Create Interactive Tour

Analysis Report Odbc.exe

Overview

General Information

Sample Name:	Odbc.exe
Analysis ID:	430001
MD5:	063771d5573448ee6a271584a4b6a26a
SHA1:	e23637ea81751e558fca17ef1a54b6e39d2e83c3
SHA256:	69775389eb0207fec3a3f5649a0ad9315856c810f595c086ac49d68cdbc1d136
Tags:	exeransomwaresigned
Infos:
Most interesting Screenshot:

Detection

Netwalker

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Detected unpacking (changes PE section rights)

Detected unpacking (creates a PE file in dynamic memory)

Detected unpacking (overwrites its own PE header)

Found ransom note / readme

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Yara detected Netwalker ransomware

Deletes shadow drive data (may be related to ransomware)

Modifies existing user documents (likely ransomware behavior)

Creates a process in suspended mode (likely to inject code)

Drops PE files

Drops files with a non-matching file extension (content does not match file extension)

PE / OLE file has an invalid certificate

PE file contains sections with non-standard names

PE file contains strange resources

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Searches for user specific document files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

Odbc.exe (PID: 7060 cmdline: 'C:\Users\user\Desktop\Odbc.exe' MD5: 063771D5573448EE6A271584A4B6A26A)

Unistore (PID: 4600 cmdline: C:\Users\user\AppData\Roaming\TextNotepad\Unistore /go MD5: 063771D5573448EE6A271584A4B6A26A)

cmd.exe (PID: 1320 cmdline: cmd /c waitfor /t 10 pause /d y & del 'C:\Users\user\AppData\Roaming\TextNotepad\Unistore' & rd 'C:\Users\user\AppData\Roaming\TextNotepad\' MD5: 4E2ACF4F8A396486AB4268C94A6A245F)

conhost.exe (PID: 4112 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

waitfor.exe (PID: 5708 cmdline: waitfor /t 10 pause /d y MD5: 9509EC0B3D20348D129183021BF38BBB)

cmd.exe (PID: 6156 cmdline: cmd /c waitfor /t 10 pause /d y & del 'C:\Users\user\Desktop\Odbc.exe' & rd 'C:\Users\user\Desktop\' MD5: 4E2ACF4F8A396486AB4268C94A6A245F)

conhost.exe (PID: 6176 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

waitfor.exe (PID: 5664 cmdline: waitfor /t 10 pause /d y MD5: 9509EC0B3D20348D129183021BF38BBB)

cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
Process Memory Space: Unistore PID: 4600	JoeSecurity_Netwalker	Yara detected Netwalker ransomware	Joe Security

Sigma Overview

No Sigma rule has matched

Signature Overview

• AV Detection
• Compliance
• Networking
• Spam, unwanted Advertisements and Ransom Demands
• System Summary
• Data Obfuscation
• Persistence and Installation Behavior
• Hooking and other Techniques for Hiding and Protection
• Malware Analysis System Evasion
• HIPS / PFW / Operating System Protection Evasion
• Language, Device and Operating System Detection
• Stealing of Sensitive Information

Click to jump to signature section

Show All Signature Results

AV Detection:

Multi AV Scanner detection for dropped file

Show sources

Source: C:\Users\user\AppData\Roaming\TextNotepad\Unistore	Virustotal: Detection: 37%			Perma Link
Source: C:\Users\user\AppData\Roaming\TextNotepad\Unistore	ReversingLabs: Detection: 20%

Multi AV Scanner detection for submitted file

Show sources

Source: Odbc.exe	Virustotal: Detection: 37%			Perma Link
Source: Odbc.exe	ReversingLabs: Detection: 20%

Compliance:

Detected unpacking (creates a PE file in dynamic memory)

Show sources

Source: C:\Users\user\Desktop\Odbc.exe

Unpacked PE file: 0.2.Odbc.exe.2520000.1.unpack

Detected unpacking (overwrites its own PE header)

Show sources

Source: C:\Users\user\Desktop\Odbc.exe	Unpacked PE file: 0.2.Odbc.exe.140000000.2.unpack
Source: C:\Users\user\AppData\Roaming\TextNotepad\Unistore	Unpacked PE file: 2.2.Unistore.140000000.2.unpack

Source: C:\Users\user\AppData\Roaming\TextNotepad\Unistore	File created: C:\MSOCache\All Users\{90160000-0011-0000-0000-0000000FF1CE}-C\PAYLOADBIN-README.txt	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TextNotepad\Unistore	File created: C:\MSOCache\All Users\{90160000-0016-0409-0000-0000000FF1CE}-C\PAYLOADBIN-README.txt	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TextNotepad\Unistore	File created: C:\MSOCache\All Users\{90160000-0018-0409-0000-0000000FF1CE}-C\PAYLOADBIN-README.txt	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TextNotepad\Unistore	File created: C:\MSOCache\All Users\{90160000-0019-0409-0000-0000000FF1CE}-C\PAYLOADBIN-README.txt	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TextNotepad\Unistore	File created: C:\MSOCache\All Users\{90160000-001A-0409-0000-0000000FF1CE}-C\PAYLOADBIN-README.txt	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TextNotepad\Unistore	File created: C:\MSOCache\All Users\{90160000-001B-0409-0000-0000000FF1CE}-C\PAYLOADBIN-README.txt	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TextNotepad\Unistore	File created: C:\MSOCache\All Users\{90160000-002C-0409-0000-0000000FF1CE}-C\Proof.en\PAYLOADBIN-README.txt	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TextNotepad\Unistore	File created: C:\MSOCache\All Users\{90160000-002C-0409-0000-0000000FF1CE}-C\Proof.es\PAYLOADBIN-README.txt	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TextNotepad\Unistore	File created: C:\MSOCache\All Users\{90160000-002C-0409-0000-0000000FF1CE}-C\PAYLOADBIN-README.txt	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TextNotepad\Unistore	File created: C:\MSOCache\All Users\{90160000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\PAYLOADBIN-README.txt	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TextNotepad\Unistore	File created: C:\MSOCache\All Users\{90160000-0044-0409-0000-0000000FF1CE}-C\PAYLOADBIN-README.txt	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TextNotepad\Unistore	File created: C:\MSOCache\All Users\{90160000-0090-0409-0000-0000000FF1CE}-C\PAYLOADBIN-README.txt	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TextNotepad\Unistore	File created: C:\MSOCache\All Users\{90160000-00A1-0409-0000-0000000FF1CE}-C\PAYLOADBIN-README.txt	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TextNotepad\Unistore	File created: C:\MSOCache\All Users\{90160000-00BA-0409-0000-0000000FF1CE}-C\PAYLOADBIN-README.txt	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TextNotepad\Unistore	File created: C:\MSOCache\All Users\{90160000-00E1-0409-0000-0000000FF1CE}-C\PAYLOADBIN-README.txt	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TextNotepad\Unistore	File created: C:\MSOCache\All Users\{90160000-00E2-0409-0000-0000000FF1CE}-C\PAYLOADBIN-README.txt	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TextNotepad\Unistore	File created: C:\MSOCache\All Users\{90160000-0115-0409-0000-0000000FF1CE}-C\PAYLOADBIN-README.txt	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TextNotepad\Unistore	File created: C:\MSOCache\All Users\{90160000-0116-0409-1000-0000000FF1CE}-C\PAYLOADBIN-README.txt	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TextNotepad\Unistore	File created: C:\MSOCache\All Users\{90160000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\PAYLOADBIN-README.txt	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TextNotepad\Unistore	File created: C:\MSOCache\All Users\{90160000-0117-0409-0000-0000000FF1CE}-C\PAYLOADBIN-README.txt	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TextNotepad\Unistore	File created: C:\MSOCache\All Users\{90160000-012B-0409-0000-0000000FF1CE}-C\PAYLOADBIN-README.txt	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TextNotepad\Unistore	File created: C:\Users\Default\PAYLOADBIN-README.txt	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TextNotepad\Unistore	File created: C:\Users\user\Desktop\PAYLOADBIN-README.txt	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TextNotepad\Unistore	File created: C:\Users\user\Desktop\BUFZSQPCOH\PAYLOADBIN-README.txt	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TextNotepad\Unistore	File created: C:\Users\user\Desktop\BWDRWEEARI\PAYLOADBIN-README.txt	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TextNotepad\Unistore	File created: C:\Users\user\Desktop\GNLQNHOLWB\PAYLOADBIN-README.txt	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TextNotepad\Unistore	File created: C:\Users\user\Desktop\IZMFBFKMEB\PAYLOADBIN-README.txt	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TextNotepad\Unistore	File created: C:\Users\user\Documents\PAYLOADBIN-README.txt	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TextNotepad\Unistore	File created: C:\Users\user\Documents\BUFZSQPCOH\PAYLOADBIN-README.txt	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TextNotepad\Unistore	File created: C:\Users\user\Documents\BWDRWEEARI\PAYLOADBIN-README.txt	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TextNotepad\Unistore	File created: C:\Users\user\Documents\GNLQNHOLWB\PAYLOADBIN-README.txt	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TextNotepad\Unistore	File created: C:\Users\user\Documents\IZMFBFKMEB\PAYLOADBIN-README.txt	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TextNotepad\Unistore	File created: C:\Users\user\Downloads\PAYLOADBIN-README.txt	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TextNotepad\Unistore	File created: C:\Users\user\Favorites\PAYLOADBIN-README.txt	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TextNotepad\Unistore	File created: C:\Users\user\MicrosoftEdgeBackups\backups\MicrosoftEdgeBackup20200930\DatastoreBackup\PAYLOADBIN-README.txt	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TextNotepad\Unistore	File created: C:\Users\user\PAYLOADBIN-README.txt	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TextNotepad\Unistore	File created: C:\Users\user\Searches\PAYLOADBIN-README.txt	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TextNotepad\Unistore	File created: C:\Users\Public\Libraries\PAYLOADBIN-README.txt	Jump to behavior

Source: Odbc.exe	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: Odbc.exe	String found in binary or memory: http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s
Source: Odbc.exe	String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: Odbc.exe	String found in binary or memory: http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#
Source: Odbc.exe	String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: Odbc.exe	String found in binary or memory: http://ocsp.comodoca.com0
Source: Odbc.exe	String found in binary or memory: http://ocsp.sectigo.com0
Source: Odbc.exe	String found in binary or memory: https://sectigo.com/CPS0
Source: Odbc.exe	String found in binary or memory: https://sectigo.com/CPS0D

Spam, unwanted Advertisements and Ransom Demands:

Found ransom note / readme

Show sources

Source: C:\MSOCache\All Users\{90160000-0011-0000-0000-0000000FF1CE}-C\PAYLOADBIN-README.txt

Dropped file: The network is LOCKED with PAYLOADBIN ransomware. Don't try to use other software.For decryption KEY write HERE: #1 rickhood@armormail.net | #2 meredithpatrick@protonmail.com

Jump to dropped file

Yara detected Netwalker ransomware

Show sources

Source: Yara match

File source: Process Memory Space: Unistore PID: 4600, type: MEMORY

Deletes shadow drive data (may be related to ransomware)

Show sources

Source: Odbc.exe, 00000000.00000003.674532644.0000000002033000.00000004.00000040.sdmp	Binary or memory string: Low\CryptAcquireContextWOpenProcessToken%appdata%\GetWindowThreadProcessIdadvapi32\BaseNamedObjects\kernel32ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/\REGISTRY\USERCryptReleaseContextCryptGenRandomConvertStringSecurityDescriptorToSecurityDescriptorWZwMapViewOfSectionStrStrWWNetGetUniversalNameWWNetAddConnection2WShellExecuteExWCreateStreamOnHGlobalntdlluser32shell32ole32mprshlwapi.exe\|.dll\\?\Wow64EnableWow64FsRedirection%S\|$$$}rstuvwxyz{$$$$$$$>?@ABCDEFGHIJKLMNOPQRSTUVW$$$$$$XYZ[\]^_`abcdefghijklmnopqFloppyMicrosoft Corporation. All rights reserved.system32\REGISTRY\MACHINE\SOFTWARE\Microsoftcmd /c waitfor /t %u pause /d y & del "%s" & rd "%s"osk.exemsconfig.exewmic process call create "%s" > nul && exitConsoleWindowClass-5#32770en-USSysListView32List1%uvssadmin.exe Delete Shadows /All /Quiet/user/prio/path/uac/go%s - %u
Source: Unistore, 00000002.00000003.671158877.00000000028E3000.00000004.00000040.sdmp	Binary or memory string: Low\CryptAcquireContextWOpenProcessToken%appdata%\GetWindowThreadProcessIdadvapi32\BaseNamedObjects\kernel32ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/\REGISTRY\USERCryptReleaseContextCryptGenRandomConvertStringSecurityDescriptorToSecurityDescriptorWZwMapViewOfSectionStrStrWWNetGetUniversalNameWWNetAddConnection2WShellExecuteExWCreateStreamOnHGlobalntdlluser32shell32ole32mprshlwapi.exe\|.dll\\?\Wow64EnableWow64FsRedirection%S\|$$$}rstuvwxyz{$$$$$$$>?@ABCDEFGHIJKLMNOPQRSTUVW$$$$$$XYZ[\]^_`abcdefghijklmnopqFloppyMicrosoft Corporation. All rights reserved.system32\REGISTRY\MACHINE\SOFTWARE\Microsoftcmd /c waitfor /t %u pause /d y & del "%s" & rd "%s"osk.exemsconfig.exewmic process call create "%s" > nul && exitConsoleWindowClass-5#32770en-USSysListView32List1%uvssadmin.exe Delete Shadows /All /Quiet/user/prio/path/uac/go%s - %u

Modifies existing user documents (likely ransomware behavior)

Show sources

Source: C:\Users\user\AppData\Roaming\TextNotepad\Unistore	File moved: C:\Users\user\Desktop\IZMFBFKMEB\GNLQNHOLWB.xlsx	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TextNotepad\Unistore	File moved: C:\Users\user\Desktop\IZMFBFKMEB\IZMFBFKMEB.docx	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TextNotepad\Unistore	File moved: C:\Users\user\Desktop\ERWQDBYZVW.png	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TextNotepad\Unistore	File moved: C:\Users\user\Desktop\BUFZSQPCOH.jpg	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TextNotepad\Unistore	File moved: C:\Users\user\Desktop\IZMFBFKMEB\UBVUNTSCZJ.png	Jump to behavior

Source: Odbc.exe

Static PE information: invalid certificate

Source: Odbc.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Odbc.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Odbc.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Unistore.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Unistore.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Unistore.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: Odbc.exe, 00000000.00000002.679761729.00000001401E3000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenamewsqmcons.exej% vs Odbc.exe
Source: Odbc.exe	Binary or memory string: OriginalFilenamewsqmcons.exej% vs Odbc.exe

Source: Odbc.exe	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: Unistore.0.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal100.rans.evad.winEXE@13/229@0/0

Source: C:\Users\user\Desktop\Odbc.exe

File created: C:\Users\user\AppData\Roaming\TextNotepad

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4112:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6176:120:WilError_01

Source: C:\Users\user\Desktop\Odbc.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Odbc.exe	Virustotal: Detection: 37%
Source: Odbc.exe	ReversingLabs: Detection: 20%

Source: C:\Users\user\Desktop\Odbc.exe

File read: C:\Users\user\Desktop\Odbc.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Odbc.exe 'C:\Users\user\Desktop\Odbc.exe'
Source: C:\Users\user\Desktop\Odbc.exe	Process created: C:\Users\user\AppData\Roaming\TextNotepad\Unistore C:\Users\user\AppData\Roaming\TextNotepad\Unistore /go
Source: C:\Users\user\AppData\Roaming\TextNotepad\Unistore	Process created: C:\Windows\System32\cmd.exe cmd /c waitfor /t 10 pause /d y & del 'C:\Users\user\AppData\Roaming\TextNotepad\Unistore' & rd 'C:\Users\user\AppData\Roaming\TextNotepad\'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\waitfor.exe waitfor /t 10 pause /d y
Source: C:\Users\user\Desktop\Odbc.exe	Process created: C:\Windows\System32\cmd.exe cmd /c waitfor /t 10 pause /d y & del 'C:\Users\user\Desktop\Odbc.exe' & rd 'C:\Users\user\Desktop\'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\waitfor.exe waitfor /t 10 pause /d y
Source: C:\Users\user\Desktop\Odbc.exe	Process created: C:\Users\user\AppData\Roaming\TextNotepad\Unistore C:\Users\user\AppData\Roaming\TextNotepad\Unistore /go	Jump to behavior
Source: C:\Users\user\Desktop\Odbc.exe	Process created: C:\Windows\System32\cmd.exe cmd /c waitfor /t 10 pause /d y & del 'C:\Users\user\Desktop\Odbc.exe' & rd 'C:\Users\user\Desktop\'	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TextNotepad\Unistore	Process created: C:\Windows\System32\cmd.exe cmd /c waitfor /t 10 pause /d y & del 'C:\Users\user\AppData\Roaming\TextNotepad\Unistore' & rd 'C:\Users\user\AppData\Roaming\TextNotepad\'	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\waitfor.exe waitfor /t 10 pause /d y	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\waitfor.exe waitfor /t 10 pause /d y	Jump to behavior

Source: Odbc.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: Odbc.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: Odbc.exe

Static file information: File size 2003664 > 1048576

Source: Odbc.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x1de600

Data Obfuscation:

Detected unpacking (changes PE section rights)

Show sources

Source: C:\Users\user\Desktop\Odbc.exe	Unpacked PE file: 0.2.Odbc.exe.140000000.2.unpack .text:ER;.text2:ER;.rdata:R;.data:W;.pdata:R;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.pdata:R;.bss:R;.aje0:ER;.rsrc:R;
Source: C:\Users\user\AppData\Roaming\TextNotepad\Unistore	Unpacked PE file: 2.2.Unistore.140000000.2.unpack .text:ER;.text2:ER;.rdata:R;.data:W;.pdata:R;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.pdata:R;.bss:R;.aje0:ER;.rsrc:R;

Detected unpacking (creates a PE file in dynamic memory)

Show sources

Source: C:\Users\user\Desktop\Odbc.exe

Unpacked PE file: 0.2.Odbc.exe.2520000.1.unpack

Detected unpacking (overwrites its own PE header)

Show sources

Source: C:\Users\user\Desktop\Odbc.exe	Unpacked PE file: 0.2.Odbc.exe.140000000.2.unpack
Source: C:\Users\user\AppData\Roaming\TextNotepad\Unistore	Unpacked PE file: 2.2.Unistore.140000000.2.unpack

Source: Odbc.exe	Static PE information: section name: .text2
Source: Unistore.0.dr	Static PE information: section name: .text2

Source: C:\Users\user\Desktop\Odbc.exe	Code function: 0_2_0000000140015450 push rdi; iretd	0_2_0000000140015451
Source: C:\Users\user\Desktop\Odbc.exe	Code function: 0_2_0000000140016A50 push FFFFFF82h; iretd	0_2_0000000140016A54
Source: C:\Users\user\Desktop\Odbc.exe	Code function: 0_2_000000014001A6B5 push qword ptr [rdx-5E7485FBh]; retf	0_2_000000014001A6C1
Source: C:\Users\user\Desktop\Odbc.exe	Code function: 0_2_000000014000E2BA push rsi; ret	0_2_000000014000E2C2
Source: C:\Users\user\Desktop\Odbc.exe	Code function: 0_2_000000014001911A push rsi; retf	0_2_0000000140019120
Source: C:\Users\user\Desktop\Odbc.exe	Code function: 0_2_0000000140018D68 push rdi; retf	0_2_0000000140018D6E
Source: C:\Users\user\Desktop\Odbc.exe	Code function: 0_2_00000001400181C8 push rsp; iretd	0_2_00000001400181DA
Source: C:\Users\user\Desktop\Odbc.exe	Code function: 0_2_000000014001A9CF push rcx; retf	0_2_000000014001A9D8
Source: C:\Users\user\Desktop\Odbc.exe	Code function: 0_2_00000001400169D3 push rbp; ret	0_2_00000001400169E9
Source: C:\Users\user\AppData\Roaming\TextNotepad\Unistore	Code function: 2_2_0000000140015450 push rdi; iretd	2_2_0000000140015451
Source: C:\Users\user\AppData\Roaming\TextNotepad\Unistore	Code function: 2_2_0000000140016A50 push FFFFFF82h; iretd	2_2_0000000140016A54
Source: C:\Users\user\AppData\Roaming\TextNotepad\Unistore	Code function: 2_2_000000014001A6B5 push qword ptr [rdx-5E7485FBh]; retf	2_2_000000014001A6C1
Source: C:\Users\user\AppData\Roaming\TextNotepad\Unistore	Code function: 2_2_000000014000E2BA push rsi; ret	2_2_000000014000E2C2
Source: C:\Users\user\AppData\Roaming\TextNotepad\Unistore	Code function: 2_2_000000014001911A push rsi; retf	2_2_0000000140019120
Source: C:\Users\user\AppData\Roaming\TextNotepad\Unistore	Code function: 2_2_0000000140018D68 push rdi; retf	2_2_0000000140018D6E
Source: C:\Users\user\AppData\Roaming\TextNotepad\Unistore	Code function: 2_2_00000001400181C8 push rsp; iretd	2_2_00000001400181DA
Source: C:\Users\user\AppData\Roaming\TextNotepad\Unistore	Code function: 2_2_000000014001A9CF push rcx; retf	2_2_000000014001A9D8
Source: C:\Users\user\AppData\Roaming\TextNotepad\Unistore	Code function: 2_2_00000001400169D3 push rbp; ret	2_2_00000001400169E9

Source: initial sample	Static PE information: section name: .text entropy: 7.83285728264
Source: initial sample	Static PE information: section name: .text entropy: 7.83285728264

Source: C:\Users\user\Desktop\Odbc.exe

File created: C:\Users\user\AppData\Roaming\TextNotepad\Unistore

Jump to dropped file

Source: C:\Users\user\Desktop\Odbc.exe

File created: C:\Users\user\AppData\Roaming\TextNotepad\Unistore

Jump to dropped file

Source: C:\Users\user\AppData\Roaming\TextNotepad\Unistore	File created: C:\MSOCache\All Users\{90160000-0011-0000-0000-0000000FF1CE}-C\PAYLOADBIN-README.txt	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TextNotepad\Unistore	File created: C:\MSOCache\All Users\{90160000-0016-0409-0000-0000000FF1CE}-C\PAYLOADBIN-README.txt	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TextNotepad\Unistore	File created: C:\MSOCache\All Users\{90160000-0018-0409-0000-0000000FF1CE}-C\PAYLOADBIN-README.txt	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TextNotepad\Unistore	File created: C:\MSOCache\All Users\{90160000-0019-0409-0000-0000000FF1CE}-C\PAYLOADBIN-README.txt	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TextNotepad\Unistore	File created: C:\MSOCache\All Users\{90160000-001A-0409-0000-0000000FF1CE}-C\PAYLOADBIN-README.txt	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TextNotepad\Unistore	File created: C:\MSOCache\All Users\{90160000-001B-0409-0000-0000000FF1CE}-C\PAYLOADBIN-README.txt	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TextNotepad\Unistore	File created: C:\MSOCache\All Users\{90160000-002C-0409-0000-0000000FF1CE}-C\Proof.en\PAYLOADBIN-README.txt	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TextNotepad\Unistore	File created: C:\MSOCache\All Users\{90160000-002C-0409-0000-0000000FF1CE}-C\Proof.es\PAYLOADBIN-README.txt	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TextNotepad\Unistore	File created: C:\MSOCache\All Users\{90160000-002C-0409-0000-0000000FF1CE}-C\PAYLOADBIN-README.txt	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TextNotepad\Unistore	File created: C:\MSOCache\All Users\{90160000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\PAYLOADBIN-README.txt	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TextNotepad\Unistore	File created: C:\MSOCache\All Users\{90160000-0044-0409-0000-0000000FF1CE}-C\PAYLOADBIN-README.txt	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TextNotepad\Unistore	File created: C:\MSOCache\All Users\{90160000-0090-0409-0000-0000000FF1CE}-C\PAYLOADBIN-README.txt	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TextNotepad\Unistore	File created: C:\MSOCache\All Users\{90160000-00A1-0409-0000-0000000FF1CE}-C\PAYLOADBIN-README.txt	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TextNotepad\Unistore	File created: C:\MSOCache\All Users\{90160000-00BA-0409-0000-0000000FF1CE}-C\PAYLOADBIN-README.txt	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TextNotepad\Unistore	File created: C:\MSOCache\All Users\{90160000-00E1-0409-0000-0000000FF1CE}-C\PAYLOADBIN-README.txt	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TextNotepad\Unistore	File created: C:\MSOCache\All Users\{90160000-00E2-0409-0000-0000000FF1CE}-C\PAYLOADBIN-README.txt	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TextNotepad\Unistore	File created: C:\MSOCache\All Users\{90160000-0115-0409-0000-0000000FF1CE}-C\PAYLOADBIN-README.txt	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TextNotepad\Unistore	File created: C:\MSOCache\All Users\{90160000-0116-0409-1000-0000000FF1CE}-C\PAYLOADBIN-README.txt	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TextNotepad\Unistore	File created: C:\MSOCache\All Users\{90160000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\PAYLOADBIN-README.txt	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TextNotepad\Unistore	File created: C:\MSOCache\All Users\{90160000-0117-0409-0000-0000000FF1CE}-C\PAYLOADBIN-README.txt	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TextNotepad\Unistore	File created: C:\MSOCache\All Users\{90160000-012B-0409-0000-0000000FF1CE}-C\PAYLOADBIN-README.txt	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TextNotepad\Unistore	File created: C:\Users\Default\PAYLOADBIN-README.txt	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TextNotepad\Unistore	File created: C:\Users\user\Desktop\PAYLOADBIN-README.txt	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TextNotepad\Unistore	File created: C:\Users\user\Desktop\BUFZSQPCOH\PAYLOADBIN-README.txt	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TextNotepad\Unistore	File created: C:\Users\user\Desktop\BWDRWEEARI\PAYLOADBIN-README.txt	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TextNotepad\Unistore	File created: C:\Users\user\Desktop\GNLQNHOLWB\PAYLOADBIN-README.txt	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TextNotepad\Unistore	File created: C:\Users\user\Desktop\IZMFBFKMEB\PAYLOADBIN-README.txt	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TextNotepad\Unistore	File created: C:\Users\user\Documents\PAYLOADBIN-README.txt	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TextNotepad\Unistore	File created: C:\Users\user\Documents\BUFZSQPCOH\PAYLOADBIN-README.txt	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TextNotepad\Unistore	File created: C:\Users\user\Documents\BWDRWEEARI\PAYLOADBIN-README.txt	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TextNotepad\Unistore	File created: C:\Users\user\Documents\GNLQNHOLWB\PAYLOADBIN-README.txt	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TextNotepad\Unistore	File created: C:\Users\user\Documents\IZMFBFKMEB\PAYLOADBIN-README.txt	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TextNotepad\Unistore	File created: C:\Users\user\Downloads\PAYLOADBIN-README.txt	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TextNotepad\Unistore	File created: C:\Users\user\Favorites\PAYLOADBIN-README.txt	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TextNotepad\Unistore	File created: C:\Users\user\MicrosoftEdgeBackups\backups\MicrosoftEdgeBackup20200930\DatastoreBackup\PAYLOADBIN-README.txt	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TextNotepad\Unistore	File created: C:\Users\user\PAYLOADBIN-README.txt	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TextNotepad\Unistore	File created: C:\Users\user\Searches\PAYLOADBIN-README.txt	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TextNotepad\Unistore	File created: C:\Users\Public\Libraries\PAYLOADBIN-README.txt	Jump to behavior

Source: C:\Users\user\Desktop\Odbc.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TextNotepad\Unistore	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\waitfor.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\waitfor.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\waitfor.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\waitfor.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\waitfor.exe waitfor /t 10 pause /d y			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\waitfor.exe waitfor /t 10 pause /d y			Jump to behavior

Source: C:\Users\user\AppData\Roaming\TextNotepad\Unistore

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Users\user\AppData\Roaming\TextNotepad\Unistore	Directory queried: C:\Users\Default\Documents	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TextNotepad\Unistore	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TextNotepad\Unistore	Directory queried: C:\Users\user\Documents\AKJIMDEQMB	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TextNotepad\Unistore	Directory queried: C:\Users\user\Documents\ATJBEMHSSB	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TextNotepad\Unistore	Directory queried: C:\Users\user\Documents\BUFZSQPCOH	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TextNotepad\Unistore	Directory queried: C:\Users\user\Documents\BWDRWEEARI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TextNotepad\Unistore	Directory queried: C:\Users\user\Documents\BWETZDQDIB	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TextNotepad\Unistore	Directory queried: C:\Users\user\Documents\EVCMENBQHP	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TextNotepad\Unistore	Directory queried: C:\Users\user\Documents\GNLQNHOLWB	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TextNotepad\Unistore	Directory queried: C:\Users\user\Documents\HYGZTMOBZN	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TextNotepad\Unistore	Directory queried: C:\Users\user\Documents\IZMFBFKMEB	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TextNotepad\Unistore	Directory queried: C:\Users\user\Documents\KBIFTJWHNZ	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TextNotepad\Unistore	Directory queried: C:\Users\user\Documents\WHZAGPPPLA	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TextNotepad\Unistore	Directory queried: C:\Users\user\Documents\ZUYYDJDFVF	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TextNotepad\Unistore	Directory queried: C:\Users\Public\Documents	Jump to behavior

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	Process Injection11	Masquerading11	OS Credential Dumping	Security Software Discovery1	Remote Services	Data from Local System1	Exfiltration Over Other Network Medium	Data Obfuscation	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Data Encrypted for Impact1
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Software Packing32	LSASS Memory	File and Directory Discovery1	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Junk Data	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Process Injection11	Security Account Manager	System Information Discovery2	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Obfuscated Files or Information2	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	File Deletion1	LSA Secrets	Remote System Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
Odbc.exe	37%	Virustotal		Browse
Odbc.exe	21%	ReversingLabs	Win64.Ransomware.FileCoder

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\TextNotepad\Unistore	37%	Virustotal		Browse
C:\Users\user\AppData\Roaming\TextNotepad\Unistore	21%	ReversingLabs	Win64.Ransomware.FileCoder

Unpacked PE Files

Source	Detection	Scanner	Label	Download
0.2.Odbc.exe.140000000.2.unpack	100%	Avira	HEUR/AGEN.1142992	Download File
2.2.Unistore.25b0000.1.unpack	100%	Avira	HEUR/AGEN.1142992	Download File
2.2.Unistore.140000000.2.unpack	100%	Avira	HEUR/AGEN.1142992	Download File
0.2.Odbc.exe.2520000.1.unpack	100%	Avira	HEUR/AGEN.1142992	Download File

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t	0%	URL Reputation	safe
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t	0%	URL Reputation	safe
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t	0%	URL Reputation	safe
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t	0%	URL Reputation	safe
http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s	0%	URL Reputation	safe
http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s	0%	URL Reputation	safe
http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s	0%	URL Reputation	safe
http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s	0%	URL Reputation	safe
https://sectigo.com/CPS0	0%	URL Reputation	safe
https://sectigo.com/CPS0	0%	URL Reputation	safe
https://sectigo.com/CPS0	0%	URL Reputation	safe
https://sectigo.com/CPS0	0%	URL Reputation	safe
http://ocsp.sectigo.com0	0%	URL Reputation	safe
http://ocsp.sectigo.com0	0%	URL Reputation	safe
http://ocsp.sectigo.com0	0%	URL Reputation	safe
http://ocsp.sectigo.com0	0%	URL Reputation	safe
http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#	0%	URL Reputation	safe
http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#	0%	URL Reputation	safe
http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#	0%	URL Reputation	safe
http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#	0%	URL Reputation	safe
http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#	0%	URL Reputation	safe
http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#	0%	URL Reputation	safe
http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#	0%	URL Reputation	safe
http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#	0%	URL Reputation	safe
https://sectigo.com/CPS0D	0%	URL Reputation	safe
https://sectigo.com/CPS0D	0%	URL Reputation	safe
https://sectigo.com/CPS0D	0%	URL Reputation	safe
https://sectigo.com/CPS0D	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t	Odbc.exe	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s	Odbc.exe	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://sectigo.com/CPS0	Odbc.exe	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://ocsp.sectigo.com0	Odbc.exe	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#	Odbc.exe	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#	Odbc.exe	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://sectigo.com/CPS0D	Odbc.exe	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version:	32.0.0 Black Diamond
Analysis ID:	430001
Start date:	05.06.2021
Start time:	16:23:13
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 4m 39s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	Odbc.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	10
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.rans.evad.winEXE@13/229@0/0
EGA Information:	Failed
HDC Information:	Successful, ratio: 84.1% (good quality ratio 44.3%) Quality average: 27.3% Quality standard deviation: 34.3%
HCA Information:	Failed
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe Stop behavior analysis, all processes terminated
Warnings:	Show All Exclude process from analysis (whitelisted): backgroundTaskHost.exe, svchost.exe Not all processes where analyzed, report is missing behavior information Report size getting too big, too many NtCreateFile calls found. Report size getting too big, too many NtWriteFile calls found.

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\MSOCache\All Users\{90160000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.PAYLOADBIN Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1056
Entropy (8bit):	7.78868317226822
Encrypted:	false
SSDEEP:	24:eW553G497mVBXg1MUNZR0LUv6xhuFFKJn3eT+UbylBPgMW:ewJOB9UHEughuKJnONkPW
MD5:	79968731DCF1A99B9489C745FDAEFE84
SHA1:	46A43530D823B6E8574808FA340E2DCAB94C34D2
SHA-256:	0E00CA51ED129A7D3D60B960851204B3220E3F83DEC14F857E3A56E42EB15086
SHA-512:	14389076415A06E1ED42C754305E86936D35DCFF08863F632E6E90DA92178A6EDFB16C20C1556C25AFB0FAEFAD543FBB1C093A9FC91911E3C9F0D4159ACED9F8
Malicious:	false
Reputation:	low
Preview:	....{ig....e.}....x..\}...gk.Z......P...s.ky...O..v.a?O.R......&..-.E9.U.a../..N...@.C.x..v1D'.2..L...Qo..`......H.-......z..8...y&..K.x..M;sf....().SB7....H..s....r@0o..........^...^.c85n5..eO.>."./pB...X....sv...r(..3m.....T..:..9l.g..q...g~.@..xR...\g{...Z....2.W......y.@rB...(...u!+.].4q.}..p9...U..0S.W8T...L,..J..{xr. QR..]Lk.H...c.[mzo..TB)...<....>..+...?.I..}q4x<.r.._...k..S..2.&U....'P.%AV.Bg.%.G..........x...}S>.?....{k.Y.[..4...\..n.}0..C...f.HNl........5.....7......9...8.L.5...CXnX.\.Cy'...%.CC..5......q,..h^.....0...fUC...V.(...Y.^....`..1.V.B..b....R&.......c.m..y3\.rSy.9A(~5.`...........1\|.Zl }.y ._Z.R7...X.....wp...(.k.5.XZL."...]NI$..:...I..'.tVU..W.L.CWLj..V.c.m....l.l.9............\| F..2.z9.Z~....].Dc$..V..,.<....R\|Y.qO..3..=..Vu._...;.>W.IT...c...H..)Oe.%5........I4Qa...5.\|._.D.=.G{4...G\J[........j...dR"...`.Jg:`...v......m. sb.xV....H.*..<....5...A....}.Jlj...P[.OC.q.y....b./.T...L.$/...G.q/.z.LV...tC.&Ho.W.#

C:\MSOCache\All Users\{90160000-0011-0000-0000-0000000FF1CE}-C\PAYLOADBIN-README.txt Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	354
Entropy (8bit):	3.4546009930890347
Encrypted:	false
SSDEEP:	6:Qn7KMM0dOLlPq0SlufB6PYxTflE6TcGsZmCulv9l18I30qlAsXQW:Qn7cbLlXSlroNEecdZW9l18Q01y
MD5:	30C95C97318E18000E6CB5682AA9143C
SHA1:	9C90986F29067617D9C13192D99B1104CE1DFBA6
SHA-256:	2A662CAB195B9C81BBEDF676F3D54A6BB326CD8B6112C928404E9616DBB8E851
SHA-512:	10C1D4EAA6FAEBDA3FFBC36668EFFA6E8EE96D3E93E4E8EB34D843432C6A7102FB4212AD01E3593BC3D32F06CE6F3C6264BA4D9238A8BB9314B7154C0E213D57
Malicious:	true
Reputation:	low
Preview:	..T.h.e. .n.e.t.w.o.r.k. .i.s. .L.O.C.K.E.D. .w.i.t.h. .P.A.Y.L.O.A.D.B.I.N. .r.a.n.s.o.m.w.a.r.e... .D.o.n.'.t. .t.r.y. .t.o. .u.s.e. .o.t.h.e.r. .s.o.f.t.w.a.r.e.......F.o.r. .d.e.c.r.y.p.t.i.o.n. .K.E.Y. .w.r.i.t.e. .H.E.R.E.:. .#.1. .r.i.c.k.h.o.o.d.@.a.r.m.o.r.m.a.i.l...n.e.t. .\|. .#.2. .m.e.r.e.d.i.t.h.p.a.t.r.i.c.k.@.p.r.o.t.o.n.m.a.i.l...c.o.m.

