6369E2BE850BFE66B1B398F90F944114DF6A13AF4C739D5419B00

Uniqueness

Uniqueness Score: -1.00%

Function 000000014013B8F9, Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.353803636.0000000140015000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.353731490.0000000140000000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.353746197.0000000140001000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.353781911.000000014000B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.353789545.000000014000E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.354056099.00000001401C5000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Q1xEDBAmY5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7df3cee130343c495758ca55a082de2db00953073a535cb8780926f946024ed8
Instruction ID: 68b0c2e0692b2c229048b4ddab23dffb099134e9e4737b4edf007736383dccec
Opcode Fuzzy Hash: 7df3cee130343c495758ca55a082de2db00953073a535cb8780926f946024ed8
Instruction Fuzzy Hash: 961190A1F2147066F6518537EE40FEA5527D364BE4F5A6230BF2C97FE4C21D890A8740

Uniqueness

Uniqueness Score: -1.00%

Function 00000001401BB3BC, Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 280
memorystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenW.KERNEL32(?,?,?,?,?,00000050,?,00000000,?,00000001401BC88F), ref: 00000001401BB453
HeapAlloc.KERNEL32(?,?,?,?,?,00000050,?,00000000,?,00000001401BC88F), ref: 00000001401BB493
GetCurrentDirectoryW.KERNEL32(?,?,?,?,?,00000050,?,00000000,?,00000001401BC88F), ref: 00000001401BB562
RtlDosPathNameToNtPathName_U.NTDLL ref: 00000001401BB5D4

Strings

P, xrefs: 00000001401BB739

Memory Dump Source

Source File: 00000000.00000002.353803636.0000000140015000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.353731490.0000000140000000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.353746197.0000000140001000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.353781911.000000014000B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.353789545.000000014000E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.354056099.00000001401C5000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Q1xEDBAmY5.jbxd

Similarity

API ID: Path$AllocCurrentDirectoryHeapNameName_lstrlen
String ID: P
API String ID: 4008739338-3110715001
Opcode ID: ff05ce82206494fc8691d6cf8a2db60cf8b43dcaf4d362dba3c9795c604c5860
Instruction ID: b00598d431a369d2ebdfa74a6c074c4f74e793deeb9a5703906dfbe5e810b95a
Opcode Fuzzy Hash: ff05ce82206494fc8691d6cf8a2db60cf8b43dcaf4d362dba3c9795c604c5860
Instruction Fuzzy Hash: F1A14476604E5086E6269B2BA4A4BFE2271B78CFD5F554021AF4B03AF4DBBDC6089300

Uniqueness

Uniqueness Score: -1.00%

Function 00000001401B96EE, Relevance: 16.8, APIs: 11, Instructions: 251
memorysynchronizationthreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

HeapAlloc.KERNEL32 ref: 00000001401B9788

Part of subcall function 00000001401BB247: ZwCreateEvent.NTDLL ref: 00000001401BB2E1

InitializeCriticalSection.KERNEL32 ref: 00000001401B9815
CreateThread.KERNEL32 ref: 00000001401B98B0
StrChrW.SHLWAPI ref: 00000001401B9900
HeapFree.KERNEL32 ref: 00000001401B99A6
SetEvent.KERNEL32 ref: 00000001401B9A15
WaitForSingleObject.KERNEL32 ref: 00000001401B9A26
GetLastError.KERNEL32 ref: 00000001401B9A39
CloseHandle.KERNEL32 ref: 00000001401B9A5F
GetLastError.KERNEL32 ref: 00000001401B9A87
HeapFree.KERNEL32 ref: 00000001401B9AB4

Memory Dump Source

Source File: 00000000.00000002.353803636.0000000140015000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.353731490.0000000140000000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.353746197.0000000140001000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.353781911.000000014000B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.353789545.000000014000E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.354056099.00000001401C5000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Q1xEDBAmY5.jbxd

Similarity

API ID: Heap$CreateErrorEventFreeLast$AllocCloseCriticalHandleInitializeObjectSectionSingleThreadWait
String ID:
API String ID: 2169149918-0
Opcode ID: bcebbe1e3e4cc665efd90584cc7bb07e92fa168ca30119b4ca61a4488971bc38
Instruction ID: 80862a0e64a19df39044d1d1a80b6829d439bcf2cabf9401f2bd779f9838c579
Opcode Fuzzy Hash: bcebbe1e3e4cc665efd90584cc7bb07e92fa168ca30119b4ca61a4488971bc38
Instruction Fuzzy Hash: 84913071B09E64C2E626EB37A8503EE62B1F388FD4F6401129B5A077F6EB78C442D700

Uniqueness

Uniqueness Score: -1.00%

Function 00000001401BC650, Relevance: 16.7, APIs: 11, Instructions: 200
memorystringsynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrcpyW.KERNEL32 ref: 00000001401BC6DC
GetLogicalDriveStringsW.KERNEL32 ref: 00000001401BC6EB
HeapAlloc.KERNEL32 ref: 00000001401BC716
GetLogicalDriveStringsW.KERNEL32 ref: 00000001401BC760
WaitForSingleObject.KERNEL32 ref: 00000001401BC7A4
GetDriveTypeW.KERNEL32 ref: 00000001401BC7C2
lstrlenW.KERNEL32 ref: 00000001401BC7D9
lstrcpyW.KERNEL32 ref: 00000001401BC860
HeapFree.KERNEL32 ref: 00000001401BC8B6
lstrlenW.KERNEL32 ref: 00000001401BC8D2
HeapFree.KERNEL32 ref: 00000001401BC915

Memory Dump Source

Source File: 00000000.00000002.353803636.0000000140015000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.353731490.0000000140000000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.353746197.0000000140001000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.353781911.000000014000B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.353789545.000000014000E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.354056099.00000001401C5000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Q1xEDBAmY5.jbxd

Similarity

API ID: DriveHeap$FreeLogicalStringslstrcpylstrlen$AllocObjectSingleTypeWait
String ID:
API String ID: 969958243-0
Opcode ID: 4b4991d5e83f71d0cf1b5fccc88aac13a56846d1088cf1d548c20eadd6f648c6
Instruction ID: a95ffc96c0cd26768bb7bd7246497d1767669f423767dc54e61de91b6120166f
Opcode Fuzzy Hash: 4b4991d5e83f71d0cf1b5fccc88aac13a56846d1088cf1d548c20eadd6f648c6
Instruction Fuzzy Hash: F361E471725E8482EA279B27A4587FE22B2B34CFD1F699421DB6B073B4DF78C4459340

Uniqueness

Uniqueness Score: -1.00%

Function 00000001401B9C72, Relevance: 13.8, APIs: 9, Instructions: 262
memorystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLogicalDriveStringsW.KERNEL32 ref: 00000001401B9CF7
HeapAlloc.KERNEL32 ref: 00000001401B9D3C
GetLogicalDriveStringsW.KERNEL32 ref: 00000001401B9D9A

Part of subcall function 00000001401C3057: HeapAlloc.KERNEL32(00000000,?,?,00000001401B9DB1), ref: 00000001401C30E4
Part of subcall function 00000001401C3057: lstrlenW.KERNEL32(?,?,00000001401B9DB1), ref: 00000001401C3132
Part of subcall function 00000001401C3057: HeapFree.KERNEL32(?,?,00000001401B9DB1), ref: 00000001401C31C9

lstrlenW.KERNEL32 ref: 00000001401B9E06
GetDriveTypeW.KERNEL32 ref: 00000001401B9E15
QueryDosDeviceW.KERNEL32 ref: 00000001401B9E76
StrRChrW.SHLWAPI ref: 00000001401B9E98
StrCmpNW.SHLWAPI ref: 00000001401B9EFE
HeapFree.KERNEL32 ref: 00000001401BA011

Memory Dump Source

Source File: 00000000.00000002.353803636.0000000140015000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.353731490.0000000140000000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.353746197.0000000140001000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.353781911.000000014000B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.353789545.000000014000E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.354056099.00000001401C5000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Q1xEDBAmY5.jbxd

Similarity

API ID: Heap$Drive$AllocFreeLogicalStringslstrlen$DeviceQueryType
String ID:
API String ID: 1397644961-0
Opcode ID: 7a2219bd495ef53acf292b4e29440e66acde5f98005a03fd2837f87533315c2f
Instruction ID: 66a300b27fc8fef35dea40be62018661b849d20b843a8391e6df227ab23fb4c2
Opcode Fuzzy Hash: 7a2219bd495ef53acf292b4e29440e66acde5f98005a03fd2837f87533315c2f
Instruction Fuzzy Hash: 5B914372B08E6582E636EF27A4443FE2AB2B358F91F844115DB4A472F5DB3EC446D340

Uniqueness

Uniqueness Score: -1.00%

Function 00000001401C0368, Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 226stringshareCOMMON

Download Yara Rule

APIs

Part of subcall function 00000001401BE9FF: lstrlenW.KERNEL32(?,?,?,00000001401B679E), ref: 00000001401BEA44
Part of subcall function 00000001401BE9FF: HeapAlloc.KERNEL32(?,?,?,00000001401B679E), ref: 00000001401BEA84

StrChrW.SHLWAPI ref: 00000001401C0453
StrChrW.SHLWAPI ref: 00000001401C04A5
lstrlenW.KERNEL32 ref: 00000001401C0503
WNetAddConnection2W.MPR ref: 00000001401C05EE

Strings

R, xrefs: 00000001401C05F6

Memory Dump Source

Source File: 00000000.00000002.353803636.0000000140015000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.353731490.0000000140000000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.353746197.0000000140001000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.353781911.000000014000B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.353789545.000000014000E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.354056099.00000001401C5000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Q1xEDBAmY5.jbxd

Similarity

API ID: lstrlen$AllocConnection2Heap
String ID: R
API String ID: 3090405159-1466425173
Opcode ID: f3fa5c583569bdb16a1d769cc9ce1c056f7c3ea0990e39c89afb95ab994fe36b
Instruction ID: 45ff903aefcb769747060c5208d61997f8bd677a58c0571048c0b744dfbed49a
Opcode Fuzzy Hash: f3fa5c583569bdb16a1d769cc9ce1c056f7c3ea0990e39c89afb95ab994fe36b
Instruction Fuzzy Hash: 6171853270DA7086FA37DA23A5543FE62A1A79CFE5F5542219F8B037F0E678C445DA40