C:\MSOCache\All Users\{90160000-0011-0000-0000-0000000FF1CE}-C\ProPlusWW.xml.PAYLOADBIN Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1068
Entropy (8bit):	7.76736287121917
Encrypted:	false
SSDEEP:	24:a90cCyqhQjgoE+lJvSJTwY08Y/btbr4tRgaKDmouw0yYNim9b:D7loEvS9T5mRfvyYlb
MD5:	256805B20BA6135F8940869A1DE3E097
SHA1:	018F1A1E1FF7D230E3E0A62FDDC320E520803807
SHA-256:	FE0BAE2E05374EA8C73CA46CFB29458B49CBECAF86F9F63B89649A758230F435
SHA-512:	696A4294797DBDA5D9B4C11FE9FB376E9450662676554900DACA0DFC04409839AC57FD7A81EDA98DF3EF9955DC99D391851882EDA734A573FFEEAFFD27030CB2
Malicious:	false
Reputation:	low
Preview:	..{...%..93..m.:g.....@...C...[.DGs[`.....R......!.M..E..:.F_.(cY..g..=.qi........U.K.Y".-+._.......g..x.PJ.I..O..T......i.k.k....]..t%..&.=o.+....c...d...=....)..3...e1_.....r.Y.?....B.`...Z...,....{!2..~O#.$;.."..m.L.9R..A...q..S....@A.l...g`R...v..{r,..I..T..x...3.N7..d1..C....j.8...O...&..N......j......F.....K...i.A.G.ZR...)nl`4.....TluA......U.2..5eR.w}......E....{..U..n..Q....k..a..../..~N......K../.Bd....}%..u]..E..h?\D.....n..Fu..Wa.....RU..'D..{o..4/...6.d..rz..u"...(d1/..`.......X.&....H..n..%3z...........%.CC..5.........;....U.s).!&.Tn.`.kOO.......o7..0...y.d..e..i..2..N@/bD..De..`Qvu.k?F.8...T...!.RC.......(\|..."...'.....3T....c..C.r./u..o.D.T.~[...V.....Ou...$..[d.D.W.dZ.\|:.h..."..m>..&.."c-........8.mc7..6j~..L...G..9.Z...f......G+....z.k........(.&.Q..p..C"Qu..L..iv...H...YB$R...p*.........8......h}.j...#_7].Z."?...f.!x....l..{...S.$....C_.^.2.t.]....k......&.d...oj...s...).,e;.'+.rX../~A.J......cI.7:.T..j..L./Vq...Jj.G....~..Ia

C:\MSOCache\All Users\{90160000-0011-0000-0000-0000000FF1CE}-C\Setup.xml.PAYLOADBIN Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1066
Entropy (8bit):	7.782290200363567
Encrypted:	false
SSDEEP:	24:P7hiGHWfjrnb6KV6nvNlJEd/vg+BgEQAPpEuudMjJd1cHR8elC:jcGkBVIgpBxTMMjyHvC
MD5:	41DBD21903FBD1412CF9B60CF5036F2A
SHA1:	E42549B50CE1E427D1A7092789D997FC37C8D8BC
SHA-256:	AEC00A39728DAA957A4662F8015DBA60A35F364B63A89C18E1FDBF1EA50C1174
SHA-512:	4E00FA7BCE03379A3C22F66D5C43A2FA2521550BB4DF07DBEEE4DFF01BFC07DEED87E2748FF32258EA7ED26F0240DA2E9E5FE922B0B102DD93532D59CC7F83C1
Malicious:	false
Reputation:	low
Preview:	.cT..GP.o.4.d.;).G".....T....M.;_....,%.bk!0...Y=r.p.f@....@....@.k{&w........?.S...@...U.rq....XX...G0.S..~e...!hz..8n....S.\|.B.10{[.3..k...(Z@~........9.[.f...2.#.."...K#..m......4.F........K...Qo.......6.r$..{.U.(.."..\.5..O.91...i.Z[.I...$....w.l..:....j9.\[..T........Tm~..W]..P...`...C......3...@g.B.[.8F.M;../(..f......%..&.V.v.xL..d....P[...E..,o.x...r...t.'*.....'..!.6.P1...$G.E_M9D.U\|<1..c........\Uh.!..x..9......#./..b0...KH..JLQ.R.N.].}.y..f.".......g5].;..O..J.Z.<..s.....Md..;aX'.?3...BC.~....%.CC..5......h.z."E.y8..9cdg.O....V......!\|..........-}..r..f..si..P..9u. ......b..f.......^T..&....kM.....?..,..P{.Z-..0A..9...lG....6.8 ........E..B...@..YEW..........1.Q..M>.C..ZK"....9G\....2..}.q.s.%...x...i.@P.7 . 3l-.U.}cE.+\|{Csv..3<....]..1Z.z8( ._..d......8%....lb]_I...n@.h.j.RD6M..S......G.....j.S.c.&.BP.X......l,.\a......U..<<.q.x....E..-k-.da.....U?B..p.....1t...Xe..].......K..u.@j..F..2........`.. .j.;.v.-q..nB..-.i.=.P.

C:\MSOCache\All Users\{90160000-0011-0000-0000-0000000FF1CE}-C\pkeyconfig-office.xrm-ms.PAYLOADBIN Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1061
Entropy (8bit):	7.8300204833374005
Encrypted:	false
SSDEEP:	24:2dgUPUYMuW3QL85h3oNQrStuXoCP/BipMydu3s2pzn:6gQAQ0hXrS+oCcw3Dzn
MD5:	A0992D0325C62D9382ABCEC2EFC59830
SHA1:	396F4635989928D27D1FC539B4C9271FFC5CC2D4
SHA-256:	0DAB7E38DC285BD2AB17186CF6F1127B389904BFEB140082FD022A651E2CB5AF
SHA-512:	21311F8430EB150D825B9F93D22556CE18BF8B9A228C543D1F51CBA424F3BB9C144E0F94A110F7EDE28BAA586EF6261A393FE66B8A0F89371E4030495576B3F0
Malicious:	false
Reputation:	low
Preview:	..a....P...O/2J(...\/.......YI/H.n7.:.1 .FN.}22..'."..).WA.s.(Xn....'._..#..92....N....3.s<.2..`.<o.....$.Z..H....[ll1i.......V...J.p{..q.=..'qs-V...3^1,...n[T.-.....Jo..}'..Q........&.+.r...F&e....ym.....3....~..x...D..FK..&.G...g.kGm.-."....&c.EuG.g......_.\....-V. .Q....(,X.,.....2...Ic.(.....W..}....c.W.....dL.]I.scM......+......'$..B.CD.j.e:...)Z\|...&.c[#U.W..C..m_m...8...A....JX..........Z.x)H.........o}..,;.Sr.M....)..$K..[{..#L.7........q(......^U..;.P./../......<..k..U/.,F.....i...mn...s...%.CC..5......$...Y$.5.B.}L..z.U.\|.....$...)..^M....8f...8T@.../XV....fZ.... >....z.N.A.IB..qL...7x....CD.....S.R..w.0.y.%.g..m.......].L.n~..."..t....s.y.......0S;;3v..OE..m..o&B...O.\....wi.)...U..(w_.....{G....._..H........k.L>{.:l........q..>..>..j.2N..!......>:..L.V;f...'.Ha...-.s..]..l2..6O3....%.f.j..~..9....#.z....-~..2m.$O..k.r.#..J.<z.g..;....K~..........,jn....."fXs.t...c.mx~..@..9.......&...R....M....`..I=.Epd*.\|o.^G4.>)8

C:\MSOCache\All Users\{90160000-0016-0409-0000-0000000FF1CE}-C\ExcelMUI.xml.PAYLOADBIN Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1068
Entropy (8bit):	7.800295859837736
Encrypted:	false
SSDEEP:	24:mexWGUlq22K9FEmHYMreXtweU6Un2IpdHPL0oGIjPJb74KH:RUk22qvHYxXtL8F+lItb7l
MD5:	64ACD4BFE500A5CC7966CF3E0F0F97EF
SHA1:	E0E8E116FF4E12646DA4A902B96E8552799359D6
SHA-256:	D28F295BE500436A2973227CA9C176610618889F5B76412060EE1AD38D9884EF
SHA-512:	4485317F1AA5750744618C6DCBEEF4B730FCF03368B1E71286937B836BEC91038A4A2970C8CC161EA04DE48D4595739D8D1F1B745D7C0EE96BAD96C213A7E0E9
Malicious:	false
Reputation:	low
Preview:	<YLj5}...i....M.4#..q..(.GI...$z.m..d...2.C...e\..c17.'s.j..[...,......&t............. .j.9#..Ww0%...:0.Eb:L.....3v..\9.5..#1=.o.I...'Rd.L<.].K...c.....G%+.^}.....Q.."+.w.y.-...PB..R.}1l..d..[.i4.3xq.L_}..E."._;..%Nc.......2.aS2go!..V.~?..._._R.vj2~.@..\.....Fl.l...7..s].Z.....ab..'"......Za.._.lHqu..m.U_6l.Y..g..TJ...4..1?. ."..@..X\.vf.~.).&.ud.T'..NJ.Ax...I.;.`.....]...y..\|..9......'k.... )......j.~..."..>.yU.q...G..$\......'..3......ZO@.@l.V..w.k~u.4.j.+.."...I.,no5.n}...........1.k...x...x..H..S.z)..l...%.CC..5.......[W..!.m.$.~.p@wnT.>.E.....-....]...&..9..{.<.E?N..GCU.Yzz..)..k.R.8.cH>.L..P^.M..."..6?.4...]..s,.....D..dl;q..c..B-...It ....W@.?...51..ur..[2....I.PuD.+..lw.....C.G._.yo....e.{r.y..E...+_..Y.m..9'V'.$`...,.U..BY.":..<G...!!I.......M..}A..g....BB.@..E8r......T.j..X'q....w.3..C.Q..jUy.....)....c>.}_.{....=.[y~........q..k....y....&.2......VM..n.....-.......&E..4..H.m..)K.}.X.a...P z.....Ed@`..=W....'{.U.>.8.ad.v._

C:\MSOCache\All Users\{90160000-0016-0409-0000-0000000FF1CE}-C\PAYLOADBIN-README.txt Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	354
Entropy (8bit):	3.4546009930890347
Encrypted:	false
SSDEEP:	6:Qn7KMM0dOLlPq0SlufB6PYxTflE6TcGsZmCulv9l18I30qlAsXQW:Qn7cbLlXSlroNEecdZW9l18Q01y
MD5:	30C95C97318E18000E6CB5682AA9143C
SHA1:	9C90986F29067617D9C13192D99B1104CE1DFBA6
SHA-256:	2A662CAB195B9C81BBEDF676F3D54A6BB326CD8B6112C928404E9616DBB8E851
SHA-512:	10C1D4EAA6FAEBDA3FFBC36668EFFA6E8EE96D3E93E4E8EB34D843432C6A7102FB4212AD01E3593BC3D32F06CE6F3C6264BA4D9238A8BB9314B7154C0E213D57
Malicious:	false
Reputation:	low
Preview:	..T.h.e. .n.e.t.w.o.r.k. .i.s. .L.O.C.K.E.D. .w.i.t.h. .P.A.Y.L.O.A.D.B.I.N. .r.a.n.s.o.m.w.a.r.e... .D.o.n.'.t. .t.r.y. .t.o. .u.s.e. .o.t.h.e.r. .s.o.f.t.w.a.r.e.......F.o.r. .d.e.c.r.y.p.t.i.o.n. .K.E.Y. .w.r.i.t.e. .H.E.R.E.:. .#.1. .r.i.c.k.h.o.o.d.@.a.r.m.o.r.m.a.i.l...n.e.t. .\|. .#.2. .m.e.r.e.d.i.t.h.p.a.t.r.i.c.k.@.p.r.o.t.o.n.m.a.i.l...c.o.m.

C:\MSOCache\All Users\{90160000-0016-0409-0000-0000000FF1CE}-C\Setup.xml.PAYLOADBIN Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1070
Entropy (8bit):	7.817275775905312
Encrypted:	false
SSDEEP:	24:ZGSV0OPgt7FbW/tNcT/yhWj64bKXnv3Ih609SXPDOqiHvZ:ZGSVDu8SBbok3MXPDPiHvZ
MD5:	D42AA604D0316504592BB8B603BC6044
SHA1:	B835E5FB08C6B88FDE6D1F677D20F5BB7160998D
SHA-256:	6F3FD8A06619FD7B59D313CC805134E8B4CC2C778CA3C3F0372D70B44D341798
SHA-512:	B8736061A2CAF92CB2075BE0429FC30D468DFCF10C008A7AA3BFBD89E34B2E983EB096A04D7DE22F1BDE5C7F2EB6456AF3C0FA5BE2D7681BB82723F8618A1B82
Malicious:	false
Reputation:	low
Preview:	Pu.8.../I...oF....D.C..WSKT. S.U..X:.E.cl.."...O....M..R\..s^@.A..........`.l.......@M..E..J!.{f.\|Z.DZ.T..Q.$.Nb....).....S...i%3M...`u..;..p..e....P.a.`...>].......)..:...\.....,...,[..O...B.LL.OM.<.EM.X..b1. I..t. Vz.4.a....:k.L.E..[2.........-......7.E..P. .x...lj.^......={.`.i}b<.?.p.q..8~.......x.....V.t.`..8V...'jg.U.S..+..&....i../.../$...U2R^..]e8$;.S.D..6../.w.B.;I....;(N..v.r. )>......F..c.n...e....;....V...>^..5u...Q..E._..Q.W..b\=.......(.-..h....ET....../?..9..~..}L.?....Lcn.k...X(P..7..J....%.CC..5......_....w..4.......<Z\J.G.4.B...u{.>.to.3.....g2...&..r._(.y.'u.a.!.K....lqu>z.....T@p.N.....<Hk.t......"{..p.....+.u.....)'u<9.xf.bh......U:...>..._&D{...kN....<..Z....Y......].'..,.....C...........t.l.s..-.g.Fe &.7.#..:"x..?...e%1.....,..eB..}...5...4~....[.....o`...<K.C..E....}.......j.;d.....8g.#..y.6.4...qt..W..Ue.k.~t..*G.g...........H.....>..a......x..cVV....E.AF.(..}R......[..j@\|.........U...._.a.V...2w....ey..

C:\MSOCache\All Users\{90160000-0018-0409-0000-0000000FF1CE}-C\PAYLOADBIN-README.txt Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	354
Entropy (8bit):	3.4546009930890347
Encrypted:	false
SSDEEP:	6:Qn7KMM0dOLlPq0SlufB6PYxTflE6TcGsZmCulv9l18I30qlAsXQW:Qn7cbLlXSlroNEecdZW9l18Q01y
MD5:	30C95C97318E18000E6CB5682AA9143C
SHA1:	9C90986F29067617D9C13192D99B1104CE1DFBA6
SHA-256:	2A662CAB195B9C81BBEDF676F3D54A6BB326CD8B6112C928404E9616DBB8E851
SHA-512:	10C1D4EAA6FAEBDA3FFBC36668EFFA6E8EE96D3E93E4E8EB34D843432C6A7102FB4212AD01E3593BC3D32F06CE6F3C6264BA4D9238A8BB9314B7154C0E213D57
Malicious:	false
Reputation:	low
Preview:	..T.h.e. .n.e.t.w.o.r.k. .i.s. .L.O.C.K.E.D. .w.i.t.h. .P.A.Y.L.O.A.D.B.I.N. .r.a.n.s.o.m.w.a.r.e... .D.o.n.'.t. .t.r.y. .t.o. .u.s.e. .o.t.h.e.r. .s.o.f.t.w.a.r.e.......F.o.r. .d.e.c.r.y.p.t.i.o.n. .K.E.Y. .w.r.i.t.e. .H.E.R.E.:. .#.1. .r.i.c.k.h.o.o.d.@.a.r.m.o.r.m.a.i.l...n.e.t. .\|. .#.2. .m.e.r.e.d.i.t.h.p.a.t.r.i.c.k.@.p.r.o.t.o.n.m.a.i.l...c.o.m.

C:\MSOCache\All Users\{90160000-0018-0409-0000-0000000FF1CE}-C\PowerPointMUI.xml.PAYLOADBIN Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1059
Entropy (8bit):	7.831539642037214
Encrypted:	false
SSDEEP:	24:OmT9CDErgHZCMZ0DapBNTq/a/vfskKl0yil1/R5XYoiW:t9CDErg3oa7NTqWvfsc/R5o6
MD5:	E746B3A180F09D71F2E6F808EFE1361B
SHA1:	4B04A2CCC3E65008FDA3831BB4F95E14F7488DA4
SHA-256:	06529B1E02BD3D99C18D7FD7384104B766D3C2B83F2F9A7FD470F5A68C18DFC3
SHA-512:	DA37C46E24644E63DBA41770A743A012B8EA9368CDE0747AEAFDFB8B2622739BD8DCA3EE2C61C593E3D47CD89893641B4B3E0905003632DD0298BB1F290515A0
Malicious:	false
Reputation:	low
Preview:	... .JI){..X..]`/...8.^../T./.@y..n.... S..{.6.v.....~m...O.#.._...G...^2.c...C..E...ry_.ROKy\A.id...(4.<wt.[H.Ix..I..."N4..c.w.;.E.....l;3.O..~...1.m.....N...E1%.t...8.j.._.F......D..7.eK.........y.?k.I#qG...&#.m....+.....;mOq...<F'...<..T+..W.rY3.oL..H..._3...k+.7.F...(&.c.F..H..H.....E..x...i....Y......+'.\..P..R.....^..r.".....2.H.@...q....!.? .X.].....v.${[..(..).......4...E...n'.V.hK.x....Si...9......Q>....C.7.L.zJ...d.....Mw?....+..w.b.]..U...b .M.....a}.K.u.#.5......E....^...g0.0.z.....fdm\....%.CC..5......`X~{;s.0.......>..........Q..[....z....F2...h.....eT.=d.$.....K.%..>.K.p...a+.....h..P...B$.+...Z~d\M.9;U.l.^1.K%vU 9..j.....U........fsb.Y5........:.C....HA..D3.-!..r[..m......W.O]..>)0......d.=..b.o,.....v..r..N.2...P.7.FX..N.K......7[..C...LI.=\.I..gD.Q:.t-.^z.jE...}...H.a.>...'/=.w....\...I.T...K1F.h.'..?.dH6D?.Y..Q.F...xM...p.../.2..x.yM.j...m.y....%.....nS....E..s./.k\S.'../..9.J.6\|R...R3Y.Pw.;!...AXd$.W.}.7...+.!.z.p...E9.>t.

C:\MSOCache\All Users\{90160000-0018-0409-0000-0000000FF1CE}-C\Setup.xml.PAYLOADBIN Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1064
Entropy (8bit):	7.8246224332784005
Encrypted:	false
SSDEEP:	24:BxkLgdes4lJCh/ZtXEkjbZYu2sJhmRDytoyDj+r8pfkaNk6C:M0dGPqBt7PhmRDINn+wpg
MD5:	1A0C6386D31A3F1EE8A47385387A64B2
SHA1:	D4F909F9F1F4FA8A3C808A691267B30F7588521A
SHA-256:	6D5D6769EBDF2933A319921EEC23AFA18462E8CBAA78F1DD214B3572E2760329
SHA-512:	8D13B5EAC7F272417AA1E4F05EC3B1D2E8B94A7FDA7BADB104D3C41DA5CA7D5BE671C86A6102663077C77E6F99CA05C89178036A5E36007AE9C069B5AA9ACDDD
Malicious:	false
Preview:	.S. .,......#tV#K.........pgP...MZ....B~r...1J....<...M.b........V......mv?.D.5....u%]........ ..zW.X...^b.W.#M..d.Ip.9..d..'..h..}............DK..7..4..8.7....C.f.;.^.......f...7...p.Q.\......R.e3n..Z...H.L..&.....a.7.:4..l.<...c.O(....@."./..P-..F...2vG....<i=.s..7P.v..J..i.....!C.&pT..,7?.k`'...k.-q...Q......~..T.!..e....+.)G...wF..Bx....O...E.=VWnJ.7Z./...<..7...;k..Ih...e.%.!.f.:..t.....gP......X.Vv..Z...x.?...9;.........]....._.H.~..G.[.:........z..o6...o.E...j.........&.W%...........#..M....%.CC..5.......G\o.b.$..-....{...w....+6...C%...l8.V2..G..W[.m..q......uk..\Y..S..ik(...c...C.A...&Zuz.....dE.a.9]..=/..j'k&.8 V.W.kj..P..c.jM.j.......g.0..^@.l._..D]S%.4..,5L....;..\...$...YY...oq].PSN...... ....n...T.....~..ay..%.....*.X.N0..G..\^k......S...:......[.r...J......>.8..f...a.xH........:..O.....M.[.,...7.K..QT.......sS.@.k..!..u......La.@..c...2b.iC......B~h..eA.~..9..7&.H).^.BF....h.L...`8.b..xu.+.........V\....}

C:\MSOCache\All Users\{90160000-0019-0409-0000-0000000FF1CE}-C\PAYLOADBIN-README.txt Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	354
Entropy (8bit):	3.4546009930890347
Encrypted:	false
SSDEEP:	6:Qn7KMM0dOLlPq0SlufB6PYxTflE6TcGsZmCulv9l18I30qlAsXQW:Qn7cbLlXSlroNEecdZW9l18Q01y
MD5:	30C95C97318E18000E6CB5682AA9143C
SHA1:	9C90986F29067617D9C13192D99B1104CE1DFBA6
SHA-256:	2A662CAB195B9C81BBEDF676F3D54A6BB326CD8B6112C928404E9616DBB8E851
SHA-512:	10C1D4EAA6FAEBDA3FFBC36668EFFA6E8EE96D3E93E4E8EB34D843432C6A7102FB4212AD01E3593BC3D32F06CE6F3C6264BA4D9238A8BB9314B7154C0E213D57
Malicious:	false
Preview:	..T.h.e. .n.e.t.w.o.r.k. .i.s. .L.O.C.K.E.D. .w.i.t.h. .P.A.Y.L.O.A.D.B.I.N. .r.a.n.s.o.m.w.a.r.e... .D.o.n.'.t. .t.r.y. .t.o. .u.s.e. .o.t.h.e.r. .s.o.f.t.w.a.r.e.......F.o.r. .d.e.c.r.y.p.t.i.o.n. .K.E.Y. .w.r.i.t.e. .H.E.R.E.:. .#.1. .r.i.c.k.h.o.o.d.@.a.r.m.o.r.m.a.i.l...n.e.t. .\|. .#.2. .m.e.r.e.d.i.t.h.p.a.t.r.i.c.k.@.p.r.o.t.o.n.m.a.i.l...c.o.m.

C:\MSOCache\All Users\{90160000-0019-0409-0000-0000000FF1CE}-C\PublisherMUI.xml.PAYLOADBIN Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1058
Entropy (8bit):	7.8350746383975975
Encrypted:	false
SSDEEP:	24:GEJ33X+J8atSQQNDcrL5c6Cwo/8zEPZyV1AI6xvXEKhc8i:GEJ3+JoR7Fr8zrXAI6pXg8i
MD5:	A3840EF97A91DDB011AB1B5AD70CE063
SHA1:	E9CE18FC9E6D081664BE89FA84D3D0D71EE40DFB
SHA-256:	EA3CDB21B7A84997E355FD9FB422343BBF911C60C04DB65C601BC210C67F4FD1
SHA-512:	800013412AADFDCE799A94C5C9DC84C856C6C58002A96A57045374358513088D34C85B47411514920376A1DE59997AC29DA2D566F0097AD3ED06DE050579841F
Malicious:	false
Preview:	...;.Km8...?.OQ.]`J8...`.2....e&...p...z.`.B.....6{..e..a;...=~^.e".J..p9M]..h9..<..d..?Sx..J.HM....\.....vL>L.6L.m.R.]6...P.8..OYz...Q%..Y.#..KP=u....5xR.`.v...+3.Z.NZ.sS..K7..l.......&.$r,..i" ..}.Dfy.<..y.\...m.....u......sF....VAp1.0d.d.H.mE.m.k.#~...2WK.../o. ..D8....6.<....i.-.g@c..}........O.....G(..o.nt..>.v.#E&.OY.f$....\\.............4....),&>..^..}..n[ .R....l. E.>R..E.j.N...p...i..+P.>.e.O......+e.L.B....v\$#v..4.B=.!y.........no.J...j..}....p..IZ.2.r.......jD.....9vS..t..~...8P.<....%.CC..5......w%..N..3.>.`E..S...; ...Vn....K.JUw..........O..# 7...va_.m..n.}G(.Z7Cf5..0.N.....P..>..w..q.L......=.X.A.........>_..FLQR...<k...@x....D%.#[F\|ek..K..^.oF..r.K}..^..a...3$q..... .ifsR...m......j..d..q.g.J[LU>.~..6..i..?.Kj...B+=.o[....m...Q_..w.BS...h&.........)..[._....Z"...&.G..s.lI...=@=...q.b..8.....j.a.....>.nS9C.(.H..,...}.D.EN..)o.B../...#h.....Z0.=.+...H....(C..!.i.j.g.Jx.!'............,.7..;..bq..;'..........m2......u.;.

C:\MSOCache\All Users\{90160000-0019-0409-0000-0000000FF1CE}-C\Setup.xml.PAYLOADBIN Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1069
Entropy (8bit):	7.797731178691509
Encrypted:	false
SSDEEP:	24:cV4DhpecZ1EERV70DE/VlNgQ1qEgckDm2bJxzC7WJmiRnbcwx:w+hptZ1EYtcE3GQ1R/4pPzCcmiRIA
MD5:	4D036D75EAB307C8225B8E2C7A90E05E
SHA1:	CA65E9CDA18FF84FBB586D1174757FB513A6DC57
SHA-256:	48534A3BFC2CD78447F14F52DA8E90776D5B94DC73970A3E9BCB3DBD14766510
SHA-512:	8EA05052D9A96C8E660EA0BBB136D04E6BF2283C7E8F193D2629983919E061B3850053DBD52F9E35C2AC216FDC1439DD90A3038AFC3BFF54F96079B1E1A653EB
Malicious:	false
Preview:	.36........J\|.....r../.!..r.7pF..TW.i.:0..Y:..14..Y.u..o....x........@.....N.....Gs...........7...%R.o..jU..8.M..V..v..........;......5..V.....r..G<....C~.z.dG..}.@i...O.;.N.....Z..g@H.Xui..9~e.1.........;..CF....ZI...........w,../4`.[&......E..;=..<\|k.<3.xD....JG.........G3...1`.......J.c..-.s\|...;..].9..R...H1.z...(8.>4+...y..h..M4.>j]/{......V7........w...g...Ip.j.K+...[..PJ.T....m..bYR..-\|..p...W.+....O.`....'K..\|&1i.aa.iZ....6a.W!.[........ ..........g)..l..M.&./5Q.4.....].B.......i.o(........}....p#.....%.CC..5..........x@..\|=..-P..^.T._.:..~.W....p...z....P...J.....5.r8.)........b..a..?p15>.#.2......b........d...h9..}..<#..........P.l..%.;.T..6.V{xBa..........I.....6.P.J.!.W.r..."..hp.?...).&.d.d.Mi#....I.y.....\|.f...sG....=...W.K......Y..>...l..........Np.3.....,.T...b..,....@#...7FMl.w.Z...^I.9...g.ZQ.0..v.@'....^.........m\|.F0.^..O'..=....&..V.VyO.#.o8Y.{.U.+Oc.....W...j.@~.@E..@.y.q...n.`...._.qo...5.O.f~5.....7t{X...

C:\MSOCache\All Users\{90160000-001A-0409-0000-0000000FF1CE}-C\OutlookMUI.xml.PAYLOADBIN Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1067
Entropy (8bit):	7.799823176965707
Encrypted:	false
SSDEEP:	24:ROPNRIkwBpgqDSVVILoBsKtSBRHiPIn6kVgs/VMZKlZR+qaEVE:C3wHgqiCUBsY4CPIn6EuZKd+qW
MD5:	6F5D578466FD1455B2D3EA7F18F04328
SHA1:	E80DCDF775C82D968C885090E87A0E4D692DDD42
SHA-256:	D1237D1E331DA14417A82F738535274096406BB98C2B48FD6FAA631857B43F54
SHA-512:	FA612F2A2B695F0020764278C0FD967CE3A1258B9AFCA50B182F746A6EAC34C64FD41A9D0C65814677E2D70B2DA9838DF4BDA0390112FB4D02AC3E03DBE37C97
Malicious:	false
Preview:	6..._T.q.\|.2r#v.eH.[.....U...Er!.....4\|.w...7...(.9.........^....f..P...Q.Ui.T..lo.8.d...W.L0kt...`....8.....Z...RT{.G..BK.7....c..E.Z..q..J?..l.63.^$.....w........+..xK.MM....1.m...5..T4......}..'?b_.+...x..,......q;.U.........c.A$....3.b..f..;=.M@.i.S...T.M.-.F4.Y.T(df-..........q. ..^w..8)rA.......8Q.M....(.<<%.(2w..ew..F....2.v.4z+....z.<.qO._a.`PD.F..~..<.w...94M.......}2b........g.........nz...6q...JqG9.`.;.I.G.......r....u.Y.....s.uW....WE..;%.W.)0Y..+....+$.l.....U)!.....7.../^~.am.#..r.I....3%....V.k...%.CC..5......e.KY9.Uc......O..$q...k..^....4.. ....l...:.Zwy}:.!:..1XN...)3.mG}.dxl~ypQ..O.....1.0...\.....yR.......(.X.{....x..Gh.-...?. .2~..=....\|....e.%.@tEP2..OG?.q3..t..n.......\...%..n^{K%(.......5.I.-...>.>.....\.s.O...E3^.P..Qu.B,m..o..T....I..........t./.3..L..Q......:........v...J.c../...r'G.I.L[.@\|o.H@T{..{\|...\q..K.._e{...[...p.s.......}......%Q`.P..K.:2..?2..g.G...DK..i/..]..\|.w.eU..\|.o..$..i.........\|.&b.G.=...c.#...t.....V

C:\MSOCache\All Users\{90160000-001A-0409-0000-0000000FF1CE}-C\PAYLOADBIN-README.txt Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	354
Entropy (8bit):	3.4546009930890347
Encrypted:	false
SSDEEP:	6:Qn7KMM0dOLlPq0SlufB6PYxTflE6TcGsZmCulv9l18I30qlAsXQW:Qn7cbLlXSlroNEecdZW9l18Q01y
MD5:	30C95C97318E18000E6CB5682AA9143C
SHA1:	9C90986F29067617D9C13192D99B1104CE1DFBA6
SHA-256:	2A662CAB195B9C81BBEDF676F3D54A6BB326CD8B6112C928404E9616DBB8E851
SHA-512:	10C1D4EAA6FAEBDA3FFBC36668EFFA6E8EE96D3E93E4E8EB34D843432C6A7102FB4212AD01E3593BC3D32F06CE6F3C6264BA4D9238A8BB9314B7154C0E213D57
Malicious:	false
Preview:	..T.h.e. .n.e.t.w.o.r.k. .i.s. .L.O.C.K.E.D. .w.i.t.h. .P.A.Y.L.O.A.D.B.I.N. .r.a.n.s.o.m.w.a.r.e... .D.o.n.'.t. .t.r.y. .t.o. .u.s.e. .o.t.h.e.r. .s.o.f.t.w.a.r.e.......F.o.r. .d.e.c.r.y.p.t.i.o.n. .K.E.Y. .w.r.i.t.e. .H.E.R.E.:. .#.1. .r.i.c.k.h.o.o.d.@.a.r.m.o.r.m.a.i.l...n.e.t. .\|. .#.2. .m.e.r.e.d.i.t.h.p.a.t.r.i.c.k.@.p.r.o.t.o.n.m.a.i.l...c.o.m.

C:\MSOCache\All Users\{90160000-001A-0409-0000-0000000FF1CE}-C\Setup.xml.PAYLOADBIN Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1058
Entropy (8bit):	7.823773388403396
Encrypted:	false
SSDEEP:	24:wL5Iql4ViTihwok1K3nm0HF/UqCAdziyC4qqMOT+b:i5IO4ViTkD3m01vzid5fb
MD5:	367A194925A12362F866FC251A82E9D7
SHA1:	3A80A89A24029E8DAF035BE92C968762D94FE702
SHA-256:	3466FDC9406D90A4D95E78FAE13734021EE9D288E4884DF28FCEF77870F97E4D
SHA-512:	96B5EF59CE67CD52E92B36B7E532CA71142454D95C8C2429F7259BA2FCCA179EA7986819ED8B7F61413AFB581983AAF0078F49358548A9FA8A90ECD18C06F4AF
Malicious:	false
Preview:	.{)....^...JE%.DdI7.s#k9..b.8S.Q.....\.1..>.TF).{...)(.. ..W.Q.\...Y.Fm.l...8E4...YR.z..`n?;].\...Pb.k.......&....N..2..Qf..e`...M.L.ki.6.$....4......b...1w..}i.F.5.y..,..RV.H....D+..E.F...H.j....\\{\....<Q~..a..A.t..X..n.8.....Go....5.@.%....C.....p...YcU./r.l.H.K9..":..I.#..(.7.n..w%/..]9...._..d..ce(...U.;...-d.cO..6U%.,.O...$Y....p'...{.i...@.3JE.@a..c...m..vc.....Q.P..P...M.fnOX.Y..s..[..=h.......<.h.{N........mTP....D.....g.<..[.........'.0.k....\..m:.._f.j.(./..BC..~..j....}.....w.....%.CC..5......V..."$.5.s.K{.'5;w.gL..A.`g..[QZ..#Ub.M_24...^....-!5.s.e.24...s.$......R........:X.i59;..W...".00..~.o&X.>2.1&4j\|.zz......{2..\.......&....bB..W.^LN....9......S......E\.q.n...z..I..".+a*...&.Y.T.T..fD.t..6w.."%y0..}...f.......G.A...I.QX&u$..`.x.q.-.S(...w.... $...x~N.......=.)k.$8..F.c......v.z.fc..zRi_Z.g...W..n...bF.PH..]J...x.E.....h_A.....nsubP.ik.g...X..p...9?-0...v...q.`..G<7+^.~......@.o....j.@..5:3\.f.h.=.P2-m.W.T3.^s.n

C:\MSOCache\All Users\{90160000-001B-0409-0000-0000000FF1CE}-C\PAYLOADBIN-README.txt Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	354
Entropy (8bit):	3.4546009930890347
Encrypted:	false
SSDEEP:	6:Qn7KMM0dOLlPq0SlufB6PYxTflE6TcGsZmCulv9l18I30qlAsXQW:Qn7cbLlXSlroNEecdZW9l18Q01y
MD5:	30C95C97318E18000E6CB5682AA9143C
SHA1:	9C90986F29067617D9C13192D99B1104CE1DFBA6
SHA-256:	2A662CAB195B9C81BBEDF676F3D54A6BB326CD8B6112C928404E9616DBB8E851
SHA-512:	10C1D4EAA6FAEBDA3FFBC36668EFFA6E8EE96D3E93E4E8EB34D843432C6A7102FB4212AD01E3593BC3D32F06CE6F3C6264BA4D9238A8BB9314B7154C0E213D57
Malicious:	false
Preview:	..T.h.e. .n.e.t.w.o.r.k. .i.s. .L.O.C.K.E.D. .w.i.t.h. .P.A.Y.L.O.A.D.B.I.N. .r.a.n.s.o.m.w.a.r.e... .D.o.n.'.t. .t.r.y. .t.o. .u.s.e. .o.t.h.e.r. .s.o.f.t.w.a.r.e.......F.o.r. .d.e.c.r.y.p.t.i.o.n. .K.E.Y. .w.r.i.t.e. .H.E.R.E.:. .#.1. .r.i.c.k.h.o.o.d.@.a.r.m.o.r.m.a.i.l...n.e.t. .\|. .#.2. .m.e.r.e.d.i.t.h.p.a.t.r.i.c.k.@.p.r.o.t.o.n.m.a.i.l...c.o.m.

C:\MSOCache\All Users\{90160000-001B-0409-0000-0000000FF1CE}-C\Setup.xml.PAYLOADBIN Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1068
Entropy (8bit):	7.810058558223876
Encrypted:	false
SSDEEP:	24:MgsqOUfcg55QBiPzS6AEtrREy1eQcl6hSIFRuxVZtdfwRVB1MVAp+:DhTcggivAGR31eQcoUI3aL/eVB1It
MD5:	5AF9E424D1414AD1E3B72D12D7378189
SHA1:	EBBDFA4E3EDD4D086DB186D4C43DA3F81074570E
SHA-256:	3910DA7B806392E2C4EC7E5A595D6CB9D1260847F3C09FD3934F6D9114552222
SHA-512:	94256C051449DE038FB6D4C63A098E2B0AF5C7F9C4B915DE3FAE457C43B91855814AF04449DD31522B6CFC25417A3EAD7A923C44B359B3F4E22424BC96E22072
Malicious:	false
Preview:	.....m..W...v.9V...`.l@..;f.]....Q6:P^.@..;.g.0....L...C..........^V.N......&z+...<<(....v/... ..2"..1lv.m..M.6..wP....6.t.]..x...g..M8..........h...x..7.D..H.t..D.."...W\./l.!..&N.St...Fb.....U.7.'1.3)...6.p)Y..x+..\|..p/.M.....]b......O....k.(@.w..mm=.:.Zz.x.Y.wl"m.._.Z..rfI...........A......9...0A..f>.........M...Y.8.......X7.).Vm...`..-<D.J>....9+..\...:.7.r.)PXh>........O@..y..$..,.I.r.F....4..aV..;<.<.fX...7.`...K.)n....F.....=<k...5...R...71.4"Lm...b_..MIU.%.;U.U.Z.e....9....gp{...am.O....&@V-kHT.Z...%.CC..5......$.-Z\0+.Wo..`.2h.)..:...$G8sY.....A'=Y..m.....K.0...R.......:.M.q.%..1....Y.=7..'h{hWh..@D..A.r.......k.az.BQ.:/e..n{.-.."\..n.`.I....\|{....Wt.u.d.......9.N.......@I..6.\|...0.( .2......ys.....Z..S..F.>m<...N...B+...w.7..^.......<KC..[S+....^.....D9.u>6.....('.nD.7..1.n...9I>s.s.}.&(o.Rl..7...)_\.FEK........s..%...z.....'m.=.....E......,.yD.fd..B.:.C.....J....\.A.r..l....[5.UQ.b...i~..l..G.&...#..!.....i.*....l..

C:\MSOCache\All Users\{90160000-001B-0409-0000-0000000FF1CE}-C\WordMUI.xml.PAYLOADBIN Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1060
Entropy (8bit):	7.800705445055043
Encrypted:	false
SSDEEP:	24:w5FDoHy4ru9Kut5uaPiunfQD1CHxzT0sacfmmTqo14oF:AFsxr6pJnIDQHposacO0qo6oF
MD5:	3FD436A504C4267125BD9CBB66198FA6
SHA1:	E5EAB0208A1D928E34B13217ED5A4598F534A8B5
SHA-256:	ED91ACDE26732489BA45A00FE650EEEA420190D8318747EAC03AEE8783741086
SHA-512:	956B93D5A4C647693C5DFCCCA4E597FA1A39BB7930CE4386B79EF3C1D98D0F8363F89585450DA368FE693F42D6820E32BEA29B3122DE5DC8EFE366F6B4606A63
Malicious:	false
Preview:	~.....S... p0..M..}..w..k..\.:W.m.S..\|........+.7...vIF.x.A....xO.q.R.m/7...(.%...1...,.:..LS.D.O.K...1..<.Ep..}.,.....PXD....l.....l..E).....4l...c...X..yS...j%U\|..!.<.6....{~?w..8..Cb.k..g....RWz.'X......n{...U.....sw.....j......0.2..E.-_.Q..b`....@..>`..9.5...3..N. .{.3.._...0......L..h.j.(.0...~.`.)9..N.lz...N`.......R.>.Jb...6...p.@W..1.@...\.x.d.s...Xv.B...}..yq..qr.Y.'y..SK..!a.@...ci......@...f.jM..z./.c..t....a.........x..t;...j&.X..o.LS\.6..c<...Z#.....%..+...H.u.(:.X.>B...K......%.CC..5......:.........P..&.ZPj.p.....6.z.n.'.,.#...E.4...r;...._\|...H.*<.a.]..z..\...w.........P......wT.<.>......b.k.e._.q....7.k.0>>..5......D.b..j.~h ..<VX.Y......o}a....oJ,.........Sg..\.{.Bd8Qs.1..JZ..a...kt.03...W...h..o....]......Q...f....~v.oxJ..{..`..?...o..^y..j8K?.g......;..I...tI..P_..5........3./us6..&l`v/..~.=...,...\...`_..l.}5..OV..T.........N....7}...o.K.R;...#jq.S...'.d..`\.-...../.d<.&.0A[.}.....=........5..........5.g........

C:\MSOCache\All Users\{90160000-002C-0409-0000-0000000FF1CE}-C\PAYLOADBIN-README.txt Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	354
Entropy (8bit):	3.4546009930890347
Encrypted:	false
SSDEEP:	6:Qn7KMM0dOLlPq0SlufB6PYxTflE6TcGsZmCulv9l18I30qlAsXQW:Qn7cbLlXSlroNEecdZW9l18Q01y
MD5:	30C95C97318E18000E6CB5682AA9143C
SHA1:	9C90986F29067617D9C13192D99B1104CE1DFBA6
SHA-256:	2A662CAB195B9C81BBEDF676F3D54A6BB326CD8B6112C928404E9616DBB8E851
SHA-512:	10C1D4EAA6FAEBDA3FFBC36668EFFA6E8EE96D3E93E4E8EB34D843432C6A7102FB4212AD01E3593BC3D32F06CE6F3C6264BA4D9238A8BB9314B7154C0E213D57
Malicious:	false
Preview:	..T.h.e. .n.e.t.w.o.r.k. .i.s. .L.O.C.K.E.D. .w.i.t.h. .P.A.Y.L.O.A.D.B.I.N. .r.a.n.s.o.m.w.a.r.e... .D.o.n.'.t. .t.r.y. .t.o. .u.s.e. .o.t.h.e.r. .s.o.f.t.w.a.r.e.......F.o.r. .d.e.c.r.y.p.t.i.o.n. .K.E.Y. .w.r.i.t.e. .H.E.R.E.:. .#.1. .r.i.c.k.h.o.o.d.@.a.r.m.o.r.m.a.i.l...n.e.t. .\|. .#.2. .m.e.r.e.d.i.t.h.p.a.t.r.i.c.k.@.p.r.o.t.o.n.m.a.i.l...c.o.m.

C:\MSOCache\All Users\{90160000-002C-0409-0000-0000000FF1CE}-C\Proof.en\PAYLOADBIN-README.txt Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	354
Entropy (8bit):	3.4546009930890347
Encrypted:	false
SSDEEP:	6:Qn7KMM0dOLlPq0SlufB6PYxTflE6TcGsZmCulv9l18I30qlAsXQW:Qn7cbLlXSlroNEecdZW9l18Q01y
MD5:	30C95C97318E18000E6CB5682AA9143C
SHA1:	9C90986F29067617D9C13192D99B1104CE1DFBA6
SHA-256:	2A662CAB195B9C81BBEDF676F3D54A6BB326CD8B6112C928404E9616DBB8E851
SHA-512:	10C1D4EAA6FAEBDA3FFBC36668EFFA6E8EE96D3E93E4E8EB34D843432C6A7102FB4212AD01E3593BC3D32F06CE6F3C6264BA4D9238A8BB9314B7154C0E213D57
Malicious:	false
Preview:	..T.h.e. .n.e.t.w.o.r.k. .i.s. .L.O.C.K.E.D. .w.i.t.h. .P.A.Y.L.O.A.D.B.I.N. .r.a.n.s.o.m.w.a.r.e... .D.o.n.'.t. .t.r.y. .t.o. .u.s.e. .o.t.h.e.r. .s.o.f.t.w.a.r.e.......F.o.r. .d.e.c.r.y.p.t.i.o.n. .K.E.Y. .w.r.i.t.e. .H.E.R.E.:. .#.1. .r.i.c.k.h.o.o.d.@.a.r.m.o.r.m.a.i.l...n.e.t. .\|. .#.2. .m.e.r.e.d.i.t.h.p.a.t.r.i.c.k.@.p.r.o.t.o.n.m.a.i.l...c.o.m.

C:\MSOCache\All Users\{90160000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.xml.PAYLOADBIN Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1069
Entropy (8bit):	7.832494332239345
Encrypted:	false
SSDEEP:	24:8ye/6++jep1v44mLpZ9MIDC9+XxnUj5Z83rIaBtZoyG+kl:Sl+ik4IUgxn0erIaPZBGv
MD5:	847D7757656068F3EC72126AD67FAC5D
SHA1:	E7FFFBED6A0200364FCD56455C614E7A85AE3C03
SHA-256:	A819CF2EA7149AFBFD30EA0A25057B7AE00608589301AAE4B079B97E361C3EC6
SHA-512:	550713F5528F6840D3CE781B4D46CD4938F3867A1682A655C4241451573C6546A47846C899E66F5733D8D83145889CBD458826263C51C213A2402BDCE4924E6B
Malicious:	false
Preview:	Lxw...n.......-G%;.1..o...R?...?...c.X7...m.c8.#.za...J..G.!.^\..bH.o<.Vc..?l....w<...\|..;........M.4...o.y.,.H........sL.Fag,UB..NVgOo...{.h...@2.s:..I.5#B..U.<.?..o.c.h.............@.[.`pj............i.k....q.&..".ab.KCQ...N-...%h....-...'.:F.....m..{.....R..F..rkvr....65bbg.=.ex.>q.I..!0NaW..l.WY.%........y3>..&.....'.:.fUx.. ...........W.aT&..h.I..lCl.U.$....k-.l....r.> ..5...4.9.Z..1..-8.E..d.m.D.Sp..VT....W.p..1.....%a#K...f..........~U...0.q...hH...]......\|D.=....^.7.s..:..:.).N....:..L+.&3x.v.;....?.....%.CC..5......Ak.L.x.0.3........V..q.L-3...........On.I..~..U.M.eaP.5{U.[..xE.'i..i....fX.g._)s..uKmX...f..P....U.. .\J..s.`.4.Z.0^..7:N.T.`.!..Gu.[.A.N3.....]K.L..Jh....!..;....4%....n.5.G...E..:SQ..E.E....4..J<QIl=.Q..Up%..3.1.w.9.t!>.G.q.+..."..jXdE>.;..(.[k.I...<D%7..,_....\E.S.z.g.....q.4X.;.....0....UT]P.....?.Q9..Pi.............S.............O........6).~......9vn.@N./=.3..#..*.S..x......>5x:-......;F]U..ge........F.b....

C:\MSOCache\All Users\{90160000-002C-0409-0000-0000000FF1CE}-C\Proof.es\PAYLOADBIN-README.txt Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	354
Entropy (8bit):	3.4546009930890347
Encrypted:	false
SSDEEP:	6:Qn7KMM0dOLlPq0SlufB6PYxTflE6TcGsZmCulv9l18I30qlAsXQW:Qn7cbLlXSlroNEecdZW9l18Q01y
MD5:	30C95C97318E18000E6CB5682AA9143C
SHA1:	9C90986F29067617D9C13192D99B1104CE1DFBA6
SHA-256:	2A662CAB195B9C81BBEDF676F3D54A6BB326CD8B6112C928404E9616DBB8E851
SHA-512:	10C1D4EAA6FAEBDA3FFBC36668EFFA6E8EE96D3E93E4E8EB34D843432C6A7102FB4212AD01E3593BC3D32F06CE6F3C6264BA4D9238A8BB9314B7154C0E213D57
Malicious:	false
Preview:	..T.h.e. .n.e.t.w.o.r.k. .i.s. .L.O.C.K.E.D. .w.i.t.h. .P.A.Y.L.O.A.D.B.I.N. .r.a.n.s.o.m.w.a.r.e... .D.o.n.'.t. .t.r.y. .t.o. .u.s.e. .o.t.h.e.r. .s.o.f.t.w.a.r.e.......F.o.r. .d.e.c.r.y.p.t.i.o.n. .K.E.Y. .w.r.i.t.e. .H.E.R.E.:. .#.1. .r.i.c.k.h.o.o.d.@.a.r.m.o.r.m.a.i.l...n.e.t. .\|. .#.2. .m.e.r.e.d.i.t.h.p.a.t.r.i.c.k.@.p.r.o.t.o.n.m.a.i.l...c.o.m.

C:\MSOCache\All Users\{90160000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.xml.PAYLOADBIN Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1071
Entropy (8bit):	7.81581164918835
Encrypted:	false
SSDEEP:	24:+mwNnZVfNGrHtjviOqymQqnPDpcJBe3qPZm2rdmEoVe9t9XEcTFJ:90nTNETqymQqnrhqsYdmRVat9XZFJ
MD5:	D659606C35BB99D2D54A516E5C798DBB
SHA1:	E3A60160D7860E7B30FF5D173849A7C6E45DD13D
SHA-256:	3777B0945310DAD47B4E4076B93DC959146A2F6EDA577A5571D6CAED65113B39
SHA-512:	75A078D3A3F5813C15BDF69D75244FB635722E90AB200E68B3E15DB2A40DD3B6E948B7D8E9C10EA274ACD4B99C8BED1370475A6AB7FCC40B1AB6121D828C4968
Malicious:	false
Preview:	;....8.....6...&@..K......i`hk.f...sy..%2.\|.XA.Fk. ...iJ.....,o<.l.......QP5../....<.L.1...z{.{.!..7n.e..O..)&......^2.x0.i....=......[..@G...W~n.o.....@...(..%..@...~.nc.Gk..Y..G..9.r.3+...2..AF.(s.(.'.A..w...R........1"..2.e..1,..}c...I..w...R.#..`x..Fr..B.......}.G...r......8.XP.L...O....;....-....1.hc....t.cV..,.e.{...^cn..y/'.g2.G...a..q@F..E.n.....4..[...<...r..J"../LOd .d..O..#..&...1.e..o..:.F5...&..uE.....b.<1..[.{[...[..b.....0...I._`...q...4,:..)..H..X..\.....L!R....`..l.z`.$..9.xH.lU<........Q.m...%.CC..5...........Zq..!.V..a.9z..1e......,.S.....^.].!....P...+E.O..%..#=..`o..{.eY(......WE3hY....t).........j..2x~k..5..h.Vb../$....&..>...:...%..A.].JL..$]s`La;.g.v9.....W...K>..T.M...<.`..3...0JE....)..G5..{.f^R.t....@o.Z;..t.#..g).>...0.-.b....2l...t...........d\|.M..1.B!...\|r..k.....q...j...+...v..%.6.a.d. .=.m...*.......K.Fu...#..[.G...9....:. .qx.2....^Hv........e4..L.$.S....c.......J.._...v.=n%8C$.8....'...e.9.>.....

C:\MSOCache\All Users\{90160000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\PAYLOADBIN-README.txt Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	354
Entropy (8bit):	3.4546009930890347
Encrypted:	false
SSDEEP:	6:Qn7KMM0dOLlPq0SlufB6PYxTflE6TcGsZmCulv9l18I30qlAsXQW:Qn7cbLlXSlroNEecdZW9l18Q01y
MD5:	30C95C97318E18000E6CB5682AA9143C
SHA1:	9C90986F29067617D9C13192D99B1104CE1DFBA6
SHA-256:	2A662CAB195B9C81BBEDF676F3D54A6BB326CD8B6112C928404E9616DBB8E851
SHA-512:	10C1D4EAA6FAEBDA3FFBC36668EFFA6E8EE96D3E93E4E8EB34D843432C6A7102FB4212AD01E3593BC3D32F06CE6F3C6264BA4D9238A8BB9314B7154C0E213D57
Malicious:	false
Preview:	..T.h.e. .n.e.t.w.o.r.k. .i.s. .L.O.C.K.E.D. .w.i.t.h. .P.A.Y.L.O.A.D.B.I.N. .r.a.n.s.o.m.w.a.r.e... .D.o.n.'.t. .t.r.y. .t.o. .u.s.e. .o.t.h.e.r. .s.o.f.t.w.a.r.e.......F.o.r. .d.e.c.r.y.p.t.i.o.n. .K.E.Y. .w.r.i.t.e. .H.E.R.E.:. .#.1. .r.i.c.k.h.o.o.d.@.a.r.m.o.r.m.a.i.l...n.e.t. .\|. .#.2. .m.e.r.e.d.i.t.h.p.a.t.r.i.c.k.@.p.r.o.t.o.n.m.a.i.l...c.o.m.

C:\MSOCache\All Users\{90160000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Proof.xml.PAYLOADBIN Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1071
Entropy (8bit):	7.8342779988676705
Encrypted:	false
SSDEEP:	24:fUp/6YiK01t6JtoKVANu4wHJIN5Osi+zLq73E4+fNir3hgXa:fUpSYiK0bmmKVANu4ZjOsiVp+YFgXa
MD5:	5EE594D4ECBED13117CAE7299AC9A2A2
SHA1:	84F69CE2DE606762BA4BC7CD9B560DD8033EFA20
SHA-256:	44157C225438D6B20DA9562B535230BF98D849F0831BE0AACE610DF5FA022343
SHA-512:	8E60A695A3E6DCEFD6A75AB6A2F3D060F09ADF6B62DB4F999FABE7A8DE9D4B08E0E7EB26788FE771144DB77B0C33221433740813F7CDEE3475A0D7378C5D6A27
Malicious:	false
Preview:	..4..#....n.J.....\F7.j..m.....r.....uLJ...G.S...].>=lgp...1.......0.....Dc(4N{.G..}QO#x.:.8.../eM.....c.D...2....B9......hZ...POK)R,..~.....[..@I.m.o7.`4?.n.....N.`......^..`8.z4..>s.s...........2...Q....T..".9..m..Z..t.8.......-NK....\|2...H.P.f..#g5..3.{..h......~Rg.......E.U\|R..y.a...0.s.......^....Z.R......UrP..._Y.O....\}............s..L6.....M...{..b..V..N.7O......#i.hu.....}....'[XC.]......Ikg .n.8-.....U..Q....!....Q\5.<...1...).PG.i...r?$.2.V..0....?.../..f.e_.W...!6~...u.......dx.V..6{..}..n......%.CC..5......9....5/.#L.....,P~....Y%....yg..;.../.8...f...@t..L..*.F.......]^...rT.R....U...a....=9...oMx...9..).FH....v.....h.....@...a..+.O..[,t...<..&..X.CQ......g..DN_i.`...Pi...:Qf.7...`I.=q......d...m)i.;...{;..X/...y,}.nO......._G$....&b1........[p~!.).1../d..-R@.J..C}.}B.-<c...w...z...u.....T3..=.$sV...T..K.Y.....x......sxr.H:x.<@..-......\.G...M.#p..j.....}..l.6F.Y.(.[/BQ..zO..2.........c....k.>;..... C..X...;.....D...G..3

C:\MSOCache\All Users\{90160000-002C-0409-0000-0000000FF1CE}-C\Proofing.xml.PAYLOADBIN Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1056
Entropy (8bit):	7.7917906848560055
Encrypted:	false
SSDEEP:	24:ezXZLZJG2d4j5EUM1WKMQ03rM9sSYa5dNDVIGlgsxo:uJZ3mF87bvsZYNBk2o
MD5:	C11134D375C96F24D9429C8DDFC784B9
SHA1:	DA4FE5293B1425370FE62100F0FCA615BD7C9573
SHA-256:	5D30853723E41718DD9BA4999BEF23BA43A17140A744DD432094ED9B04EC1396
SHA-512:	FB756AD9E92AB0CCBB1882EB8012E106D5AAB900796E756BF98C13EB42A8A92E7CB74249F047AF6C55A4CF975838E913341C01D7AD0B2E93B276085924104473
Malicious:	false
Preview:	..&.G.....8.."Gc .V_e.b%...']...\|.4.D..0!Cv...... ..:.uJ...j..rv.X..{T..v6.....O.....L.Z....".YO.LOe>>f8.......e.iu.....e.n...Q..g6..Xk.jN...p.).f 5....Y....7}.V..D.......I.....)h../x.-...`.e.SOB..J.7l.D..^......N....e..,V..9b3r~....P.(.. ."l.}.Q...Z.....d...P.....lJ..B...OU.....d.WDz...#..A..."....v..v..I..f6.8..>U,u_..]4...1...>..<..KF...'......O).jAJz.D.{@2_.AX.K.n.]..._0)2......~......p........._....9{s...\|.f..}..CZ...M...U+{f&..R.KI^..3...t\|I.5..Vo.q2b..@.;..N.u6?...v..."....6...3-..."....%.CC..5.......G.).@.a]7U. .m,.v.(z.....s....`F..z(t...i....!4.l...S...Z..r..ZG!r...../5....}....`..2e......e.....C..^.l...k..u..+{..I..xmTKco.!2o......#....v.......\...f...^{. ]........f......0qj.G.O%\...Xj."a2....C..x4{.S(C....;NY./....e..].J....,N[C.K....d..Tw..Q...9..f.?'....I^CW.54....V,..o.i.....y....E.e..^2..,.......q ....2;...9.[.....z..aR.."G.........]........7zkO.].v.5.K....._b.kR._..!iW8.S..n.~.v[.....cDKEh.k<......d..^..9].....

C:\MSOCache\All Users\{90160000-002C-0409-0000-0000000FF1CE}-C\Setup.xml.PAYLOADBIN Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1069
Entropy (8bit):	7.850215038208598
Encrypted:	false
SSDEEP:	24:Q33CBe4UjKErRg3siGwk06hjPuxDTMDw8aUB:CSBJUvRLG646CC
MD5:	A15AD850FA6AFFD8DAF211BA8F34F921
SHA1:	693052DC3073FD7AA560064C5E4FD00B85458304
SHA-256:	63937C3D7A87C04D2AB02FE34A4C6B7411FDD9B602DB647025CA671486DA6874
SHA-512:	B24B9A197DB3B28077E348093C9985F386356F016E1A92CB6BEA3554A22A7CE3DDEE0B5B5BC2BBB86E9C1A79D404EC55064C6A0333EFD561CAC918ECE927B547
Malicious:	false
Preview:	Kr ....'..&..ea..Bha>..m.O..q.i.'.z@9Y.~L+...(w...0./3d....Ms-.y...`G..}A.=R....C}I.Y,.....>.`.$....Z..SEK8...!..hoq.LE+..m1.C..4w....WN...........l..0...O......@.n.07..1...N..Kg.E..".Z..d.!\;...QU..-.....+.....5....Z......YY..c2..ZC.D_3..@.W..O/97E6B..............X. <....)I-,'....x.Y.T0..:.G.CJ........x.W.K.\|.SK...4..%e.I'q.2....T(.4.cw..A........o....@.5.....zN...\NVm.r$S?.z....,.....:..........+dS..Rd.........$..b...-....zK.,..._...O)..R{U.....f.7.Pu....&>....._......H....&H]rv..y.....5.z{.......'...%.CC..5.........{.....KG...tE...}0>..C..=.(;..ou..r...x...L...(....)..QG..(pu.......&....?.....0.~........].....yu.& .....'....j.)n.A.....y.$.D.Q.:2.%....I.i..1......d.....4...q#}.)>.W..... ..e.;>..?....Q.....kl.9..P...@..l..kg....?N.W.A.....2.....y...0.Q..H..nL.._:.rnQ.\....MZ}N.+..=../..7.8...`.5.m.".\|..{.A.6@..:Wm.,.z\|...cL.>"........N<.]...lM.....F.w..'r..[.\%.j..i/A.a...\|q...){.,*om...u..(w....%p..].....;......nq.(.r+

C:\MSOCache\All Users\{90160000-0044-0409-0000-0000000FF1CE}-C\InfoPathMUI.xml.PAYLOADBIN Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1058
Entropy (8bit):	7.838759831124104
Encrypted:	false
SSDEEP:	24:LGIITV7VOjEImP/+6TQ1oP0XbYAIxyQLkD/I:aLd/PpnEZwyQLkDQ
MD5:	A5E5835D0BDBAA5A3A082A4713ED12E5
SHA1:	EFEED4D7A9BFA350694C9026E1149B72662D7F6F
SHA-256:	EE402C268D489F54158336A6D7DFE4342D21326270E2C4D7C3D103F882737392
SHA-512:	C45790696CDC2CE3B548458869CC5B8FCA6BBB94F72BB27576408C7799EC49B6EB15DBC9D6D515ACF37B32183819172DF1CB9D0D7710FFB2A06628ED7DDF2DA3
Malicious:	false
Preview:	..Y.X....a.NdR...b....Z.m..s.........e.S...<..r.N..j.f............y_.k.m......V...5.n .I..\...v........A...1...`.....o.......}L.........#C.d..,..K.m....V@.z..Z)K..i<..Nm....u....96..]p`O.q...^(....s..TeG.O_.C..1s...>....QLV.H.h....Y.u....R[6...@.....{vT..g./..K.....Sf.y(.EL....)o...Fvt..S.V...)3.B...y..).~[.lDi.8.a.v1.........nu.,."~E.-H.Y8..'ZF.w`......I.s..I............p.Y..l..d."..'....Y.X~w..9.}X...n/.B.@....N.oo....7..[$[(....>s..?..C.../...q...R1<wh..B....n...+$.....n..FJ... -f0.......%.CC..5...........X~....D....u.\...;/...b..$.y.0>...&.aL.dM(.Z... ..v..G2:#.;...-.e"v...lyt.s.e..K.v...^..f..{....j1...e....#..O...CA.{Or.s........ .(.. ..-.w...<........n.,.^7m....%s...........2d.t....5.9.....g..q.k...;.D.%..?@*...J..V._..!..$>.0.,..c...4%N&...FSDq......Z.#.......7.d...z.&...X.\|x..q..G....N8..!....7Q.d.: .............."...f.X.c.r..h+..._..x......Nb.n.. ..`......9..@...\..\....JY.y.i...j'....u"....X..\..Pn.a07.w......

C:\MSOCache\All Users\{90160000-0044-0409-0000-0000000FF1CE}-C\PAYLOADBIN-README.txt Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	354
Entropy (8bit):	3.4546009930890347
Encrypted:	false
SSDEEP:	6:Qn7KMM0dOLlPq0SlufB6PYxTflE6TcGsZmCulv9l18I30qlAsXQW:Qn7cbLlXSlroNEecdZW9l18Q01y
MD5:	30C95C97318E18000E6CB5682AA9143C
SHA1:	9C90986F29067617D9C13192D99B1104CE1DFBA6
SHA-256:	2A662CAB195B9C81BBEDF676F3D54A6BB326CD8B6112C928404E9616DBB8E851
SHA-512:	10C1D4EAA6FAEBDA3FFBC36668EFFA6E8EE96D3E93E4E8EB34D843432C6A7102FB4212AD01E3593BC3D32F06CE6F3C6264BA4D9238A8BB9314B7154C0E213D57
Malicious:	false
Preview:	..T.h.e. .n.e.t.w.o.r.k. .i.s. .L.O.C.K.E.D. .w.i.t.h. .P.A.Y.L.O.A.D.B.I.N. .r.a.n.s.o.m.w.a.r.e... .D.o.n.'.t. .t.r.y. .t.o. .u.s.e. .o.t.h.e.r. .s.o.f.t.w.a.r.e.......F.o.r. .d.e.c.r.y.p.t.i.o.n. .K.E.Y. .w.r.i.t.e. .H.E.R.E.:. .#.1. .r.i.c.k.h.o.o.d.@.a.r.m.o.r.m.a.i.l...n.e.t. .\|. .#.2. .m.e.r.e.d.i.t.h.p.a.t.r.i.c.k.@.p.r.o.t.o.n.m.a.i.l...c.o.m.

C:\MSOCache\All Users\{90160000-0044-0409-0000-0000000FF1CE}-C\Setup.xml.PAYLOADBIN Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1069
Entropy (8bit):	7.824096723752531
Encrypted:	false
SSDEEP:	24:fmaIV8t6wCi2aDCJ9uerYJ5Ss7V3FsFkVLB4klkA3:+aVt6wCY+qekJr7V6Fk12klR3
MD5:	F0F2E3EB388A45C4CECEC3A2FA28D582
SHA1:	31701D544B68D31AA31938A57B2B2C57803E679C
SHA-256:	9A6DAAE0CC371F00FE9B8DCD4D3C711DAFB07426CB5EDFFB0AE272F83D7AAABF
SHA-512:	036E942169A12363B3492479FD79E8076B84A1EBE0C34986EF1705068F6B775E8644D3BEBF1990B205A41DC2F0AC835E2463F49003FC36CF4B2742F678D65958
Malicious:	false
Preview:	........%...V.D\|..A3D..+.....].F...kH....n...ku?'.(~#..E....^ ...9...}.q.S\|.Dc?.w.m...(...V...:..+...8..=L..5o..........##5w-cz.......o.:....F.,...e.j.r.fS.$Y....V9p...D....Ib...TD.O...4I...%[4..Fa.........-&.L.z...N.n....x..^.yP....]h.c..?.HYnI.m9....;.SX:4.O.4~....[f...6.W.2.!2MN<......y?.1.j`.q#.D.[].5'.....O.(....(@.@.!Rb.Q....ZN.;.^......l.g\|v..Q...W.W7J.!..l.5.t.l.......=.....SV....*.Z.M..LL2......K..3Jp...EH.b......G..+.3h...<t.FJ.3..:l#..1..Q4...ks....,..>..R&....9.N.0..K.JN.$.W.Z... O\|&.Ie-d?.'n.......%.CC..5........~...../TS.RYi..2)..2.,sb.N.il....XJ....d8...oO....=d.........T.+r.....\|.x..ckcz\....[]6.....0.h2.....O.P.....:....V...,^e>M..au7........%V.......F.V...s^L66....vcUY`..S=.vj....R....'...!..&.E.'/..g.....`.&U.!E..6...'.././%..,..l7eO)...k/^...@C..r..R.qG.e..$.CE......+R.....K.7e...WB.....ji(.R..&m.].y..v..9...2.....>.k...>...p.t.A.\|..o.....U......I.+NfT..h.`....d'<.......p..1...h.V...........C.H.HPC.U.]Y...../SS...48.^...

C:\MSOCache\All Users\{90160000-0090-0409-0000-0000000FF1CE}-C\DCFMUI.xml.PAYLOADBIN Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1057
Entropy (8bit):	7.813006468620878
Encrypted:	false
SSDEEP:	24:DeaNv+PPpgVeSMpZKl4kcVXFP//9dss2WwQIiCyJNd:TQBkeLKi3PX9es2hQFd
MD5:	3987BB0E23783CA130113F14047F5F9A
SHA1:	21B4984B90FB035A24A5756799374E1909714734
SHA-256:	B96B6E9B6A74908DF31FC43FD8511DC8B30E6B0196E46F5C50CF74E836C965A9
SHA-512:	2B264A1A4A86964A227F7FF62A73F120FA7985B5EF5BBFBCCEF5E1C73E3B34E59B614FED933DBE985C1FA2C3AD9D14152C347C3334CB2116C0E6409B523965BA
Malicious:	false
Preview:	tYF{.;...E..........w.....G...yr../...%.b....%..k..]/..+.k....E. ..z:.?).F..>.c9.k.....I.......q.o.y.....\|.wtV8...=P....O.....!....&3x..~X...42...%.).@.{.;..c.....F3...;.......[..A....E.....K.`..?...auh..g.b...J.s.e.l..9.;......FG...[.......1.M p..O,Y.\|t....S..k..&...o5S.].).......(.........&....mRq.....jr.r.r......S0........o:._....AF.....f)..p.6..kR.%.+.4Vh9......c.....;.2}.x..P..N..;.p...fL..O.b..~..^.Xq.......w.nbL..\......+%s3p.u..(...xB.B.7...}8......j.#...=w..Ty..a.U..e.&KRn..L2..~.5.x.....%.CC..5......Aw77....F..0.A...iLn..zj..h....5...&......w...(.k..I..n............pB....;f..M..kum...Z......R}K.....H.T/..u.j-..&.....".zq.g.M...U:.G...q...^.,.Ateo...4.@.....]R.....;.f^....]6#\|...yzi...)9.v..`.+..."x..m.tdt.^.{.gq..;].F.JB...8.~:...H/j...".;..NL...>......Q...:Y......'...Z..:>..R_.dD4,`E(....H.y....@.."..y...5B..o6X.....S,."o.5..a..x9..f..U!.B.Y....F.yO...e..M..dz.W.T......S..#.G..)n.bn. 2.x@......%..Z.]V~AG\|D..A\.....TtZ =.P

C:\MSOCache\All Users\{90160000-0090-0409-0000-0000000FF1CE}-C\PAYLOADBIN-README.txt Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	354
Entropy (8bit):	3.4546009930890347
Encrypted:	false
SSDEEP:	6:Qn7KMM0dOLlPq0SlufB6PYxTflE6TcGsZmCulv9l18I30qlAsXQW:Qn7cbLlXSlroNEecdZW9l18Q01y
MD5:	30C95C97318E18000E6CB5682AA9143C
SHA1:	9C90986F29067617D9C13192D99B1104CE1DFBA6
SHA-256:	2A662CAB195B9C81BBEDF676F3D54A6BB326CD8B6112C928404E9616DBB8E851
SHA-512:	10C1D4EAA6FAEBDA3FFBC36668EFFA6E8EE96D3E93E4E8EB34D843432C6A7102FB4212AD01E3593BC3D32F06CE6F3C6264BA4D9238A8BB9314B7154C0E213D57
Malicious:	false
Preview:	..T.h.e. .n.e.t.w.o.r.k. .i.s. .L.O.C.K.E.D. .w.i.t.h. .P.A.Y.L.O.A.D.B.I.N. .r.a.n.s.o.m.w.a.r.e... .D.o.n.'.t. .t.r.y. .t.o. .u.s.e. .o.t.h.e.r. .s.o.f.t.w.a.r.e.......F.o.r. .d.e.c.r.y.p.t.i.o.n. .K.E.Y. .w.r.i.t.e. .H.E.R.E.:. .#.1. .r.i.c.k.h.o.o.d.@.a.r.m.o.r.m.a.i.l...n.e.t. .\|. .#.2. .m.e.r.e.d.i.t.h.p.a.t.r.i.c.k.@.p.r.o.t.o.n.m.a.i.l...c.o.m.

C:\MSOCache\All Users\{90160000-0090-0409-0000-0000000FF1CE}-C\Setup.xml.PAYLOADBIN Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1056
Entropy (8bit):	7.820795498219095
Encrypted:	false
SSDEEP:	24:N4M1HLl1XV0iWVje9tQhM+ReYY1FCsBOA0Z+YLA9I7ryZ:N46HLai59tQh0nCrZM9q2Z
MD5:	5F26614DCF23BFE082DD20EDA1D5FD8D
SHA1:	2F0135DC66111B6E0BCD754919145C3382665E9B
SHA-256:	ABD8E5150C6620BB9FAFDA6CC6CF2F626A9C1DC5ACD5DE3F88D91EE7B6CA2F97
SHA-512:	7B7A0F90564F9B9C27D347ECCA4CC3F1ADF35B3E694C479FCE0433627585C3C5FC5BCD5506FEC710838EB88322FFDEA36222240B9C189102F3B1B147059E0F0A
Malicious:	false
Preview:	.....re~OQ....iL...q>:!5-.s....V......}...[5iv..#ob.p$2.....+........%M..ld.jJ..;.L.. .b..@g....u...2,.6....'.L. ....b....@a...!...X.w.......ln......~..l.E../..$...........U-....-v.?.o...........`...W%..\.F.S.....<..D...i$.f..E..@r.......(...(.@........uzd!$...;..u.ZM-.....l...4.+...K..<".Y.H..s...@......'.^..L.....6.`.n;..3.c.ab.3.L?.&..<...e"-.............D..[.....$T..z.D..Y<$A.L.._.p.y....r!}.....n...k5.I4.".;n..(.w...G).......M....8..1..I..\!...9..H.\.Y.)....c,.e..y..D..3.7"..?[.rJ..3....s....%.CC..5......4......i.\.,.k.....+2..v.L[.C.. ....H)d.w..aJq.f.JA.r.}....R..y...1Pp@5[1..p..L.~.....(...?.r#.y..M\|f..:Ax..1.U............^.f...@P2.5.......TI..!Xg.....Xi..........F.....*!o.....7vL.._..Ce...kMc1..\|.`......i..1...o.F..Ch.....<zH.G.=..A..`...6...w...J.".\.?E)..q...1.S,.p..........B....f2qO.p....@.....T4......=,b.k..;...@."..cT...#A...[..0...9X@:u/Q.,.....x....[..W.X.\|..d.<q.x1u>.......a.......b.M-}...=..a....H..O.H.-...O...H

C:\MSOCache\All Users\{90160000-00A1-0409-0000-0000000FF1CE}-C\OneNoteMUI.xml.PAYLOADBIN Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1063
Entropy (8bit):	7.81945785089096
Encrypted:	false
SSDEEP:	24:1sOI33EkFvEieNHUAkRsNw3PbVsCGyc35YLXZTuLs8r7d:1Q3Fmi0HBkS6fbeCGySiLpqLs+
MD5:	178C3BC48542CF1926CFF1D55055345D
SHA1:	CCCF0549825FC97762FA2D7406DA99B1C2552677
SHA-256:	E8595023F2267E7D2AF1B8B36E4C7D4B96EAEDD8F8E92C08D2FF4C27BA6347D2
SHA-512:	03C8DE0532C9515D32AC0EF4CB1EBBB91F0089B2481626BBDB3585BC44DADA20D72FE2FB02CF75F17C4F0233E56005A658B2C4C2016E18D0619AE4465DD2A3B6
Malicious:	false
Preview:	.!.+..a..i6..(.^".[Q.......s..V...C..l..>..H:.O."V........u..h.}e"R...w.{...s.=..l..Oi2...g..Qk.....g...~.,. V.rr..Ia..G...S._o..ge4...<.[(.+!\|.. ...x....X.8..C...l..qC.........C.....~..rj5...4.0...K..i...3...KZH%/..F....&[{..-q0..L:.C.s.=!..NS....2..f.id..i.H.#..b...o...jb.iYW.0..\|>2WQ...Y.8....jo..s...)C'..y....HP.z.k.m.t%.c.q.x4.K;.H.S9[.p..F3........\|.} '.Y......r.`.....s.a..`.....B..\|JT....es.6....(.z".U.5.{.....C.`._..g.n.]w.m.\z...I..U/.(c1/F\|..g.......G`TwNg....7.j.._.......R.C(.BF...11.....%.CC..5...........8....<.1j[$..........L.}.A3.+.=..<...N...Us..D.q....q.&.m..XPY.1x.5..C.P...VN....f,..(G#"......+..ux..Yt\./....ah.K)....K.0^$.%;4....U.j....Jf....+......Z.(u.....1hS.j).D%3..?.x.'.@..@[+.^^<......b..mw.v%FP\....y.....v.6:...w.9....FK...w..8S...q.&.....\|....o....0.......u.lh.u..B.x?...N.....e)\q.KF.\|.....V.....6...A.;=6Y..=.. #..p....a..;u.x.cCb.x)/:{..K...4..b.......+...B..Rd1....>Ef..u.U...V.Yww..*.9.1.....\)..

C:\MSOCache\All Users\{90160000-00A1-0409-0000-0000000FF1CE}-C\PAYLOADBIN-README.txt Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	354
Entropy (8bit):	3.4546009930890347
Encrypted:	false
SSDEEP:	6:Qn7KMM0dOLlPq0SlufB6PYxTflE6TcGsZmCulv9l18I30qlAsXQW:Qn7cbLlXSlroNEecdZW9l18Q01y
MD5:	30C95C97318E18000E6CB5682AA9143C
SHA1:	9C90986F29067617D9C13192D99B1104CE1DFBA6
SHA-256:	2A662CAB195B9C81BBEDF676F3D54A6BB326CD8B6112C928404E9616DBB8E851
SHA-512:	10C1D4EAA6FAEBDA3FFBC36668EFFA6E8EE96D3E93E4E8EB34D843432C6A7102FB4212AD01E3593BC3D32F06CE6F3C6264BA4D9238A8BB9314B7154C0E213D57
Malicious:	false
Preview:	..T.h.e. .n.e.t.w.o.r.k. .i.s. .L.O.C.K.E.D. .w.i.t.h. .P.A.Y.L.O.A.D.B.I.N. .r.a.n.s.o.m.w.a.r.e... .D.o.n.'.t. .t.r.y. .t.o. .u.s.e. .o.t.h.e.r. .s.o.f.t.w.a.r.e.......F.o.r. .d.e.c.r.y.p.t.i.o.n. .K.E.Y. .w.r.i.t.e. .H.E.R.E.:. .#.1. .r.i.c.k.h.o.o.d.@.a.r.m.o.r.m.a.i.l...n.e.t. .\|. .#.2. .m.e.r.e.d.i.t.h.p.a.t.r.i.c.k.@.p.r.o.t.o.n.m.a.i.l...c.o.m.

C:\MSOCache\All Users\{90160000-00A1-0409-0000-0000000FF1CE}-C\Setup.xml.PAYLOADBIN Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1057
Entropy (8bit):	7.82534353601637
Encrypted:	false
SSDEEP:	24:DYJ3A62Ur9bZgpfdQ6+ietf9lHX+IfPIJ2XXSkn9kC7WQ:DOc494WFhX+IfAEXik9DWQ
MD5:	21081EA3B4C7E1B868D23B66D9D87D4E
SHA1:	D60E193C37B37987CF3D26B2F12227166D9FA656
SHA-256:	1117FEE5C0144F7C8D721E40BE4B469A58DEC355632F5E0AC5376E09469EA8CF
SHA-512:	667727601EC22F234D9BFFAB7AF33697EE5605DF57E54AC2E2C0E62FFB2758DC922A965D43E3D9D298DA9D53B7A6CE66029D4EC4A0FF4DBD50A5D4C00600FECE
Malicious:	false
Preview:	[;..."....gp.I._.rx... Tb.[.l.../..$..;..q5w.Z.ZA.!..R.Me.c..&.j9O-..c....y.Q......%R.cD..k.O.B...EJ...Fk..:$oX...:K.>%....9#.f>dnC'..H.....Q...d.S.r..UC}.K..N=(.;./.D......c-.....\|.#uu:..s.h\|t..I.....).\.F.!..s.Y......x.J..a..'.F.Q.!..7.b.c...~."GtH..d.%..<.n..}$.I.:...4.EW......nU....Y4...',......."...,...A...9.V....Z.2.p...#/....j..3q...9.^A.2,B......^..c....'.%..B 8......-..`..t..../.c...O{l......o`...,..X. J..r.P..$.e.+....C.X$...^.lGXN....k.....A+.....7LvLs.\|.U.y...5...P.:.{b.U..A..w...Kn......%.CC..5......Qd8......Q....#F.,G...T.AWC..r.g....T..o8...$,.....X....7...J.((.u...f....&..V:H...WK+...%n..R..17u..I"].;J).j..x.]...C::....8..w..@.l`..kYQ....X...Y.`_-....>.i.NR.............sf..+.r...rN....e...Xs...z.LZ.'.O.CHk.h......{.S]..C.......G..3...;.6....7 .&=..z..aN..F...b.5\|2..u....r.R..7....`g...O..4...xt.38..R...m0..9.3......T.h.}..K....8Mk.V...L..9U.'>$y.......Y.#....k....!.(....Z..8...../...%..Gr...eP....w..\|.....\|...