Uniqueness

Uniqueness Score: -1.00%

Function 00000001401C12D1, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 149memorystringCOMMON

Download Yara Rule

APIs

Part of subcall function 00000001401BD6E7: HeapAlloc.KERNEL32 ref: 00000001401BD738
Part of subcall function 00000001401BD6E7: RtlDosPathNameToNtPathName_U.NTDLL ref: 00000001401BD78A

lstrlenW.KERNEL32 ref: 00000001401C138B
HeapAlloc.KERNEL32 ref: 00000001401C13B1
PathFindExtensionW.SHLWAPI ref: 00000001401C13D4
_snwprintf.NTDLL ref: 00000001401C1477
HeapFree.KERNEL32 ref: 00000001401C14DA

Strings

m{4o, xrefs: 00000001401C13DD

Memory Dump Source

Source File: 00000000.00000002.353803636.0000000140015000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.353731490.0000000140000000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.353746197.0000000140001000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.353781911.000000014000B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.353789545.000000014000E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.354056099.00000001401C5000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Q1xEDBAmY5.jbxd

Similarity

API ID: HeapPath$Alloc$ExtensionFindFreeNameName__snwprintflstrlen
String ID: m{4o
API String ID: 3433634226-3599497293
Opcode ID: d4bef2a8d7d06e0ae880df8d08ecd56a1de24478be7940c2586d8577d3ec23fe
Instruction ID: c8960145af0ff0bfe0cfd358db55b3eb0d9f2bafbd1d96a65de6c523f26aafed
Opcode Fuzzy Hash: d4bef2a8d7d06e0ae880df8d08ecd56a1de24478be7940c2586d8577d3ec23fe
Instruction Fuzzy Hash: F451F27174CA50C6F62B9B63B4403EE62A1A78EFE5FA44611EB9A077B5DB3DC102D301

Uniqueness

Uniqueness Score: -1.00%

Function 00000001401B80F4, Relevance: 10.6, APIs: 6, Strings: 1, Instructions: 132memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32 ref: 00000001401B818F
HeapAlloc.KERNEL32 ref: 00000001401B81D0
MultiByteToWideChar.KERNEL32 ref: 00000001401B8220
GetLastError.KERNEL32 ref: 00000001401B8271
HeapFree.KERNEL32 ref: 00000001401B8296
GetLastError.KERNEL32 ref: 00000001401B82B0

Strings

X*", xrefs: 00000001401B824F

Memory Dump Source

Source File: 00000000.00000002.353803636.0000000140015000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.353731490.0000000140000000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.353746197.0000000140001000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.353781911.000000014000B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.353789545.000000014000E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.354056099.00000001401C5000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Q1xEDBAmY5.jbxd

Similarity

API ID: ByteCharErrorHeapLastMultiWide$AllocFree
String ID: X*"
API String ID: 2267670476-2229822034
Opcode ID: 46507dc320ced16bb5a5d02146e607f6bf1b75f14dde582dc887c02b2c99cc8a
Instruction ID: c5c71a8fdb105415faa4babaefd6122501bca9d0c26e9cbe5b27e15fd27f4398
Opcode Fuzzy Hash: 46507dc320ced16bb5a5d02146e607f6bf1b75f14dde582dc887c02b2c99cc8a
Instruction Fuzzy Hash: 41412335B04F1986E2269F6BA4543BE6AB1B74CFD4F144226DF5A637B0DB34C406D300

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400216D0, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 89stringCOMMON

Download Yara Rule

APIs

StrChrW.SHLWAPI ref: 00000001401B69D1
StrChrW.SHLWAPI ref: 00000001401B6A0D
lstrlenW.KERNEL32 ref: 00000001401B6A46

Strings

:, xrefs: 00000001400216E2
1P, xrefs: 00000001401B6963

Memory Dump Source

Source File: 00000000.00000002.353803636.0000000140015000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.353731490.0000000140000000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.353746197.0000000140001000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.353781911.000000014000B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.353789545.000000014000E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.354056099.00000001401C5000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Q1xEDBAmY5.jbxd

Similarity

API ID: lstrlen
String ID: 1P$:
API String ID: 1659193697-847992444
Opcode ID: 4b1fc0fa3adb396d7dd5aee05a74b2ab3986e644f01b10274fc0a3e5ca911c93
Instruction ID: 53d58f5a12e9b34822b4c9ad0e4f89939d92cf6215970e8c6d1014161a725f0d
Opcode Fuzzy Hash: 4b1fc0fa3adb396d7dd5aee05a74b2ab3986e644f01b10274fc0a3e5ca911c93
Instruction Fuzzy Hash: AF312732A09E5186EB368B33A4543FE62B0F7ACFD0F998110AB9617AF5D77CC4408780

Uniqueness

Uniqueness Score: -1.00%

Function 00000001401BDB4F, Relevance: 7.6, APIs: 5, Instructions: 116memorystringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,?,?,00000001401BD392), ref: 00000001401BDBAB
StrCmpNIW.SHLWAPI(?,?,?,?,00000001401BD392), ref: 00000001401BDBED
HeapAlloc.KERNEL32(?,?,?,?,00000001401BD392), ref: 00000001401BDC3A
_snwprintf.NTDLL ref: 00000001401BDC74
HeapFree.KERNEL32 ref: 00000001401BDCCF

Memory Dump Source

Source File: 00000000.00000002.353803636.0000000140015000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.353731490.0000000140000000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.353746197.0000000140001000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.353781911.000000014000B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.353789545.000000014000E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.354056099.00000001401C5000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Q1xEDBAmY5.jbxd

Similarity

API ID: Heap$AllocFree_snwprintflstrlen
String ID:
API String ID: 872643602-0
Opcode ID: 91846e630bac47e29e6ff607aedef7fe362f9588f093bf8245acb8a7395b72cf
Instruction ID: af1704e199aa444b22b29cd56e100c9d64ea8d76c5e6fb5f194c0ad57ebf3467
Opcode Fuzzy Hash: 91846e630bac47e29e6ff607aedef7fe362f9588f093bf8245acb8a7395b72cf
Instruction Fuzzy Hash: 62413576B04E2486E626DB27A8807EE7A71A748FE9F954115AF1D037F4EB78C544C700

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400010F0, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 144stringCOMMON

Download Yara Rule

APIs

StrChrW.SHLWAPI ref: 00000001401B69D1
StrChrW.SHLWAPI ref: 00000001401B6A0D
lstrlenW.KERNEL32 ref: 00000001401B6A46

Strings

1P, xrefs: 00000001401B6963

Memory Dump Source

Source File: 00000000.00000002.353746197.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.353731490.0000000140000000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.353781911.000000014000B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.353789545.000000014000E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.353803636.0000000140015000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.354056099.00000001401C5000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Q1xEDBAmY5.jbxd

Similarity

API ID: lstrlen
String ID: 1P
API String ID: 1659193697-3975103673
Opcode ID: abcb5e5a68774213f2c873155acec27ef317f95e4e533cffc01015ceef2a89e0
Instruction ID: b548c23ff914356308929ee8140642f159c61844e701f3468d298b422f7dd2f8
Opcode Fuzzy Hash: abcb5e5a68774213f2c873155acec27ef317f95e4e533cffc01015ceef2a89e0
Instruction Fuzzy Hash: 6C416C33A08E5095EA629B73E8913EE6661F7ACFD1F59C020BB4A17BB5DB7CC4408740

Uniqueness

Uniqueness Score: -1.00%

Function 00000001401B7612, Relevance: 6.2, APIs: 4, Instructions: 163memorystringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32 ref: 00000001401B7682
HeapAlloc.KERNEL32 ref: 00000001401B76AB
StrChrW.SHLWAPI ref: 00000001401B76F5
lstrlenW.KERNEL32 ref: 00000001401B7740

Memory Dump Source

Source File: 00000000.00000002.353803636.0000000140015000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.353731490.0000000140000000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.353746197.0000000140001000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.353781911.000000014000B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.353789545.000000014000E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.354056099.00000001401C5000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Q1xEDBAmY5.jbxd

Similarity

API ID: lstrlen$AllocHeap
String ID:
API String ID: 669319671-0
Opcode ID: 1647831e6ffa83d7cc6bd69b0e1cefb0ecd4e512e9f99000e2086b89f1bf8df8
Instruction ID: b2292756d10d5ebc46322d105017676eab25439214abc249b44c6d870eca5da2
Opcode Fuzzy Hash: 1647831e6ffa83d7cc6bd69b0e1cefb0ecd4e512e9f99000e2086b89f1bf8df8
Instruction Fuzzy Hash: 6B514439708E5082F626AB2BA558BBEA732E74CFD8F681120DB46077F5EB39C045D340

Uniqueness

Uniqueness Score: -1.00%

Function 00000001401B9AE5, Relevance: 6.1, APIs: 4, Instructions: 100memoryCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 00000001401B9B47
ResetEvent.KERNEL32 ref: 00000001401B9BAD
LeaveCriticalSection.KERNEL32 ref: 00000001401B9BC4
HeapFree.KERNEL32 ref: 00000001401B9C0D

Memory Dump Source

Source File: 00000000.00000002.353803636.0000000140015000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.353731490.0000000140000000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.353746197.0000000140001000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.353781911.000000014000B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.353789545.000000014000E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.354056099.00000001401C5000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Q1xEDBAmY5.jbxd

Similarity

API ID: CriticalSection$EnterEventFreeHeapLeaveReset
String ID:
API String ID: 995024538-0
Opcode ID: d08db9d18e40cb5e7c32fe333a69dac1111413182cb8606a71f1ec142a59ee25
Instruction ID: c1139751ab1a9415f438414f0522da2ad2641207cae2800b065fb34e20dfa15a
Opcode Fuzzy Hash: d08db9d18e40cb5e7c32fe333a69dac1111413182cb8606a71f1ec142a59ee25
Instruction Fuzzy Hash: D831DE37704E6082EB1AAF27EA903ED67B0F789FD4F9850019B4A136B5DB38C946C340

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: Unistore PID: 1752 Parent PID: 5032 UnistoreCOMMON

Execution Graph

Execution Coverage:	11.3%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	510
Total number of Limit Nodes:	21

Executed Functions

Function 00000001401BFA90, Relevance: 19.7, APIs: 10, Strings: 1, Instructions: 495
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ZwCreateSection.NTDLL ref: 00000001401BFB9E
RtlNtStatusToDosError.NTDLL ref: 00000001401BFD4B