C:\MSOCache\All Users\{90160000-00BA-0409-0000-0000000FF1CE}-C\GrooveMUI.xml.PAYLOADBIN Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1066
Entropy (8bit):	7.781175066738347
Encrypted:	false
SSDEEP:	24:vimhswpW+V3Fo5AU16Mcb06EzR6LxhoVK3qoKMt:vimh3NbuAXZiqhoVK6Mt
MD5:	FA607B3C2EC050C4008E0DB035ED9D85
SHA1:	639CA89490E53942FADF3ACFD5C05A27919C122A
SHA-256:	B04D1041373FE96DD0E7CD72FC833CDEFF14B7EF05F3BF0DD5734A532F3B38E5
SHA-512:	05F0FF943E1D2F2882C9C9121132634E4956EAD60BF3860406898BF2825F27D7B9ADCDDBE54C446B6AE82630EDD78D711EAE9EAA66736FEB25C2C4D74ACCE658
Malicious:	false
Preview:	......+......UL.on."p.C..:`..n.XxS......F......{..+.....^.R,..P.Lod....\W,....m.u...._...P..........A.........$..I...}..I....D.JP.Uq....^_.......mS...XU.n..W....g.PW.dK5..Y...8em..U....o....v..mL.e.....#tQ.7\|.W1..I.OS].0.........3.}=.#..6.~R..5.y3rR.:.N9.?.7.."...@D.U...).8...w-.a......$.(.Y...s.V...R.-.R.&+..\:.E,......Y._.x...V.D.xo.k .d....n.&~.\|Fq...~`....'2..K..!..JH..c..5&............f..y.:.....m.,j..1.o.q...).b..9..!`....W~.(...I{....o.SZ1.....n.@.....j...q..Z.{...?...X.{?.....o5.N.Y.....4..s..U.C...%.CC..5.......$...^..!.Z}o.......9[......-......z.U.....Q..j....g...d....Zn.gS...FJ..<...j=o..5.K.......-R.= "=._8..... ...:o0..S&.6....2m_xE.%..B...D........5.....J'<...q...K...A..1...{.........K.H`X.....E..o....Vx...7...5s.6~.jz...7.....Ci.}.`..b..^.R.;.l7y.Bl./.6..dz....P..=e.2..t_..G\$..j......f9J....M..S.8.6<.+....t.p2.&...2.[...~.^.."D....M...i6...#F7.$...7.i..c....,.S.= ...do..*.G.\|D....4`..,..7Se..a....X..u.l..@.&.........:.

C:\MSOCache\All Users\{90160000-00BA-0409-0000-0000000FF1CE}-C\PAYLOADBIN-README.txt Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	354
Entropy (8bit):	3.4546009930890347
Encrypted:	false
SSDEEP:	6:Qn7KMM0dOLlPq0SlufB6PYxTflE6TcGsZmCulv9l18I30qlAsXQW:Qn7cbLlXSlroNEecdZW9l18Q01y
MD5:	30C95C97318E18000E6CB5682AA9143C
SHA1:	9C90986F29067617D9C13192D99B1104CE1DFBA6
SHA-256:	2A662CAB195B9C81BBEDF676F3D54A6BB326CD8B6112C928404E9616DBB8E851
SHA-512:	10C1D4EAA6FAEBDA3FFBC36668EFFA6E8EE96D3E93E4E8EB34D843432C6A7102FB4212AD01E3593BC3D32F06CE6F3C6264BA4D9238A8BB9314B7154C0E213D57
Malicious:	false
Preview:	..T.h.e. .n.e.t.w.o.r.k. .i.s. .L.O.C.K.E.D. .w.i.t.h. .P.A.Y.L.O.A.D.B.I.N. .r.a.n.s.o.m.w.a.r.e... .D.o.n.'.t. .t.r.y. .t.o. .u.s.e. .o.t.h.e.r. .s.o.f.t.w.a.r.e.......F.o.r. .d.e.c.r.y.p.t.i.o.n. .K.E.Y. .w.r.i.t.e. .H.E.R.E.:. .#.1. .r.i.c.k.h.o.o.d.@.a.r.m.o.r.m.a.i.l...n.e.t. .\|. .#.2. .m.e.r.e.d.i.t.h.p.a.t.r.i.c.k.@.p.r.o.t.o.n.m.a.i.l...c.o.m.

C:\MSOCache\All Users\{90160000-00BA-0409-0000-0000000FF1CE}-C\Setup.xml.PAYLOADBIN Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1064
Entropy (8bit):	7.797065029686056
Encrypted:	false
SSDEEP:	24:M7o0yTPElcc5HVw3UQG5vdfWXfbvlSc5J+YbTW/jCih1Dc9:M/yawEQM1f8fLwoE2ijv+
MD5:	621A8C8667513B6B9B25FE92DC403456
SHA1:	4742B063BC29215F58A7F447742529FD7C3B0304
SHA-256:	1430F670A03B39B6B7DA52430F7F45DCB2D16B10B9E64BFA03F876AF0ED2AC82
SHA-512:	E1917D3F1C0B29440577C0A19585AF5CC72CCE057A02C3D8D2000018799D0688EBC42DEF8BC62720D0149E7E6C2E78CAA7DC1400DFB6D805156A97F9E1BC40EF
Malicious:	false
Preview:	'..n.:.o .,>......"..l....t.>L[.YG.@..z..g`..XU....H..$M.........e.7.G..Y..5&.m.++....Ow.Z..........O..%l..f.n..b].$....R...#{K8..F6.^E.g..r......L...n-.....+......3..0."a/C....wL.\|..v.........A.a..4......Z7..Lo{."..yW..l.@..B....^;L""........X%!...>N...._ .]H..a6.~....7.i.....8...q.P8.).g.].J4.j./...wYJb.D.F....^..G.8.z.......A."7. ....7R...Z..V.i.t..\...3~...g8....y.i~.j]....P...1.W.-....H...U&.w...\x.4......R..**.G.N..............Q[."....5...y.R.....v.r....j.I....}..L...h.K....'..<..5.....%.CC..5......x3.V.....Ca.6.B5.....\|..rt5.tqi(.B._k...)...).6...D.h...0F..\.....b<....P.]!.$..=6.l.\|.nMP..9EGx.qy.)..\.o.8OA.../U.2.....n.K.......S%.t'0.%_U.b.d....p..:..:....;&........@.5...:.9.=w..-,......H..9..r{MBW3..L[.J.....'.1!.g.Ll.;8.=...........K.....Dq..A.\q.i.KQo..daQ.,.:k...."B.]U..?~.u G.._..R'..h'. .9....g.5X@I.a.1....5........3..T.6oj.n....Pot..0".,.e..K..'...(.kt~S+..>.......g.U...$%7.X.vS.$.m[f.t.='.LIx...0..........7._..V

C:\MSOCache\All Users\{90160000-00E1-0409-0000-0000000FF1CE}-C\OSMMUI.xml.PAYLOADBIN Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1069
Entropy (8bit):	7.798990645086535
Encrypted:	false
SSDEEP:	24:YssETviahwIRBgmX30+IWE4KKPqOdodr+CtI/Qim:YssoBhwyVXZIf74bqdSCtI/7m
MD5:	FFCFA581B794C4CB8CF95DC34F5DD29F
SHA1:	CC52E960117888045BAE5103AE294C08E0D87F13
SHA-256:	3035A9270EDE3E7B213494F08751C38EB92EFF931CF1482C410E68A76D5E4C39
SHA-512:	AE7236D488C096A67069464B586A4DF61EF67BAE8F3D45F98D7DEE8CA7B65896CBB3CCE261CB2F41FC3868A6D4812BF8052598B4560A7144270188F429EBA116
Malicious:	false
Preview:	.<...dp"..HA..z)....O.F....M....9.F"].r..2.d.<...(.7:.1,.2..#0j...B.A...F....U1...:i../).V..@....@..Y.X}p>.u~.ZB...a..2:&..IC..=1I}..,f...g...#M4...0.P....K.n%D..]J...H..d.. .&Z..C..p./).4j7.,.WN..~\|...h..AC1b.t.: ...oS.B.;.&y...}Ab4Dzk2.....N..q....O...g....Q..5.~..~......P" x.x..............B...O..d.(..A...7....3..K..gX.m.N.1..._C.(.....C.......,\|....M-Zq.'.P.@^>G..5.W$...+.G...%..U..Jl.I?p.....U..+.q.u.)^..u.-.E'.....G..1.......3...6....5v>6.%.....t. u".....G>..qD._ag.1....`#;.......y..+...v&v....\.......%.CC..5......c....\.pq.....F.&...1.....Md......X.p....k&.g<@.2t$.3<3...:\..:1.\|.!F..p:..D..V..L....a2....A..c.<9.{A.j.......8W?..5...!...[`..k.F.5../........~.O....s..Iy"0H.<.~.wW..........6.$M..j..L~5.Ds...(..`..7uH.r.....w....j.%..`..m....C.........._..'.......d...w..5b...:q..cyUc./....`.0._..k.hV....}.j.DY.......!.Y....M...AXx..;R.3%........x...O..<....0...A.,.Y..Y.'...E[Mk..y...`........i.d.FL...m-..d.m......3..V.Ag...}

C:\MSOCache\All Users\{90160000-00E1-0409-0000-0000000FF1CE}-C\PAYLOADBIN-README.txt Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	354
Entropy (8bit):	3.4546009930890347
Encrypted:	false
SSDEEP:	6:Qn7KMM0dOLlPq0SlufB6PYxTflE6TcGsZmCulv9l18I30qlAsXQW:Qn7cbLlXSlroNEecdZW9l18Q01y
MD5:	30C95C97318E18000E6CB5682AA9143C
SHA1:	9C90986F29067617D9C13192D99B1104CE1DFBA6
SHA-256:	2A662CAB195B9C81BBEDF676F3D54A6BB326CD8B6112C928404E9616DBB8E851
SHA-512:	10C1D4EAA6FAEBDA3FFBC36668EFFA6E8EE96D3E93E4E8EB34D843432C6A7102FB4212AD01E3593BC3D32F06CE6F3C6264BA4D9238A8BB9314B7154C0E213D57
Malicious:	false
Preview:	..T.h.e. .n.e.t.w.o.r.k. .i.s. .L.O.C.K.E.D. .w.i.t.h. .P.A.Y.L.O.A.D.B.I.N. .r.a.n.s.o.m.w.a.r.e... .D.o.n.'.t. .t.r.y. .t.o. .u.s.e. .o.t.h.e.r. .s.o.f.t.w.a.r.e.......F.o.r. .d.e.c.r.y.p.t.i.o.n. .K.E.Y. .w.r.i.t.e. .H.E.R.E.:. .#.1. .r.i.c.k.h.o.o.d.@.a.r.m.o.r.m.a.i.l...n.e.t. .\|. .#.2. .m.e.r.e.d.i.t.h.p.a.t.r.i.c.k.@.p.r.o.t.o.n.m.a.i.l...c.o.m.

C:\MSOCache\All Users\{90160000-00E1-0409-0000-0000000FF1CE}-C\Setup.xml.PAYLOADBIN Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1066
Entropy (8bit):	7.781666212269419
Encrypted:	false
SSDEEP:	24:47usjwH3g98Zd2QsWZ3W9VIU/YL9vAJPyIVzpWy:43jwXg9q1skgVI/LFw
MD5:	C5DE14FF0F6584E61424F1CEFF4529F5
SHA1:	B75F9F585E4C0FFD03793A9EB65828954303CEF6
SHA-256:	D19A33BBFA664C4694E56D46D1E343BE96902B5E578CFC0ED838E8C6935DBC07
SHA-512:	2D2F3AEE389AC4E2097F7453892939E846C16EA8134D3E324094C6C93E8CCD9329A24AF31127599164E3D6B867765451CFE9EA75671CAB4966EE375C0336BF58
Malicious:	false
Preview:	.h..\|.3...hM.W....w......{.LON..Mx3...o.....r.r..2.......Xw..U.v.....4...h...,.W...b...4J#.7QC&.....v..,.)..$i..H%.{....\|[T.&..N.g.-OxH.RM..k...p.e-.'..\_.5.+h.c...M..7.z..zB..F..='...cA..........a...y.{L-..:b<m....k...x.[5%d.r_~......m>....w...?k....._..V\tn..\|`.!.U.....'C.....3.....;...Qu...........Wc....$.._`?....Cs......!.....a..S..N."..F....R@v.&.5..u2p\.......lUa..SH...:eJR.N.....+.c)..3_.1.0a.......R...i..#........Y....-v.....'..d...I.1..@..}.C9.s;.6._m......B/.x.Ow..}t.x.oY?..w.Y...b%..t....N.2....%.CC..5......i...I3.R.-..........0..Y.9C.....A;...U.D.Z..s....I.-.08u.A.d.......\|.[..C.A....hM..Iw.}........,....:..J.5.f.....0}...,.M.Sr....)$...!...G....P...Q.N=D`].:.....1. ..,.......U.~t<SsD..t...>.H.5..F)..-q.y...D.Q.-.r....n..T.`..zv.8........z6+.I0g..x..c+..$C.C.}.2X....m....7..H\|.0...=[.....@.'M...`R&.....dc..'py...j.MO;%......K)3.i>..X...-.z.]Yk&..W.c.KN.Gty.Gm!...Q..!l..m.....].]O..(......".%....o..(..u......[1..R-.*...

C:\MSOCache\All Users\{90160000-00E2-0409-0000-0000000FF1CE}-C\OSMUXMUI.xml.PAYLOADBIN Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1070
Entropy (8bit):	7.812588086178744
Encrypted:	false
SSDEEP:	24:INFE5Ou/AgpfmvYKrC67EIbDgOnITQn2/NbpSONcJ80Igt:sFkOuPpOZC67E8D3kbpSOX0Igt
MD5:	2C48F90876D7BA1E8F24D85BC3FA613C
SHA1:	EC442FB0912DF5D8B7AFD24F46923D805130D4B4
SHA-256:	189A9739BE4AD8D008671F6707D01500A1352D9D79F8B6BB844471BC0E8389BC
SHA-512:	0DA4ACD34D3ECBFAF5B92697E0252EA86E79CA00FC443FA440FBC63725B641F5E0A11B6F6ADBAACBBF8C9886963CAC226620F78222F6B88CCD60B863A023F294
Malicious:	false
Preview:	[c...h.....{...a........VQO..\.r../i/...>7.*+.v..o.R.D...r...6Sk&.I......Op.....C.[...]....JP.Q...O.~...t.YJ.....qmx`..L1N].X...K}....ru.m.j..h.@.\5.2.4..<.'7.O....j/......$...... ).$......<.....H..gb....%......0.2,G...0s.......[U..$.`=N..R..&..../..,g..~.cA&U.V..K$....""...@....nO....C.k-....gC.X.4....`}p..?.^.p/..../.....5 [}..q..m-.+..?.....i.).R...e.....J....8.[Z...3....Pj...c@C...tK.....O..U.^Y..}.d:W....o..g.././......Y.m..0....'..~....VzM..q.a.......'.1Tl.Y.=.".6.2 ...9.z...........C.k.N:.6U.c....+...%.CC..5.......p4...!.@t.p....C.......y}.e.B.R.7.O-..E.o ...o....@.....9y...6n#D..J..b<..s\|..?K..>.=.j.!.$sM.7....[..T".)n.4m..A..Oc..b...S.L.^..v...).....w@......{U....F"F....]..y...f..@..4.{.p.NW...1....%.1+.+._.v_Gqe.u..;....a8...3X.A..4U.%...5~4.......)..sS!.-..u....7.P@.a.z..T.W47.\.x......;....[a...N..U.2D.d/dO..wh..^.)...R...W.x...#=a..i.!..L..h\Pd.F....~ST.G.:..Y..}.`npI..F..,(......6.BR]\|....<..(...!T.&.Ht...M.;.p.

C:\MSOCache\All Users\{90160000-00E2-0409-0000-0000000FF1CE}-C\PAYLOADBIN-README.txt Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	354
Entropy (8bit):	3.4546009930890347
Encrypted:	false
SSDEEP:	6:Qn7KMM0dOLlPq0SlufB6PYxTflE6TcGsZmCulv9l18I30qlAsXQW:Qn7cbLlXSlroNEecdZW9l18Q01y
MD5:	30C95C97318E18000E6CB5682AA9143C
SHA1:	9C90986F29067617D9C13192D99B1104CE1DFBA6
SHA-256:	2A662CAB195B9C81BBEDF676F3D54A6BB326CD8B6112C928404E9616DBB8E851
SHA-512:	10C1D4EAA6FAEBDA3FFBC36668EFFA6E8EE96D3E93E4E8EB34D843432C6A7102FB4212AD01E3593BC3D32F06CE6F3C6264BA4D9238A8BB9314B7154C0E213D57
Malicious:	false
Preview:	..T.h.e. .n.e.t.w.o.r.k. .i.s. .L.O.C.K.E.D. .w.i.t.h. .P.A.Y.L.O.A.D.B.I.N. .r.a.n.s.o.m.w.a.r.e... .D.o.n.'.t. .t.r.y. .t.o. .u.s.e. .o.t.h.e.r. .s.o.f.t.w.a.r.e.......F.o.r. .d.e.c.r.y.p.t.i.o.n. .K.E.Y. .w.r.i.t.e. .H.E.R.E.:. .#.1. .r.i.c.k.h.o.o.d.@.a.r.m.o.r.m.a.i.l...n.e.t. .\|. .#.2. .m.e.r.e.d.i.t.h.p.a.t.r.i.c.k.@.p.r.o.t.o.n.m.a.i.l...c.o.m.

C:\MSOCache\All Users\{90160000-00E2-0409-0000-0000000FF1CE}-C\Setup.xml.PAYLOADBIN Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1066
Entropy (8bit):	7.824759381331322
Encrypted:	false
SSDEEP:	24:5Z2x6L6DdBP97UKI7C9lTW9YiRH8rH9Grm+jV/PeauNh3Efo8e1BOcMyD6oDDWec:nN6Dzl27C9lT6Y19Grm+jVXR8ufEEcIT
MD5:	E7601C09635D948FEB055A14AE49042A
SHA1:	49D7319D56F26C0DC4D03B8E68D7C071C4E844F8
SHA-256:	0802FAC6AD7FF930FEABC5E70FE94827AF9DCA03596744E7BB48C436CB2BE759
SHA-512:	E3D442497381E9080FFDBBCC5DAC54368A60E8093040011A258670EEE4E9A81A0729FC741BFBFD6D59B3EA3EE5FBEBA4D85138F4F078A8F29C83FB8E495B4B19
Malicious:	false
Preview:	...V.{.f....Y...A.......@...1......2......$/.p.%.[.........s&.d....&.t...;.u..5.k....U.O..T/w.ql.o..U.6t.!....<.AD.fQA....;...0..?.U...._k..b.........Lx......<........o_...i(v...ov...3.~....w.Bt..BC..#O.....6.$...Pr..y.q~..^w..`.z..bI}".).8.inl.E..V.J......V@...O....~.w....[.2.])Up...9 .i..Z.T...G...o..{..l.. hx..R..h...,d.....w.P.....N~:}&....R .b.}O.......G.m...'..75."...j;tt]Ybe..T..ih.G..A.......1.[.!h] ..JD.6....N].....hnFA......}...-]..8...6..).:....C.R.E"...*..L.P....]..M.rP.v.`..r...S.h...%.CC..5..............@.J......[.Re.1.Q.8..{...x1c.........b#..;.\..!.dp.M..k.....'.v....P.0N.s.k&n.......B.I}..pa.....&..H.....v..sq.S.t....S...p...sF..!.-....m..A...7..3.dU..V.\|....vPx5\.0.@Q..f.p.<.^U.<....j.cq...}...-.....FOC.k.......2&.?7...4aS.`...:.x..Em.=......y...]..D.O;...H..)_..r..\|g..f.1...H>Zp...g...o....0..>I....?d#D.fL.i9.A........j.? .......)..H....p.`....c..>2H...Ls.`...n.}......A.....C......l......w..s....wLX.-I;a

C:\MSOCache\All Users\{90160000-0115-0409-0000-0000000FF1CE}-C\OfficeMUI.xml.PAYLOADBIN Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1061
Entropy (8bit):	7.804891474947799
Encrypted:	false
SSDEEP:	24:EHls4JCXvpvyn0EXrtTqVWYChAktmnOZzrCxey1/:EHlq0n0EXFqVQ9tCOZHCxeo
MD5:	5881559341E4266B53A3A0170E150F24
SHA1:	52B7075928D22FA1D5C17EA4D7807958E8C5E7F8
SHA-256:	7219E00DA7BB41D76327643B87894A21622EFE9530278825164532859F37D1D9
SHA-512:	602758153FDB42DE6C25A8247A89F26D7DBE153205EB770ED488EBBA844BFAA64E1EA20606A1C781B0EFDA64962C6825D8E6F3D90F6EF66250D79665B1BFB5E5
Malicious:	false
Preview:	.c..\....-\|4..f%W...6x.....T0Z..;.FtK..FR[..RT..4...w%..&.....p.1I.B7.^...F.Z..(.$?..pM...~...o.8..J.x.+....N..(.W5......,.\|.........3H9I..;Zq.4p+......h`..+.\|%.0..z.....J.o}.~.U........QOm.+....w(]....mtX.6..U...5.'.......$pR...V...l.==........X.RB"9K.....}o.......?..#........2..q.N.#XXl6...M..Y&@zr.3..<..\|..0:.......'....\|T-?..x{'.....+7.h....&y..c... .9...?=.~.m.`:5.;../.\|...3.~">..e.psH3q+.K../h....z...x..H7.yH..%U...{. .....V....ub.,...........fxCX......W?.K....z..1..D..A.Bh.?.M.s..D..j.....%.CC..5......`.S..:...+...^.Y..m:}-...."...h..qp.K........z....[x........M...5q..y...e.$e.......ls....f.(..>.....2.j.......8.3.BE%..u.''.Q.]..x^.....\Q.....$.kZL..$..My..2. ..K..(.j.ZM.._...G..(S...............\.Z...d;/.6W{.......;i..4GK...'..g:A.J.r.H..iq............QF0...`;..Q\..w.rIPK.YG.L5.d.-.Gp..w6.m0.s.p.m(?......u..8.&k3R..d......$.......m.$......G...8. .<t].c..`.C."..i....,...wW{P..\|...c.2{....X...\|P.....Z_%.....Y{Q..#...e>8

C:\MSOCache\All Users\{90160000-0115-0409-0000-0000000FF1CE}-C\OfficeMUISet.xml.PAYLOADBIN Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1064
Entropy (8bit):	7.811526901057609
Encrypted:	false
SSDEEP:	24:a5Zs+QreGH56HhGtKSqpQm8v+q8p7Wq+yVxBV1q:ks+QnH56HhG4S2QpGqoNzV8
MD5:	CF2B99020B4EF105C86094A031C6B251
SHA1:	A695EF7B80E10EC1FCDB88039D3D037AF9D39311
SHA-256:	6F51561EE8CB1B3DFBBA44219BA19DE6B5616613025E640EB0FC983048DB4762
SHA-512:	96E36D0AE2513E6C846572DBA71146C5E5E2879C1E140CAEE8EC0B851FEFB82746BB4363534CD1215D63B39381C34BDE14205244470952C216ED99640412CE23
Malicious:	false
Preview:	Q.sl.I........".l.=..h...l[O...-.....,.#,.lE.>}.....~...gb.U.......7..........U...Z..}......a...q^\"2~[-.J...!qAy?.x..l]?..........r.......;..Q..DE.].....L.}..g....Lf&.\$j.....@W4....s.&_............<r.....5.W}.lj<...(...QE...r..l..}..k...M.-._.......N...\.C...{.;.mT...i@B..A......[..K.NR....jciY$_..^+...f.w....g.>.h..&)..6..P:..j..~..W./.aQ.+.._^.H...-..58.^..<..8.H..........}IhH....afLc..YV}..'%.?HGm[.D.:.v..;.,{.E.@.:...d....Vj~c..Itz.Sg.e.9....M.Z...0......o...O......\[...x...=.V.l....lo&..y.R+... F[...%.CC..5......a.@..p...\j.MU....2...T.;'.5.+Z..!.e........C.~...f...L.h...p....hH.....C..e.o`........bY.hb..J7...ga..1..@.../l..7.O..-..a..aS...0..p!._\gn...$......Q..@DM.f.'......\|.{.b.W...bO.F......$..Gx".vBPny....c.?...nQ..}/.y.c.....<t.x......g...x.j..Q.k......o.h.....`.pp-d....EC......T!....>..V..T.b..Z.a.=.....d.oxRP....!DP>.:...[..8...0.2....p.8.i..%.?..zF..%%H.}^.... I..B?..(......8\|.I..Cee.(..[.f....i.y?.s{...f.~(9..!...H\|..jY...

C:\MSOCache\All Users\{90160000-0115-0409-0000-0000000FF1CE}-C\PAYLOADBIN-README.txt Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	354
Entropy (8bit):	3.4546009930890347
Encrypted:	false
SSDEEP:	6:Qn7KMM0dOLlPq0SlufB6PYxTflE6TcGsZmCulv9l18I30qlAsXQW:Qn7cbLlXSlroNEecdZW9l18Q01y
MD5:	30C95C97318E18000E6CB5682AA9143C
SHA1:	9C90986F29067617D9C13192D99B1104CE1DFBA6
SHA-256:	2A662CAB195B9C81BBEDF676F3D54A6BB326CD8B6112C928404E9616DBB8E851
SHA-512:	10C1D4EAA6FAEBDA3FFBC36668EFFA6E8EE96D3E93E4E8EB34D843432C6A7102FB4212AD01E3593BC3D32F06CE6F3C6264BA4D9238A8BB9314B7154C0E213D57
Malicious:	false
Preview:	..T.h.e. .n.e.t.w.o.r.k. .i.s. .L.O.C.K.E.D. .w.i.t.h. .P.A.Y.L.O.A.D.B.I.N. .r.a.n.s.o.m.w.a.r.e... .D.o.n.'.t. .t.r.y. .t.o. .u.s.e. .o.t.h.e.r. .s.o.f.t.w.a.r.e.......F.o.r. .d.e.c.r.y.p.t.i.o.n. .K.E.Y. .w.r.i.t.e. .H.E.R.E.:. .#.1. .r.i.c.k.h.o.o.d.@.a.r.m.o.r.m.a.i.l...n.e.t. .\|. .#.2. .m.e.r.e.d.i.t.h.p.a.t.r.i.c.k.@.p.r.o.t.o.n.m.a.i.l...c.o.m.

C:\MSOCache\All Users\{90160000-0115-0409-0000-0000000FF1CE}-C\Setup.xml.PAYLOADBIN Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1069
Entropy (8bit):	7.828584668864205
Encrypted:	false
SSDEEP:	24:r15xrs/7j30InAhug3Xjqf7I4AdkSR2+kQbmpzFZQ1lOYZlWn:rHxrsPkDhTY7I4xSRX/bmpzb73
MD5:	1E6B65162BBA4CA222C3298CA2EA4F03
SHA1:	AC4590C38B4D47B71E97E1ED1A88230B34B16EF6
SHA-256:	4FA9C349FAEBDC76AF6F5764379E5F545E53CEEF59A5691D867F7B7E21499561
SHA-512:	33DE8BA8600CF942EAE7742C4FCBC7EA702EA08F79D614B73AEEBB8914C9A6EA944DF5B40EA73D212D6DF8CC57B63241BF70B79136C992E66E1AF7CBFFD54670
Malicious:	false
Preview:	.Ce..:....}K..s^.\|...Q...~.A,.j..N.%.@....f.i.7.%.Qx.g..=.d."...>P..?).t..._...p....U#....>].`..0Q.".....g...C.._..:..L...^.B.z.._V.nmk3..05..:.Y1Q...........n.-.. .....0....=.../..h.......g... j.K4.J.M...B.VP?&.I.....?s.;.d8...+.%..sB.VfAh".E.....8.Aa.;..U..........>.2.s&.....p...l.u.a...q..e......='./............>6l..1...O..[%..aL.}. .l..2D.7....$.R..S...2. .<..K.BtT.j........[..y..Q....iO.x....b...u.z.6...;v=v.fa....y..A.Ve@2...../..:`....>...{/F...k.........Q......0.=v.m.-:7......,..).C0.........%.CC..5......X.@.V...y..$0.w..'r...F\..X.....`)..........U...kXT..8.o....U:V..3....v.9.......k..V.v.]..g.-5....\|N....:.....b..`]..P"bC._n.y..8....1..<.!...,.....uM..r./.....<.....tzh3ygl.x...'..../..+....Yj.lc#....k...Eot.I.w...$/.\G.6e\|,9.-..j.....q.e.....3...x?.w._...lyD.....f%..ar..A.$M....T0.........aWu.2$.. .'.Y....gy.{.jM....:.64UC.P.!>~YM.9FQ.V..,.....D..\|.J.hP.w....A.....j...Xd... ...l..'k.GX......m..q.2B,.....L1"pr.-

C:\MSOCache\All Users\{90160000-0115-0409-0000-0000000FF1CE}-C\ShellUI.MST.PAYLOADBIN Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1056
Entropy (8bit):	7.821805531976829
Encrypted:	false
SSDEEP:	24:/mmO97LC7lPfdX4lINFvLFAtqy9ZlAG4EzSg74hwxxd:/mmO97Lud4lKJqt59nAfE+g8hwxr
MD5:	9799DDC28296F9D6D36A279329A3C94D
SHA1:	3332FFB8B9F73BDDEFDB9868F751CA8586308F65
SHA-256:	1540F043DD60B7D6AB87ABF1EB7E19D03C0433712DF47C7B1F99C563C9FE8248
SHA-512:	0E49F3818B34399DA79945A9654DA47D2538C85272845F8039785D436EA2AE04E7C49DF1F4EDAE6DD93B66A211D5BE9E5B7C78BC4518A54A66850610AA45AA18
Malicious:	false
Preview:	?..g../.e\|.....5.....`..m.H..."..vJ.h7.E.G}..\|..Jg)....@..M......fV..m&9<]i...(pppg..i.u.0...90lG......?b.......8.vRD...m.C2.zl(.G.}.q.?R..d..3..........[.A.Wlg.Q>`...8.\|.7..Q.;96.r.........K..W.S....D.....`....6.w..7....:...;7..[..:?6.u..2.......%..MQzY..~_...F.>.G.2.^>..9P.y<...O..U.A~I\a:.......:....[..Y<...yk.._.B...G..m.X..i......\.[~......D..w.....;..C.&.&..I?..9d:.Y..Q...+C.CR!.j...."X..,u..'......v.1(<.Q...p7g..-...H...x..,....-.&U..9....<....!\.y.Q.h.(.....m5{W./.....C<_..........,.....%.CC..5......6....,.~.J...&.IK;.T.#..Q!.wh..4........s#=.[.....?.N.VA.......x..n..v~2;...{...fS.p5...K...E``..A.r..I...C.-.^...:;......l..A..Z$..L..\|.v...k.b.@....h..a....O_.b..:..q.*....k......"..v..2...s.>2H...D'.2tA5...E....S.....L.L...E`H z........6....KO...\|Q.6..Tu..D.,...H.t.RJ.....2.-../<a.p.l....j. e....B.{z..m.....3.. "(..../Dn.k..9..]..D...../.Gvw.S..]...m..Y.(K.bn.D:.A.U_..r.....S5.&p.].gjJ...SR.h...by....\|.Z.=.M..`J.t\|....f

C:\MSOCache\All Users\{90160000-0115-0409-0000-0000000FF1CE}-C\branding.xml.PAYLOADBIN Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1063
Entropy (8bit):	7.781029568684154
Encrypted:	false
SSDEEP:	24:gdhTH0bgIewDUL6RtX2cm3ubzI23vtWXSazhn7UF57ihe4r:kHLIZoLqtLm3lukiazhu57ibr
MD5:	9C004F7A22653BA1591D1AF403A3D215
SHA1:	7EFEBB0F294AF6ED5DD6B9DEEAAF586D4FCD4627
SHA-256:	E935F3C4ED0E52C32C144B5B79E962CE9F26C9284A8647980551A1FCCCBE7BC3
SHA-512:	37EF285835D454C2796BA71FD58AC8667E0D1174D416F764A68D395599216536B6F4B24A05A0A35B3835753B35D0F1206AA715616C6EC200ECDF052DDB06090A
Malicious:	false
Preview:	..kg..\|..z.3.-.. ............P.Y.s..B.,.'...XJp....y.........!dy.4@....Y.%fI........(p.8.3.&.....U.........i..)..~.....B.e....\|v...<......_...u.QW........xW .F.:n..?I....L.._,....././z.{.Be.....A.FmX.. ..l......8...I.q.Y...''...v[bj.o.#..1.n+r.".f@......?4%..p.....]....A...Z.U.5x".@............_..`F,...G..H...s.j..;^.\.nkc..Y.....q......;B..26....2.y%so......A...0"wz.Q7`.L....z;. ~k\.y......S.k$.<..W.6f...........D.p>.m..y.B...G.......)...k.I...-......c....o..+n.9E..c...Gxs.....6X.)}ZuWX....<....%.CC..5..........9..t..H....e....I.\.T+...n......v.W....Q.Z.!R...=.~J..iCsp.l..q\|.....~.....A..aE...S....\.e:...Rf..J...l....yV.1..2._v5.k.<...............B..A.Q^..l5X......6.c.....wc..._...f..z..p.c.z..HK.R..Ij....5....i.,!.p^..P..#0HO..,\|...> ....I.G.D.Ud...>@.2#d$.!N/.LY.e..bZ...ZpM.>..e.N....13..3M...."nb..9...!w..Q>...../g.24\|Wk.J....vk...l.h...:..5.3.s..X.L....',..3...v[.^...n..Y..Q..\|h.]....*{..2...o..8v#4....."L....`O@.....Fa[%

C:\MSOCache\All Users\{90160000-0115-0409-0000-0000000FF1CE}-C\pss10r.chm.PAYLOADBIN Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1066
Entropy (8bit):	7.813678080148184
Encrypted:	false
SSDEEP:	24:ALdrWatxy51X5N/jYjizpTn+/JcV7c8iw7hdbqaPmfhCAh0:IdrjtgrXPaEDyJ+hdbqBf8Q0
MD5:	C03971271E3CF6D11732C1171DCE9314
SHA1:	5E68E9DDDE8C23022D55F5041E6EEAD6495C01D2
SHA-256:	375F5790EF691C4502785E250BE05BCE9D3935571AE0D73B0D432E8A22B7AA94
SHA-512:	F3D4D6D8AF5DE67ACC3D980013832B48315622E550DEC71B1EA0B4A2BF88A7408BE62902F81683E85F0AE21AA113A4D719515858242B935E50E762CA8265B2BB
Malicious:	false
Preview:	7..z..lE....N..f..6u...e......X...q.c....B.a.....'..X.a.Q.A..q(..1...+6v%.s=.;.w3q_..I.>)..O.kF....+......8js.a....-e..%<+hT..b...z......V........b=..I}.i+.ls.....?.....i4.J...-ar...\+@....~....!#..[...{.&{.v...h[..>.G{6.Xp...~...a.(.'..p....&.6../.e/..0.bN..]...0pSn)..[..7.."0..P..........&.7!........r7...(wm.!;C.@J.k.R..v/.oE.I__v...3N...M.\|A........$x1..G>../~8.T.....c..h0.....e.........p...n.j.M.....@i..x.A?.RH\P.3K........pV..{n:.........\f..N..Ip.\iQ~$X...g...yn..?L..V=1.....-.J..lE...@}.....r...%.CC..5........,....r.:....c..?_.v.V....(.8I.,;..\uX....Q.+.A..r..."..:...........p.57`J....gs.k....$.u..`v/c.3CA..N..q~)....LR..P....'k.F.y._!.......W..[....jW.Q..?4.N'.4.~.7......i..........i.Z.S...L..`...-..*;#.i.......u.{v..e..q:.S....CRj.~U.......P..[i.d.3u.3[ ........<T.D.E..8Q..#.El.n.\.6..'.../.@PTKb....8.`XqVf..N.,.s......Q(`.....,..GhWeO...[.hU.....b.A..........w.nJ..e.kZ.."..{JP....si.....4......7..j..h.w....Q....z.W

C:\MSOCache\All Users\{90160000-0115-0409-0000-0000000FF1CE}-C\setup.chm.PAYLOADBIN Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1066
Entropy (8bit):	7.861061039960824
Encrypted:	false
SSDEEP:	24:x4K0WCQ+xopwOq23hjfAuhJ3YWANGtXHDu6AZwqzMdAwt:x41oVxjfYWAuXHDurMAY
MD5:	DB1DE357D32A8EC952EB6DF4A1DBBB6E
SHA1:	93BA7A3BC4106BFC2C78392D9394447B127175FB
SHA-256:	535CB588896CAD192539704F25EC4E88135EF9CED1A1627BABC098C37B11E281
SHA-512:	649EB0C405249751C592B0642E5EA82ACE32DA1BF7C00C72A625498617D9F6EE81A81BDEC5CF17A0FC2994C75FE4465F1AB74A5A904BDD9FE5377B8D1E6F5330
Malicious:	false
Preview:	= I..v....4~......:\|..6.^..%...C..m...{X[\^.d(Zk... ..."..b\...rT..g4....XX.K.......b...}...9".3?..b..~..K...q5^...os.K$....h...7.....1{]V^.^.J..H..m..np.!.6U.F....'..5.i...}7..W_..x.<.R..h....Q.....u3Z#8R..S%.=.J2...)...(Q<..qo....... .wtS-yA...6..B4.l..#1.S..6....5o..D.~...n...G..%.r./$..MM..]S1...._c.8.~..e..e@x....@T......v&..og..l..&_(..P-..Y.0JnW..+.J.....T9..gN.z...."O-.e....n..5..~4$.)8..6.b$.f."t.....A..Y.....D...)c..[~..6."...v#sp.1.N.O.....4&+...<.~...KF.%1a.PI.<'.CZ..`...3?,.w...d..!b.....%.CC..5.............O.6...=.\.I.;......A.~g%Q...?>.ON....1.kD....E.u..H...V.8.b......L.:#.X.y..B.....q`q.s.=g..?...W.6..@'..'q~..-...16.^v...v[..d.N...V..)"/kNm....@...Q.p.{..)...Fq......?.t.]&.".=F>....`}...........i.......=LO??]Y(LU..4h..T....R.......~v..lf.h.....mq..`.._Y...-.D.5M.?.w..Y.>....!._.Mi....c.u...>.l&V....*..'...5....}..n..#..L..!t,.?;\.t..Io....>.......h..j...u2X.?.......K..0.I..z.Qy..k...Rd...kL...t....e..+i..7....A

C:\MSOCache\All Users\{90160000-0116-0409-1000-0000000FF1CE}-C\Office64MUI.xml.PAYLOADBIN Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1066
Entropy (8bit):	7.820776509817572
Encrypted:	false
SSDEEP:	24:hWy6DbGo9eC7rJXcXTHXlxY30Agm2kc/MnmqC4lA:Iy6DiZ1Bj/eDC4G
MD5:	20C1D487BA3FAA0187337C56163E0A7A
SHA1:	B7479144FD4E7B50EC78272A735959D3F0C3C529
SHA-256:	FE4F3C239CBE34738E13244BED068B7399122A9672EA04877F52E60842EE9CDE
SHA-512:	1721718B62ED0CC8E735C54FAF32EF978993A5C171A3B604C806C4C3FAB50D2553142B4870620B67EDBE76B74131F0BC118033E8CF9BA80E1919AEC3731DA92D
Malicious:	false
Preview:	.%...K.ES.P...b.!....@...w.nq}........?3.....vIKze.q.6>U........m..M.B..'H(#.b.].E8c.&..P.'......; .-C..NE.O[........w......s....[...{#..Ls......?"E..L.DHhU....lE.y....i}+.:.1.v..pO.).a......W..82..,W.`.9..q....d..R.+.............]N5.Y...r..7.%...S..<..dt..._..3,..h...0..._g......N/........by...T.7....I6=5.\......6...6..?..+..1n.T......Bh.>b.9...+..C.93...9...MuV.Z.YEgL!J.5xK.jy-....e...4...A..e.u.y#.\u\..C.....,.P..sE.U.#.N......._.A...P1=.....%P=...'..9.X.B5.._jI...}9.....pp1...Z.qv.A..WE......UD...L....%.CC..5......6..^...}..C\|A..Z3..+.@.....1...(......0..&..P..!....Y..........X..HZ?....%^]q.....@..z.".....S.}.@.E...w..C.u.ZC.R...;.(r.R...*.v.....s.!.Fgo.`.e.a...{7.}......Um.-@......'..P..J...-.pY;.@.. .%F...t.....K..........(-H.v....DUd..y\|'...#6...:.C.gN].-.\"...........$.B.p..6.b...........(....lW.t..1.9.._..<..R.C...kcK?.h..d{...#./]..T.n3mbJ...T...B[...$.!..sM..(L~.@..5....H...O.....@...w...6_.q..p.PG....^.6...!:7.O..

C:\MSOCache\All Users\{90160000-0116-0409-1000-0000000FF1CE}-C\Office64MUISet.xml.PAYLOADBIN Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1060
Entropy (8bit):	7.818946006217239
Encrypted:	false
SSDEEP:	24:sbWJo9qQKsodY5/8ZUIyxK2ZQoyDlOANvdUNqODOUsJ:wLxo8Je6QoYOANvdUNfCUi
MD5:	9DEB349E2FDEEA5C598DCBA3D48740B3
SHA1:	9127F9A1B8F6FB5F5F10E6EA6A52F14A24941B21
SHA-256:	36031C3D6B65C94812C95CB5E0CAD6BE9EB69200D7FA28CFEC9E34A4149AC0B5
SHA-512:	A28886E656C28C4EADD6B3EF6528EB1EB1AD8A65F703BF63231D7E5E57920731CFF64071F018EE38F5F6315AAE4C8DE25041D8301BF0BE496E300B8CEFA0CD1E
Malicious:	false
Preview:	f.....+R.+.O...R.Z.vc<..{"O...g=r.J.......Gh.Rw...o..)...]..7.T.......m...{.%0dH...q.a...M\|-..g..`..Qq......H{..`5.....n.n...p./......hQR:#.<..../X..pnW..."7...S..%\|L..... $.(."&.Z8m&.udM=."p.#.\|z......7:.%...,........f.`z..>..+..^..}....b.....{..Y1.RdC...........p...K..7.1.....3.E...aY.)..J...TR...:.....K>.a.....F....)....t.=Bf.....T..n..tn.r.&1.....Iy..\|%p.U..o%.u.....J.:i~.KOlFr..k..9..\...v...K..~..9,.Tw..&3\.I..#.r%.........i...7D..N....AC..:..o'I...Cp.B.........rS...<..pl?4].[...[..ZU.4....o...%.CC..5......W..Y.6!-0.......Wx..k.r..k..y".g...B.....#.A....\|....&.s....;.. >6x.Q"....f....KVR..wk.N.1pfc..S.....1...U u....t.!....l.<..1a..o.e..4e.{.Q.%Po.YP..nW...e:i.OD..\|$.kb...V.ax..o..sx..^..\|?].o8#../..TA..p'..E....zHV.....~{j.H.Gq..Qci5.R..fy.\|......>....?^.y..2.I-..6......Bhv'.~.7B..p..B.ZC...Io+o./y.....S....r.....a.....Q...@.....(...c[1.....F.....H..&...].:.z.0B._...x.%..#.~-"@...}..n...?....l.!...I..T...P..$-.C.......O.....LQt

C:\MSOCache\All Users\{90160000-0116-0409-1000-0000000FF1CE}-C\PAYLOADBIN-README.txt Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	354
Entropy (8bit):	3.4546009930890347
Encrypted:	false
SSDEEP:	6:Qn7KMM0dOLlPq0SlufB6PYxTflE6TcGsZmCulv9l18I30qlAsXQW:Qn7cbLlXSlroNEecdZW9l18Q01y
MD5:	30C95C97318E18000E6CB5682AA9143C
SHA1:	9C90986F29067617D9C13192D99B1104CE1DFBA6
SHA-256:	2A662CAB195B9C81BBEDF676F3D54A6BB326CD8B6112C928404E9616DBB8E851
SHA-512:	10C1D4EAA6FAEBDA3FFBC36668EFFA6E8EE96D3E93E4E8EB34D843432C6A7102FB4212AD01E3593BC3D32F06CE6F3C6264BA4D9238A8BB9314B7154C0E213D57
Malicious:	false
Preview:	..T.h.e. .n.e.t.w.o.r.k. .i.s. .L.O.C.K.E.D. .w.i.t.h. .P.A.Y.L.O.A.D.B.I.N. .r.a.n.s.o.m.w.a.r.e... .D.o.n.'.t. .t.r.y. .t.o. .u.s.e. .o.t.h.e.r. .s.o.f.t.w.a.r.e.......F.o.r. .d.e.c.r.y.p.t.i.o.n. .K.E.Y. .w.r.i.t.e. .H.E.R.E.:. .#.1. .r.i.c.k.h.o.o.d.@.a.r.m.o.r.m.a.i.l...n.e.t. .\|. .#.2. .m.e.r.e.d.i.t.h.p.a.t.r.i.c.k.@.p.r.o.t.o.n.m.a.i.l...c.o.m.

C:\MSOCache\All Users\{90160000-0116-0409-1000-0000000FF1CE}-C\Setup.xml.PAYLOADBIN Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1070
Entropy (8bit):	7.793988649459759
Encrypted:	false
SSDEEP:	24:Qmulj0Li3Mqd4XdQ2Vonr6YPwT3jnT9k+wehTPT2NY58WJ:Cd3Mm4XSpbPon9lwk/qWJ
MD5:	60FF4023DC1473A6F7BFE89351F5E4A7
SHA1:	02CC4C02480F58E1695794B21EB536FDEFB9D235
SHA-256:	45207665081786CBC75332E1A6F69BC1769CE486AB092551F1E8A951A994E1ED
SHA-512:	7DA71E166CD700751509F0AB68D2C1F7E3987086493A4984E99607B9803FE93FDDE9C2D237FC78517B65EA676490CBD2A43D4EC574F191C8674FD25ACF6A8F19
Malicious:	false
Preview:	._.)...\.v.....On .0V.v .qj.;.....2{".GA.2.j.P..<..I....m;........{-;k...\....Y... #c..............Z..s...Cm6.....2.^LYY..WM{."..a....I.F..... y..a.Z......xn....[.@...K.H:.."cn..uk..HMJ....l.{A...0.H:"...K....Z.:..d.fuTG..M.Er....@..@....n..=a8..d..YL....mQ.x....}W4..{T@.a.....[....a..!..D.Y.y..?.... \...w.4.\|..<".(.=.........I&:..7&......{..]....Avi.>.(z>.....t..o...L&`.m......-.v.j...YY.~.Dx..4..9...M........'5tZ...Co.H.pH..q.....\.U.....Yzf..9..F...4[_.c..>o.4[....u..H7...~...@...e.6Ac.@.OzE.......g...%.CC..5......d......6..II.:....x"t..3.1...r..1v.LB.(!.M......[.Hi_.LMjR.c.H.F)l...".v.5\].%...O-wz.M......L_.J.\|R.z.:...m....(.Vz9Q..X......+ .!.A.(&.Hx..7.Y..T...M.U%......8..&..:..ZV.........7......v..j...A....'..{......A..,..vW..Q...z...L..J.O.U.qK....b...K.Z..9h....A.0.....W......)...\|.0._28-..l.U8[.}E.A..h..SH..=D..I/.......J.23.p!W.9V..)y}....F44...........}iC...L..A\&.Q)..X.X.=8...U...^.h.r.7....H.....71R..F..f....<V[.X..M..

C:\MSOCache\All Users\{90160000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\AccessMUI.xml.PAYLOADBIN Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1063
Entropy (8bit):	7.796501011316725
Encrypted:	false
SSDEEP:	24:7uuHHWU1NInwUUfETp7CwsdOU1Il5DFwkBjGCkTuC9imvvexY:7nW6MJUfE5Cto95SkBjG/SsvvUY
MD5:	61848FBA2A5990717A838AFE7A682B5D
SHA1:	FE9273A52FEF15C61B12AA32FAD68F00CE50F4FA
SHA-256:	6DBBB24449319B41BA01475C04C37DF06251E2FDD365CDDB9D52EB8C6A5454F9
SHA-512:	90DCD7CC7F5643CFD442FD645133B3CD64AC0AE57842D516DD60786ED533191EE196807525431A94F9FDB512D0FCDD70395970194B6856885D6907EECD68B464
Malicious:	false
Preview:	K.(...<.k=..6........@.......zb........mlM.\EHdp...>.dE.%........c."..'n<hI.....\.K...L......YY7......\n.-.nZ.S.EF........M^ ...d....pN.e.-....'.]4..2ki..V..o.K$U...?x...PS.6..C..H:..i...{.../c.R^.......x.MR].9..%..Fz....._i..%.v.:ja..._m.!.d...q,..DxiFMn....{z8hz>..SLU..J6..PU..q...x.hp.....(:..V.!..O../...JXpr8.e_.f.M......KP.z...k...o.X.S..N..>...l..=..... .}...q;uu..<!uz..l...n/.....!.w\|.H.O5G..FL...e;3p...L..c..:..H.......y.:.KV....)..........D....4i.D...!......f$._....P.G.%a...=Qs@..K..Ux...%.CC..5......F....."b.W..9..KCX..]3n.w..S.d$......1.uqe..e.~........+.8s...3.\..Wd...=6$R.7.....b!.s....q.K.T..k.R.O..y..y5...vw;.!.O.Q-...A`3i.zOmCL..._..J!.@..../\|...oh.S.a._.......h.Q:Xh..../...y6.7) ...k...n..e..<.K.....,..r..%?...Mp..!.!..#.\|..!d..,.HQs.!..Y.r.v.....w...o.cO.l.-.Ol..}.....q.....3#3.....<m:eo.pK3..n+q.$.)^.yD..\...Y.3...8.....%t..z.W...r............n....0E+..cr..7..?f..I.s.u.N~IBo...YE.b\[...l...{.H.$.uznh.3j.YM.m%e'!

C:\MSOCache\All Users\{90160000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\PAYLOADBIN-README.txt Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	354
Entropy (8bit):	3.4546009930890347
Encrypted:	false
SSDEEP:	6:Qn7KMM0dOLlPq0SlufB6PYxTflE6TcGsZmCulv9l18I30qlAsXQW:Qn7cbLlXSlroNEecdZW9l18Q01y
MD5:	30C95C97318E18000E6CB5682AA9143C
SHA1:	9C90986F29067617D9C13192D99B1104CE1DFBA6
SHA-256:	2A662CAB195B9C81BBEDF676F3D54A6BB326CD8B6112C928404E9616DBB8E851
SHA-512:	10C1D4EAA6FAEBDA3FFBC36668EFFA6E8EE96D3E93E4E8EB34D843432C6A7102FB4212AD01E3593BC3D32F06CE6F3C6264BA4D9238A8BB9314B7154C0E213D57
Malicious:	false
Preview:	..T.h.e. .n.e.t.w.o.r.k. .i.s. .L.O.C.K.E.D. .w.i.t.h. .P.A.Y.L.O.A.D.B.I.N. .r.a.n.s.o.m.w.a.r.e... .D.o.n.'.t. .t.r.y. .t.o. .u.s.e. .o.t.h.e.r. .s.o.f.t.w.a.r.e.......F.o.r. .d.e.c.r.y.p.t.i.o.n. .K.E.Y. .w.r.i.t.e. .H.E.R.E.:. .#.1. .r.i.c.k.h.o.o.d.@.a.r.m.o.r.m.a.i.l...n.e.t. .\|. .#.2. .m.e.r.e.d.i.t.h.p.a.t.r.i.c.k.@.p.r.o.t.o.n.m.a.i.l...c.o.m.

C:\MSOCache\All Users\{90160000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\branding.xml.PAYLOADBIN Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1063
Entropy (8bit):	7.822931730400851
Encrypted:	false
SSDEEP:	24:cwei+qcurYQ74S3mNsGKJ6U5vwFjiCew7k3VaWUZM5yj+6:cirpZou5+j63V7Q
MD5:	3C43AA7E0CFC183CE4DD368CFFC2426A
SHA1:	420C794660674E3D621101668E3A4058C66F1F26
SHA-256:	B95E8A820226FF3A1CA77893A5329A586D050E3A8BD72062D93CAD0D61F2A73D
SHA-512:	FF8B235E355C7AE225379E103FD72E8D8CBA6C588AD672856093D0DFFCC3CCC82051ADC141FEA8BBF4D6B61259BB0F4270F1FD674D739012F2B6AE3D7092110A
Malicious:	false
Preview:	.$U.......{}.....?...F...........M....y..OE.._..m.t...19....y$...4..D..@..5...V......f..<..L.......xS.r..S6.IC.......i..<]........<.FG.BA....Zu..[..}.'........<.... n`4..#.Ch..n..1D\|.#,.p..J.[m.......y..^..[.v.R.f.....B.(u....9w...S ...B..t$.>.>.IQ.....l..MfW~o.....c[..aq.../....e..^..f......"3K_.5.>R.%..v..>........y.d..\5.5....s.......P.C.A..9=`..t..{...+,K...i4W03s.....,./..Tx.,^5......K.^....q...mc...G..d.g:.ZH...Rg.....2..j...x..K!p..l.:i.:...)`C...jJU.^....3XOi...dTWtV..F..qm...\...nX..wH.(=64.u...%.CC..5......._es.d...k..p..H....&...~........Ss.b'.....d.-:..3M.2.{.i...hMF.....\|\..rs#<)..........).A.@.9.l...-fl..T.k..Q....-...c.M...K.3.....d.v\|..M..f`..]fP...:H.....f....2.......[..S..6.G.'$.I.Cw.AOe....b.....)"...p.4<.B.$.../I...WV..D.>F.c........T.&Z.ybl/.u.i..p.......].A_. o.h>ZR..A.}.7...k.A.9..o.3=.4;i.....F[.G.l8.7.._.4p/6.2...f0..>AC..i&#29.$.Y....z.zj.L>...?...$uy.g16m...N..~..G..W.CTk4..gB.mu$.-..$......J9..M.=.b.........Qn9.O

C:\MSOCache\All Users\{90160000-0117-0409-0000-0000000FF1CE}-C\AccessMUISet.xml.PAYLOADBIN Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1064
Entropy (8bit):	7.8370585723198625
Encrypted:	false
SSDEEP:	24:VqJtVUxB93Obin743nHe/IaZOTzYbqW/63cr:wJtY3T8OAaZO/pcYcr
MD5:	E7BF2EC93D488894346CC7B58A5E1407
SHA1:	F34BAC5444B81AA50D895662853D508AAC30ABFD
SHA-256:	793844CE8061F9F411CCB4C2450CAF2B651A3A550AED9C585CFCC076ED585D31
SHA-512:	37488869E90554CB327B0308977E654A2557377F37C7874CAEA120D617DA625D5F2B14BF4AE79DC75F55BF7B927C0DC57F35FE434344FC9EB2E91F305391397E
Malicious:	false
Preview:	.HN<.<.0.. ..9.':g..\".j..a%..f.x..........$.S.9..a}.}U8.?.gb..{...8...P_0....`.....E...._..v.....:.....qE.....0`....?'.-..O..%bSx.......G...).%....Q\^T...-.\A..../.5I(....4S".\..r....@%..B\|.....9.%d...0..8]...o.r%B..=...C..n.NI.df.,/... .'P#c..2.!...1X.G..J.W....F..... ...5.6;..Q..M...}..S..-.`b=..H...........D.yD~Nx.?^E........P..Z.]....... ..C..W.G.C+......+e.^5..0.W...CW.....s.nS...a.9{./...L..-.G.S.?..k.@..$..q....}y..C.IZ..3...m-..b..TZN".N./..L...E.H.sl>t.uK.2i...n..Qd%tN..,..=Vs.3a"V.V<....\|...%.CC..5...........hrpu....!C.-R.\<D.......-PDo%.-.>..f........$.."it...l..5..Z..Za...}#..t..%.Z...\<...3.<....0...rW..Kr.@.0.T.8....z....X.iP.........p............l........!.f5O..X.f..9]...jI."C......P.D..v..+"\p.x.>? ...p.....>.D).NO.....6st.p!"[e.r.l.TZ.....R;&.....E.lQ. #.0c..?7.....Z7~......YN..7.~.e.^4...J..j_.Y..ig4P/....M...^?(..\|{6.K..F.n...b..jW.H..%.......}........h.S.b.5]..../...<.(..T..$....lfy..n.......S.s...X.ET...r..c.../

C:\MSOCache\All Users\{90160000-0117-0409-0000-0000000FF1CE}-C\PAYLOADBIN-README.txt Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	354
Entropy (8bit):	3.4546009930890347
Encrypted:	false
SSDEEP:	6:Qn7KMM0dOLlPq0SlufB6PYxTflE6TcGsZmCulv9l18I30qlAsXQW:Qn7cbLlXSlroNEecdZW9l18Q01y
MD5:	30C95C97318E18000E6CB5682AA9143C
SHA1:	9C90986F29067617D9C13192D99B1104CE1DFBA6
SHA-256:	2A662CAB195B9C81BBEDF676F3D54A6BB326CD8B6112C928404E9616DBB8E851
SHA-512:	10C1D4EAA6FAEBDA3FFBC36668EFFA6E8EE96D3E93E4E8EB34D843432C6A7102FB4212AD01E3593BC3D32F06CE6F3C6264BA4D9238A8BB9314B7154C0E213D57
Malicious:	false
Preview:	..T.h.e. .n.e.t.w.o.r.k. .i.s. .L.O.C.K.E.D. .w.i.t.h. .P.A.Y.L.O.A.D.B.I.N. .r.a.n.s.o.m.w.a.r.e... .D.o.n.'.t. .t.r.y. .t.o. .u.s.e. .o.t.h.e.r. .s.o.f.t.w.a.r.e.......F.o.r. .d.e.c.r.y.p.t.i.o.n. .K.E.Y. .w.r.i.t.e. .H.E.R.E.:. .#.1. .r.i.c.k.h.o.o.d.@.a.r.m.o.r.m.a.i.l...n.e.t. .\|. .#.2. .m.e.r.e.d.i.t.h.p.a.t.r.i.c.k.@.p.r.o.t.o.n.m.a.i.l...c.o.m.

C:\MSOCache\All Users\{90160000-0117-0409-0000-0000000FF1CE}-C\Setup.xml.PAYLOADBIN Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1064
Entropy (8bit):	7.820611658864246
Encrypted:	false
SSDEEP:	24:apF6OfwSvW8aG6SfUM/jVYp7aOUsSec2SzHngHE6LhgVe2sv:21fg85fU7pDU92SzHgk6Lhp1
MD5:	52475E1345AAFA665B3C5896B67E73F0
SHA1:	4AAB4BA2385FED1F2E8F464C6694F7AAE6CF56AB
SHA-256:	AEDA8B303B2FF9A33D22D0E52F6CAD4C5E91FB86DE17FF65CA393BEB34B478C4
SHA-512:	977FE5592EED9A27FE1641D523E2BBD3EF67B9EC34A48763CB43529ACC0C7AC11A228AF55999571EFB27279D1FE5B2A5A4768ED45399E1726FD505A68A8F8A06
Malicious:	false
Preview:	./. %..C.<:\|.@...Ph..&....K.(B...s=.L.P.+Uq.a.}.+...}..G........KW!.G}..q..[:C..(b07%U.....C./d.T>.3.Q.:<..cWp....y\|.r.2d....O"\3.I..z.......E...$...]I..^"G.7<.y.=fJ.e;..,.Z.5.-........i?).......T.A.\|....EH...9I...q.?...... .M...tj<..h.}..72.E.#<.G....X.=..+0.+....0.:E..^Y:...>b.4K(.A.....$..')........3.:......h.`d.=8:9T....y..z.s.......R5...`3....t.td..qf)`.b....Q.;FP&.............k.....l....UpHL..&..W.w+T...cb.5...D...}.%.........q,.m.g..z..t.?......$}..8.}pK............n.wt8x.sq.u..#......h....9.(Mr...%.CC..5......@.y..s.~.E.'......T...\|.u..v..%.a7St.+"..<a..@..BD...[i...~..X.$I;..$h ..\cS.g.....@!..x.D&>....f.6.\B.5..u.j.R..W...d.h{..$.....c..4.0.....3"d.'.i.l:0.J!....mc.....`T..\...%.~..\|..@./V3..1.....o......-..1...XE..r.M....w/).,..%..%.2c.H...u.+.h..#T.}..^G.............(6C.;.!g.N..)_.B..I3)...:..6..p...tSe......0....c.t...N..@..e4..v]..e.._.....k..?.$.-..x^'...B..... ...%........l..q..T.\.`.mV......&I.\.g...T.v...,'q.p...f.,...5

C:\MSOCache\All Users\{90160000-012B-0409-0000-0000000FF1CE}-C\LyncMUI.xml.PAYLOADBIN Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1061
Entropy (8bit):	7.811575619860898
Encrypted:	false
SSDEEP:	24:JEj86YwYolKkGsMD2+M/Cj7j5ZmARmPfon7ZtOT0Drlxh13F0b:JI863YolKkGk+2wqam3M72T0DpxhJFu
MD5:	EAA28F88571B3BDC1D438E4766E7BF20
SHA1:	2D9AB920C2997B5609F07BF6158446095DCB8A64
SHA-256:	48B1D21123BD24AF1E7576F97B0D6A02CCB7559D48107B4F54B7A761A2B6C929
SHA-512:	E9AAE79317D7DC07BF4499D29DE3951FA88DD906B2BF760B7EE05FEB583B07618485F1CE223E00D7663BC4B792067C7A01A2C87A60AAD4AEAD920F79EFBEC962
Malicious:	false
Preview:	.a......$..[...n.<.D.....7..3.......Ec[.Wl.....pYWN.W...h.%./.@..&..;...VC.....Yio.EOl.'Q]...\|Qo3.u.P...H..P1..4..m}%5@B...b...}B.J..L...mQoEd....m+o....4.]Z.........?#....=.R.3'.".....$....pT_.$E..$S"78(lhc.N);D......9...J?..}..#..-G...N.};..rE?\|...q.{....U.....h..t..<.?..h..B.......d.I..ZB~V.'.X..6..Wh.s..]..._...[.7.....SfP.E.J...B.0}d3L....&..D..C.=......b.;KVd..........e.D.n...L!c...$.1.R..........l...v...oo.G."K..7w...... ...F.P&....9U.^3.....U..&t..?.7.[.[u...RN.......Q..{B......,........%.CC..5......]...^'...\X.[Pk.K...=..-..tz..sfn...5=ab......4.h)..{..Iis...o.ma..J...t.............F.....7U(........B.......o0rU-#.3......h.H..E<..(!.).y${...]..i}...A.K.:c.....]..e.B..E.3...EI...m.e..r...E..0..e.F..R.j.PP..:..#:p......j9...6p.........AMs..O.....'&.yj...+..C.I(H.g..m.w..zX.......%f...a.P...O.1a~g..dybC.p..!--.c......X.O.Fr..;m.....5.X.[...XU\|.._yG....:...v...3.}...,.=5f#.b#5.Y..\|....b#.h,.G..t.....g8.....4.SH..Q.~T....@..

C:\MSOCache\All Users\{90160000-012B-0409-0000-0000000FF1CE}-C\PAYLOADBIN-README.txt Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	354
Entropy (8bit):	3.4546009930890347
Encrypted:	false
SSDEEP:	6:Qn7KMM0dOLlPq0SlufB6PYxTflE6TcGsZmCulv9l18I30qlAsXQW:Qn7cbLlXSlroNEecdZW9l18Q01y
MD5:	30C95C97318E18000E6CB5682AA9143C
SHA1:	9C90986F29067617D9C13192D99B1104CE1DFBA6
SHA-256:	2A662CAB195B9C81BBEDF676F3D54A6BB326CD8B6112C928404E9616DBB8E851
SHA-512:	10C1D4EAA6FAEBDA3FFBC36668EFFA6E8EE96D3E93E4E8EB34D843432C6A7102FB4212AD01E3593BC3D32F06CE6F3C6264BA4D9238A8BB9314B7154C0E213D57
Malicious:	false
Preview:	..T.h.e. .n.e.t.w.o.r.k. .i.s. .L.O.C.K.E.D. .w.i.t.h. .P.A.Y.L.O.A.D.B.I.N. .r.a.n.s.o.m.w.a.r.e... .D.o.n.'.t. .t.r.y. .t.o. .u.s.e. .o.t.h.e.r. .s.o.f.t.w.a.r.e.......F.o.r. .d.e.c.r.y.p.t.i.o.n. .K.E.Y. .w.r.i.t.e. .H.E.R.E.:. .#.1. .r.i.c.k.h.o.o.d.@.a.r.m.o.r.m.a.i.l...n.e.t. .\|. .#.2. .m.e.r.e.d.i.t.h.p.a.t.r.i.c.k.@.p.r.o.t.o.n.m.a.i.l...c.o.m.

C:\MSOCache\All Users\{90160000-012B-0409-0000-0000000FF1CE}-C\Setup.xml.PAYLOADBIN Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1062
Entropy (8bit):	7.815487813153199
Encrypted:	false
SSDEEP:	24:vYzDQZPlAGQdhSGpISNlggoizer0por09QLBT65uNN1NUIqbor1nJ:vYvMNuhSGySJCr06TZNN7UIqbordJ
MD5:	A40351904ACC20B3E50486E879CA56C4
SHA1:	A2E69AED12C1EB081678A400048325AB4F35E6CC
SHA-256:	3C2EC0E27AA1270C11ABFE6AA49ED70BC429B2A51C9105A8B2530698FCBF6B61
SHA-512:	4FB9A8EE8C77E2E96DE28EF04EA3CB9FDD651475397480BFA97834BD254FE74DF20B5573DC1E1DE7EF32D19AC60A613C9E1331EFEBFB0DDF53AF050C08557563
Malicious:	false
Preview:	..........\|......1C...&T....h......O...=.X...(`.....3.."....;.S...)...S....i...h`..w..Q.Q.Q...!...cT.{...ee..;.x..6}..2.gK...Kz(^..-T.i._.....@.E......{@~u.f......C...!z.@.....Wb...O.........T.......s..a.4'..g#=Ck.......t.nV$..=..N..{..$......N..D7..2..\....:........=...0r<......C.{.Y.+y.Xh.M.{k.5....\|.Z.....j..96.......7.:TH.c.3m.......z.Y......6..t..,Y.."..Me`........{.Q.g.A...B...k...<.<27HcJ.iTu...E..KV...,&../..../:.j.o.>.O+4.&......\|.w g..avc.]=.zI..2.yQ....S&..u.a......S..,.....D.........+R....%.CC..5........h.o...K......^..z.k:.o ..U..0.......}L....*...?......Xbq......UU..../!(. n.R..........c.\.j.B..uA..3.....?Z....G.<...~A..XR..l.H..,...c.,@s......B..Z....~.Tz.oLc..5....s.D(@Z.N+......7..9$..cR.D.(h.<.aa.?.LU.."Y2.>...7)...04.....=.1>.+O.c..w#.6.?.s........E....Q..z/e...%....#..J.aE.Y..SE#.C.M#...2....j.....KA}o......Y...q.\......A._.K...SNP.c\.[..X..C#S..+1.>.>.F.....:..A..jb.}..?.N0.4..p. ...F...._........o\|q.r?

C:\Users\Default\NTUSER.DAT.LOG1.PAYLOADBIN Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1056
Entropy (8bit):	7.806452835267878
Encrypted:	false
SSDEEP:	24:kKjQDbuKrpOMkEcgtXX3zn8dQqA5D87ZA1jgf9MOj2f3ngTLz6:vjQ5oMbpYdMB87ZGc9MOSMH6
MD5:	60FBC37B886CA48BF495746B6F235E0F
SHA1:	4D6747F6A2690B7A03436A6A158CF4E841FACD7A
SHA-256:	0016D4F2E0A2FCEC1C37BAAA7926B5697B1EDCFE383F3DEF5FF5E16678EBAE9B
SHA-512:	42D442DFC1FF5711978B509C45209EA9405ED12B09FA6593B5C346E654DA5F67A628D6356729875D8B50BF078910C3828E87A14BDE12D9B47EE692A723F31107
Malicious:	false
Preview:	.l....`9....o<,.B>..T....g..)V........(.....?6.}...]...hD.....SW...LQ.1.X(....:...K.8p.r..R..c.'.<..l4..4...X...[.....F3._........:9...2M...]Z...w......h....o.(.R..........J........[{........x+..{N.FZ.!=\|....j#Q.3b./....:.:....U.e......7J.uP.P...fk4h..........^`%..{P..z!...,.v.C._V..:gP>..z.K..6V.-.2..j..-..c>.....1Fm....4.....!...t&..D&...-Uhl..XF6^..s\o...)........V... ;.C..B.~.v1....3.!IdM...x..._.c...$..&..xI.,.._.;#;..g.+......0>`.....u1.O..W(u.t.jr.&...U.iwC..n\i8......H...Z.L.Z,B..4..]....%.CC..5......R..O.Y'..w6C.n...c/OV.2$..\.e.......y...u.i.}.h..........).U..b1.S.t.b%.@.qKS.f-.OrSJ2.......7C..'...9@.......=h...0.Wm......V..)..b2.....L.DZ_...._..D+..(.2.D.....mY0.{H}F.(....h.....0....\|S...B..\2H....88]...T.....O....5.Vr..d..D.PqnX......G..'....6.P....2...cL.....[_f.e..<....n..0..T..EF-}7.m%.hk.sa......8..&....&V.l...n.....X..D.P2.......s-..B..V/..[.Y.Z..D*...ty..x.J.L..Y.p.RK+D.....E.>..,...u.........:pNs.B.3G.DY..c.h.....2.

C:\Users\Default\NTUSER.DAT{8ebe95f7-3dcb-11e8-a9d9-7cfe90913f50}.TM.blf.PAYLOADBIN Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1056
Entropy (8bit):	7.766386734763119
Encrypted:	false
SSDEEP:	24:ied/NHI9DJ7PE/W4GXvFlN1JJmsQjtPfbzpoFoM264BO:ia/m9DJcO4GDnnQjxPpoOR61
MD5:	87C7CED7EA8F21CED85BD8E70C94DD60
SHA1:	7764BAFCC9AA81BFDC828956DEE64F1D36051BB6
SHA-256:	5EABAB73F9B77157DBC29A890FA6B4E2EB836E92BA5C2FB211A63F48E4DFBC34
SHA-512:	20CE19392146A14997A57A8CDB29FE4C783730A58862F2B1A1AC5C2B659A89A880646760344FFB9520C24C428EE232794F7DECCE84C5A7F6E2B333CD999620B1
Malicious:	false
Preview:	q&.B&.Z.....Q^Hp.Muf...+<+f.y.j,.%.Y.Y.)....o;..U....G.m{.H..\,.mo~.....B{.m.9.n..:yj$.6q.{....gZ.A.....<\|.<9..........q.8..[X.....S.........unz........J.Y+.U.......bD.5..]..(N).........Z..... .`..1.J,..#.e.w.....v.`...y.7.Ws.......E..axH...]....yk\|..Gt..w@..~.].X.oB'..6z.\\......1............CZ...@.i..D.[..i..(.vu.Q....J.]..T..5J.q.L.L4..3wC..Ol1SKp..?-.I5.v.S.$.f.[.............../<..w..o. ...t... /......+........g..kS.m./.x...5J%.).........u-\|...:#..>nqp...y.'K..1.`.......G...'7bWa...q.l...%.CC..5.........7..(.n.F...ty`.M.@......>...t$..^0.......N...0\...\c..9.:W%...9....M.Hh.....=.Y.3[L;kVa{.-...8...X...[...z=4......to.QH.....x.g$.....B...B/R.....<m...o5%)......L.1q9s....o....#.~.(.t.f.....2A.E...h..[.u.N...sTU.....F..2....EF..;:N..u.........s...P.....y..H.\|.iU.1..=-3... ....%.S...~..3..b.-);...&....H....L..z...h.<,.....(l..O....DDe..?..Qn.>.`u.-..u^K.]e.^...m...2...Dc{..%.\|mW.u>...../R..{k^HT....fW......N-W..l.a}ym..n...R

C:\Users\Default\NTUSER.DAT{8ebe95f7-3dcb-11e8-a9d9-7cfe90913f50}.TMContainer00000000000000000001.regtrans-ms.PAYLOADBIN Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1056
Entropy (8bit):	7.8159958520898645
Encrypted:	false
SSDEEP:	24:RoNgk0WYQT8rFic68Pse8p6H/jx9dt7xE01BSe5rU3mR227t:eek0fAG6/e8kH51BSSg3mR2Ut
MD5:	9255ED1535B8825589F238BE074ABC6F
SHA1:	6C1643CD69CE70E4A6BA906CDBB9E9F44EE361D0
SHA-256:	AB85A0FD41CB37D115337D04E574B118F60B5DA0046CD9BD7A2E57B79DFCFD37
SHA-512:	D86DB932E72D1067721F665A153990155704E0D89188FACCC6E603A948B0535554BEDB138BD9BFF1F553BFEF7C38294CBCCFECD99E5395F82A6948A10CB19BDC
Malicious:	false
Preview:	.<.n\|.......4.]..2.ckIiFv."<.........1..L..$>.....[!.......iD.`.t....O.{g..`.8...1.`ou$...':...k.........Q..4.(\.n...852..?c}...".Q...dD.....&;D..%..Z.....U..1.7.w..!.T..-h!.R`(.iD...6....<O..Q}i.T..H..;>.z..m..4.....9...G..bL~8..1a._Dz........M..U.........N....\|..j...b.Qx.....%...).x.........@....r.....VP..A.'....~..........d.....H..@..w.............+.^/...>0.yF..V.)?@/._.vO......g.J..>H.3.._g..;,&...h......>.X1^?...{=.G%n'...e.]!....uE.....~...WSN9DD_.H.y...o..zsZr....T...._....Y..=....%.CC..5......oe.Nm4&N.;.I`.K..>o.[8.J..fx..`.xi..........u.k.x..(.S"D.F..z.+s5cq...;ri...."p.$.'.I+..7.6.&u.4)R1.L....R..kay......9...m.35..,....<..`.{.:t=.SQc._..T..........~".....d..aG.1&.?.<.....DA5_.B...>,..../Z.5}.....A....".I.Fq...,$..k.D.>~k`..V\|T.. .t.]..\|Q.W...t.-X..>...Z..>..J....tM.....o}~.../q.Y.m.y.....D..I.]m..d9Rs.cC.......[c9....y8~v/5..)....O.d..]....]<...#...5.=G.Jx.+4hL\|.._..c;-@&m.......L.O.N...NT.l..........!...+.W..

C:\Users\Default\NTUSER.DAT{8ebe95f7-3dcb-11e8-a9d9-7cfe90913f50}.TMContainer00000000000000000002.regtrans-ms.PAYLOADBIN Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1056
Entropy (8bit):	7.79226575822321
Encrypted:	false
SSDEEP:	24:riLIuksMR5zI0JxdVMXO2uIpturfiTvs62vWa:6F3kndv2vtUk7a
MD5:	2ED1E2253D408FDC9D50C848AF91883F
SHA1:	913884145D5953E4133252F5CEF3FAEB20535179
SHA-256:	0FAA8D19CB86550A66FE8D89DE19EE266A4FE5BD846B635F507AB3EE0B5C31DA
SHA-512:	5A2B118CFCCDC9A24FE58A38AEC500C862C6BEADCE7C2AFEFCA9F6E2A44B612260A4120A6931313EA077D73098A2E87060D9B8F17FDBA9EEBAFB02DF7361B53E
Malicious:	false
Preview:	W7..~u..w#P...[....`W.z"..l1C...=n..../....7..6...9...O..l.....mz..&.....n.i.......z.S....EP..`..{....U.7.~w....T'E.W...>.X..M)..b.g.....Wv7~.....r:[9d...@i)....x.<.z.w[...6\.l[[...v.X._....$.cL.&.P..j.....,....Q.[Pc.....<R..'&n;.w.~...C....3.....:y.5.=...&_....uz......*...j..P.t.x._....k.....q...d.q..Sv`5C.!..#b.K.....I\|;...m..Y..v..f4.......E..6m.V....V.Bs..TDR...)m.....z.-....R..AGU.v....4..$L.ri.N....h..c.f....h.~..x~.y8~........f.n'_......; x$).../..D...vY...2r.....h..9.oP.x.w.....Kk.Nr....%.CC..5..........#.B..$..!.......^.s$...0a...V3...Vn.y...dl..QZ.{..5...F..R...?.[.;1.,.t....ElV...;............5....s..x..v0~..C..:w.lOA.F.....g6\|..1.`+..=-4t.9.....!...H.n...s.....=...B.Ax8.f..,..&..Y.%....6...'..D-.\|H..q3,..)....7.......bn..]..."A\~......5..........,h...,I;.TG".......,.U.fw_.j.{TuqW.l.e...w....?....V$.....i..m7(<..._....\|.....g.P).1.8.'......"]..QM=....w\.....{h..C .R.....o.".Kuu......-.c..=n-..\..V2..fQ....GF...3uJ..

C:\Users\Default\PAYLOADBIN-README.txt Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	354
Entropy (8bit):	3.4546009930890347
Encrypted:	false
SSDEEP:	6:Qn7KMM0dOLlPq0SlufB6PYxTflE6TcGsZmCulv9l18I30qlAsXQW:Qn7cbLlXSlroNEecdZW9l18Q01y
MD5:	30C95C97318E18000E6CB5682AA9143C
SHA1:	9C90986F29067617D9C13192D99B1104CE1DFBA6
SHA-256:	2A662CAB195B9C81BBEDF676F3D54A6BB326CD8B6112C928404E9616DBB8E851
SHA-512:	10C1D4EAA6FAEBDA3FFBC36668EFFA6E8EE96D3E93E4E8EB34D843432C6A7102FB4212AD01E3593BC3D32F06CE6F3C6264BA4D9238A8BB9314B7154C0E213D57
Malicious:	false
Preview:	..T.h.e. .n.e.t.w.o.r.k. .i.s. .L.O.C.K.E.D. .w.i.t.h. .P.A.Y.L.O.A.D.B.I.N. .r.a.n.s.o.m.w.a.r.e... .D.o.n.'.t. .t.r.y. .t.o. .u.s.e. .o.t.h.e.r. .s.o.f.t.w.a.r.e.......F.o.r. .d.e.c.r.y.p.t.i.o.n. .K.E.Y. .w.r.i.t.e. .H.E.R.E.:. .#.1. .r.i.c.k.h.o.o.d.@.a.r.m.o.r.m.a.i.l...n.e.t. .\|. .#.2. .m.e.r.e.d.i.t.h.p.a.t.r.i.c.k.@.p.r.o.t.o.n.m.a.i.l...c.o.m.