Part of subcall function 00000001401C0FD6: ZwQueryInformationFile.NTDLL ref: 00000001401C101E
Part of subcall function 00000001401C0FD6: RtlNtStatusToDosError.NTDLL ref: 00000001401C1042

NtMapViewOfSection.NTDLL ref: 00000001401BFCB4
RtlNtStatusToDosError.NTDLL ref: 00000001401BFD1E
ZwClose.NTDLL ref: 00000001401BFD39

Strings

fJki, xrefs: 00000001401BFF52

Memory Dump Source

Source File: 00000001.00000002.349810516.0000000140015000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.349744556.0000000140000000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.349749698.0000000140001000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.349769290.000000014000B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.349787358.000000014000D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.349792722.000000014000E000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.350399760.00000001401C5000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_Unistore.jbxd

Similarity

API ID: ErrorStatus$Section$CloseCreateFileInformationQueryView
String ID: fJki
API String ID: 2474743542-4033025093
Opcode ID: 73d7b728d5ddf76775b2eb80935b564ecded23c43f25e060030e48655bbb0400
Instruction ID: 6cacc4daf11f20fa530b0a97631432ccf775cc059f95097cca47d00902830403
Opcode Fuzzy Hash: 73d7b728d5ddf76775b2eb80935b564ecded23c43f25e060030e48655bbb0400
Instruction Fuzzy Hash: 4A12067260CA90C6E6368F56E4843EEA7B1F38CF90F644519DB9A47AF4DB38C544EB40

Uniqueness

Uniqueness Score: -1.00%

Function 00000001401B6AA9, Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 334
filenativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtCreateFile.NTDLL ref: 00000001401B6BB1
RtlNtStatusToDosError.NTDLL ref: 00000001401B6D22

Strings

!, xrefs: 00000001401B6B1C

Memory Dump Source

Source File: 00000001.00000002.349810516.0000000140015000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.349744556.0000000140000000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.349749698.0000000140001000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.349769290.000000014000B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.349787358.000000014000D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.349792722.000000014000E000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.350399760.00000001401C5000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_Unistore.jbxd

Similarity

API ID: CreateErrorFileStatus
String ID: !
API String ID: 3864118154-2657877971
Opcode ID: 275a87daf9f7a936a5ec19daee3884662f8bfb97dc069e23a4c0c26ad8b069df
Instruction ID: dff2eba309616e4bedd284aa11014bf1fe1f675aba5b9a92be41c895a42fe0a9
Opcode Fuzzy Hash: 275a87daf9f7a936a5ec19daee3884662f8bfb97dc069e23a4c0c26ad8b069df
Instruction Fuzzy Hash: D3D10E72718A85C6E7369F26E490BED67B1F39CF84F608115EB8607AB4CB3DC9459B00

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140008FD8, Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 126
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlInitUnicodeString.NTDLL ref: 00000001401C2CAB
RtlpNtOpenKey.NTDLL ref: 00000001401C2CF8
RtlNtStatusToDosError.NTDLL ref: 00000001401C2D05
NtEnumerateKey.NTDLL ref: 00000001401C2D55
RtlNtStatusToDosError.NTDLL ref: 00000001401C2DF8
NtClose.NTDLL ref: 00000001401C2E16

Strings

@, xrefs: 00000001401C2CE1
0, xrefs: 00000001401C2CC5

Memory Dump Source

Source File: 00000001.00000002.349749698.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.349744556.0000000140000000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.349769290.000000014000B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.349787358.000000014000D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.349792722.000000014000E000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.349810516.0000000140015000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.350399760.00000001401C5000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_Unistore.jbxd

Similarity

API ID: ErrorStatus$CloseEnumerateInitOpenRtlpStringUnicode
String ID: 0$@
API String ID: 1614393503-1545510068
Opcode ID: cefe9010a734a50205bc64eafaf39f00a44266cd455ab14de18c91e7259cd50c
Instruction ID: 43aab7de132ee3581aaf72cf9245a1ffe5c3a98ffdefe0118e2a4408a218dc0b
Opcode Fuzzy Hash: cefe9010a734a50205bc64eafaf39f00a44266cd455ab14de18c91e7259cd50c
Instruction Fuzzy Hash: 7841A13620CA94C7E6628F56A4947FDB3A0F39CF80F640015EB8757AB4CA78C945D781

Uniqueness

Uniqueness Score: -1.00%

Function 00000001401BA75C, Relevance: 12.6, APIs: 8, Instructions: 625
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00000001401B8494: RtlDosPathNameToNtPathName_U.NTDLL ref: 00000001401B84DB
Part of subcall function 00000001401B8494: RtlAllocateHeap.NTDLL ref: 00000001401B850D
Part of subcall function 00000001401B8494: RtlDosPathNameToNtPathName_U.NTDLL ref: 00000001401B8558

RtlDosPathNameToNtPathName_U.NTDLL ref: 00000001401BA880
GetFileAttributesW.KERNELBASE ref: 00000001401BA90C
SetFileAttributesW.KERNELBASE ref: 00000001401BA93C
RtlDosPathNameToNtPathName_U.NTDLL ref: 00000001401BA986

Part of subcall function 00000001401C2B01: NtCreateFile.NTDLL ref: 00000001401C2BDF
Part of subcall function 00000001401C2B01: RtlNtStatusToDosError.NTDLL ref: 00000001401C2BF9
Part of subcall function 00000001401C2B01: RtlFreeUnicodeString.NTDLL ref: 00000001401C2C09

Memory Dump Source

Source File: 00000001.00000002.349810516.0000000140015000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.349744556.0000000140000000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.349749698.0000000140001000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.349769290.000000014000B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.349787358.000000014000D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.349792722.000000014000E000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.350399760.00000001401C5000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_Unistore.jbxd

Similarity

API ID: Path$NameName_$File$Attributes$AllocateCreateErrorFreeHeapStatusStringUnicode
String ID:
API String ID: 491010790-0
Opcode ID: 3b7af53d72e4937fe5e2f2081f34c41259a22109ea63df594ff7d3c4d6e13dc3
Instruction ID: a221014fde11b357e50eb31c90b29b3f0fff55f0adeee81d003b42f1c28daa9c
Opcode Fuzzy Hash: 3b7af53d72e4937fe5e2f2081f34c41259a22109ea63df594ff7d3c4d6e13dc3
Instruction Fuzzy Hash: F3225932318E5086E6369A2BA4807FE66B1F78CF91FA04112EB5A17BF4DB7DC544E740

Uniqueness

Uniqueness Score: -1.00%

Function 00000001401B8494, Relevance: 12.2, APIs: 8, Instructions: 153
memorynativefileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlDosPathNameToNtPathName_U.NTDLL ref: 00000001401B84DB
RtlAllocateHeap.NTDLL ref: 00000001401B850D
RtlDosPathNameToNtPathName_U.NTDLL ref: 00000001401B8558
NtSetInformationFile.NTDLL ref: 00000001401B8645
RtlNtStatusToDosError.NTDLL ref: 00000001401B865A
NtClose.NTDLL ref: 00000001401B8685
HeapFree.KERNEL32 ref: 00000001401B86A4

Part of subcall function 00000001401C2B01: NtCreateFile.NTDLL ref: 00000001401C2BDF
Part of subcall function 00000001401C2B01: RtlNtStatusToDosError.NTDLL ref: 00000001401C2BF9
Part of subcall function 00000001401C2B01: RtlFreeUnicodeString.NTDLL ref: 00000001401C2C09

RtlFreeUnicodeString.NTDLL ref: 00000001401B86C7

Memory Dump Source

Source File: 00000001.00000002.349810516.0000000140015000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.349744556.0000000140000000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.349749698.0000000140001000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.349769290.000000014000B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.349787358.000000014000D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.349792722.000000014000E000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.350399760.00000001401C5000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_Unistore.jbxd

Similarity

API ID: Path$Free$ErrorFileHeapNameName_StatusStringUnicode$AllocateCloseCreateInformation
String ID:
API String ID: 2559230980-0
Opcode ID: 430b56e4ca29756a14a1c6975e501c8467b3832cc703cfb1f0237b9fe915df1b
Instruction ID: 62f3d813f31e6db86065cee1a1b974aa19cee4a520246a008d9e7b907297db8e
Opcode Fuzzy Hash: 430b56e4ca29756a14a1c6975e501c8467b3832cc703cfb1f0237b9fe915df1b
Instruction Fuzzy Hash: BB51C1B2318E9583E6369B2BA4947FE6371F78CF81F604025AF8B47AA4DB39C404D710

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140004DE4, Relevance: 10.7, APIs: 7, Instructions: 249
memorystringnativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenW.KERNEL32 ref: 00000001401BD0BF
RtlAllocateHeap.NTDLL ref: 00000001401BD104
PathFindFileNameW.SHLWAPI ref: 00000001401BD14C
HeapFree.KERNEL32 ref: 00000001401BD313

Part of subcall function 00000001401C0D0F: lstrcatW.KERNEL32 ref: 00000001401C0D71
Part of subcall function 00000001401C0D0F: RtlDosPathNameToNtPathName_U.NTDLL ref: 00000001401C0D90
Part of subcall function 00000001401C0D0F: RtlDosPathNameToNtPathName_U.NTDLL ref: 00000001401C0E42

lstrcpyW.KERNEL32 ref: 00000001401BD1C3
ZwClose.NTDLL ref: 00000001401BD2C0
lstrcpyW.KERNEL32 ref: 00000001401BD2E0

Memory Dump Source

Source File: 00000001.00000002.349749698.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.349744556.0000000140000000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.349769290.000000014000B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.349787358.000000014000D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.349792722.000000014000E000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.349810516.0000000140015000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.350399760.00000001401C5000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_Unistore.jbxd

Similarity

API ID: Path$Name$HeapName_lstrcpy$AllocateCloseFileFindFreelstrcatlstrlen
String ID:
API String ID: 1965623089-0
Opcode ID: c8b611ea731ab03e0f5124e5b79ec21a802973ec7191f99e1c9477716043faa6
Instruction ID: d8eb7f02ffb4ce221d6e4d80c2b5821d6b3cc41ad9d7055eae6180d4ff680c78
Opcode Fuzzy Hash: c8b611ea731ab03e0f5124e5b79ec21a802973ec7191f99e1c9477716043faa6
Instruction Fuzzy Hash: E89122B1309EA086E62AEB27A4943FD76B2B34CFD1FA44511AB0707AF5EB39C545D301