C:\Users\Public\Libraries\PAYLOADBIN-README.txt Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	354
Entropy (8bit):	3.4546009930890347
Encrypted:	false
SSDEEP:	6:Qn7KMM0dOLlPq0SlufB6PYxTflE6TcGsZmCulv9l18I30qlAsXQW:Qn7cbLlXSlroNEecdZW9l18Q01y
MD5:	30C95C97318E18000E6CB5682AA9143C
SHA1:	9C90986F29067617D9C13192D99B1104CE1DFBA6
SHA-256:	2A662CAB195B9C81BBEDF676F3D54A6BB326CD8B6112C928404E9616DBB8E851
SHA-512:	10C1D4EAA6FAEBDA3FFBC36668EFFA6E8EE96D3E93E4E8EB34D843432C6A7102FB4212AD01E3593BC3D32F06CE6F3C6264BA4D9238A8BB9314B7154C0E213D57
Malicious:	false
Preview:	..T.h.e. .n.e.t.w.o.r.k. .i.s. .L.O.C.K.E.D. .w.i.t.h. .P.A.Y.L.O.A.D.B.I.N. .r.a.n.s.o.m.w.a.r.e... .D.o.n.'.t. .t.r.y. .t.o. .u.s.e. .o.t.h.e.r. .s.o.f.t.w.a.r.e.......F.o.r. .d.e.c.r.y.p.t.i.o.n. .K.E.Y. .w.r.i.t.e. .H.E.R.E.:. .#.1. .r.i.c.k.h.o.o.d.@.a.r.m.o.r.m.a.i.l...n.e.t. .\|. .#.2. .m.e.r.e.d.i.t.h.p.a.t.r.i.c.k.@.p.r.o.t.o.n.m.a.i.l...c.o.m.

C:\Users\Public\Libraries\RecordedTV.library-ms.PAYLOADBIN Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	modified
Size (bytes):	1065
Entropy (8bit):	7.815958526766648
Encrypted:	false
SSDEEP:	24:n84I3dUqD1hB7NESllp54MFDccmvdgISJvyW/C:JI3LzJlVYvOBJqaC
MD5:	9A6E5206C03404F0216D270CCAE1F043
SHA1:	331CAAF4EC20E72407F1B33CB8FC3D303DF8659B
SHA-256:	5D3E8061A7E4FA1CB369753E9A1AA6806E8EC68B32543D1B62534CD1695D5FCD
SHA-512:	B8777B77F4D26F335A5A45AEFF443EA06D548862FAE642A6CDBE7326595AE1F9AC39635C28999C681B2139693E728C406038E32B8CC8F74377C8F23D0188E39C
Malicious:	false
Preview:	..o?X.a...t.oL.....R?=$..K......../.........%4V"..I.F:..w.B..p.8..&.....!5....>...D...D@+t............'.C.......?.<.1....b.....H.6..3w.!M)..Y..R....8.O..k..B?..0......ex.r[...1.U]&viF/d9?.U..c{(\|.....X.,....I\........P...X...@9d.G..C.....l..D.>R..w.t?....&..5.zq..%.h).....n.B..,.:].ar.X..=. 0.;+...m......".-..6x.ZG.N.A.w0j.......9.e.C..>h...9....q....o8..h)-.C.....CpK.j.pN..q....<1u#.V...(..{.T..#..Q..BH..t..c........T...;.u\.5b..cg....%.S.._l...c...^..K...~=.....zE..d..;.cx].;..M.v.E...D....._.<m.=.#.4...3..z1...%.CC..5......6qq..xV."'.....(..%.{..........(...k.E)K.,.S...T..Dn.H._.N...Z.....G.AZ.Z...dLs.K..TL.XuL.#wh\|6.d:......7....O/).j......IX.2].....l......, z....9h.........;?.z.L9.X....D..k..8>....=..x......0.?..4....?.n`-4uA.!e..n..S..a.......}...E=..u;Z...$.rx......^Y..}..:.B)..:.9..a..y..3.F....S.<.$.%9$..+..E.=....[....$,..N...:.Q.......h.! .].T .k34ws%......I...w.....u..f..1T.&d.......,.:f........RZ.1s..Q..%h..j..=D....I..

C:\Users\user\AppData\Roaming\TextNotepad\Unistore Download File
Process:	C:\Users\user\Desktop\Odbc.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	2003664
Entropy (8bit):	7.824876497267196
Encrypted:	false
SSDEEP:	49152:pW7LRFK0GYI5iqKj9J79f6nSRkvWduwpB+:CO0VMC9JRf6SkWlB+
MD5:	063771D5573448EE6A271584A4B6A26A
SHA1:	E23637EA81751E558FCA17EF1A54B6E39D2E83C3
SHA-256:	69775389EB0207FEC3A3F5649A0AD9315856C810F595C086AC49D68CDBC1D136
SHA-512:	B17CD1310D4FD2AF4659E6E9B2A218C3930F5D1EC439939331C71AF789E39865D8AFDC7E1FC93B62311AAE4AE6ADEA1EB0D29BBB67427877A8EF60A19CBADABF
Malicious:	true
Antivirus:	Antivirus: Virustotal, Detection: 37%, Browse Antivirus: ReversingLabs, Detection: 21%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........U.U4..U4..U4..r...R4..U4...4..Kf..T4..U4..W4..Kf..T4..Kf..T4..RichU4..........PE..d...1.`..........#..................P.........@.....................................2..........................................................P....@...s...0.......n...$..............................................................h............................text............................... ..`.text2.............................. ..`.rdata..............................@..@.data........ ......................@....pdata.......0......................@..@.rsrc....s...@...t..................@..@................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\TextNotepad\Unistore:Zone.Identifier Download File
Process:	C:\Users\user\Desktop\Odbc.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\Desktop\ATJBEMHSSB.jpg.PAYLOADBIN Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1070
Entropy (8bit):	7.790499912050504
Encrypted:	false
SSDEEP:	24:XB9W4u0mSpJx3knPqZtPPtVAG92orADyNeAf8M+xXcuR:jr9xoPqfnti6CyNRf8M+L
MD5:	AC2750575CF7ACF71E2ABAB472571C1C
SHA1:	DC30FCDD5B842E39A0999FD451B0E424A2833E24
SHA-256:	87FF03E96CA81DB83B4705F59F1B15CF125E8AD49BC93B1158C0DA044A7EA8AD
SHA-512:	0DD5651F46F372D5029A672CC7B42761D6B53A98AE945BD3A0B221EDB4838E23FCD70EA0BB60347BFEBA44F4E9BB49450225551C90B53B3E1648FA213FB86705
Malicious:	false
Preview:	...%.:..A+..?...z7. ..8..\|hZ.[...N..65.....4L....\|..8.t.d..5.x.8.\|...p3k..~.>...5..xh.....R...N]...;..".].9zDX.b...p.N/v..?..!N....x.z....yX.e.t..)...A.N.f..\...%.k.n....x..(.....S`4....j~...f2.........1.>..f.........Y+(....c..AXY......[..G.WY...a..r<.^.75.:.A...Y...iE.V..Y9...WG.qZA..]...c0.......\|...O.QP.3..$i2.86.;J...&.R.U(G.Ru..t..,......?f.Qu.#b.v....y.s.... =.mbA1WSn^../...d..U..K...../...%....d\..\|E......".jb....b.o}...r..Z>....U.......i;eN....>.=...k.ja{...A.xW...!.[....p.R.d...._.2e..Xf!F..v7....t.O*....%.CC..5......:$.0.R.5.J.#u@....(i+..k.5.M.l.Z`.K&.....[.......$..d...\|.....9..J\|.b.i...qh....Mo.B.....,{e..z..9...,.h...`.c.8.m..T..=5nt....\.....+..\|bm#.Uj..~..^.]qAmZ/.....V.&...!..+o..)....V.!....nG.n..B...)T..E.$...,V.lA..d.Gz.s.x..J....B.!...k...m...n..@..[..?.....9-t.U./..=..L.....Y.....)..dQ.L....~....Gd...........=7^m.l=..A.z-[.R............x.. .=`=..a.o..2..1.$........!.H. ....HA.'..h1........M.)3.Ya,...i.\.9O..{X

C:\Users\user\Desktop\BQJUWOYRTO.docx.PAYLOADBIN Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1070
Entropy (8bit):	7.8554399470450855
Encrypted:	false
SSDEEP:	24:LC8H5skd5LKaojrqFuzVPSdwcHKFStv+TvUrCRJP:zH5TrpFSZLjFSZ+grCL
MD5:	00DBFA4FB4808415944FFD2DBAEBC4A4
SHA1:	3ACA1B45DE985646040F107F43119E7C25053648
SHA-256:	17EFA173D853B75A308372F527641E6B8BBA8992A32F332CDCF3942EBC0D6165
SHA-512:	6D9C618B8B8A4E523B151EA55FD31E396527E4FA756589203F200ED1D686A929A090A56DA660F366D64D34B8E36E1B0CC21FE76EBBA44D9097D42410A10EC090
Malicious:	false
Preview:	...C.2.....[J+Y.@..G.....N`..Z..so+.6..PJ.]'.iC...v.P7(v...C...0.UU.M.... .K...\L.GW>.....#..../.?..o.le.NoV4..w............y...WOdA.=...Wu7:....Sk..x....bs.rtY.F#....,p.=...3g0NwK..F.".t#.....Q.W.Hnu...2.EET.Ql.U"v.N.!.Lm1:..(C..!..s..Tb._....:-co..s..~.ZdL.......PH.c$n=..........}.U.9b..j...........\|.}..n..K...Zc\|v.....>..0@o .L.....Y.0......o...t;.g.....K.....a....e.r.....Il.{G......w.yPz.6.....p.".......%Ks..._..P.EJ....x....DY.UI.%A....s9UY..g... .0ml..u$0.n......xb...x...H_5(...nI..H..4.........R...GHw...%.CC..5........1)'.2...V..;.b.6.._...v5.......#.~.:.8:.B...q...].Tq..p..\....`.c....:."u2...i...v.O.........r<...y...B\2k...k?..x...?.I.....`.b...F....y:)i.".....#.f.]....%.w..=..-.Ho..F.H.ay..-R.1..-..sz..f.w...h..,...}..G.#..g..n.'.\|x ...u....d).I.F...k.B.BQ.t..-..p.....a.^U.....\.3..,\..>Z..a.l..X..~.R.'C....i........r..C{%.D3W.5.&..+....$~..$.`.,...d.....l..CZ+.X!.U..<....+.+.!\|a....,....$..Z..m..^.."..ST...a~!y.C.O

C:\Users\user\Desktop\BUFZSQPCOH.docx.PAYLOADBIN Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1070
Entropy (8bit):	7.770448289080139
Encrypted:	false
SSDEEP:	24:mhv7FZfVWqklDXL657m0oFLMKP7KOw1/eEnn:CxZtGDe574MKPZwAEn
MD5:	2A17020651EA898656685AD6351790A6
SHA1:	A8CDF1A1DF9E82F6673B5579B2AB12AA5EFCEB65
SHA-256:	553879E889B379F32EA1353CAC7929307A6D7EA3609DA48A048429E56CE552A7
SHA-512:	074588890DCF37CB17D636C2FCC508C0E70BC4568FBC0D244830D84F0FD2C5A77C51676C9189ABB7B44829EFBA2EAAD7E1E0130AE7D561D2D56D16BF8A7CE1CE
Malicious:	false
Preview:	...p...\|.c.<.L...+?eu"-u..\|....nZ....$t~tE..T.{...UDj...~.....z..o....o..2o1Y./..E7..;......7.p.....>....j......1T...t..sU.n6......^q`.e.....y.5....DR}.".P....t..}..z.../X!-........,....rd.$..D..Tm.0.j......X..8. ..Qh.U.~.e.9}..~e.6.w>E.=<h....V...V.9[....m.L....f....T.2<...y...!.8...w..+....7.v.....9{7.p3~..9p...>.@.\|6.,..'...'..T...H..@f.-........n...........<.......{.lA.....@..9......Gix..#}.pp/.&.....%..V..m..d.H._..8Rq.X.D../.@n.?.....6.........q..6-....2v..auz..p-...C...E.....)2.!.Q.~.<....d`.......L..I....%.CC..5......O.06..m/ \dl...u.r.~r.....X..X#......./..{..v..iY.2...g.q.u....%.....[..9..$..g....:..J..X.~..l.Q.n...9n...........o_y.....".{<l...r..x...B.....\|?..+..~..i..E..6.W.].$....#9.{\.[.y.Y.y..d..r...[....}g..... ..@J...6...{..H...J..p..`..A.4..Fn..~..,..=X.A.y....O..p.+[\|...&..M?.I.8.?....t.Wn....8xs\.......nd.B.w.7......-..8.%.d5 ..H8......qV.<e....L].".3...n....v...".to.h\|...;..... .n......j...p.T...".]..2i..=Y..t.....P..

C:\Users\user\Desktop\BUFZSQPCOH.jpg.PAYLOADBIN Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1070
Entropy (8bit):	7.7731611465411
Encrypted:	false
SSDEEP:	24:QHZrpJw52rh/pfBeE4Z0iMT1+36K9ETSfw/1TV2Wn/MSVZy:QBwUrNBxoFMT1+36K9ETSfS52q/RZy
MD5:	D3B8B60D804D13FC4AF4133969D31FB3
SHA1:	CF863FBFFC85F7751057CD81FF339675B0594BA9
SHA-256:	1352ECC0BB6781AF49194D40AC116F0925314D92C6F4F66EFA7F137277495806
SHA-512:	2B020F7F0AC2366395DCF26C9867417A4B29D954734625C14C19BAA94D4EC2B5193A72F7696F3FF365401F54027573EA11E2EF65A762C72C1F01E14BE3916C07
Malicious:	false
Preview:	X.....y.Jnx.B.ms....%....U".8...\|.F.'......H.%.:.^(..6.H.0.0...;..t.V"..3.d.......z....`...V...sI.1...5..>./.R.../V..u....\|..A..>}.].OzX.B4.I..0e.... umF}....y..#.#=ho........#_0.w1..J!....fF...s......S...Q3.....-...w...8>z..B..I....x...:@`#.K.L..J.U-.si....q....c#Gz...{..0.5.Ka.n...r.u.p.....$.kv.X..=.......L6../l......v4.=.h...n..9.1...Q`y..{.\|Q}.. r.F<..cVy.3.?..o..M.@...3.R..m(...h.../.....3UJ.Spj.'.t.Z...S .d..<.......\..@._i...]....n){..............5.u.'...".Y....f.+....8c.S... ....l.6....A.&.y.M$3..'...%.CC..5......IC.\|....-.@T.z...P..+T....F.^...%.#.....+.h.N....qs......). ..z1.z4..~.0o1...D?...Bi%K/..L,x...<....!3.......L)AEw,..g.V+...0.:2......zo.0.y._..(x4...A....Ih...g".X.%...g.W...{?.N....Z...U-2.kG@....@..;f....."...6..}.e......IX...2e..J..^\|.%=.U.-.U......&...eg..%=.$...p.... h...}...Q.+Z..@.z>.K.......{,0.i....$}...W.c.(.m.K.$OB.....l....i4.s..P....N. ..).....H...%.....m.)....!.mZ..E.B....4.r......"V.HK..:.[W.>...Qy .o[...

C:\Users\user\Desktop\BUFZSQPCOH.xlsx.PAYLOADBIN Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1070
Entropy (8bit):	7.829604464775174
Encrypted:	false
SSDEEP:	24:MxsCyHP38UObuM47ZNJKqB5or1YDi0MkoPS0y:HCyH/yuM47LJKi5UjI
MD5:	63DFB2FAFFE033824CDF99565C19A12D
SHA1:	07BEB5F24EF0CFB34017C43062B05CA8F42D6F88
SHA-256:	66C71ADB54A81F052A060A95B80AD019013209BC7DC27E243AB9E5909AC6E37F
SHA-512:	1489C22CFF181DFEB74C21BFF417FBECB7FEDEF98A5DA902CE147C25080EE49FA59DDFD647ED30C4879AA468AC63D1B2BFA608D4D73378CD5C14BA9BCC5A9769
Malicious:	false
Preview:	.M.>.O....'...$Ewf0)&.g...8vD.2..\|.P.Q.p.U...T..z..}.8..?dcp..R....!.5.u......qBBC.E,...V.....#...41~....)..\..m..L.D.N..'S..8....+...?......a..K+....^..........:Tz.y6A.r._]Z...A$.3o]E.C..k...i..K4...M...)h9.h..PT.\w..CR....J.<.7...m.....Y.N A'L.8.....}y...:..?..r.j.@...=..YH."T...o...m..x~.t}...0h..1.i...n...I.......B...X.mx.%.f.t....-..K..=+...w0....P..L..0G._.. .5U?.E../..X...RlMqd[...Y.....T..dj qyB...)...a...=\|...\.hg.Z...<2.>.QX..niAz.q.Pb(...v.lL$Vdh[.+."3......\$...k.4...~zh..F.VG...8....%.CC..5......).b.l..k....^.L.va...x.....T.#<..6#>.t....C.@...!u... ..lRU.dh....A....v...@..X%.W\|.Gvk.....]...s...j...ic..IX!C......%.DM`...P`..!......I1.LR.s^{..rR.#;..".5....X.....d$~.W.....k8..........p.u......O...H.T?..f.Uq.p..[.7.<...;.H...B..%nx.9Bk..g.^[..,..f.".....T.Jp.[.dzFp........QC....2.]..U\?...u/+...@....B.8.4..[..^d.G$%J..9C..0..O8-N....&.....).<..7G..z.........Xa......L.kmJ..x.1....n.@..aK.:P.Mg...A..0.....Ke1

C:\Users\user\Desktop\BUFZSQPCOH\ATJBEMHSSB.jpg.PAYLOADBIN Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1070
Entropy (8bit):	7.795229704082142
Encrypted:	false
SSDEEP:	24:UJqDg2Uefashd+XQV1xlecUbClBqu2DkmKO889v7Tl7y:UTmasScU+O5cSvVy
MD5:	8EFCA8F03FA0FC6149190CA1BBFF466E
SHA1:	993026B33D342E4F231559F698B5D21A90F80084
SHA-256:	F280666574DA01A9D274E8ABB78D3DAEBF1EA0EB6E78E52BE96A16DD1F4CDBA8
SHA-512:	36CD9A1E393417B0024DC9750C5875EBA6817E8CE6582476CBACC8207B9640A57025A8505B61795951FAFC4A09336EC4CA78717B5D165655D9A45324AAAA7300
Malicious:	false
Preview:	...lra....Rx8...Ef.....V....>...._...]..d+.;".K}..l.5r.....w.^.DJ^F].").vG.?Q.1...ak-...y..nx...>.."..)^............j..\...%n&M.3.....!..TO.(.....ls.e\{..n.`.F..4.e.[.....9..0I.....f.$.MZP\...?..)......L..N.>d.~....2-...y9...S._=....<0.I.....B......bg'm..[.....o.9....].Y.\|.....x.c....h.:..(:.0.S8.M...&.<.g).....*...K.....{A.Gl.......\|.....4.....%..N......H....n5U.l..4xy....@.`....2..#..`....k..n.....%.T..j.B{...hU.....Ba.-....q...${&.d.?i.....?.+1..&.\._.,.G..(...8.n.......!.".y9...h..;uw.v.X6.LY..Wd........%.CC..5........z...A.x.a...;......h.1.....7.qV.....!.._....8.M.RV.[v[ ..u....{nFs(\|.$.....P.y{k8B.5...W.#.>.v...'.....5...I!..X.....ujhe.H.pD`......LY0..9.,....U.._9..C.Y.?]\|..N!..:..8..1P....\.h.-..+..TO.!....A:........&...$....P4.6...b.[..9...Y. <..mS..M.-R.C....T.Z....^t..elel."h.xF^.%....B......T....F>..[.SH...#....e.........R......vF.......)......8..T./v..w..$.6...D..w8.~`.(.!.!,.<.wJ......nT..]3...p....%..P.V....u0.e..`(.K...O..

C:\Users\user\Desktop\BUFZSQPCOH\BUFZSQPCOH.docx.PAYLOADBIN Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1070
Entropy (8bit):	7.810210440970944
Encrypted:	false
SSDEEP:	24:J0kh3qqMmS+W0hvvEWJamOMDydWZ49LF3RHtJxQRo8Wdn:RMqu+/hvjJartdWy9B3ptkmzn
MD5:	AD7BDEC68B67DF1E0D2F95B1651D0AFD
SHA1:	7237C3580A59CA1B0F24E9F187341878B3212D2D
SHA-256:	5FDD89A58C3EC425537C8CB7B576260A6414E64CDC9A45DC7F69B241014CDEBE
SHA-512:	C1A63293FB52B1E723366A98ACBCECDD86FD91A8E380912CAC6F55400EC1F537300B9768F8B56C51D83FC1B12C466A51B85DABAC13104C30EA67A49C271535AA
Malicious:	false
Preview:	..(......9.Dx<c..5hX..\|.>..:....!K.t..<...1.&u.]U7.p.\.;...N.Z"$I0.....U...Q;)c`.r.(..E..l.R..f{.F...9I"..w....1.q.H.....w..M3..?....L~U.h.+g.@EgW.Y.lq.........Q:.....od..>...,H.....5.......q:q.45;Ba...6.p..U..\k..L.z....^.tl.&..Yg3..KN.]A/.....l.5..V.F.j.%pL..i.+..\|.LT.OK.....-@......&I.%...*..N..w.\^...5.c.....A.).^6......n..Y<....q.]...Tf..B...r..b..c.h.7[.v.@hL/.....9..F..H..m...;..u.9.h..o..Z........O..d...P.....\|.z[...f.:.exi..F.....6...M...cx:...\,a7....b..._....1.gx...`..T.&......G.X..,&.......<....%.CC..5........gG....w.T..h/...o..7.......i.........}7..Lcp`........W...2.......AM........m.%?.. ......X...3(f.7Kd.R....R..1.9..95T.O......S.,......{.r..q$.0b..2........f.^.@e..Q.zJo..1.'n.w..Aj.kW.~H.]..}....A..qg...I.6[......p.9z....\. .5d.IE..N.Rm.`7...b.......P/.(d.]Jo@.....C..Y,..^..r.,w...jD.X.z.Kl.F.g.V..@..Q..u..aL..#e...p..M.._N.~.q..N.&v.DV.~.4.............Y..m..#A...[......FJ.{&Jix.....s..0K....k.l_<..%4X. .v..b.R.

C:\Users\user\Desktop\BUFZSQPCOH\BWETZDQDIB.xlsx.PAYLOADBIN Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1070
Entropy (8bit):	7.823414952733993
Encrypted:	false
SSDEEP:	24:eVLyjZgXqs3m4TrWV866k7w2IgZi1lS0PBC:uLyylW4TquOVoBC
MD5:	BF74E09F215FE662628916AFB79C2E22
SHA1:	42911E136504E7E4EB1743DE91BDB8ADAB070B9C
SHA-256:	7050F7F4328800FDD6AC9E04FAF2FB23D909817609C056F8111AEED4F2707A42
SHA-512:	139E6241CB212256A7C50E05357D34598281ABF5D290295E55E4882DB6055AAAFA9535D142B4F6E8CD73D8229A3993DF53BABE38F81812D8F557720508F20BEA
Malicious:	false
Preview:	g...Y..u....Q\.^q..7....7.,..w....L.....dw........c..J..q..Y:e.7u3i.l/.@Zn..7...,....t.'...o..S.a.?{.......&<.5y-...\|..D..{ (B9v.$P.....2....GW..w8.]].P..>.2..F..>....sp$.P..... ..q]..?8..j.6Pn2.....[<..e...\|...21..COQ7.O..q.'BP......(.....x.....#:.N.k)/.)>f98.!G.\|D.tc7......?N..DJ.. .J...YC...:...9..H.=..s<..<.N..-....g`...F.Ko.72wOK)..}....a.~...V.S..+.A$..!..>..tR?.h5.`#.^0.k.._^...g&n.>W..K..........F,..3N....cQ.L..u.o-.F.....U...P)&........;.P.F&U.V.l..a.).L.....r.qY..z...q..y_.K..k....q4.T...ph......=,..m0M]..i...%.CC..5......g5.....m4.&.W)@c.}.R...t.....A.....CV...3w."...........a...&K.0.m..^....;E.....#~f.......Y...L..+U.......k.a..qA..m.n ..-%......x}...J...H...\|..>k..n....f....yM].e..446.Cc.....v.....6.7UG@.....23.....@.0W..........~..eAd....?..l.j?..3.d..9..g...F&rQ.....,..>..*....[.H..\|..k.}+..H.(..a..z.....Cx.&....9.>KQ..j&.:7W'.yd.U...^02&........{.A.3.!....L.5......S.\.!g.#...^.-...`..".4[GZ.&.....01.!.'.R...............\|

C:\Users\user\Desktop\BUFZSQPCOH\DWTHNHNNJB.png.PAYLOADBIN Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1070
Entropy (8bit):	7.830756378025305
Encrypted:	false
SSDEEP:	24:QI6psA9rV9jpiB8FO6SkShRw/0lQjdNiFJJ5byCZKjRy8Es8C:QI6ph9R9jS8t/S9GjiFs068C
MD5:	3AEB6E9077EE293CF071236B81C5BBD7
SHA1:	317FCBF959E63271883A875B6163B041C5FFA44A
SHA-256:	5E566D714D66FBCFE9F57AEA6DB44EEF795847B4501D49C6CD9A27F3AE4AC81F
SHA-512:	3070716243118E95A5C108264AC65AF0471BF4DD024FDD785F6DF94957D47F636137B56DC33B855F66CF6D408837B1F6D075B5EBA49A37C0CF4D4C7E8D5F187D
Malicious:	false
Preview:	C.X.R]..`....1.9^*....-...j.;...;.....K.W.M.;..n....8E.......#.........U.G.....2..o...5.?!..R-g<.........."..U.^...1...oPY.FJ_;B........XF..(....ho#`QO....2CL.:.&.a_.-44...Y.]7...>...S....cSJ.y.+O:Z...4...(..i......{l...>.+."..k;.]..w-.?DK........P....=.D..,..).g.S......!.:z.`.Kc........^....H.....y..F.\y.r.7D\bwm.......rye.......f.$........#.Ak...I5.L.[4..Z}..&-.wy.%F.E.Z.........b...V..-..}W..T...4..d#.fPy...{9x.;.=..^..t...u.....s.V.6.k...V...y..aQ'.7....h.....a..............K../." ..6(Y...0. ...F...X...%.CC..5......s-i@..$B........!..p_.Q.....cs..Q...IC.t.)K.!Ec#+c......8'a..6!.._.......hczx....>M0..".^...B1YZi.!.B!?...A:...T....E.n..>...c....D?.......'../t..DT.......s..qr..hX.N\./.l..{.{&.M..JQ..o.~.V.\|X.V.....m..I.wO.../.#....d6...k.....Vq.g..u9.cQ.t.....s.)k%........!.~o...n....d..'..8....#../.?.0...$.H./.....7].Dov~..'<...Mk...=.q.....=#j....g.l#..ZO.o...3.02W..To....t..%.L.........H...s....$....S..P..?.P;q.m........

C:\Users\user\Desktop\BUFZSQPCOH\KBIFTJWHNZ.mp3.PAYLOADBIN Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1070
Entropy (8bit):	7.7958390617001445
Encrypted:	false
SSDEEP:	24:eDHRnnpYBNoPqsPYS0pkI3XWjynu/2xmXQOjEJSOfy7gISPQgYhT:e1OBNSPYLpB3ienrLmgISPMB
MD5:	684FA60A83F6CA5B5F1769EFE02D3F79
SHA1:	70C0B58FB5BCA838EB264EBD8C83899BAFB1F883
SHA-256:	026BC11610033DAF1630DD92D65CF6EA1550375962213FF9171955D7547DB8C2
SHA-512:	07BBDDE1358CFD702F34C2E242F6FF6DAE6305E0D1DCB43A4B08A273C2C609D0CC7CFF20EB30AE45C39C106EE352A193FEFB5C4C366281A5B6F3C9C600F79D5A
Malicious:	false
Preview:	(..#.#Gq.....tW..tL.....>..b3.b3\.............{-.i.u..4........??d.m.@~.,.\g....4..4 .D.:........_...Z._.=.U.$.[......k=&..9...y\|(x...r^.....i.."..O....0...r!#.[..W...F...z.E...6..;.%].GDo...9%....i.G....=.8Ql..+.....u.El.S.FD...;....7E=..$.e.W..@;..p.0}.~q.%.`.:A.DR.<.aFI.P..>.N......T...G.DW ./.c..>Z.c.Bc......H...a.,.^.@..w&.y.\|.d..#.<.0.;.[Z..A.{..oO....\|4~........a.&7....].d..'..YO.O...O..g..p...u.6+..wN...4.."5.T.+..+...Q......A....<[..HvL....u3...r....z..AU...x....v..F\|[?...TF,.-&...\..7.2..K...e....F..6...%.CC..5.......5.;.....r5.$..I.>...h.I_,n..W....i1!>.9+.^.....r.?...P.....\.s^......7...K.....)D.J?.s...lkn....X_.#.<...].L.#..f.O."..L.._+..........BnC8.. ...&s.....#q.y.'....._...6.F.....!.....=........w......'....B/......}.1......H.HE7.9.=.....6J.....rX.Y....{b.x.......T.D#.(...o..`.....Kwlu.....\|#.lD...vG...g.Z5......U<b...Bd.2}&i].cA..........].)...[,c....m.X.......2..Y.....QW..... .ca.d.p...@..ve...86'J;L..F....H..p.L.h'.4W

C:\Users\user\Desktop\BUFZSQPCOH\PAYLOADBIN-README.txt Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	354
Entropy (8bit):	3.4546009930890347
Encrypted:	false
SSDEEP:	6:Qn7KMM0dOLlPq0SlufB6PYxTflE6TcGsZmCulv9l18I30qlAsXQW:Qn7cbLlXSlroNEecdZW9l18Q01y
MD5:	30C95C97318E18000E6CB5682AA9143C
SHA1:	9C90986F29067617D9C13192D99B1104CE1DFBA6
SHA-256:	2A662CAB195B9C81BBEDF676F3D54A6BB326CD8B6112C928404E9616DBB8E851
SHA-512:	10C1D4EAA6FAEBDA3FFBC36668EFFA6E8EE96D3E93E4E8EB34D843432C6A7102FB4212AD01E3593BC3D32F06CE6F3C6264BA4D9238A8BB9314B7154C0E213D57
Malicious:	false
Preview:	..T.h.e. .n.e.t.w.o.r.k. .i.s. .L.O.C.K.E.D. .w.i.t.h. .P.A.Y.L.O.A.D.B.I.N. .r.a.n.s.o.m.w.a.r.e... .D.o.n.'.t. .t.r.y. .t.o. .u.s.e. .o.t.h.e.r. .s.o.f.t.w.a.r.e.......F.o.r. .d.e.c.r.y.p.t.i.o.n. .K.E.Y. .w.r.i.t.e. .H.E.R.E.:. .#.1. .r.i.c.k.h.o.o.d.@.a.r.m.o.r.m.a.i.l...n.e.t. .\|. .#.2. .m.e.r.e.d.i.t.h.p.a.t.r.i.c.k.@.p.r.o.t.o.n.m.a.i.l...c.o.m.

C:\Users\user\Desktop\BUFZSQPCOH\WDBWCPEFJW.pdf.PAYLOADBIN Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1070
Entropy (8bit):	7.824711654499648
Encrypted:	false
SSDEEP:	24:oFQtZGW6dhcdvC0PY8g5uHD4XkyGfLrUkWEb:QQtZtjvu5u0hKPUkWM
MD5:	CE755976CF02FE43401BE547C71B24FC
SHA1:	B55785F9482765555F2EF8E33E4722AB4E793B98
SHA-256:	91DC3DF70C7646E9228B9B1802A36D163AD41F1EA74963A9ED231B6EDB0493DC
SHA-512:	DAA86F9CDB6A9421ED1987ACE7D41AB0B74A16E152101A934AA744446D98324A4F8F15812E884CB76DBCCF6C3BDF105EB4B5F75BA5B3B0A975AAE802E832DD5F
Malicious:	false
Preview:	y...+.ps...]2&.#....K...W.>i.6...7 .R/G.$-...kv}.F..5_..2...e..9..5?c.he..N.)..S6r:A0..`.F?.z5.~p...us..u.....W..\...B/E..Q.]V..l.n....3.rO4..#.K..7Q...q5...7......-.%E0L.r.....\|.....#!..Dr......V\|.<......q..Q.~....$...!8.y..g...Y.<....0.h..f..^?Q.T.<.5..n..^.w.....X!?.t2]`..=....s......0r....d..B${.......=..Y...<RX.2.7.+..3.....:....U..k.h9h."2.N.Sx(........[.0c0.V.&.l..x.....Ty&...P.LCH...Q....b....M!.....;..e2...I>.....n.+.~....&..h..K.M..?.Z..`^i.G3L.p_....2.x..#.e.K."....x.s....F......"..R.x..wvK:F.....%.CC..5......=DG....G.......w;z:.t.N?...g.....>o".0..6..EQm.i......5.._.?...C;a..ww....oA...:...q..cs\...n...(..Y..S.bX.d..V..q.}.~...6....&.R~.V.k.....3.H.-O.(..Q.C.........-......{.....i.t]Frc...N%.....th..Tn.G.b.0...?y.....9S.P.......<.#!.P..)rA.W.. ....%Oy..V.a...K.....QN..J.....xG..7......4...R.4..+n.X.Fa"..i....=y.!l.jr.q....fwA../C.::.........@/.D.d.Pr..H.U.$sr...Z....N.@.0...._..0d<..N.x..tp.")=fH..).@..0.1..b.....:J}.`c.

C:\Users\user\Desktop\BWDRWEEARI.docx.PAYLOADBIN Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1070
Entropy (8bit):	7.830591601430924
Encrypted:	false
SSDEEP:	24:wRxKpX4G8CsUTKS5CxgjRRN9Mu1da+yENorCT2P:wRx+XJVsUZcGjRRT2uP2P
MD5:	EAA2529F47CB5270FBF9A3487AD71621
SHA1:	801589908281FCCD15FC17B5D123056123C4D807
SHA-256:	D355E7407616BE3D344E5C187ADFFB7201BD0DC708C46FCFD6C6C24B33CFFEA1
SHA-512:	B4C6401FBB3704FA416BBC568B4949F2572DFC2118193E75ED717CB4CB918F862EEF3BF2D0790F71E0F43E12BF60D36198BE86BEDE22E5E0A44B15E2C483EEF0
Malicious:	false
Preview:	..bK.1vG0.....4].....f.1D..~.4.J.6.p...>..=. ..~p...........J..Q..0...K'..(B..m}m..Y"..mp7..E....j.rpU..# \|w.b.....].Z....%.....S..r.......Q.34R..y5.L.+...&.1j...p.tq/m2YWzl.Q'..@....2.Z6...^...c..P..1S.;H..._..].`.'.D.&z..V+.w...Q.K....k....<.k.J.....a.._.a.t.m...>....vg.."V7C..B..~../.z..M.nzY$..@=..zuY-w.n.v..FM.x..&6=/........}s.@H.Q...b.....V...-b......."...M.........[.8m...zy.+..q...&#dg.....!nY?..p.c....zOn>.]..7.ee1PX^c....U..yGei..l..C....U...\f#.P..v.5.D......T$..U.ZU~..2.p..pM..Q...'.t.......".....%....%.CC..5........F9....I.....Qe...[DfpDB..'.,...K.D...'G!...2..o;\|.^........`0.B.ec.-.4....t.xZy.C.3.Xd.B......W.k...8.4+-.m...\|.IR.c...0...Y.........g;..xd.j.Z.m)..\|.c..q..!<U.L.\.a.m....<.[...Yp.[l. =.j.3[......\|..W.,1....X.+S.1M. .Exg@.N.....}.N.......u.(.n.!W...}c.`Z8z..>.)..5........KHE.&..!....\...n6...E.f.o..A F.....+...~..?....x..pN+s. `..~....H...p.......z../.d...g.E3...w..e/JDoZ...S.....K"....DvC<a.:.$.....2S.... ..m.;......4

C:\Users\user\Desktop\BWDRWEEARI\BWDRWEEARI.docx.PAYLOADBIN Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1070
Entropy (8bit):	7.795082258194651
Encrypted:	false
SSDEEP:	24:a8g7nV8RCEY1zrewvMoZ9t00MfLBmN3SLtsstphuVyUKk0TnYiBSH:a8g7S+JD0nzcCas5DTYiBc
MD5:	D2EC9A4E0781A60BC16DE157374CB5F4
SHA1:	8CFEFE6260B9CC149E27F34DA80968C903245447
SHA-256:	FA0A1D8403920F2C5835C03FCE5E04DFACC899EDED9F2FD876000317F17C2BAC
SHA-512:	507155E5B619A31603B68BEE17656F83858DE6AC39B4C5EB0D8388D18DA5B1E019514ACB10E8224F1DDF460BF6E1EF85DCEF0C9F27F2D4FBC2CBD795EB8A9862
Malicious:	false
Preview:	&..Mlp.) ...W-b....14...b(.]eX....Z(U.....KQ...\....)^...........e...1E.....h.d.......>.E.MP...n..e...6i.i....;S4d.iz7\&s...`.Db,..x..\...{m.H...u.y.8.[..7.m..h.-q.........f.)O...!o...[6(........+....O..D.(`..n.._..3P..5....".`>.IP..8..r...u.u..6.O.Z...+.J.f..A{.6.......`b/.....!.L....1.%. .Z$L.[..K.-D~.u..u.....I.R.".ND.....q\|..j..._...@}...@.....Hl:..%4....]...?.Kh..............az*.5Z.O..m.....D1.m...X1qX.).z..qi.T.[.].............i.0a-....m...u.u.%-...R..%.......w.R1.E.\|(.....\..3..8....<d.7\|.?...'.O..U.zx.1"j...%.CC..5.........1..I.U..]b.. .=M.`Y$.2k.l."5...........8r.B.^.E.`7....8.m.....n.3....I.z....0......;..m..X.\.......e...........K.M.b..3>..... .n_r..Y...1...MVS.\|..n..1\|...........V........).T......^.C0w.m^...8RX3..=.!\....v..e.:6..Q...w.k.']1W..m..F.8...p&.....$]..r.j..xA..s.5hQPA...A.J.s.r).:WZW...FI...r.Q...qX.}.....)..k.B..H..._...1a...Y..P.J.o.tJ....o.....r..=.n..~..}....Bwk......8,t..3.x&Y...'7a.v....[..4.S....1.....x.ru

C:\Users\user\Desktop\BWDRWEEARI\ERWQDBYZVW.png.PAYLOADBIN Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1070
Entropy (8bit):	7.8019407696776
Encrypted:	false
SSDEEP:	24:2czEY264CINT9v1psHf0r3yBETMt+nqB0vuoE1flVQC:dEY264hNT9v1psH8bT6BecfLQC
MD5:	D27A3A7A4DDE74D086BCEE04BCEA16B1
SHA1:	4F37CF7DF9F5FB15873CA6A39609A2B4D1CFE5FF
SHA-256:	9F781B99D3840B07BE1E46B6B677649274AF3EBAEFE26ABA11741EF70DF4F767
SHA-512:	D873D2D53A67C01A695BEC9B479C256B603DCF814C496A20887702792040CA2C30E6E009A6DDB3561A41037C16F2E2254F60997C9C97A60BA4EC6DBDD0E0983A
Malicious:	false
Preview:	.....J.....$.$......={..L<...=.9..p..\#j#P.#&.l......>.....b_.5.v..S.I..n..+.-.......n..g21Z..e..............?BN%.h..........A\|{....,.!..:...T.uT<W.Z....1..E..I..0....G..27.!j../p.0........O.@.HU.1...).G1(....M...k....P.f}n..p.p.=no.....p./^..[<t..Q....U=..[..jtQd._...a...;.)Q.5.Am....{..........tR..._6`.......h"..E...T.$...f.o.:...?c%.....Ea.8........L.j..x....gC..A..-.p..a.....Q...Q...Up{n....dj.W....>..H%.r..j..C.K~...^@....I.B.I.....\..y...n.;....wW1o.qc....`3......T...<.l...%.>Y....8.W.&....6....%.CC..5.......4[.H=.>.kW.....T._..m../@p..[,.P...)....<.........N........6o.....vP1...Q...s....(.8.....bH...._.....Y..#...@l...@s....x........c&!F.}+..P.I....j....5....m..a.=.6.4.._.gj..\|......n"..j.J.u....zJ...S....j2S._Vg.m..\.......o....B-F.5..l...=lJ...q........C.+..W)...t.A.4.(8..M...\.a..h+.5......._..../.Y<...6.]...L.p.Z8.......H..z6...8!.N..Q..n.Zn.....@...S...PG...lG.z.x.....GUb......c.~xm......P]z.;..k..Kms.U...L.T.