Uniqueness

Uniqueness Score: -1.00%

Function 00000001401C2B01, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 72
filenativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtCreateFile.NTDLL ref: 00000001401C2BDF
RtlNtStatusToDosError.NTDLL ref: 00000001401C2BF9
RtlFreeUnicodeString.NTDLL ref: 00000001401C2C09

Strings

0, xrefs: 00000001401C2B24

Memory Dump Source

Source File: 00000001.00000002.349810516.0000000140015000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.349744556.0000000140000000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.349749698.0000000140001000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.349769290.000000014000B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.349787358.000000014000D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.349792722.000000014000E000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.350399760.00000001401C5000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_Unistore.jbxd

Similarity

API ID: CreateErrorFileFreeStatusStringUnicode
String ID: 0
API String ID: 1947615143-4108050209
Opcode ID: ee6ff86ba9fcf89f58ea2304b61282cf384a93a18fa5aae12a6f961241c0bf9f
Instruction ID: ef288eb9752d4257f5d28402ab127722a47a2f372646e169f149e5abad48fc1f
Opcode Fuzzy Hash: ee6ff86ba9fcf89f58ea2304b61282cf384a93a18fa5aae12a6f961241c0bf9f
Instruction Fuzzy Hash: D321AF7270CB85C7E321CF56A5443ED73A4F34CB94FA1023AD79A476A0CB3AC945AB51

Uniqueness

Uniqueness Score: -1.00%

Function 00000001401C296F, Relevance: 6.1, APIs: 4, Instructions: 95
nativefileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlDosPathNameToNtPathName_U.NTDLL ref: 00000001401C29C4

Part of subcall function 00000001401C2B01: NtCreateFile.NTDLL ref: 00000001401C2BDF
Part of subcall function 00000001401C2B01: RtlNtStatusToDosError.NTDLL ref: 00000001401C2BF9
Part of subcall function 00000001401C2B01: RtlFreeUnicodeString.NTDLL ref: 00000001401C2C09

NtSetInformationFile.NTDLL ref: 00000001401C2A8C
RtlNtStatusToDosError.NTDLL ref: 00000001401C2AA6
ZwClose.NTDLL ref: 00000001401C2AD0

Memory Dump Source

Source File: 00000001.00000002.349810516.0000000140015000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.349744556.0000000140000000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.349749698.0000000140001000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.349769290.000000014000B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.349787358.000000014000D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.349792722.000000014000E000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.350399760.00000001401C5000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_Unistore.jbxd

Similarity

API ID: ErrorFilePathStatus$CloseCreateFreeInformationNameName_StringUnicode
String ID:
API String ID: 3935821395-0
Opcode ID: 0ee0267f7fd7b3af215bad09630d7b69b732333c3ba9d2aa5b7b3023102a762e
Instruction ID: 3c10e83f379e31477fe6b0f773ecfcbed9a1c25e3a55598913f2579b8341790f
Opcode Fuzzy Hash: 0ee0267f7fd7b3af215bad09630d7b69b732333c3ba9d2aa5b7b3023102a762e
Instruction Fuzzy Hash: EE31A97131CA90C7EB368A57A1807EDA662F74CF84FA40125E78A07EB5DB79C6489710

Uniqueness

Uniqueness Score: -1.00%

Function 00000001401BF96E, Relevance: 6.1, APIs: 4, Instructions: 72
filenativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ZwQueryInformationFile.NTDLL ref: 00000001401BF9C7
RtlNtStatusToDosError.NTDLL ref: 00000001401BF9E1
NtSetInformationFile.NTDLL ref: 00000001401BFA4E
RtlNtStatusToDosError.NTDLL ref: 00000001401BFA63

Memory Dump Source

Source File: 00000001.00000002.349810516.0000000140015000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.349744556.0000000140000000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.349749698.0000000140001000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.349769290.000000014000B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.349787358.000000014000D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.349792722.000000014000E000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.350399760.00000001401C5000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_Unistore.jbxd

Similarity

API ID: ErrorFileInformationStatus$Query
String ID:
API String ID: 1857635062-0
Opcode ID: ada0dee1e524097acd5353b628942dedd96253e3d3bedc42575f9dddddebb112
Instruction ID: 5e6572c19a03d61ea4a3dd96380a3eb08e1d0e3d2c6bbb02374d793fc2153bf2
Opcode Fuzzy Hash: ada0dee1e524097acd5353b628942dedd96253e3d3bedc42575f9dddddebb112
Instruction Fuzzy Hash: 8121BA76308E45E6E62B8B72A5503FD6270A35CFD8F608019A74A476F4EBB8C948F710

Uniqueness

Uniqueness Score: -1.00%

Function 00000001401BC979, Relevance: 4.6, APIs: 3, Instructions: 94filenativeCOMMON

Download Yara Rule

APIs

ZwQueryInformationFile.NTDLL ref: 00000001401BC9DF
NtSetInformationFile.NTDLL ref: 00000001401BCA9C
RtlNtStatusToDosError.NTDLL ref: 00000001401BCAB6

Memory Dump Source

Source File: 00000001.00000002.349810516.0000000140015000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.349744556.0000000140000000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.349749698.0000000140001000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.349769290.000000014000B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.349787358.000000014000D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.349792722.000000014000E000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.350399760.00000001401C5000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_Unistore.jbxd

Similarity

API ID: FileInformation$ErrorQueryStatus
String ID:
API String ID: 1212993688-0
Opcode ID: eede84686d48efbf3d91ad75953e54407c9a049f776d668345200087cc863dff
Instruction ID: ebaa73aad86bb007732c9fd3458defffaa87b0a0acaa8efd3b21bb011e73e327
Opcode Fuzzy Hash: eede84686d48efbf3d91ad75953e54407c9a049f776d668345200087cc863dff
Instruction Fuzzy Hash: B5313976325E8882F721DB67E4987ED6672A38CFC1FA10015A75B436F5EB79C449CB00

Uniqueness

Uniqueness Score: -1.00%

Function 00000001401BBADF, Relevance: 3.1, APIs: 2, Instructions: 67filenativeCOMMON

Download Yara Rule

APIs

NtWriteFile.NTDLL ref: 00000001401BBB6D
RtlNtStatusToDosError.NTDLL ref: 00000001401BBB87

Memory Dump Source

Source File: 00000001.00000002.349810516.0000000140015000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.349744556.0000000140000000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.349749698.0000000140001000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.349769290.000000014000B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.349787358.000000014000D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.349792722.000000014000E000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.350399760.00000001401C5000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_Unistore.jbxd

Similarity

API ID: ErrorFileStatusWrite
String ID:
API String ID: 3865071773-0
Opcode ID: 10e0a121e2d6ae3f9d0e0b4760bdb52d319d068acb6e4714df4cfeb761724da7
Instruction ID: 16b6d6156c2091a5e38c09da7db7184b3af8722cbd01314bb2e9d1d4b7d0a5bb
Opcode Fuzzy Hash: 10e0a121e2d6ae3f9d0e0b4760bdb52d319d068acb6e4714df4cfeb761724da7
Instruction Fuzzy Hash: 11219671719F16C5FB358A62E6D4BED62B0A30CB90F654234C75607AE8DBB8C691D700

Uniqueness

Uniqueness Score: -1.00%

Function 00000001401B96EE, Relevance: 16.8, APIs: 11, Instructions: 251
memorysynchronizationthreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

HeapAlloc.KERNEL32 ref: 00000001401B9788

Part of subcall function 00000001401BB247: ZwCreateEvent.NTDLL ref: 00000001401BB2E1

InitializeCriticalSection.KERNEL32 ref: 00000001401B9815
CreateThread.KERNELBASE ref: 00000001401B98B0
StrChrW.SHLWAPI ref: 00000001401B9900
HeapFree.KERNEL32 ref: 00000001401B99A6
SetEvent.KERNEL32 ref: 00000001401B9A15
WaitForSingleObject.KERNEL32 ref: 00000001401B9A26
GetLastError.KERNEL32 ref: 00000001401B9A39
CloseHandle.KERNEL32 ref: 00000001401B9A5F
GetLastError.KERNEL32 ref: 00000001401B9A87
HeapFree.KERNEL32 ref: 00000001401B9AB4

Memory Dump Source

Source File: 00000001.00000002.349810516.0000000140015000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.349744556.0000000140000000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.349749698.0000000140001000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.349769290.000000014000B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.349787358.000000014000D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.349792722.000000014000E000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.350399760.00000001401C5000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_Unistore.jbxd

Similarity

API ID: Heap$CreateErrorEventFreeLast$AllocCloseCriticalHandleInitializeObjectSectionSingleThreadWait
String ID:
API String ID: 2169149918-0
Opcode ID: bcebbe1e3e4cc665efd90584cc7bb07e92fa168ca30119b4ca61a4488971bc38
Instruction ID: 80862a0e64a19df39044d1d1a80b6829d439bcf2cabf9401f2bd779f9838c579
Opcode Fuzzy Hash: bcebbe1e3e4cc665efd90584cc7bb07e92fa168ca30119b4ca61a4488971bc38
Instruction Fuzzy Hash: 84913071B09E64C2E626EB37A8503EE62B1F388FD4F6401129B5A077F6EB78C442D700

Uniqueness

Uniqueness Score: -1.00%

Function 00000001401B9C72, Relevance: 13.8, APIs: 9, Instructions: 262
memorystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLogicalDriveStringsW.KERNELBASE ref: 00000001401B9CF7
HeapAlloc.KERNEL32 ref: 00000001401B9D3C
GetLogicalDriveStringsW.KERNEL32 ref: 00000001401B9D9A

Part of subcall function 00000001401C3057: HeapAlloc.KERNEL32(00000000,?,?,00000001401B9DB1), ref: 00000001401C30E4
Part of subcall function 00000001401C3057: lstrlenW.KERNEL32(?,?,00000001401B9DB1), ref: 00000001401C3132
Part of subcall function 00000001401C3057: HeapFree.KERNEL32(?,?,00000001401B9DB1), ref: 00000001401C31C9

lstrlenW.KERNEL32 ref: 00000001401B9E06
GetDriveTypeW.KERNEL32 ref: 00000001401B9E15
QueryDosDeviceW.KERNELBASE ref: 00000001401B9E76
StrRChrW.SHLWAPI ref: 00000001401B9E98
StrCmpNW.SHLWAPI ref: 00000001401B9EFE
HeapFree.KERNEL32 ref: 00000001401BA011

Memory Dump Source

Source File: 00000001.00000002.349810516.0000000140015000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.349744556.0000000140000000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.349749698.0000000140001000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.349769290.000000014000B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.349787358.000000014000D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.349792722.000000014000E000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.350399760.00000001401C5000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_Unistore.jbxd

Similarity

API ID: Heap$Drive$AllocFreeLogicalStringslstrlen$DeviceQueryType
String ID:
API String ID: 1397644961-0
Opcode ID: 7a2219bd495ef53acf292b4e29440e66acde5f98005a03fd2837f87533315c2f
Instruction ID: 66a300b27fc8fef35dea40be62018661b849d20b843a8391e6df227ab23fb4c2
Opcode Fuzzy Hash: 7a2219bd495ef53acf292b4e29440e66acde5f98005a03fd2837f87533315c2f
Instruction Fuzzy Hash: 5B914372B08E6582E636EF27A4443FE2AB2B358F91F844115DB4A472F5DB3EC446D340

Uniqueness

Uniqueness Score: -1.00%

Function 00000001401B86FF, Relevance: 12.3, APIs: 8, Instructions: 252
memorystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLogicalDriveStringsW.KERNELBASE ref: 00000001401B87E5
HeapAlloc.KERNEL32 ref: 00000001401B8813
GetLogicalDriveStringsW.KERNELBASE ref: 00000001401B8877
lstrlenW.KERNEL32 ref: 00000001401B8898
QueryDosDeviceW.KERNEL32 ref: 00000001401B88EC
lstrlenW.KERNEL32 ref: 00000001401B8903
StrCmpNIW.KERNELBASE ref: 00000001401B8952

Memory Dump Source

Source File: 00000001.00000002.349810516.0000000140015000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.349744556.0000000140000000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.349749698.0000000140001000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.349769290.000000014000B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.349787358.000000014000D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.349792722.000000014000E000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.350399760.00000001401C5000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_Unistore.jbxd

Similarity

API ID: DriveLogicalStringslstrlen$AllocDeviceHeapQuery
String ID:
API String ID: 483063260-0
Opcode ID: 489b5a3322a92875f793c37380596326fd1886cf87fcf36179fa0425e5c940d5
Instruction ID: 307088e11832c664a1a4c79a2800c12574c29e730166ef9093fe9fd9b760cedb
Opcode Fuzzy Hash: 489b5a3322a92875f793c37380596326fd1886cf87fcf36179fa0425e5c940d5
Instruction Fuzzy Hash: 4A816532700EA087FA26AF2799943FE26B1B788FE4FA451119F16276F0DB39C845D301

Uniqueness

Uniqueness Score: -1.00%

Function 00000001401B9AE5, Relevance: 6.1, APIs: 4, Instructions: 100
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

EnterCriticalSection.KERNEL32 ref: 00000001401B9B47
ResetEvent.KERNEL32 ref: 00000001401B9BAD
LeaveCriticalSection.KERNEL32 ref: 00000001401B9BC4
RtlReleasePrivilege.NTDLL ref: 00000001401B9C0D

Memory Dump Source

Source File: 00000001.00000002.349810516.0000000140015000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.349744556.0000000140000000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.349749698.0000000140001000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.349769290.000000014000B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.349787358.000000014000D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.349792722.000000014000E000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.350399760.00000001401C5000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_Unistore.jbxd

Similarity

API ID: CriticalSection$EnterEventLeavePrivilegeReleaseReset
String ID:
API String ID: 1043278916-0
Opcode ID: d08db9d18e40cb5e7c32fe333a69dac1111413182cb8606a71f1ec142a59ee25
Instruction ID: c1139751ab1a9415f438414f0522da2ad2641207cae2800b065fb34e20dfa15a
Opcode Fuzzy Hash: d08db9d18e40cb5e7c32fe333a69dac1111413182cb8606a71f1ec142a59ee25
Instruction Fuzzy Hash: D831DE37704E6082EB1AAF27EA903ED67B0F789FD4F9850019B4A136B5DB38C946C340

Uniqueness

Uniqueness Score: -1.00%

Function 00000001401BEB27, Relevance: 4.7, APIs: 3, Instructions: 197
memorystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(00000000,00000001401B6A6A), ref: 00000001401BEC81
lstrcmpW.KERNEL32 ref: 00000001401BED2D
HeapFree.KERNEL32 ref: 00000001401BED77

Memory Dump Source

Source File: 00000001.00000002.349810516.0000000140015000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.349744556.0000000140000000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.349749698.0000000140001000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.349769290.000000014000B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.349787358.000000014000D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.349792722.000000014000E000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.350399760.00000001401C5000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_Unistore.jbxd

Similarity

API ID: Heap$AllocateFreelstrcmp
String ID:
API String ID: 3727395044-0
Opcode ID: 6e0bd297a774ad971d2e68aba98fe4fd42e94893bd2a25a5e6530357dcdeb2b0
Instruction ID: 3904fcca3e121e6e3d0674ceb08fabdd155da1770fc9112b8f2d54046ab635ca
Opcode Fuzzy Hash: 6e0bd297a774ad971d2e68aba98fe4fd42e94893bd2a25a5e6530357dcdeb2b0
Instruction Fuzzy Hash: 3C612136208E40CAEB2A8F6BE4C03ED6AF1A75CF94F5846269B4A0F6F4C779C540D750

Uniqueness

Uniqueness Score: -1.00%

Function 00000001401BBCD8, Relevance: 4.6, APIs: 2, Strings: 1, Instructions: 104
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLastError.KERNEL32 ref: 00000001401BBD90
GetLastError.KERNEL32 ref: 00000001401BBDB2

Strings

@, xrefs: 00000001401BBD46

Memory Dump Source

Source File: 00000001.00000002.349810516.0000000140015000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.349744556.0000000140000000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.349749698.0000000140001000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.349769290.000000014000B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.349787358.000000014000D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.349792722.000000014000E000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.350399760.00000001401C5000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_Unistore.jbxd

Similarity

API ID: ErrorLast
String ID: @
API String ID: 1452528299-2766056989
Opcode ID: c41f65edd067ca08288f567e672371d5c9d0c13c005228723ac45508979d270d
Instruction ID: fe4761132710f47eef07f1c65d1d455f505659ecb00094403eea44613dff1d62
Opcode Fuzzy Hash: c41f65edd067ca08288f567e672371d5c9d0c13c005228723ac45508979d270d
Instruction Fuzzy Hash: FE312535704E9186F6269AA7A4D1BFE5272BB8CF88F644421AB4647EB4CFFCC2019310

Uniqueness

Uniqueness Score: -1.00%

Function 00000001401B66C2, Relevance: 4.6, APIs: 3, Instructions: 81memoryshareCOMMON

Download Yara Rule

APIs

HeapAlloc.KERNEL32 ref: 00000001401B6740
WNetGetUniversalNameW.MPR ref: 00000001401B6778
HeapFree.KERNEL32 ref: 00000001401B67C5

Part of subcall function 00000001401BE9FF: lstrlenW.KERNEL32(?,?,?,00000001401B679E), ref: 00000001401BEA44
Part of subcall function 00000001401BE9FF: HeapAlloc.KERNEL32(?,?,?,00000001401B679E), ref: 00000001401BEA84

Memory Dump Source

Source File: 00000001.00000002.349810516.0000000140015000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.349744556.0000000140000000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.349749698.0000000140001000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.349769290.000000014000B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.349787358.000000014000D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.349792722.000000014000E000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.350399760.00000001401C5000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_Unistore.jbxd

Similarity

API ID: Heap$Alloc$FreeNameUniversallstrlen
String ID:
API String ID: 4170076436-0
Opcode ID: f248b6ea0348177667b3420b259791490377a3bb44fbe545d3c0927c452573af
Instruction ID: b551ea2555f2f6fa4528a3ad87b184cb53cf868e917ec4558e7bb856ff359264
Opcode Fuzzy Hash: f248b6ea0348177667b3420b259791490377a3bb44fbe545d3c0927c452573af
Instruction Fuzzy Hash: 78212675F04A5481F7569F33A8403ED36B2A7A8FE8F9482229B29077E8DF3DC1498700

Uniqueness

Uniqueness Score: -1.00%

Function 00000001401B6800, Relevance: 1.5, APIs: 1, Instructions: 49memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL ref: 00000001401B6861

Memory Dump Source

Source File: 00000001.00000002.349810516.0000000140015000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.349744556.0000000140000000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.349749698.0000000140001000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.349769290.000000014000B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.349787358.000000014000D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.349792722.000000014000E000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.350399760.00000001401C5000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_Unistore.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: b7b069d10d06fc26d7960511ec911b3a1eda2b29ef37c871f131eab02796893d
Instruction ID: 1a2957071d4ccd7346b1a1d745e637031b62f491f6978c4401a722a3de69a61f
Opcode Fuzzy Hash: b7b069d10d06fc26d7960511ec911b3a1eda2b29ef37c871f131eab02796893d
Instruction Fuzzy Hash: 570126B1F10F5186FA1B9B77E8217DE2261A35DBE1F5840242B0E0B3E5DA3CC0108750

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00000001400082B0, Relevance: 35.0, APIs: 23, Instructions: 488memorystringCOMMON

Download Yara Rule

APIs

Part of subcall function 00000001400032D8: HeapFree.KERNEL32 ref: 00000001400033CC
Part of subcall function 00000001400032D8: lstrlenW.KERNEL32 ref: 00000001400033FC
Part of subcall function 00000001400032D8: HeapFree.KERNEL32 ref: 000000014000341D

PathCombineW.SHLWAPI ref: 00000001401C19EB
PathCombineW.SHLWAPI ref: 00000001401C1A22
HeapFree.KERNEL32 ref: 00000001401C1A6A
StrTrimW.SHLWAPI ref: 00000001401C1AA4
_wcslwr.NTDLL ref: 00000001401C1B54
_wcslwr.NTDLL ref: 00000001401C1B66
lstrcmpW.KERNEL32 ref: 00000001401C1BB6
StrTrimW.SHLWAPI ref: 00000001401C1BD4
lstrlenW.KERNEL32 ref: 00000001401C1C05
lstrlenW.KERNEL32 ref: 00000001401C1C15
HeapAlloc.KERNEL32 ref: 00000001401C1C3A
_wcslwr.NTDLL ref: 00000001401C1C5D