C:\Users\user\Desktop\BWDRWEEARI\FAAGWHBVUU.xlsx.PAYLOADBIN Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1070
Entropy (8bit):	7.836256383801681
Encrypted:	false
SSDEEP:	24:pedZL+V0s2a9QulS+GZUo2mWsQBrWdIvCe9yzyhmq:ped1+p2cPlS+GZ9ohaeIkD
MD5:	40FCD7FE4C322D48F6144E176C4F8BCE
SHA1:	D699ECF60191B4F72884E597AFACA790F229EAAD
SHA-256:	C79611DE39E5858D72778C0BC3D4E6E713109A3C99CB719E2113C831A16B7EE4
SHA-512:	0D42582A96576B76A086E667325A7E71D031FA05EC9613A9ECEF0CA52967F7C7C0F09EC9E16A3C3FBDC6D6C3038EB0509A328B233D0D00F2710BFC798C5F0401
Malicious:	false
Preview:	ya6.....9vQ~:\.M0.S.=......39..9.Jc..................G#..,e ...!...hz4.F%..(.i9......B..KI.1..A.A.f6..F8.f....'.[@-..Vz!....B......u`j.".....%..qN.j...k.>.i..9.......W...n.........7.....c.\..=6.t5hP...[z..&9J.;...~(%.r..a...-..V.._........uM..Z8...</b[$X.o.....%.H..IL.F..:S....e...x}...~.-....,$...<.u........l.9.CtT.nz.'B....5.=.C.P...".%.....M..9.J.:}>8..:...................Ea.`... ~K..Y/q(3...j...."...r.....>....c.q=..mS..Q.v.AK.k..k4..{..1...F".p.(L......>."....R.u.8...'(O`.F.bX.3.?A....r..;5+.u..gQ.[.)......%.CC..5......H.L...........OiMa.....Ixf.T.Af_..t.c...0[.dw...s......?w3.M....-.z....q.!..8O6.T ".~.^...."%i.6....;[...n..[..R&.r#..:....g.'.C4v..E.E........*dr..\|`.`..uu..K..k...skh.J..Nq...dj2..1.eL..]..3Wc.<..j:[.........F.(.....]zS..n..kep=.j.......~.,\..M..<.......c.'`........C...V"..0"8$\..!T...t..&...]..(...8....R.^...I..x.uur.S..1A!f..z...ek..#h.xb.'..."b'>.nB..C.GPG..lx.^.}..3.Ne.t_.u.$....(7#..]....><........{..D.i

C:\Users\user\Desktop\BWDRWEEARI\FGAWOVZUJP.mp3.PAYLOADBIN Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1070
Entropy (8bit):	7.789802854440161
Encrypted:	false
SSDEEP:	24:iZNV9m+cWXjsJ48ZaATJ64QvART38RNCppYvng1PIfiD:iPnt8ZaATZRT3aCpiQPIG
MD5:	61F2D83F443048A6EBA25F3B7912621A
SHA1:	454A9E600B9204B0EE5BD3F314ACEAF6847FA435
SHA-256:	76902E1DD78CBDC110BD4AA7A4CAB105C0B8C3EF7DEB3B3C46780FFD6EF91E98
SHA-512:	AC500F5A68ABD1E12DF99B0EC193BBF594044DEB93246B631DBA89C52E4AAC8EB0C19A7C3E2D7312552591287BED39370E5EACE23A7C19599A0DC2141DA0E83E
Malicious:	false
Preview:	G..r/..t.m.....)?f_.qz4.c..Bx.@l;.....a.[...x.5[.e......JfA.I.;\|.w..S....C.)...L=...G......18.5X...%.x.j........N..Ie.n.cn9.4...~.......`N.Nm..\<....Z.S...s..........Q..@."e..o4...x...5...H..y..h...E.4..@=.o..v.0z..]VJ.......o...~.....\|....{acF....e=.<.V..f.x.e...` F...k..8.-p..>.......l....c..[o...};..5....h...... .4..M...d...........Q....r...{SrD..".pbA.].....<.b...y..h...I..X...2..]..D03...(..b.l mx..\..2..g.R..kk[..cJ..Mt.My..$....[JHPRG.N...\...C$..z..z..5JO3...t~.........].....\|...A[I.L:.....%.CC..5.......YQ.O...p......,.#a...3P9.....$..;..;.L..-{!..]&..4.O._(...(.}kw....>m.q.../}R...c5...I....nq.A..r...\|.>Mm.].-n.....x.aj\|&.UB.-h..u.."p....l..Rh.l...P......j.x..!1-l.x...E..j.X.#i...] . .3......_a...Mx.......Z..W...v...x.j..3-h..M.`.v..DU...............p..>.u{..c..f.%....V..c....Fk....4U..[<...(f..8.0O..1C.X2L.hF...e.ei.....LD.M.z.....Q..).<.R_......W@.&..i+.<...G......nL:....I......j..w..*..u....f...1..O. .DF.

C:\Users\user\Desktop\BWDRWEEARI\OVWVVIANZH.pdf.PAYLOADBIN Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1070
Entropy (8bit):	7.800946093948206
Encrypted:	false
SSDEEP:	24:QVZer50N++1M6fPqwfiSXnKAnZ+gdyXOVjefjAeiCQ3q3aKWwgL3g:br50l5yY7nZxy4yfjAeiCQ3q7
MD5:	305DC33D031DFF56BF732AD860C2DE8A
SHA1:	9E4CC9351C2A6D9EF092E6AA6F3E373A76CE702A
SHA-256:	5B3468FC98E188F4E01CCB508481D5A9FE8849DD57A7383FDF6473B40B1F876E
SHA-512:	86EB3426FE24740559C16FB0FB94A6883B53E7C1E7838B470BCC31910DBBCDE274FEF4DB78A000E1843198E00B9EF53BFD14955256AB79DFEECB47A7FC93E264
Malicious:	false
Preview:	.....L.U0:Ct......=..W..Fm..\.VS...P.&..#1.f.s.jTQ.n..j9..n....?].......Y.T........~...`-.}3..U.b..X%.OU...8(.>.F,..ni..m....f..X.E...o{.w.w....u\.."...L......V..A}.@.....<.Fl>..z.......y.h....l.EH...+...1.E.N.A.b.M.2..2.A.xd3.J...................L.SfV.V....\|..eY7.$#.Z.....\|...\...Sn)..'.X...&.gt..1j............vOX...9.]....e..9..l..GP5......8.........l...0..wK.`g...$.5..L...j..=....,...0....{......=".u..!.O.....q.x?c...^.....=....k...6.....Z..~5x6.J.O.r..k........A/...d.j.......5.V...O....Ta`...m10.j..FA...4....%.CC..5.......'..7.'..im.....f..?.w...E.......Y..T...Tb.Hw.].>.....i...Sr.j4...Z.k..m,w.......eT...K.........S.}..W.\|..-F...fjN.5!......4.....J.s}.'.P..[f._..uw.x.g.P.dc.y`..q.&.<...wI.8AS.. .".w........t....%..u.X....3...^...x.N..\|.%.."s4...l.8hd0..OF.^.&.9....q..X+.=E....5.!.+......n.ZW...{n}.`2....r..=,.E.[.....a.P..#\Ge..k.6t..6..........M.PS.;x..e..h.A.M`.5..4./.;..[f......c.Q..tn.X.~m.J@.SU.w........Q..a. ..EI..d..A....,^

C:\Users\user\Desktop\BWDRWEEARI\PAYLOADBIN-README.txt Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	354
Entropy (8bit):	3.4546009930890347
Encrypted:	false
SSDEEP:	6:Qn7KMM0dOLlPq0SlufB6PYxTflE6TcGsZmCulv9l18I30qlAsXQW:Qn7cbLlXSlroNEecdZW9l18Q01y
MD5:	30C95C97318E18000E6CB5682AA9143C
SHA1:	9C90986F29067617D9C13192D99B1104CE1DFBA6
SHA-256:	2A662CAB195B9C81BBEDF676F3D54A6BB326CD8B6112C928404E9616DBB8E851
SHA-512:	10C1D4EAA6FAEBDA3FFBC36668EFFA6E8EE96D3E93E4E8EB34D843432C6A7102FB4212AD01E3593BC3D32F06CE6F3C6264BA4D9238A8BB9314B7154C0E213D57
Malicious:	false
Preview:	..T.h.e. .n.e.t.w.o.r.k. .i.s. .L.O.C.K.E.D. .w.i.t.h. .P.A.Y.L.O.A.D.B.I.N. .r.a.n.s.o.m.w.a.r.e... .D.o.n.'.t. .t.r.y. .t.o. .u.s.e. .o.t.h.e.r. .s.o.f.t.w.a.r.e.......F.o.r. .d.e.c.r.y.p.t.i.o.n. .K.E.Y. .w.r.i.t.e. .H.E.R.E.:. .#.1. .r.i.c.k.h.o.o.d.@.a.r.m.o.r.m.a.i.l...n.e.t. .\|. .#.2. .m.e.r.e.d.i.t.h.p.a.t.r.i.c.k.@.p.r.o.t.o.n.m.a.i.l...c.o.m.

C:\Users\user\Desktop\BWDRWEEARI\WDBWCPEFJW.jpg.PAYLOADBIN Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1070
Entropy (8bit):	7.814683893907665
Encrypted:	false
SSDEEP:	24:k8epohlkDfw+Yf4de+lu6D8U/4e2RkBnWmwTWlDKJG5Ho7s2ZxXK9JpSO9tb5iE:be4lkDfw+Yf4d7u6DfA5RKnzwGaGutxM
MD5:	C76DA3634FE34054799190E4261D6A27
SHA1:	9EE7BBDF11FD5A633AF29F3467CC4881223F9EAD
SHA-256:	DEAF1A191D62FB55CA84BB18808BD6742A5A3F581AD8428EBF11FFF69E30F4C1
SHA-512:	B25EFADE2BAC7F6C58E1E0E97BF18903E22F840CFF2F87105CB8ECCBC88610FD3ACD16282DBBABF20C7F791E9E736377EBE670F62F5F4BA3C5B07211EAC76FE2
Malicious:	false
Preview:	5.......j...>.(.a..YY9.$.R./V.&.h.(Sd..Z..L...D.B.%p_ewL.jL.......3..j.r..8gW}.K...7.......-.{.S.0.....-.ZTG!.u.im.%.T]..D.o.0=#.f.7.2..M..7A"..yd.;..\|..?..F.\|......L3.OP....:]..&....X.$.n.fD.......m.%..==...5.F...Q$.........2......w.-....H<&..`[.....,f.....K.ie..U...[.;.K..`W...J......<......:nP>.q}....K......;Go.hH..-C....S.5..f....l ..;s.x...~:...B....q.o.V.]..v'2s_/.....T..!n.m..eV.U_^@@...s,M.T.bk-:..x.7Zr......'...6m..Vy....9{..X..j..a4R...L?67.HRf...I.t-.....,...$.}+K..\|....nr.@.Q._...5.p..9.......Q]...%.CC..5.......j[#w....&@.r.@.%...N,.p.?.....!.$k...]7..0...]..4.(....=.^.6....c.u.7...?.MC..2.m.(BZ.e...l..X.....As.6d..N.B}..NI33$;..X...gG_..>a.q..;.n.j........S......Z..J...Y.I.[..D[Q#~1.Gy......@B.w.........X........:d...d`.e'.y>KpX..c...........X.8..N.X...f.b'Z.........9F.Q.Rr......E...q...6.V...\|.NA..dx5 HU..i...u..x_..v^..5....d.c.......^..3.w}!.......6Qq$....D...s..9WPp./.m.k@TM......[.........D(....:..5]S6.DY{...V..V....

C:\Users\user\Desktop\BWETZDQDIB.jpg.PAYLOADBIN Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1070
Entropy (8bit):	7.8251573077292385
Encrypted:	false
SSDEEP:	24:G38MjW7PBl3kbqW5VIv1zQFs3QxMEiFf5nVLWQCPcefmQpqu:pMjABl3jW8UqOMEcaQ2mQpqu
MD5:	FA776997B325254744AE94CF11DD182A
SHA1:	3AD2F6A541EDBCE39AE8301771E6A0EC3758971F
SHA-256:	F605BBEC37AA82A8E59C96359B6C721644894DF1C300DE03F6C66C75CCC9D920
SHA-512:	E2312751D9EE61800618ADF54CBF480B0007B29B0ED90B5EC469A74F9006AB2B4A6291F76DE0560D37C80B656670AFE880BA0C22605B68845C8D971EE49C94CE
Malicious:	false
Preview:	.QH.......8.I..KP...S...M.c...1.."..6....lg-W...w. .%........<.l.".S.pVZd...F............!....Qe./..v9.....=...............R.N...7S.4.#].YQ......n..>..{GK)..n..3...a3P\|...+...'.....;..!......m.).H.?...ag..q ..jr...O..D.+K..\...Rv..zb....Y.Q..k..WV6:@X\|,} 2..:I.1..9...;v&.h.V.F...P<."..j...m.h.....2 .N_...-.....(..HN.V9....gz.N.IOh..P...-...ns..u..A......F.6.d..UG.U!5....\.r.0.x.Sf.m...s.\8C./5#.J9nA.._..+...._=.D?nn..lTG.x;8.!l..3.o8...El.".~.(....T&-..W.p# .>..5.veU.....].b....D..f:>:z...z...j\|....&H.E<O.b....%.CC..5...........Zi.............../pH.+.s.......[...yP.H...#..c...7a....vDP-....n.,nsM.f.B.E3....M.;%.g(.._m.:."....{.+...S...w`..AH.d...c3...).b...Y(.}`....~Gm..i.....A...8..K.D..{.$.N......^..y.)w.#....."...b........[.I.Fax.h............`.UZV.H...o..<%!..fn.'.,.E7....J43$......I...,.t..:.g`:9.7G.Fg..?I\s...(...[....< A.&#....m0.I.....UF..EWg1....[. ..9..~.{..R....<.N.u..j...^.Il.w...$.O[....~.7n.G.`..8.(..-Y.m...,D2W(...m.m...p.m

C:\Users\user\Desktop\BWETZDQDIB.xlsx.PAYLOADBIN Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1070
Entropy (8bit):	7.828308832335558
Encrypted:	false
SSDEEP:	24:oGcjF8VU26IWDvl/iKEyXMzmM3QTiNPvHpyND8dXXG0Fn:oGcjF8VnfwEYMf9ZyND101
MD5:	0DA718F8A3ED4445BDAD083460AA7400
SHA1:	E2480FEF8B32722C0B2E0E0E3386C50A1ABC140D
SHA-256:	CFA3872A9CB8B75D2F878564FE0FCB0A59AC14D58804712BE0B6B8472ECC6877
SHA-512:	BA9C2E74B53E240D6A66CC0A74FB3E373B2EF76758C339EB5F20DBD202BEB2DA8BF6C727DF1B849ED9D1A6BA089D2818231BC177657428E431FA38B68064BB9B
Malicious:	false
Preview:	..3.,a...Vd..}.~....Af.......Q......6"'........D..O..l...5....Z.cc..=Y_...Cw......a...H.p....b6..b.Oe.J..........s... ..e.9.U[Z........./?..{.....h.8.-.....m.....m.r.t..M.E..jk..~...+.X>Ef\|.o...ri.T.-'MK.<v....\.....hf..E..R..yb...>.5sW..&.Yj#=.Jc..SF..........$.\|A3.PS.4..e...)....,..}FR...vT.y._./Q.p3^......`...].+..#,..!....+......bm..A..Ka+..o...[....m....wc..C..~...5.,....Y1....Fs..pj...n.,x..6.-)..F. C2..#...A..B+..?...?..F.`2..6....8......(......:..^...?(.-%.......8.............8vW...9..,U'.....d.t...%.CC..5.......J..g..m!f.5.6.S+&(C..........P>..qx...R./r.;.......%!....%u..5O..Na..(...)...H....4.Xi...!..=R.F...3..... z..b...;..k......>Y)r#K..k.T...w{$<}.......o.._.cd.9...rv./...."b...'u TU+f>.2%..o.....^w<...S7mtOvo"..+^..U.....HT...4].h...M..v^.....c....\!u....\|.OC......W+o#../~. )!$...\|p....@..O..........\m.Y..[.i..R....'..mj.x...0i..b...nt.Fg.D....._..S..... _y..%...B.H.\..V..I.Y..D.{....*....L.\|.d..!.V...>.}.\|#.82_.. ..Jg.g

C:\Users\user\Desktop\DWTHNHNNJB.png.PAYLOADBIN Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1070
Entropy (8bit):	7.815769544434273
Encrypted:	false
SSDEEP:	24:1ACyTVYFv33X/5OARle1TdMkPiVM8J4D1WrEn:1tGVI3MqGdMXMM2MIn
MD5:	A9C52E48E514A7BC15EAD2442E6D2A19
SHA1:	8A49B6065184CB08772388598466F12FDAA5197F
SHA-256:	8282B48AF61F69E82FDFD0D7C322401F606F01EE75B4CFA5D073556A90CA831A
SHA-512:	A2992DDA4162F77C061A2B3C5FAE7959B010A356EE4E38A5D4454426EE3749643FF0F98F04200FA44C473DA8E6AA80C2D4996D6FF9142321FD2BAD5DF6A12344
Malicious:	false
Preview:	c..O.d..X\|....B..dW..K.J....7$&..g.R...;f.+;.5..+..m./.k........_...8......./.....A.{....#%....h.u c.P,..c).....:...p.64F..3...\K.9.J..^.c...V....z...u..q.hrm...(..6B.....vh..l{]P...D$...B.#g.x..c...rC^f..T.y-....7..i..y@.^.m...).#...C!..._$......7.._bjL\i.<.3.3..g#...^.(.%.I...]...~O.....4d=$y-b.r..<...lx.....Vf..c.A...w..D..b{.......2m9H.Dt>....,...+..g.Kx...e*........2;W........).j...b..../.\|.T.......C.....i..<..9.y......2..yAM2.L...0.......9u.G...........E..A'..{..i._a..^.Rw..sp;s....i-.o.:.u.......%.CC..5......U7...O..~..I.B..s...z.....3.=f..'gI..=.A..t.J..`.".6~/T.....yzG.....V$N0.[...8].o...W.v.r....=.F...Y-...-v:.I...\.JM.U.\8..m.....x...-aK...Ra....~^5,^....r..o.......[.?/w&.ul.(9......hd0.c....$......WgBp]v..B.'5....t.c.bl....gl>....F.........l..1)g<i.A.T.k.+."@..tU.Q...e3xf.4h.\|eH..H.,c.r6.W...~V4...w.G.o.dO.W.s.V ..m!.......4".\|....s.......1....In..6...bT..+....x.,+OE..Rk........*.....U..<...-"F..n...<..=.P..8

C:\Users\user\Desktop\ERWQDBYZVW.png.PAYLOADBIN Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1070
Entropy (8bit):	7.8194659294465945
Encrypted:	false
SSDEEP:	24:SpDAVZF/ChEgmIiTE9KUN4mJu04MGFJa27vPYs1Gwrs2C3w0xui:SVAvF/KBiTMpNtunMGb1GusTr1
MD5:	2AC1E138115DC935DF7D95C293C3DEDB
SHA1:	212AB7CCD8D18EA247093AF45E49A41CEC6E892C
SHA-256:	D40638D1AEB3552B7B44EEB0D773F6A38B951BE1DF468434FA41971D4C009E77
SHA-512:	AE048605436C98F0C93738993A60597EC71B7F7C949E69CCD38B8911D32457602040BDAE9376181A17CE3CD50C123532F684A92A451C73699348A086F228F7BF
Malicious:	false
Preview:	.A..?.c\..G..../.r.U..aTa1.3....8.f.:.H/...Am.l!?aa&6..f.....)cE.D(.$t^.&..T.C.xz.L9^..........f.-IgU~.~...0..&%{.l......6..:..Z...)....GQ...X...5.c..V0....N...:...3.'....`(..Q.b.......i........#.qgt}..YB...1C"..U3;J............h....@.p.PL3}.l+8...;swr&q...)K(.}........1d...HH.o/..@..Qh.../l..:-\.._-.W..e.j54.YF.n....Un..o.5.....j.E.D)...>....Ot......Q.qt.....\|.....z../(.U.g4....Nf....h...@..".l>.V.Kp...s...]).....'_,...y.d.m..e.. ..}lf...Y...?.af...R...Qk.9..5.>...(w#.M.xZ.BF.....W...@.U.T$.""}>..Nv=...6m....%.CC..5......8.'.URO.mf.o.P..........v...L..vs_i..3Y...A...:-.m.kC.k....M....,...O.......g.T.vc...a..L..%.."..-..._.Y.h.`Kb".t...M...O......."......E..~Nt3aU.h.....}n...MG..7b.........YL.~..O.$P.._.G.F3.Ma..f.....?..yP..;.."...f..k..2......s../.^.<.A/F.....(..0...m...2.O... W.........`.T..Hi.+....."&$+t.L."..#g.'.Ijv '.p.Nf...VZ.".Z...AXOV.a.i. ..iP..U)....%x.V..~.Baf..l.....KQ..e0P._l..y.T....J^g..<X..........?.bJQ....\

C:\Users\user\Desktop\FAAGWHBVUU.mp3.PAYLOADBIN Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1070
Entropy (8bit):	7.845311160097936
Encrypted:	false
SSDEEP:	24:HVi8WxIjTytpkD7sRjTatmc42COXWzeFlZaDtF3dN:EysOD7iWr4WXieFLapFz
MD5:	ED044A39DC60A5ECB4CC55C22C14C255
SHA1:	58A1C608AAEE9868DFD1E9D3D50B45DCA2589105
SHA-256:	57848DFB235C2D094613017A06A35E8B1BFE06CB98A16FC7B22766761F8F00C2
SHA-512:	1163DF423AF22050E733AFC6B36C261CA3FEC019EF1FF401E4FC4E2602411F7C8101C99CC305D52C3413FACDC230A05CF58004BF6624505A99DF40B64E0EAFC5
Malicious:	false
Preview:	.NI........V+y_...L.8J7..cK...\..!;..Bj.....-wV........A]g..#q.es.An......Gp..[t.3..r...t...cJl........C_...lb.......\.#..\...W;.W...p.T.\|5....@Gx...HZfN6..Q.Xa.]N.A...A..H.=....F..w%...k.=..$..b.r.J-Ig.iBR$....<....s~=.H4.p...VS...;.o...c.o. .Sr....'..fh..T.7.wx@t.'...9..$...?....i..u....E"r."w..f....M...g........a..`.X2..0n.H^.}....mmx..&..Urt....t.j..o../2..pw..}..E..?..9T.a......"Ca.l.:.8.i..#..z...+.~...W..lJ.4.5e.s6g.g....Z.^....Cy....Lf...1..0....L}V..A..4b..."C.t.f......:m...m..)$............Ay...%.CC..5......kZ}.t.Br.9.....`.A....Z..."..xV...o.Q.L...Z....r......B.gJZ.......Ftx\..1..P...=s.j...%.$.6"gv%(.A...)..4..`.4..5..~..a&.S.......U\....iKh...vk.+.D.])........Cq.u..........L..m7h..(...6..n.+........Hd.$...[.....8.I...X..G.M..NKY.>......G..\....#y{2V..o....7.%.)...U..W.E....S..,Y..K..xqB....^P.s.~.\...l.!.....i.b7...*.a..Y..d....A.}.#P..pd..,?..(l.'(.t.`..?}...!C..K!......s....k.h...O....>...'.......q.4......S]G

C:\Users\user\Desktop\FAAGWHBVUU.pdf.PAYLOADBIN Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1070
Entropy (8bit):	7.8161851497644435
Encrypted:	false
SSDEEP:	24:QV9FclTeVXtQAD4J+pzpDOmyEMfl05sa/I3c7:QVbIT29QY4MXDO7EMfq5vGM
MD5:	B48FB4620B66295F2C3B5C9F6B9B96F4
SHA1:	5B162DBD3BDEFF2F23464CB3D2387282C5D98EB9
SHA-256:	95460FE9F18A88448BACB59DE93DEDFFD9D36ADC055D162CEA9F0A4CD4945BAE
SHA-512:	6E214CEBE41432A465245517B032825B2EF41FB2951BBEE9D6C136F7E1F3AF2973B63FF7A2C9038B5FCD5689E37A34B2995DFA3625FB6CD29410B4E29233BB1B
Malicious:	false
Preview:	.jE......0..hc.W...R.%...'.u........A.M.....f.Y.h..RD.e..O.....O...5.....n.s......Q..xG.N2....,.L..A..c.i.\|vz".}..(.<.1....m..0.=.w.....O.&...a...1l..nHo.....6.K..bv....t..#....#pA...Q...>.'k^.a.....GeevZg.n..4HX....N^..J.....J.Fs.!..V.h..s~......zM/..s....<0..=....,...S..^.R. =y...n.....),:&i.....pH.$7.)d...!m#!..)..{Y....\..,G...5O..[l...l.Z.Yu.^A.;(T%4...b<3[N.S}...V._P..'.{..IS.lP.S..."cx.{.......a.......P>k.D"...`..'-X...e.4[...S.....p.X.jwX...D0m.x...B#)m..k..z.o...L......'a'...a..Y.\...6rT.....%.CC..5.......t....&....I.vL.h....t....z.L.v...:.4....0..F13;.ih&9.0..BNdY.....mVx..AY.j......_.#k..v_=.......}B...C.....Nd3.+Zh.5s....4e.R....."02.J..>.b.m..!..;.t......4. Q..yz..r.....R3zt...[).~.cC.T...q...^<...7%..$Z...x..2h......P....j.^u5Z(B\.Y-.......I.g.zU..2...oFz..1.xa.;.we.0..".(.No.,{.7T .z.s....Y.i......7...Y.Pl....w.....!.,.]~.BC..j.].+rV.@6...)=.[...v.T..../*K(.r`[...4U...pH\.....m..^W.0..w4../Gt.%Rx.....

C:\Users\user\Desktop\FAAGWHBVUU.xlsx.PAYLOADBIN Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1070
Entropy (8bit):	7.795824240459786
Encrypted:	false
SSDEEP:	24:iUSLNGkeuC48/FWQ1UhVHuxizeLxMsq0bIIYJxjE0SrNT:iFAkzC48/FWQ1U7OxizYjIIYjEHrNT
MD5:	3796863871BE3B9BAC1D5D6F8F0A915E
SHA1:	320E990BF8AAE1A797BC4561E2EB8CEDB29D6DFB
SHA-256:	1D5692966870309FEE34487820B8A52C9E1DF40A27E04F3470334A20725CA5D4
SHA-512:	D8133DDA4434027B8EC6BAD39D359FD18FC71B2984A3F2FE25E9EA650BA7DD16A132BC7CEFDF21AFACDE5B02AD4EBB46F71DFA1D6DBD98AF11590E9BBAB0A3FB
Malicious:	false
Preview:	:2...g......<DjO..:..D.l.^f.F.}...{D...C..-........@J..Y...i.O.......%..)bqg.........sP.,.........u.%.H./...s..%Y..m..R.<y+1$. .w..r..s.Pnf...rk...&...3...{C..V...a."..../.w.c..TR.cd.fK.......K.de@.ef.>,...k...xA.....3.\|u....?.......3.....R..1....(.b7..+.&..oF3...{z.+.FE. v,.I.s.........R7....D.A.k..0C.../......{.k$#Y...g+.+.4t.@n....7P..W..Q=.L.X@.....!V..cb....T.}@....y~...H5..F.v_...ez.......^.1.>.~i)..h.M;..C..C..a.#.X.=.`.3..V.~{.\.IR..~.S.1N......1[PWH...._2..$.......-u.G....Z...]\| A.....{.BbQ.F.....<....O.&!...%.CC..5.......Y..[F.O....hAY...n.H.n.X[....>{.N6.}>g..V.:_.5.K....^}Ab..f..b..Lq$Q...$/.....z.(.8.}n.W\|8.g>..Z-5.fqi.[G..w15.mb.a..d...,..1}b:na.a).5.k.ki^..'.:..@l....om+..:..r.:$..y.M..~/.j.}.s/..................x..l....I.qh(4..uG..v..Y..&..,.h...z.A....W..i.}~.r..+H.5.x.8.G~Y.Kz.3..q....~......m_..k...".y.&....U.s....R.&.M.@N..U..Z...x.<,...ki...O&..K.[.P..[.+.G.n.Z"n4.7\|...S-q....g7..#.7=vU.Y....Y.=..<..$..b..Q.[.R#.&T24x*

C:\Users\user\Desktop\FGAWOVZUJP.mp3.PAYLOADBIN Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1070
Entropy (8bit):	7.822007480308206
Encrypted:	false
SSDEEP:	24:ixj9yBtZOPwbAyatoXukk1zI5oGyJqgMAXgXGPk1PMZXo:AeZOPwbA9GendOiEBr2M1EZXo
MD5:	C9BDCAF4F16C9FEA60F7A26F1286CF72
SHA1:	DE0029EC02AF0D2C1A2F0C5CA5D7A1CDBAE1795C
SHA-256:	A2202EF73C398DC700F101BD293D446E4B9C2E8F19318BE15BD6AAB5E22FA4C4
SHA-512:	ADBC0D336747AFC495B60D77F26E0943E62CF7D2161763534C5FC7FD8CF7C6CE3918DF6BBC718AA867D79E2A439F50F40F52AC685FCB8A50667B7199D01274A0
Malicious:	false
Preview:	.6B...aj...............y.?...D.h..:9...h....H.R...hZ...j.....X..8..........S.5.>=....j.....e.A..[.\|.k]w4S........$.%.W/.'bL.p..P...U[.Q.1=.Q.%.. .\|....d.a.....t...N).E...,.RxIO<.vD]..?...[.T......@...^...U.C..J..!.2....`].8.4.;....C..sT.]....Z..>....Yz.M.\.......g.f.1...Nl.G.t....q..k.u......R..M...34w..~}Q..;.B._...<..PZf..<.H..!...;.M...R.h.z.!..W.~...a$.s6z.:......S.^....C......69.{.eV......r^ME.{.s../.Z#..'..1.k.!S\|..../q..2..X.'.../.^..a...v'............}i....\k........w1....j..]\|........r#J.^>..].N3.$.%.f...%.CC..5.......\.fEA@..v.s>.h.:...N..J./.HN..d.@..5.n.....Ct.....GD.i...eXY.t.....o.b{..28...Zn.5a...Bm.!.....n....:v.k.EM......%]..3..@y....._r..k....."y...zZ.6)iT1.{t....s=..=.a.%9.f..`....dk.n....p...dg.W.k-V.s...#L........u..H./&...q..9.#....r.....g.O....C..........m.~m.......co\|.......:.*.(..^.H...M..........a...Q...,.B..1D..........{OK...).b{2zP.ih..3...y..AO.1..ld..'Z....cWZ./.$.TKf..&.h.;..rN.........6......8...h"...B.

C:\Users\user\Desktop\GJBHWQDROJ.png.PAYLOADBIN Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1070
Entropy (8bit):	7.815500619113904
Encrypted:	false
SSDEEP:	24:9LNVBG0w7oAZZLK6DrxttXB+IxYDE0lMldNxMg+4+w83D:H3G08LK6pbeEHl/xBF+tT
MD5:	C4BF6C0B401BE0AEB966177D1A23B1F3
SHA1:	5891E069218BE7638AF0C32DFD9AB7487927C04D
SHA-256:	358A7A24251ECA48F3683AE25BB2B8F29C64B3C45D8469A10C6A2E759BCD3557
SHA-512:	B2A753A8EAFAE5FE896141FDC725A66A8363B8EDCCA8B033C78039E705A285A43B684637D54D53453B8AA83A2192912119B4360312C967FB532BD082EBF7F420
Malicious:	false
Preview:	Y.u..30.0k.uf2.....me..S.._-.3YU.$....E.^..1.V........ir.w&S..B..r.....>..............c....,C.4S..A..../.....En....8.....t....7.y]C.....+._...lY.U7.).M........m..y.".O..#.J.}.....Sy.k3.~.p..`j.`.Z..go.#B.%r..X!.=...X.5..2./.S...:.4...M.5.P{.>....{.=..J."BV)..p....._.NC...f.i..7....3...d..A.#T......f..x<Uc....S....z.."...V..)P^.]..L}@.%..7x..g.f.1jy.....>.+V..0stq...`ib.;...a..V..[dW\|.5..\|+.4e....... ./...Y.Xhd.T.....Z......c...b..U#..O..\|lA.......P.5.8W.a.@<...V.5e~o.r.)........G.....2.(...&.X....j..G.......%.CC..5.......P....$...u.A.2...L.yx.[..{hH1P#..DL...1...b/s....Bd......78<n.Y.k....e.\|..2.w.....,.............4.......p.H.m.....G+l.n...K.r.B....f.c...I.Y.W6~}b]C.r.V......O.........Ke.G..T.v....}m2oO.glg...qh.t.....r!.1.O......G.z.....u.&.x.~$/.../#5o.0.]sm....P.iL)Yg..#......#.B....b...c>.D=....&..Z....."#cg.p.gg?F)*.....5\|.d.h..:.S.`.K.........w.I..O..k.....P..4......5.....#.Nu4..zhn.k......H....ztJ..=...jFNU..s..);..\|.O...v'..).

C:\Users\user\Desktop\GNLQNHOLWB.docx.PAYLOADBIN Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1070
Entropy (8bit):	7.8471829772022526
Encrypted:	false
SSDEEP:	24:Uh2DX7sqeQdiu89icDmxSIIR6QuBh2jxxvPRq+5Fzyu:Uh44qnv89Kc6dvcPvPRqezyu
MD5:	2A063DEF2CFC329A6ED0F0096A389547
SHA1:	4D99D6F912568CB6FC211373F3F8DC9604088B8F
SHA-256:	9C5DFF929073A7522263C6B1C09D022349353E4F3119F88D1B927DDBAFE11546
SHA-512:	4B670444D8FA1462BC18C5B685A87E32DBA1679E26974C402E37EF66506ED399382EB9C5FF3CEC464F50B18F558D30A22B0E2379C435D9C733A1E8AE5D67734E
Malicious:	false
Preview:	e.\|....gd...4I..3Q5.._k.$#..3Y..L.....K....OE..E..O.....X9<...o....s.n..).G..........S.;\j.h...W3.a7...c........3....O.G...U..l4...t..]..f./..L7`.~.+?..$.=....$L..Vd_.z.....M4.,!_.RT....\..I.!..#{(.f.RI.#7W.b'....%....Xl[.aP.....:R-b..V&.J.Bh .o....G.[{K.5G.........0.oO.w.F6.,..^.m..Jc...q..?.n..=.&b.......&...v..b..<..z?(.G.09h..rfn.q..iMq..s..<.oW<..2.....h.K../>.......'.. ."..`1...y1.Z.Nj.A&{.g...e....U.5...w..6.a...=,Z..4<p.o.c....a..r....;.......{#.6bP.Q...W..l\|.G.......!P.T>..G...,/.b..O.........lbzhCd...%.CC..5.......v'.~.qR........~......2{..R...Ej^......K1..O.....,Z....K.Z.3?....#.h....5.0^...f.a>.W.4...p..%.$....X..M.>Y...mJ.S...C..je._.J...m.sC6s.8.v.,.P.k.E..=..'...o..k.2...o{..m.e.Cb..X.%:..=.U-q.../&..........M..8\.YUlt..]...A.pd"..!j8.g#p..>.=...JN.t.....R.;.. ..+QP.u.........&.z %p...JAD.....6.. ".TJ.........=...r..r.a...!....fu..i....(.(......\.......'...1.\.@Q..j...0uY.}. .o"\.n..]..#i.m...9..>..,'.nA-.wi.....[..#\

C:\Users\user\Desktop\GNLQNHOLWB.pdf.PAYLOADBIN Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1070
Entropy (8bit):	7.825165351764155
Encrypted:	false
SSDEEP:	24:1NOtQAV2LSEipu95gw0HEd4c80eFy6xSMrC9XW9IU7c620Q/1:ytQAQLSFpuw1U0J46xSMrqX9CKd
MD5:	5BCD6AC0A6790375F877A543871DDA6C
SHA1:	041E23E23280CF9CBC1F3C185EEC24BD0908A743
SHA-256:	122FF276A9F2B229EAFF199A7AC6AC8032A2C80A19049CF0A1EECFAC43F54759
SHA-512:	ACE2713D2AFD51C3F509794DEB771B19BECF1CBFFEC8F798A63DCC9D6B38F7A22C77C03F3EBC9C56667A894D88D889F5D1CC4084C037576A0106D8ACE9F5BEE4
Malicious:	false
Preview:	.ulW.....v.r?..e....e.k...!Z........>...q..zj.%...leG..1.I.8"q62W.....-.B..........@..o.........y.&.5{..@.{f...K.^}t.6..lNW4.+6..9./.=...J......8..a.....ax.&..J.......`M.7l...fn.N....3.7...uE7...W.X..X.....s%.....l............9m.`../M\.p.0..=....S.Q......+.....vo.th.+..4.....L...\|g...5..?....MB=..p.}.Z...\|.....q$..h..c%s.&..y.^.%9;.N.s...s.S.X...".Q..ew.b.`\......8]4.3S.r.Vv..SS/?....q.#.mf6[T..~....;..E.A2+...2.w...;e. c..,." ..R....w...K.......0.-.....e.Z2U...&.A...T......y.....%...H....Z.......%.CC..5......V..YS&X...F.vR..2..,H..-j.d/.A......@..g.D.l=b...w.}.....H. ....7.....wV.,.s.fC..aD`.........V.]^.wB%\....LZV!.."F9:$.'..L.^....~.EW.-.i...f..$..d...r..:.G..B.$&_.,..H....c..Ta..v#b...?.\|0.%..m./. D..:.....S........P..)\|"...6.n..qYR]"nt...]`"..q`$.D...........V$.,...{..m.*Do}.)n#.q.~...AB.C..[.\.......E...N...m..j/...$.J....l..V....u.7J.i;K:=....F..\|..&...a......]t..B.{HUI...,1.i..O........=Pf....l..m....A@.+.....F}ID&gd...1

C:\Users\user\Desktop\GNLQNHOLWB\BUFZSQPCOH.xlsx.PAYLOADBIN Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1070
Entropy (8bit):	7.784639886838374
Encrypted:	false
SSDEEP:	24:7Jp++8UpaSRuSDH8t0SC4FFTnUOVivk6d/QGVva5Us:7Jp+zUpaSBj8dFDURjQCC5Z
MD5:	5573FDE2C859A8F9D58724388FD59857
SHA1:	3CBBEAFF1D65BEAF37688146DFBBD6D7417650A3
SHA-256:	F05109E3B987DB452E01803E22A6E4C6D38C3BC54DAB1C391AFF27A9C2C44C60
SHA-512:	98CF2BB0E3C7ABF15BF927C1E8FDA538A358E803EB7EADCBFA78D9E3B5935F1DA84DE8F5286C3CBEA1A453C1BAA8B8FBC88DE86B5CCF416B37A92271ED097EBB
Malicious:	false
Preview:	...~....:Z....f....fQe.....Y....l..e4_q.l.K...[.]...C.}.6$.vA.....5W..w;..qy..GLg8....t..-...S1E......"......m.....U...<}D...w.4..z..-.......Ri.h..Be..J.......ar.....e.e.).......!;.0>.-..\..i.o$BUqu.......k..?h.cV:4hF].z...j.......)3...H0.t0..\|..:.a.?..,s..r..ev..... ..E..R1..........V.^8sB>.....g..R.P.yc#@.?A...B...L..}.....5.........G.h...B....uJ.....x..K..{1..p.1`..'...V(.s..>~.X.;.g..,.._R7d.i........P.....]9..g ...iiY7..\L.Y)](.z..~L........DU..>e.^..&a./].(m....^...k*........4.n.I........T.....%.CC..5.......O.(K....Ik.....C.u...-n.U.@.6.Q,.t.q..ti...vr...G.F.......5J../.R..o....a.+..J...e.3......&;.,.Re.......z..k..#...\|~}.\|.2b.>.r.I.....P.8.............(.6......>z..n.....k.1R4..HW.Lks...7y3..J.V%.......(.d...@yf.&b.w7B.?R....7.P..o..W.@o..z(..qq..b.F.)...F..I.RK........./K..d=...^.o..t,w...8..-.//.../.HTj.w&q(+.\..f{8m..X.>y.......r....E}..,.a)o......K..n.aaQ.........>...8w...(...t...{.$.y..PR4/[6.d.....b.b.PA.Nj.z.