Memory Dump Source

Source File: 00000001.00000002.349749698.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.349744556.0000000140000000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.349769290.000000014000B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.349787358.000000014000D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.349792722.000000014000E000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.349810516.0000000140015000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.350399760.00000001401C5000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_Unistore.jbxd

Similarity

API ID: Heap$Free_wcslwrlstrlen$CombinePathTrim$Alloclstrcmp
String ID:
API String ID: 3559748661-0
Opcode ID: 52160a1d7593a377ff20addee7f70fa9f31049f6f67c4131dbd78adcc5db42e8
Instruction ID: 9462b773b900772d5c1c373bd5a9f0b8cbae344b0f6341caa20f4ba506632417
Opcode Fuzzy Hash: 52160a1d7593a377ff20addee7f70fa9f31049f6f67c4131dbd78adcc5db42e8
Instruction Fuzzy Hash: 2A12DB7224CA95C6FA27DB23E4503EE6361F78EF84F944122AF4A47AB9DB38C505D701

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400032D8, Relevance: 16.8, APIs: 10, Strings: 1, Instructions: 261memorystringCOMMON

Download Yara Rule

APIs

Part of subcall function 0000000140002A14: HeapAlloc.KERNEL32 ref: 00000001401B9355

HeapFree.KERNEL32 ref: 00000001400033CC
lstrlenW.KERNEL32 ref: 00000001400033FC
HeapFree.KERNEL32 ref: 000000014000341D

Part of subcall function 0000000140002BF0: StrChrW.SHLWAPI ref: 00000001401B95A0

HeapAlloc.KERNEL32 ref: 00000001400034BB
HeapFree.KERNEL32 ref: 0000000140003521
HeapFree.KERNEL32 ref: 000000014000353E
HeapFree.KERNEL32 ref: 00000001400035AA
HeapFree.KERNEL32 ref: 00000001400036DD
HeapFree.KERNEL32 ref: 00000001400036F4
HeapFree.KERNEL32 ref: 000000014000370B

Strings

n{~9, xrefs: 000000014000339C

Memory Dump Source

Source File: 00000001.00000002.349749698.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.349744556.0000000140000000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.349769290.000000014000B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.349787358.000000014000D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.349792722.000000014000E000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.349810516.0000000140015000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.350399760.00000001401C5000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_Unistore.jbxd

Similarity

API ID: Heap$Free$Alloc$lstrlen
String ID: n{~9
API String ID: 2960935155-1285555437
Opcode ID: 18a067246e184715129379d84bcdc50c2cdf1d37d9d1dd5e54e4f361c45eb575
Instruction ID: 8f9cdd0bc6f4abff456ae41303d2b60fbcb045be3c1a6f23a4601ff69c9a9dba
Opcode Fuzzy Hash: 18a067246e184715129379d84bcdc50c2cdf1d37d9d1dd5e54e4f361c45eb575
Instruction Fuzzy Hash: 01B191F13006859AEA32EB63B8447DA73A6F78DBD4F804412EB4A57B65CF38E444C752

Uniqueness

Uniqueness Score: -1.00%

Function 00000001401BD6E7, Relevance: 9.2, APIs: 6, Instructions: 189memorynativefileCOMMON

Download Yara Rule

APIs

HeapAlloc.KERNEL32 ref: 00000001401BD738
RtlDosPathNameToNtPathName_U.NTDLL ref: 00000001401BD78A
ZwSetInformationFile.NTDLL ref: 00000001401BD920
RtlNtStatusToDosError.NTDLL ref: 00000001401BD935

Part of subcall function 00000001401C2B01: NtCreateFile.NTDLL ref: 00000001401C2BDF
Part of subcall function 00000001401C2B01: RtlNtStatusToDosError.NTDLL ref: 00000001401C2BF9
Part of subcall function 00000001401C2B01: RtlFreeUnicodeString.NTDLL ref: 00000001401C2C09

ZwClose.NTDLL ref: 00000001401BD97C

Part of subcall function 00000001401C296F: RtlDosPathNameToNtPathName_U.NTDLL ref: 00000001401C29C4
Part of subcall function 00000001401C296F: NtSetInformationFile.NTDLL ref: 00000001401C2A8C
Part of subcall function 00000001401C296F: RtlNtStatusToDosError.NTDLL ref: 00000001401C2AA6
Part of subcall function 00000001401C296F: ZwClose.NTDLL ref: 00000001401C2AD0

HeapFree.KERNEL32 ref: 00000001401BD9AC

Memory Dump Source

Source File: 00000001.00000002.349810516.0000000140015000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.349744556.0000000140000000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.349749698.0000000140001000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.349769290.000000014000B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.349787358.000000014000D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.349792722.000000014000E000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.350399760.00000001401C5000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_Unistore.jbxd

Similarity

API ID: Path$ErrorFileStatus$CloseFreeHeapInformationNameName_$AllocCreateStringUnicode
String ID:
API String ID: 852014873-0
Opcode ID: 7e33a34cb7d4c46a5441e1dd9e9d6b3db8d53815ff9bab756111011ffddd8cf7
Instruction ID: 7733fd4414e813c163f79a17e505c5c4fe6177f0c5f0daf362b1216a2046d526
Opcode Fuzzy Hash: 7e33a34cb7d4c46a5441e1dd9e9d6b3db8d53815ff9bab756111011ffddd8cf7
Instruction Fuzzy Hash: 43610531708E5182E72A9A63A4807ED7271E78DFD8F604121AB8A477E5EF7CC508D710

Uniqueness

Uniqueness Score: -1.00%

Function 000000014000293C, Relevance: 9.1, APIs: 6, Instructions: 122memorynativeCOMMON

Download Yara Rule

APIs

ZwQueryVirtualMemory.NTDLL ref: 00000001401B9119
HeapAlloc.KERNEL32 ref: 00000001401B9152
ZwQueryVirtualMemory.NTDLL ref: 00000001401B91C2
RtlNtStatusToDosError.NTDLL ref: 00000001401B91F9
HeapFree.KERNEL32 ref: 00000001401B9229

Part of subcall function 00000001401B86FF: GetLogicalDriveStringsW.KERNELBASE ref: 00000001401B87E5
Part of subcall function 00000001401B86FF: HeapAlloc.KERNEL32 ref: 00000001401B8813
Part of subcall function 00000001401B86FF: GetLogicalDriveStringsW.KERNELBASE ref: 00000001401B8877

RtlNtStatusToDosError.NTDLL ref: 00000001401B9245

Memory Dump Source

Source File: 00000001.00000002.349749698.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.349744556.0000000140000000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.349769290.000000014000B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.349787358.000000014000D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.349792722.000000014000E000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.349810516.0000000140015000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.350399760.00000001401C5000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_Unistore.jbxd

Similarity

API ID: Heap$AllocDriveErrorLogicalMemoryQueryStatusStringsVirtual$Free
String ID:
API String ID: 2121004382-0
Opcode ID: 384e2902690aef6859f302913b4d0d7abb9aac3256f7efaee4e2e9949058a16a
Instruction ID: fdee583891e31a3583d84b39cf969cdf38f8912567c68894f30adfcbf1df4d04
Opcode Fuzzy Hash: 384e2902690aef6859f302913b4d0d7abb9aac3256f7efaee4e2e9949058a16a
Instruction Fuzzy Hash: 89413571704E5183EA169BABA4947EE3261E35DFF0F604325AF6A07BE2DB39C4069700

Uniqueness

Uniqueness Score: -1.00%

Function 00000001401B8D30, Relevance: 7.6, APIs: 5, Instructions: 96memorynativeCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 00000001401B8D96
HeapFree.KERNEL32 ref: 00000001401B8DF8
LeaveCriticalSection.KERNEL32 ref: 00000001401B8E1D
DeleteCriticalSection.KERNEL32 ref: 00000001401B8E27
ZwClose.NTDLL ref: 00000001401B8E3A

Memory Dump Source

Source File: 00000001.00000002.349810516.0000000140015000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.349744556.0000000140000000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.349749698.0000000140001000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.349769290.000000014000B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.349787358.000000014000D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.349792722.000000014000E000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.350399760.00000001401C5000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_Unistore.jbxd

Similarity

API ID: CriticalSection$CloseDeleteEnterFreeHeapLeave
String ID:
API String ID: 3958598305-0
Opcode ID: 41183ab70344ed0bbbc3d1157e2838102b67b9408123f527468f07482927bc7c
Instruction ID: 0ece5602bdc53c2ff112483b2af365f24d175bcab443965cdaf18fc666e1a67c
Opcode Fuzzy Hash: 41183ab70344ed0bbbc3d1157e2838102b67b9408123f527468f07482927bc7c
Instruction Fuzzy Hash: 64319632645E58C6EA269F66E8003E96770F78CF90FA98112EF6A172F4DB39C845D340

Uniqueness

Uniqueness Score: -1.00%

Function 00000001401C0D0F, Relevance: 6.2, APIs: 4, Instructions: 171stringnativeCOMMON

Download Yara Rule

APIs

lstrcatW.KERNEL32 ref: 00000001401C0D71
RtlDosPathNameToNtPathName_U.NTDLL ref: 00000001401C0D90
RtlDosPathNameToNtPathName_U.NTDLL ref: 00000001401C0E42

Part of subcall function 00000001401C2B01: NtCreateFile.NTDLL ref: 00000001401C2BDF
Part of subcall function 00000001401C2B01: RtlNtStatusToDosError.NTDLL ref: 00000001401C2BF9
Part of subcall function 00000001401C2B01: RtlFreeUnicodeString.NTDLL ref: 00000001401C2C09

ZwClose.NTDLL(?,?,?,?,?,00000000,00000001,00000001401BD189), ref: 00000001401C0FA6

Memory Dump Source

Source File: 00000001.00000002.349810516.0000000140015000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.349744556.0000000140000000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.349749698.0000000140001000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.349769290.000000014000B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.349787358.000000014000D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.349792722.000000014000E000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.350399760.00000001401C5000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_Unistore.jbxd

Similarity

API ID: Path$NameName_$CloseCreateErrorFileFreeStatusStringUnicodelstrcat
String ID:
API String ID: 988857485-0
Opcode ID: 89baaef89725aa242ecaa14e7e954e46abfb61c5367625d6f378a5968d13ee3b
Instruction ID: b101e6fd296ddb627b81fb9a0d13ead78ae7c9c2fe99afe77ff16d2e07e2f7a8
Opcode Fuzzy Hash: 89baaef89725aa242ecaa14e7e954e46abfb61c5367625d6f378a5968d13ee3b
Instruction Fuzzy Hash: 7551AD3230CB55C7F6378A67A590BFE63A1E348F94F600529EB4A07AE5DB38C5549B10

Uniqueness

Uniqueness Score: -1.00%

Function 00000001401BB3BC, Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 280memorystringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,?,?,00000050,?,00000000,?,00000001401BC88F), ref: 00000001401BB453
HeapAlloc.KERNEL32(?,?,?,?,?,00000050,?,00000000,?,00000001401BC88F), ref: 00000001401BB493
GetCurrentDirectoryW.KERNEL32(?,?,?,?,?,00000050,?,00000000,?,00000001401BC88F), ref: 00000001401BB562
RtlDosPathNameToNtPathName_U.NTDLL ref: 00000001401BB5D4

Strings

P, xrefs: 00000001401BB739

Memory Dump Source

Source File: 00000001.00000002.349810516.0000000140015000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.349744556.0000000140000000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.349749698.0000000140001000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.349769290.000000014000B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.349787358.000000014000D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.349792722.000000014000E000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.350399760.00000001401C5000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_Unistore.jbxd

Similarity

API ID: Path$AllocCurrentDirectoryHeapNameName_lstrlen
String ID: P
API String ID: 4008739338-3110715001
Opcode ID: ff05ce82206494fc8691d6cf8a2db60cf8b43dcaf4d362dba3c9795c604c5860
Instruction ID: b00598d431a369d2ebdfa74a6c074c4f74e793deeb9a5703906dfbe5e810b95a
Opcode Fuzzy Hash: ff05ce82206494fc8691d6cf8a2db60cf8b43dcaf4d362dba3c9795c604c5860
Instruction Fuzzy Hash: F1A14476604E5086E6269B2BA4A4BFE2271B78CFD5F554021AF4B03AF4DBBDC6089300

Uniqueness

Uniqueness Score: -1.00%

Function 00000001401BC650, Relevance: 16.7, APIs: 11, Instructions: 200memorystringsynchronizationCOMMON

Download Yara Rule

APIs

lstrcpyW.KERNEL32 ref: 00000001401BC6DC
GetLogicalDriveStringsW.KERNEL32 ref: 00000001401BC6EB
HeapAlloc.KERNEL32 ref: 00000001401BC716
GetLogicalDriveStringsW.KERNEL32 ref: 00000001401BC760
WaitForSingleObject.KERNEL32 ref: 00000001401BC7A4
GetDriveTypeW.KERNEL32 ref: 00000001401BC7C2
lstrlenW.KERNEL32 ref: 00000001401BC7D9
lstrcpyW.KERNEL32 ref: 00000001401BC860
HeapFree.KERNEL32 ref: 00000001401BC8B6
lstrlenW.KERNEL32 ref: 00000001401BC8D2
HeapFree.KERNEL32 ref: 00000001401BC915

Memory Dump Source

Source File: 00000001.00000002.349810516.0000000140015000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.349744556.0000000140000000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.349749698.0000000140001000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.349769290.000000014000B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.349787358.000000014000D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.349792722.000000014000E000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.350399760.00000001401C5000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_Unistore.jbxd

Similarity

API ID: DriveHeap$FreeLogicalStringslstrcpylstrlen$AllocObjectSingleTypeWait
String ID:
API String ID: 969958243-0
Opcode ID: 4b4991d5e83f71d0cf1b5fccc88aac13a56846d1088cf1d548c20eadd6f648c6
Instruction ID: a95ffc96c0cd26768bb7bd7246497d1767669f423767dc54e61de91b6120166f
Opcode Fuzzy Hash: 4b4991d5e83f71d0cf1b5fccc88aac13a56846d1088cf1d548c20eadd6f648c6
Instruction Fuzzy Hash: F361E471725E8482EA279B27A4587FE22B2B34CFD1F699421DB6B073B4DF78C4459340

Uniqueness

Uniqueness Score: -1.00%

Function 00000001401B7870, Relevance: 15.2, APIs: 10, Instructions: 206memoryfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00000001401C2723: HeapAlloc.KERNEL32 ref: 00000001401C27AE

PathCombineW.SHLWAPI ref: 00000001401B7981
HeapFree.KERNEL32 ref: 00000001401B79A0
CreateDirectoryW.KERNEL32 ref: 00000001401B79B5
PathCombineW.SHLWAPI ref: 00000001401B7A13
HeapFree.KERNEL32 ref: 00000001401B7A3E
CopyFileW.KERNEL32 ref: 00000001401B7A5C
GetLastError.KERNEL32 ref: 00000001401B7A7C
RemoveDirectoryW.KERNEL32 ref: 00000001401B7AC4
GetLastError.KERNEL32 ref: 00000001401B7ACF
HeapFree.KERNEL32 ref: 00000001401B7B3A

Memory Dump Source

Source File: 00000001.00000002.349810516.0000000140015000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.349744556.0000000140000000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.349749698.0000000140001000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.349769290.000000014000B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.349787358.000000014000D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.349792722.000000014000E000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.350399760.00000001401C5000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_Unistore.jbxd

Similarity

API ID: Heap$Free$CombineDirectoryErrorLastPath$AllocCopyCreateFileRemove
String ID:
API String ID: 3800710234-0
Opcode ID: 3807c1a1ba8245745db85d83fddf9ca5a81f6203fe418bcd93b308aa8c531c16
Instruction ID: eefb1950c1264f0eccadc70191a2d96b96ce5fdc7b11f9ce93614dee2f1086ba
Opcode Fuzzy Hash: 3807c1a1ba8245745db85d83fddf9ca5a81f6203fe418bcd93b308aa8c531c16
Instruction Fuzzy Hash: 13612171708E1087FA679B37A994BFD22B2A74CFD4F644421DB4A0B6F4CB38C584A710

Uniqueness

Uniqueness Score: -1.00%

Function 00000001401C0368, Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 226stringshareCOMMON

Download Yara Rule

APIs

Part of subcall function 00000001401BE9FF: lstrlenW.KERNEL32(?,?,?,00000001401B679E), ref: 00000001401BEA44
Part of subcall function 00000001401BE9FF: HeapAlloc.KERNEL32(?,?,?,00000001401B679E), ref: 00000001401BEA84

StrChrW.SHLWAPI ref: 00000001401C0453
StrChrW.SHLWAPI ref: 00000001401C04A5
lstrlenW.KERNEL32 ref: 00000001401C0503
WNetAddConnection2W.MPR ref: 00000001401C05EE

Strings

R, xrefs: 00000001401C05F6

Memory Dump Source

Source File: 00000001.00000002.349810516.0000000140015000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.349744556.0000000140000000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.349749698.0000000140001000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.349769290.000000014000B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.349787358.000000014000D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.349792722.000000014000E000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.350399760.00000001401C5000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_Unistore.jbxd

Similarity

API ID: lstrlen$AllocConnection2Heap
String ID: R
API String ID: 3090405159-1466425173
Opcode ID: f3fa5c583569bdb16a1d769cc9ce1c056f7c3ea0990e39c89afb95ab994fe36b
Instruction ID: 45ff903aefcb769747060c5208d61997f8bd677a58c0571048c0b744dfbed49a
Opcode Fuzzy Hash: f3fa5c583569bdb16a1d769cc9ce1c056f7c3ea0990e39c89afb95ab994fe36b
Instruction Fuzzy Hash: 6171853270DA7086FA37DA23A5543FE62A1A79CFE5F5542219F8B037F0E678C445DA40

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140007D62, Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 219memorystringCOMMON

Download Yara Rule

APIs

GetVersion.KERNEL32 ref: 00000001401C10B7

Part of subcall function 00000001401B7870: PathCombineW.SHLWAPI ref: 00000001401B7981
Part of subcall function 00000001401B7870: HeapFree.KERNEL32 ref: 00000001401B79A0
Part of subcall function 00000001401B7870: CreateDirectoryW.KERNEL32 ref: 00000001401B79B5

lstrlenW.KERNEL32 ref: 00000001401C1157
lstrlenW.KERNEL32 ref: 00000001401C11BC
HeapFree.KERNEL32 ref: 00000001401C121B
HeapFree.KERNEL32 ref: 00000001401C1263

Strings

", xrefs: 00000001401C1185

Memory Dump Source

Source File: 00000001.00000002.349749698.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.349744556.0000000140000000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.349769290.000000014000B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.349787358.000000014000D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.349792722.000000014000E000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.349810516.0000000140015000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.350399760.00000001401C5000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_Unistore.jbxd

Similarity

API ID: FreeHeap$lstrlen$CombineCreateDirectoryPathVersion
String ID: "
API String ID: 153938819-123907689
Opcode ID: 55497113508cdb6258097df451801b91d0ce614f17e50dc0195082890b2f9196
Instruction ID: 0d59463f523a61b228b470a64759f38acc10a2f598c6bfd8fb5593db2cb9eb02
Opcode Fuzzy Hash: 55497113508cdb6258097df451801b91d0ce614f17e50dc0195082890b2f9196
Instruction Fuzzy Hash: BA512136B9C68486FA23AA77A4443EE5260A7CEFD0FA84121AB0647AF5DB7CC5019301

Uniqueness

Uniqueness Score: -1.00%

Function 00000001401C12D1, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 149memorystringCOMMON

Download Yara Rule

APIs

Part of subcall function 00000001401BD6E7: HeapAlloc.KERNEL32 ref: 00000001401BD738
Part of subcall function 00000001401BD6E7: RtlDosPathNameToNtPathName_U.NTDLL ref: 00000001401BD78A

lstrlenW.KERNEL32 ref: 00000001401C138B
HeapAlloc.KERNEL32 ref: 00000001401C13B1
PathFindExtensionW.SHLWAPI ref: 00000001401C13D4
_snwprintf.NTDLL ref: 00000001401C1477
HeapFree.KERNEL32 ref: 00000001401C14DA

Strings

m{4o, xrefs: 00000001401C13DD

Memory Dump Source

Source File: 00000001.00000002.349810516.0000000140015000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.349744556.0000000140000000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.349749698.0000000140001000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.349769290.000000014000B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.349787358.000000014000D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.349792722.000000014000E000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.350399760.00000001401C5000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_Unistore.jbxd

Similarity

API ID: HeapPath$Alloc$ExtensionFindFreeNameName__snwprintflstrlen
String ID: m{4o
API String ID: 3433634226-3599497293
Opcode ID: d4bef2a8d7d06e0ae880df8d08ecd56a1de24478be7940c2586d8577d3ec23fe
Instruction ID: c8960145af0ff0bfe0cfd358db55b3eb0d9f2bafbd1d96a65de6c523f26aafed
Opcode Fuzzy Hash: d4bef2a8d7d06e0ae880df8d08ecd56a1de24478be7940c2586d8577d3ec23fe
Instruction Fuzzy Hash: F451F27174CA50C6F62B9B63B4403EE62A1A78EFE5FA44611EB9A077B5DB3DC102D301

Uniqueness

Uniqueness Score: -1.00%

Function 00000001401B80F4, Relevance: 10.6, APIs: 6, Strings: 1, Instructions: 132memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32 ref: 00000001401B818F
HeapAlloc.KERNEL32 ref: 00000001401B81D0
MultiByteToWideChar.KERNEL32 ref: 00000001401B8220
GetLastError.KERNEL32 ref: 00000001401B8271
HeapFree.KERNEL32 ref: 00000001401B8296
GetLastError.KERNEL32 ref: 00000001401B82B0

Strings

X*", xrefs: 00000001401B824F

Memory Dump Source

Source File: 00000001.00000002.349810516.0000000140015000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.349744556.0000000140000000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.349749698.0000000140001000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.349769290.000000014000B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.349787358.000000014000D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.349792722.000000014000E000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.350399760.00000001401C5000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_Unistore.jbxd

Similarity

API ID: ByteCharErrorHeapLastMultiWide$AllocFree
String ID: X*"
API String ID: 2267670476-2229822034
Opcode ID: 46507dc320ced16bb5a5d02146e607f6bf1b75f14dde582dc887c02b2c99cc8a
Instruction ID: c5c71a8fdb105415faa4babaefd6122501bca9d0c26e9cbe5b27e15fd27f4398
Opcode Fuzzy Hash: 46507dc320ced16bb5a5d02146e607f6bf1b75f14dde582dc887c02b2c99cc8a
Instruction Fuzzy Hash: 41412335B04F1986E2269F6BA4543BE6AB1B74CFD4F144226DF5A637B0DB34C406D300

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400216D0, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 89stringCOMMON

Download Yara Rule

APIs

StrChrW.SHLWAPI ref: 00000001401B69D1
StrChrW.SHLWAPI ref: 00000001401B6A0D
lstrlenW.KERNEL32 ref: 00000001401B6A46

Strings

1P, xrefs: 00000001401B6963
:, xrefs: 00000001400216E2

Memory Dump Source

Source File: 00000001.00000002.349810516.0000000140015000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.349744556.0000000140000000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.349749698.0000000140001000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.349769290.000000014000B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.349787358.000000014000D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.349792722.000000014000E000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.350399760.00000001401C5000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_Unistore.jbxd

Similarity

API ID: lstrlen
String ID: 1P$:
API String ID: 1659193697-847992444
Opcode ID: 4b1fc0fa3adb396d7dd5aee05a74b2ab3986e644f01b10274fc0a3e5ca911c93
Instruction ID: 53d58f5a12e9b34822b4c9ad0e4f89939d92cf6215970e8c6d1014161a725f0d
Opcode Fuzzy Hash: 4b1fc0fa3adb396d7dd5aee05a74b2ab3986e644f01b10274fc0a3e5ca911c93
Instruction Fuzzy Hash: AF312732A09E5186EB368B33A4543FE62B0F7ACFD0F998110AB9617AF5D77CC4408780

Uniqueness

Uniqueness Score: -1.00%

Function 00000001401BDB4F, Relevance: 7.6, APIs: 5, Instructions: 116memorystringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(155CFD92,?,?,?,?,00000001401BD392), ref: 00000001401BDBAB
StrCmpNIW.SHLWAPI(?,?,?,?,00000001401BD392), ref: 00000001401BDBED
HeapAlloc.KERNEL32(?,?,?,?,00000001401BD392), ref: 00000001401BDC3A
_snwprintf.NTDLL ref: 00000001401BDC74
HeapFree.KERNEL32 ref: 00000001401BDCCF

Memory Dump Source

Source File: 00000001.00000002.349810516.0000000140015000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.349744556.0000000140000000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.349749698.0000000140001000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.349769290.000000014000B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.349787358.000000014000D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.349792722.000000014000E000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.350399760.00000001401C5000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_Unistore.jbxd

Similarity

API ID: Heap$AllocFree_snwprintflstrlen
String ID:
API String ID: 872643602-0
Opcode ID: 91846e630bac47e29e6ff607aedef7fe362f9588f093bf8245acb8a7395b72cf
Instruction ID: af1704e199aa444b22b29cd56e100c9d64ea8d76c5e6fb5f194c0ad57ebf3467
Opcode Fuzzy Hash: 91846e630bac47e29e6ff607aedef7fe362f9588f093bf8245acb8a7395b72cf
Instruction Fuzzy Hash: 62413576B04E2486E626DB27A8807EE7A71A748FE9F954115AF1D037F4EB78C544C700

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400010F0, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 144stringCOMMON

Download Yara Rule

APIs

StrChrW.SHLWAPI ref: 00000001401B69D1
StrChrW.SHLWAPI ref: 00000001401B6A0D
lstrlenW.KERNEL32 ref: 00000001401B6A46

Strings

1P, xrefs: 00000001401B6963

Memory Dump Source

Source File: 00000001.00000002.349749698.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.349744556.0000000140000000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.349769290.000000014000B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.349787358.000000014000D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.349792722.000000014000E000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.349810516.0000000140015000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.350399760.00000001401C5000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_Unistore.jbxd

Similarity

API ID: lstrlen
String ID: 1P
API String ID: 1659193697-3975103673
Opcode ID: abcb5e5a68774213f2c873155acec27ef317f95e4e533cffc01015ceef2a89e0
Instruction ID: b548c23ff914356308929ee8140642f159c61844e701f3468d298b422f7dd2f8
Opcode Fuzzy Hash: abcb5e5a68774213f2c873155acec27ef317f95e4e533cffc01015ceef2a89e0
Instruction Fuzzy Hash: 6C416C33A08E5095EA629B73E8913EE6661F7ACFD1F59C020BB4A17BB5DB7CC4408740

Uniqueness

Uniqueness Score: -1.00%

Function 00000001401B7612, Relevance: 6.2, APIs: 4, Instructions: 163memorystringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32 ref: 00000001401B7682
HeapAlloc.KERNEL32 ref: 00000001401B76AB
StrChrW.SHLWAPI ref: 00000001401B76F5
lstrlenW.KERNEL32 ref: 00000001401B7740

Memory Dump Source

Source File: 00000001.00000002.349810516.0000000140015000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000001.00000002.349744556.0000000140000000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.349749698.0000000140001000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.349769290.000000014000B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.349787358.000000014000D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.349792722.000000014000E000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.350399760.00000001401C5000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_140000000_Unistore.jbxd

Similarity

API ID: lstrlen$AllocHeap
String ID:
API String ID: 669319671-0
Opcode ID: 1647831e6ffa83d7cc6bd69b0e1cefb0ecd4e512e9f99000e2086b89f1bf8df8
Instruction ID: b2292756d10d5ebc46322d105017676eab25439214abc249b44c6d870eca5da2
Opcode Fuzzy Hash: 1647831e6ffa83d7cc6bd69b0e1cefb0ecd4e512e9f99000e2086b89f1bf8df8
Instruction Fuzzy Hash: 6B514439708E5082F626AB2BA558BBEA732E74CFD8F681120DB46077F5EB39C045D340

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may encrypt data on target systems or on large numbers of systems in a network to interrupt availability to system and network resources. They can attempt to render stored data inaccessible by encrypting files or data on local and remote drives and withholding access to a decryption key. This may be done in order to extract monetary compensation from a victim in exchange for decryption or a decryption key (ransomware) or to render data permanently inaccessible in cases where the key is not saved or transmitted.In the case of ransomware, it is typical that common user files like Office documents, PDFs, images, videos, audio, text, and source code files will be encrypted. In some cases, adversaries may encrypt critical system files, disk partitions, and the MBR.
Tactics:	Impact
Data Sources:	File monitoring, Kernel drivers, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report Q1xEDBAmY5

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Threatname: Hades Ransomware

Yara Overview

Memory Dumps

Sigma Overview

Signature Overview

AV Detection:

Compliance:

Spreading:

Spam, unwanted Advertisements and Ransom Demands:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted IPs

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Version Infos

Possible Origin

Network Behavior

Code Manipulations

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

System Behavior

Analysis Process: Q1xEDBAmY5.exe PID: 5032 Parent PID: 5956

General

Function 0000000140008FD8, Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 126
nativeCOMMON

Function 00000001401B86FF, Relevance: 12.3, APIs: 8, Instructions: 252
memorystringCOMMON

Function 00000001401B7870, Relevance: 15.2, APIs: 10, Instructions: 206
memoryfileCOMMON

Function 00000001401BEB27, Relevance: 4.7, APIs: 3, Instructions: 197
memorystringCOMMON

Function 00000001400082B0, Relevance: 35.0, APIs: 23, Instructions: 488
memorystringCOMMON

Function 00000001401BFA90, Relevance: 19.7, APIs: 10, Strings: 1, Instructions: 495
nativeCOMMON

Function 00000001400032D8, Relevance: 16.8, APIs: 10, Strings: 1, Instructions: 261
memorystringCOMMON

Function 00000001401B6AA9, Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 334
filenativeCOMMON

Function 00000001401BA75C, Relevance: 12.6, APIs: 8, Instructions: 625
COMMON

Function 00000001401B8494, Relevance: 12.2, APIs: 8, Instructions: 153
memorynativefileCOMMON

Function 0000000140004DE4, Relevance: 10.7, APIs: 7, Instructions: 249
memorystringnativeCOMMON