C:\Users\user\Desktop\GNLQNHOLWB\BWETZDQDIB.jpg.PAYLOADBIN Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1070
Entropy (8bit):	7.834595940860576
Encrypted:	false
SSDEEP:	24:hroqAadcd433wMOQ7ot7+KGO3TD/nQJEAouWQmjePNzfjYIICUuqB:hroqAam+6t7+pOjDnQJiQmaPNoI8rB
MD5:	3CBF5DEA0A6E6A75237D800A14C8F4AF
SHA1:	9099C40CB923B4C6E9FBD329972AB758DD1B7589
SHA-256:	6B3287F7FD49361E71663FAFFADFBEB910644FF03BAF789755061A62B022255A
SHA-512:	6FA1FF33687D071845DDAAC16515FFEB29FC116501F971B220658D090FE36880794909485F09BFF54A1A469D762386FB760672DCC2CF9A1AAB25D2F3666E27A0
Malicious:	false
Preview:	QS...~J..c...ch..K1r...P.k2.....:L.% .9+.d.....f..g..9.eN..H..dJ...Vl.8Q..mHv.....E../\|YLU.{.p.Nj..c.."d:..ox}o...c>[.~..BU.].8....0..{.h..U.....I#..c..N......:.i...P]N.....f-.....m.cN&`......#.g..)../A._...d.z9j..4.ln...p.....s..A.2.s...K..e...x.y.p..au.S....1..D.....+..i..7......[..J.Q..P`..6e.....D...(..K.S.....G.Aq...?.rY{..Rno.,........t..fs..{..Y....c.....>..;x...`.s....J....D...6S.C......q.d.D..n.V.&.W.LV....)z#...^..;..3TeT.g]?ip.9.m...6R.L#..V....O.!Z5.n......Oo.G...K~......,C%..^.i".1..I...{..8wvL.W...%.CC..5......3c]...F4....wq.!......}...#"."-.y....fbP......3.t..wFE../a.m.....ix./zc...."m~...d.1n"..+p.F...D.K.l.S......+.M...l.S...y.....<....k.M.2..b.g..,6...#D.bD$[.@..9..k4.L......s..@.?....?%q..[..=.......1'.y.[4.&`.&..`.Ll.;.f....v...7d.0.Py6#.....K...<G.6-_....`.4.&]....I}.".;../.Iv..l._.;-...C.2......W.\|..PsF..p..%.uu..'.\sL.P?....w....W.Kt./.a .7'kk--...AG.u.....\I&.zt..{tt$....U{#..+..._..L..6...I..\....:.KH)...C...Nl..

C:\Users\user\Desktop\GNLQNHOLWB\FAAGWHBVUU.pdf.PAYLOADBIN Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1070
Entropy (8bit):	7.806416467875031
Encrypted:	false
SSDEEP:	24:elfGvk2mEgoD+sje/3vAIrMW5X2Y2HakIydz/pTyysMJ3:quzgjb/AKMoX2JHak7jW7Y3
MD5:	3281A564ED5CDA6B631A82D4FAE17D95
SHA1:	E60CDE19FBBA11C5C17D3CDB5C244590F3BC0D33
SHA-256:	3D3BB4F8F5BB3E6B4730300AFC1C50DE780CE4BA799CA20B11D05383DD59748F
SHA-512:	A14135B6FA6E838D5F17D7EDC4D9E3F3884405762B646232D72599A9E47486BBF9DE3C8B63851CAE461DD2B1AF987E9400B269C7C2CA667B2C64FE788E46765B
Malicious:	false
Preview:	..O..a.>.B.D......})R^^p.6..U.. .......Iz?)....g.H.a@..wy......\.8;..w...P]...3..f....5:..F.u...v.....=.....=.........Q^....:AC..7.l....4K..$.^l............4.\.p.X..<......X7.]...h. .\ZUi4L.[..p.w.......#.b.....@{L.............m..#A-..,...5j.\|g...H#.....7.........v.1."..&><K...FI...t.....#x.b..4..N,..4.i...f.\|.....4.w.h..bk'..r.b-.....X'.WGl.]R..U..sj..v...6. .....b....s.kQB!..O ..].J.e.g..[...B.[H 2\|;'C)"7..%....n9. V...Q,Z)...i+w.C0........8s!....V.o.D..ila.........e#.=.......K..H$-.?\|..Ev.I..,.......2....%.CC..5........z.?.O.x...#Z.f..J2...gO.....#..Q...Dr..Io..R~d...&;...F(. i...F-Y.P. ...Y?...9.h...IWq.H...2.T..[..p=w.r......+.......,...$+#~.V.wN.q.q.2.%F.M..>.....k......`.w".chh.r..F $.[.1.r..crI.v<...^^..#.y.Xp....UZ._..T9d.xv..V.u.;..I.D...W9.[..N...c.@.....c...kKc.}.x)g!q.J.xElir....j'.G.n.".Z.>.6[..Z2._...B.....\|T......*.$x.K............a.%v.Q..:'C.f.......]....L".>...b.._.\A5.12...R../.Ui.!I.+~..<v#...mg.6...%..2.:(!g..u..m...

C:\Users\user\Desktop\GNLQNHOLWB\GJBHWQDROJ.png.PAYLOADBIN Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1070
Entropy (8bit):	7.84100808146126
Encrypted:	false
SSDEEP:	24:o5FxDLiuNwlrxouFJeKjOifsAxJXaXfRd9PSMD2+znOBqnHDVkjgpa+5:sFBL2lrxXFJvsAxY5rKI2yOInHewa+5
MD5:	ADA941B72F1F18E86F6B8F1AA6DD34B2
SHA1:	2779170D9DC5059E758D73878CFEA1A305D2D661
SHA-256:	B7262955C521703AD6E034DC3101A1EA5CC184F9319747FE55645A455BF7FC16
SHA-512:	402E99973171A30BB8BC09106B5BCD8DAC25B347E1721D5168A0B97392B1DBD5C1187EE2BF51A18B0C6ACF55B9900BF0DBFA11413E8A9B3B923321B2DD240B10
Malicious:	false
Preview:	.f.QI.X...mg.g^..C;yo..\6.$/:...R.B.=.....5......w..}..N.Q......9......pj..~..........RR.s.e.Q.,.[#+p..n..........(....T.N.).V.e\|....V3x...A...._.xPb...D...jq(..........@...u4i%.h'....Q.}bL.'.k{.m...w6b....j.._..N.h[......0...v....@Nx!x.dU9.l...ij;..\|0..%UK{9....v.W.....7.#GH.Mn...@w..~.Zj.w.R...)M.LO7.$....\.. ..X.M.b...wB......!5....'Af.MW.=.c......8P..d../..d. Z.y.d~W..8..l:@s.n......9...ItIR?...-.:-..".,q...pUj8.8p.....q<.#7.8 Ldl.:...v.OYI......nm..R..-s..L............T.w`kN<._...gj.M..T{....+n..qp...%.CC..5.......`....]2'..j~Y7B..}Ek;... .......+.........C.A...<..Z.Yqhi..+...\|d..p...h..m].zPG...FMv..&o.;..B#.....c.O...f.[.]..}......&...wK......K....F.o(T..p]u.m....X..J...=.C.[.%f...M..v.7.\....t...!.-..0......\.......%..#%.QU.......S.0... %Z..T.?,..S.].a.{.S$.+.u.$9.=....9.. .^C.d..M..J;0.hGw0..B....>.F..(06..*...R.,H>.A.....Q-.>..[.x.Gs.LM.........T.'.m..`.....g.&.fa.rrp.....'..{.Qp}...........$@.m.\|.n....`....jx...-.E..p

C:\Users\user\Desktop\GNLQNHOLWB\GNLQNHOLWB.docx.PAYLOADBIN Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1070
Entropy (8bit):	7.786888684619759
Encrypted:	false
SSDEEP:	24:C9buOWrorIadBGiR7knV2jxVeeS+vfyNhez56+h4o:CFWrorIaZR7ukjxVv63ezM+hZ
MD5:	BAE4A07AD58C29E2F010EE2ED006E032
SHA1:	43AE93FDCA711696BB3A2DAAF791DEFCFC7DC7DA
SHA-256:	7354A349038EDB94F169F66A06B4E439B6F333E1ED0416EAE4D6098455D1C806
SHA-512:	1FF3FD3CCFEB86949D63626FA4190857A7FFB5E80CAEE1ED02CCD68B83907B8B3A7D0AC48C407DFE816CDEC2C7026D50ED2CBD2DD40E9CB49FC31EC0BC1F3122
Malicious:	false
Preview:	g...)..\6...!c...&.&..Na..p.SMf..tc[k.]............<....N.D...R...K...).M........k.fn.......Qt0.I..")...o8.........@"....P......h..Y9.).+......'I..)_....k....?)V._kz.o...\|q.v..^..u)yb-L.............bB...z..1H.^...>..q..r......).c.{...Q..}!.....$c..e.......d..5..V..Z./xUWY. ...w.$+\|R....h..w:-..T....4.!........=...).[[...n.......-..F[.....F6rKb..\|>..r6.8..c....V....y$.Ei#.z..}...._c..+..."..p.#.z...O..z.......;...p.....a.3.../Hl......S<............/.B-..).P`..g.z8..B#..THP..N..........a...)...).<.w.{..nH..8.. .......%.CC..5......Hb.,........V&..C.0..t..N.sl.\|.e..4^5j...O...../n....!....M..{...".......s.f.YH...U..U!.v.&G_fIm7 Te..q.1.l57......a...r.....?.p.._...H.-t.1...j...!/.y./I.z.>....P.....e....Z.vw..j..d.7o......exrJ.:.]....R(.Y...3.n.Ro....6.5[....2d:....0.....B:4i+<;.v&T..).x~........h.c. /?..R.Jx.@.+....}.y.b&n....x..[.[.y...jJ%...p..&....yJ.S.n...uK.q..5.`.b.......$..2.x....c.H..........I. \|...^a......>.:..\|....%.. %...,...V..G.}.5...*n.;T.

C:\Users\user\Desktop\GNLQNHOLWB\PAYLOADBIN-README.txt Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	354
Entropy (8bit):	3.4546009930890347
Encrypted:	false
SSDEEP:	6:Qn7KMM0dOLlPq0SlufB6PYxTflE6TcGsZmCulv9l18I30qlAsXQW:Qn7cbLlXSlroNEecdZW9l18Q01y
MD5:	30C95C97318E18000E6CB5682AA9143C
SHA1:	9C90986F29067617D9C13192D99B1104CE1DFBA6
SHA-256:	2A662CAB195B9C81BBEDF676F3D54A6BB326CD8B6112C928404E9616DBB8E851
SHA-512:	10C1D4EAA6FAEBDA3FFBC36668EFFA6E8EE96D3E93E4E8EB34D843432C6A7102FB4212AD01E3593BC3D32F06CE6F3C6264BA4D9238A8BB9314B7154C0E213D57
Malicious:	false
Preview:	..T.h.e. .n.e.t.w.o.r.k. .i.s. .L.O.C.K.E.D. .w.i.t.h. .P.A.Y.L.O.A.D.B.I.N. .r.a.n.s.o.m.w.a.r.e... .D.o.n.'.t. .t.r.y. .t.o. .u.s.e. .o.t.h.e.r. .s.o.f.t.w.a.r.e.......F.o.r. .d.e.c.r.y.p.t.i.o.n. .K.E.Y. .w.r.i.t.e. .H.E.R.E.:. .#.1. .r.i.c.k.h.o.o.d.@.a.r.m.o.r.m.a.i.l...n.e.t. .\|. .#.2. .m.e.r.e.d.i.t.h.p.a.t.r.i.c.k.@.p.r.o.t.o.n.m.a.i.l...c.o.m.

C:\Users\user\Desktop\GNLQNHOLWB\WDBWCPEFJW.mp3.PAYLOADBIN Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1070
Entropy (8bit):	7.817500372025451
Encrypted:	false
SSDEEP:	24:eRQfwrSLYohm3gmoAB676hZgrV2hUjdoY5lMKwdU:YQ4rSLBhm4IfhZeF5j
MD5:	2C1F5D9FE682412FE607B2C430079A47
SHA1:	D07A33964E3C7AEC900FA3F4DB209A41510CAFDF
SHA-256:	BE55B8B1907F7424462B21A8EC6FE71202CAD1F6C2B455A2F0E8B6F530E50423
SHA-512:	901BC902EB17676F3D7C969C1E35361695BF57636EAAAFB8D3EBB521AD8D59304BDE4597857D7F81D731B88957622696ED935D8932343F138ADB1AD099C9F82A
Malicious:	false
Preview:	..........$.....X...0......?.........rO.....k]...l.........R...Q.m/......r..vW-....?.8X......i.I\g~n..d..2..@.n..J..'........<.M.D.mF......O!).`.Z.......Wg.......v!.D.-.....?...+g.{..k.......N....h.O.t......M...^..+g..+...0.3..Pi..e.....,:.<.....\.....po.....%.....(.E1.....9.u.^..fhC...$F.}.6..........A..B.4Y...@.`.....w6.^.N.w..rJ0..Et!..p.8.]9..k...e..>...$...y...Z`%..y.........T2..d.-....b.Zjo...].\]jO..~.........L..T\|.7....q.........^&....Q.u=..`...........m.....Dzw.GZ.2ZD..K..$)X...O\|...e..k.J1....fv....%.CC..5......t.....$ah...F..\..4.;..3wA..,...,#.....obv...G.h#..q_.P......i..J....-..A....'...6....]t)~.U.....].-.S.VS....9W.lB..8.....g".?!.......:yx...XGB...9...{..B.>.L .!M......>.Y.EG.79..Xl..9.s.j...^..v..j....9U=... .O*H..J...AA/.bP.W2.d.@Bms...f.r.e......l].....-.z_......\| ..... "...f=..f..hG.Z9...t..)..=..I.f.'..O.g..A..'....Q9e..7h.."..~!..R....`.5D..f'.K...63aj....`......\|3m.~+..J..+'...n{,..!.1.....;...<Z........Y

C:\Users\user\Desktop\IZMFBFKMEB.xlsx.PAYLOADBIN Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1070
Entropy (8bit):	7.828597077955805
Encrypted:	false
SSDEEP:	24:53gtyOP+XR262vS4Pe7yjBxK+48qbgGNWbfgp8:5wy9z2TPywo8qbu28
MD5:	0D17A96D319100BBD7EB2F4DE9328A2E
SHA1:	E7E9EFC9E15AA89F5E5BB6CC4B2052C241B35A87
SHA-256:	B6C01DE1509014B31ABF5400FFBA82BB337BD8E33511D054CF9CCE695565DBB4
SHA-512:	86EC1519E3C439120EC532185EBE09C65E40FD0FA3BD6744BFC9DAE72EC4C8F648872E0DC1AA6B24AE93A636BBD3ED838A3310225AABD4DEEAE65DC068F21814
Malicious:	false
Preview:	v.1..luS...4].<{..................)..Tk..0.K+.S.{&9....[.........--~..Z^U4..q..sB..U?"i0i"...i.s.bu.y..X...aY..7...d.2.=W.-5s#.z.3.gBy..$..D#...!w.x..U...[.......v\|.................^..P...I.a~..]'...o^?.$Z.=".....7.O......d5}.qD..)..i...T6.....>.....1..G.s.TE\3...il..f`.u..(N..R.`.V..:...p....d.9...ub...).j..c/~(. c....FM....\...U.Z...JX.R....4.........;....[.....[.V\..]..R..$%..B...FI&....7E..=..T8.?......P.(..+..XT..W....iI.Q.W....n.U..c!....Zz.P3..62..^.......0.F...\.B...j.9a.D.....(..tU.f...t....G....%.CC..5......0..jW,!;!^1-.........lh. M.....G.......i.m.\|.....C0..24.I.P...m......H..+N.~...7....k...'..$..&n{....y..M.b.\..=.?..%..8@.$..4G,P.8-......\|t..F:....P#..ynlx...L.uX...8.4g'....5 .....C.....A....eGGw.,...m$..O..Pg...8....Gs..."..?mZ.....R....G.....%..D...H@..b\|..5j.;z...)W8.....~........t.....G,....W)....R..s.._.../5.....?..dC.l/x.Z.\.&..h".;.JI...F..Hz....q...K.z......p....0..GD.....F..C[o/....x....&6g.h....

C:\Users\user\Desktop\IZMFBFKMEB\BUFZSQPCOH.jpg.PAYLOADBIN Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1070
Entropy (8bit):	7.789846655571229
Encrypted:	false
SSDEEP:	24:8dXsrpj4I1ljP0G+BXmus1URaubO9FpFO0nzLCvxS:kAdHljP9s2V4aoO9owKxS
MD5:	A778AB7AA2647E21E33CA3DC90EEBD28
SHA1:	CB38C1A004D75674F1FA1F7BCFCA98DAF7A82443
SHA-256:	74C3DC613D1EF501CA13DC7281F77084A3FAF729E6A8B8B65706CE2B3A02F048
SHA-512:	E4A74BB2A5B8BEA11B25056D2C6FC90B266E0B1E4FBABB0DEE1EC83BCD9075F5D8D113297D3F3D09B6F3F19BD18142B2499CB3E2EDA2381436441DBB906C2AAD
Malicious:	false
Preview:	....<.+r....n...Y..G.U2..DZw.y0x..81...Or..k9....../O..?...U.{...`;.\]..y.p....J....F....$..2~8r...I.I.{..X}...?n..{j0....V3....l...:.........A...iz...].7....1......R.Qd..Y.R5..1k.(...X..y.wY...D.[uE.w........f...O...j.{.r..\|1Y...5..t.BB..T...x~.6. ..(......2..?.'g..%p....<\........,..o.X:(U.A.'Y.;f..(.G..!.2.2vqV5mg.g..y...q&\|..o0~......Er...K$....'0../..>...q.s..t.A.5....g....~...X....C.) ...'8l.-.l......,.....\?.\|Kd....t.....r2.}D{.gz....?+..<....Hsu.-..`....?.i...d...w.hc......=.......e. ..~7.9M.......%.CC..5....... ...)....)....B.J....<W....d...{s...........gR.Ax.D....]...q.1(Xj..g@^..?.b].....y.....E.qG..z.Z..O......)...e..L@..Aw..A.=..3..O.B..5.x....D.<.}O.~.=Hh2..\/......K.B.$....Um.....j6.X......G..6..wf.C.5e........8.s.{.....kK8.$.8.ok..~Y...u..).65.t....2.#.GD.U.....@G...~.........X.4#.'6...c.....X..=.K.z....z.......j.cHxk..y(.A...".V..X...'.}..j.......v...U......+L@......6..}..>h".t....TEfF....lM*. .3...X...8....zf.....S..

C:\Users\user\Desktop\IZMFBFKMEB\BWDRWEEARI.pdf.PAYLOADBIN Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1070
Entropy (8bit):	7.827170800822576
Encrypted:	false
SSDEEP:	24:HYU2JfvidEEHU/QtOJlEOFoHILOziAi6w1/4DGoYk/NHBnlyCToAv1:wsdEE0otmTFvOzi3t4aoh/99nv1
MD5:	9F17D4F6000FB4A0765DE3ED83B2DCBB
SHA1:	AB89AF28A5F6431E4AD563A8EAC93F3A87AFBAEF
SHA-256:	2FEC3CC277EF384D33E618F0D8CFCA99021E1227A05C44B270D3971E84E3A27D
SHA-512:	032994084E3572CCEF9822F8ABFA25B3FABA3B6ABEC2BB60B34D037FA93A06E6B1875DF98289474C069705FEB0CF2A58BFD5B0DAC65BBC5B8135F32AF79FCD94
Malicious:	false
Preview:	G.`.7~....~....~6z..B.4...!._...0..x2J...RyR-d\g..-eM.....S6.h..&.b.....51.{........MC....._...#....C..o=....@~#..r.'...Il.........\|&.6.V.^..Y..c.{..M..Vw...{Pt`)._.....'.,.d.5.._5...a8..q.m...v....`.W..2B.;..s!.....\|......]...@..~oRu....3o.mOw...E$N<..{#..w5h.L.V-....f...]@:J...Cwp!...0..o...?K+..<!.7..."...........+.n.>.w....1b._.rj.(&B...).$...:...9.>&E..>.C.#...D.D.H.(V.~.L..@?......k..2.....g+..O...`.n.U.M........MQ`z..1.GH.$..~...sR.E..x.Q.Y:)%.>H..W>K..3..h~7.........BO....g...).:h...0..._\.LWX.=L....%.CC..5......{.B"6.<.G.2..}.I...^....j...TF..L[[.E/y.{..k.*..5..G.?.N.?...gn..lZrk....#..%(.....%IxGz@...u........K.... ......5.v.r...`!j\|P4#Jy..6/...y\|...../l..p>.t......[By,>I..lx002...P_..,}%....&.=..7'..2..A;S\|+.\|U.e.A....@M#.e.........v.3.8....u......nD].6;Sm...B...-..8l..n}A(...d...\.?...5......&.2.3..:.I..`.c.b.w..N.d.u....<.m...)..<.4q..3r.E...w".z.X...%....$ qa....'...;..b,h..u.Q.n.Z....2=U.5. 3...s.ky%..(..M..W4..hn.

C:\Users\user\Desktop\IZMFBFKMEB\FAAGWHBVUU.mp3.PAYLOADBIN Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1070
Entropy (8bit):	7.816543567481213
Encrypted:	false
SSDEEP:	24:0MyDQPTMw/w35Co7ty9TNxk68n8CiIS0LTmbvECleIwOJ:tkQPTMk2Co8xkTiISzrz/J
MD5:	DB534BE09B4B9F72AC6C912B18027BAE
SHA1:	2B4E886E4BAF6BC00B94C933F66A003B47FE6DD4
SHA-256:	63B39A6FA474C9442C8EDBA9B08D1E80FE53FBD643A95E513D45AEF53EDC2289
SHA-512:	DE75267829B624464B1885C7DE75EF642FFAD6EDAEC1C98D1ABCF5666A2D64D608DEBEBFD2B2B8B9857F9AA74C2E95B3128856E8DBC662CCA72D75E5278F3F31
Malicious:	false
Preview:	.8.4Lr..g.=\...yH.....DI.nR...'c......)=C.;.Y...m..v@a.i...\..}...".....Gu.P..l..',S...B......3.c.s...62.N ....,v. F.q....\4..@Q.....cL....f..w~a.`%.h..:.7.)...]r...b.Z;.0..g.Y...s..5..N....o1g...C...o. ...Sm.cdB.Dt...._[..;...#.z.....9.f Q....'^....dvFfH\|....T.`...$Xo.}.....W.}....-..u...+.R...2...V.....S.?..)..b..QE.f...O($.g....]2..1w1..0M..+.8>Y"H]..%U.%.....jEj..'ny._ma....Cw..:b.......h.\|..6.2:.H..x....WE1?.`.n.U.2..cF5.d. O..<;..v.].j"..fYx...P...X.j,sLKy.._@W4.&O?2.{H<.q"FwSs.....J..O\.9...`c+...%.CC..5......x(..OBE.....v..K3\..u\|...p/..Mi.......6.c.}......R..\.C.y].i.7.H.a]..A$#............eq....qU.\u.L.b.m..0.C......m ...9..x..E..@....._.H..@..n.I...I.C..H...^.l..S.`1.BT..Z...;.C../...J_S..D..6y+}WzN..F.....74s.......Ou..Wi..5..!v.2NMr.. g)s..?t..O#Y..CNC......Y.,%......eDu......(.. ...A.u...f..A..g.G.9...=..P..a ...(...{...J.N.`.e=J,...!?.(9...D..f.Cg.K.C...A...o.:..j`.Jj..i...CE?.)...Z......\=3.....C..NyM.UmrrB..

C:\Users\user\Desktop\IZMFBFKMEB\GNLQNHOLWB.xlsx.PAYLOADBIN Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1070
Entropy (8bit):	7.8353785089650785
Encrypted:	false
SSDEEP:	24:A2cDb22K/ap73SuvkUV4tt49HXXQz1OECFSjCH+I7g3O16:Bcu78bBkUV4PK3XkObeCH+M0
MD5:	962A0523DE8EE7AE0A8D51041ED67E57
SHA1:	8AB5356491D75F408CB2361B1CB33AECADB3F5DC
SHA-256:	6EF3C43B6CDA2BBE1761549105D767E0C4D08854787F9A98495A9D2F1670BBBD
SHA-512:	CDF1EB312D2583371E38BEE0E3C0D242633F029D80F81C7192EEC24AB98ACBC9E328C147B2DED5771D9969885C915762E249DDD863770D15F3934562D789ACA5
Malicious:	false
Preview:	GJ....Y>(....I.\|..i.?.B....?l..B..>...1.o.1.6.^F...=T...........g.?k.O..l+...Q4B........p$..w..6........S......,.t..$~..n...GD3....2.......!(Y._.S.....dFoz... ...n..."oHW..."......B.I.~.<b.F././....6=.K...-.hL.~.E....V.R#...^.B P...........Ba.U...B.....v..c.$...]%1..1......8..3C.J$..=f.).......`..`.f.f...7m'j..}z.....\&fs.%....<..Z....>..L...}.E........O..-..........u\...k...;.2..Q.Rd.u4..g5...vT.\|..=9[...u.........8.g..D.;$..x/..U....^....vz.V.o.5aF..."...2...b................{n.~$.....G.(e..t....%.CC..5.......L53l.v.....+...gG..r.BL...L..-H.8T...v.w[u....9..O.........,J....5#7...Z.iA...B....w....p6...Y].d.c.\g.d.ej.....X..@.&MU../wU......e..z.?.5V`p.pT.I....D)c.h?.2...xK:....F.3.d.<e..Em.i.#!.d...SY...w.g!!.2C.+.yf@e..........0K.18+D.".?w..Q...`.,,_..u)...?F..5..K..@G.....K.y......7.m....d.A..XM5.q..:?;).c...........Iu.}........>I.<6^TY.!...Co..5.9.n.S.R.......q..B.K.2#v.=......Hs.Z.f(]rz.2}......E2.......3.[#.>@{.......E...

C:\Users\user\Desktop\IZMFBFKMEB\IZMFBFKMEB.docx.PAYLOADBIN Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1070
Entropy (8bit):	7.828054252692502
Encrypted:	false
SSDEEP:	24:dFhuA818OyRt1Cb0TEaEJOqHelwfHl5QU8hwD1h9B3oUuQPbqK9JEeYTYo:dxu8OyVcBkWLCrOn+KcT
MD5:	CC97727B9885C1B2BBB2328C0444CB3C
SHA1:	65F02E674FA51B70997B9916F5648BBAFD920313
SHA-256:	A0582672CCC90E48406D7E5687FB7B88D0FE96C8121746B8CFD944E018ABDA87
SHA-512:	C2D630BE6CFD6DFF6A4E0330EEB2688B230811B6DC099F683AF2E7F125521192FB377E0403C6595F0959F6362F1F350DDCD0FFBE0AD42304A82781E2EE4592B2
Malicious:	false
Preview:	Bs...~..EEc$rqH......IR.P..........lT...Q......^..dc.....DB.Y....ZI$l.-.o.\.G.u.......N.........r..TWW.j.`....{...........=.........1......v.......e...7..1....i..(sU.........U.J.1^O+o.:...?Iv..>ya."C.....y.........&.'.$.....l.$...Z._.D....[...).D. ......0...:bn..1..).eI..R...L(K.K?pV....o.Q..h..v.{..D.\|..01.4..p.(V.......3..9.ee....-.ZVn..........=...xC........X_.9....aa.fZ\U.....fh..R..F@g.Tn.OH..."F..,..u.....u ......'r.<..4C!..%.8......;.O....Ff>..iE..O.mp;(.B+.....(..{ .{.U..j.p.2...."Z.u%..e.<..p...%.CC..5.......+.<..!..Y9.S...U..{.......L5?...[<...Q...w....sOq.........QG.R.%.JopqnI.P..U......}]......r_..6i.q...y.P.l...g.6.J./.....@...7)...J.n.#..3......jQ.Rz.*...hl`A8G....CW......;.-`+e;.M..p.;...~Q.d.)....wL.J.O.......<.C.3[KA\|.E}.iE.fa...\|p..y..J..;?#.]....Z....j.....'.<.'M.M......R.....z.;Ec.O?">..a.(.>{...1[...v-.....^l.".oQx\|.V.Q.bQ........=u.......pg^B........X.....{..\7..~/..,R..(...t..A . '.yH.P...l}.q..Rb

C:\Users\user\Desktop\IZMFBFKMEB\PAYLOADBIN-README.txt Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	354
Entropy (8bit):	3.4546009930890347
Encrypted:	false
SSDEEP:	6:Qn7KMM0dOLlPq0SlufB6PYxTflE6TcGsZmCulv9l18I30qlAsXQW:Qn7cbLlXSlroNEecdZW9l18Q01y
MD5:	30C95C97318E18000E6CB5682AA9143C
SHA1:	9C90986F29067617D9C13192D99B1104CE1DFBA6
SHA-256:	2A662CAB195B9C81BBEDF676F3D54A6BB326CD8B6112C928404E9616DBB8E851
SHA-512:	10C1D4EAA6FAEBDA3FFBC36668EFFA6E8EE96D3E93E4E8EB34D843432C6A7102FB4212AD01E3593BC3D32F06CE6F3C6264BA4D9238A8BB9314B7154C0E213D57
Malicious:	false
Preview:	..T.h.e. .n.e.t.w.o.r.k. .i.s. .L.O.C.K.E.D. .w.i.t.h. .P.A.Y.L.O.A.D.B.I.N. .r.a.n.s.o.m.w.a.r.e... .D.o.n.'.t. .t.r.y. .t.o. .u.s.e. .o.t.h.e.r. .s.o.f.t.w.a.r.e.......F.o.r. .d.e.c.r.y.p.t.i.o.n. .K.E.Y. .w.r.i.t.e. .H.E.R.E.:. .#.1. .r.i.c.k.h.o.o.d.@.a.r.m.o.r.m.a.i.l...n.e.t. .\|. .#.2. .m.e.r.e.d.i.t.h.p.a.t.r.i.c.k.@.p.r.o.t.o.n.m.a.i.l...c.o.m.

C:\Users\user\Desktop\IZMFBFKMEB\UBVUNTSCZJ.png.PAYLOADBIN Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	PGP\011Secret Sub-key -
Category:	dropped
Size (bytes):	1070
Entropy (8bit):	7.810552410406414
Encrypted:	false
SSDEEP:	24:GxNsCcjm6FZA7J36vkoOlhhO0h61VAlujQ5X10er/H3nE:GoC4Z78/nlosXKerf3E
MD5:	4719D34D8C7B6DFD75C6E638693EB619
SHA1:	6090AB7CC2229E379D9E9ECF00489C88D895B5BD
SHA-256:	5741B584EEA32F714A3697F700D14EE4226ACB27FC6164403B69453D1A7DF4CB
SHA-512:	3CD520EEA0D81679DD5ECB802C7B052762E78F0602673465D13F2268B1CF5289A27211D68FE6A597A27C7C332487C73ED8EA193317495449EF2496DA0F53A58D
Malicious:	false
Preview:	..m....E`....T....w.Me1Y.d..B.....8...w...y.....s5.g.!....l.f.,dv.o..I.B..aoN....'Z3C.....A..L@.......s..F..,.......S.......D.(<....).4f. ...y...Im.._8..5....=.i.5M.5.7G..RS..x..._.U..B%.K...vl-..jgco.....o...q.....[..s,...k ...4.k.....c..)L2..nRC@.<2.z.S..:q'......:b..O.[....Aub...\|O.{.....)...Y..(.m\.S,-r..pw.........~j.,K.Mu..u....F..v...k.p.~.W..\./{I... ..S~.....G.5Ia..........s.i...g.6...-/U.xGvy.LF..y........,3.8..>.i!...i....k......>....F1.....i.h.Ym...i.\|.j\.v.=..k..^...m..L..d..K.S..f.l..k......%.CC..5......45JC......#.._..i:...].%iP.$........{.kX.].P..-...?.S..3...8<...U.T..7...y.q8Y?...".1..5.[/^Q...=..&...O..w..hD...u[..$R.;&...]....s...v.x.T.;y.3....F..4....].f.d.....!.!.5qYS.!r.......^ ..%..)y..j...L[..}..n...Sq......GWg.A?...3........p....Z_.D.T?].,.....2.....-.>.>..!.......i.......Y.iI.y.]...w....<gh.x..F.9..t^.,2..{C..{..;.......y)(..m=.n%...w(K...N{p.....Jl\H*.Q....^...._.G8.L@P.L....-..Y.ixWX...b.<..V\.....8..

C:\Users\user\Desktop\KBIFTJWHNZ.mp3.PAYLOADBIN Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1070
Entropy (8bit):	7.819586835013082
Encrypted:	false
SSDEEP:	24:OTtUT7jvqBJg7TBuw9rXmAYye7Cclp5U3RB00a:mtUjn96AY1zCG
MD5:	A62132861E1E24BFDC8A7DF6A89B3BBC
SHA1:	B56043BF898EA369D4D1B737FEB984E2E69A38C0
SHA-256:	2600FF0B006E32E4A4FACA1AD10AA170241E92943B0B6660BBC68AA82EE54438
SHA-512:	70EC5572B6AAF38DF2A807C8D8A00EC643FA781029287DE25149606942F14E3BE0EF1C1D15C005D55066FAE99F2C2963D4BFDC294B97E7091BE1812C5FB15DC0
Malicious:	false
Preview:	.5.%...A...rin!t...?\$I.Ey.f....f..P...o.Irn..X>.P..<vR.....#.....W'..:..4.....4......!.....Q..a....UD.`.y......e.\.g.,..Cd...]N...o..].I.u.E..1p.....Z!..G..'n1Z.......I.6...x~.u{.^.~..J!@..!.x...\.\|..~..0z......E<@...&.US...'6.:..M!......~S.V.B..N...6......`...$..........]...Hn.I.B.`.^.x.....T/.....%E...v...p.D#.YhD[J5.t7.....y(G...u..^.9.:l.uF8.rN2.N.S.B........]..H.#.....`x)Ay.).d9.,.......?...".^...q`..B...uF!H$...u.5.2...p..a.M.N.d.P......../.k...g... ..t...K.1g...v.........U...P...9..;....._.Nk.....nc......%.CC..5.........t.c.X..._...SK.sYn.m..... Z.C..."..>.PUd.Ll^..?..P/...zWD.\_..7.......C..U..(.....R..F.vu.9.. .%$.=..J...Q/..z.....#E7..~\|...%....PA..b..:7.._....WZ.B.EAuw.0..._..m..q..R..~7.>..r-..B.;"oU.X... S.aoRG).O....:i.+.I...,>$.p.9.......168..7..yHR..rZ.o......5...G..q{...8A/2_.Dd.yV.f.,d.....9.v.../.YF..u8xN.J....<.6...!..$..h.Ro.(U..0...s<..:...I*G...\....P.<.3..&<.0^U..\|XS..W.\...g@..,...}4...S.....It...9..j...SE1k_.3.

C:\Users\user\Desktop\OVWVVIANZH.pdf.PAYLOADBIN Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1070
Entropy (8bit):	7.823179178790084
Encrypted:	false
SSDEEP:	24:nlLc4doFYLm4+25CiXoNGlXnd1fqq7o0BOm/mql:nl32Fa5CiXownP7o0wql
MD5:	E8D9037A3D2A59EBCAB73CDDC2F1181F
SHA1:	84BAE0DEE56AE2410EB16F3EC3C388746B4C1EAF
SHA-256:	53EB55C3929E299C31809B325E18CAFCC4DEFC2CEFB1E5C812853DEDBEFC6613
SHA-512:	02FE6AAD3DC5861511CE13A3A6F2332DE9CAB1EE257046A6F178F6D1A72941333F2D7E94256ED3440C068F211581E6E4F0349E5C157D24169E6EE86A908F7B49
Malicious:	false
Preview:	..;....3..1...........S..~..R...K...WZ....(6.../..t.\..........Y".Wl......`#.u.$q.L:-{V...8....2.../.t.QTu.C..I^.H.d..4.Q.f...(.%Uk....[u.r@.Zo4i.,..=...W4.U$w.......>.]0!{P.,..uk......#. wHm.].-.E...........tN.....w.,9+]..IFE\...w.kS.W..8.ue.\Z.."?....72(N9...vN.2\|..g..Y....g..Iy...fyU...X.vR..%.Nw.....GY.....h.Rt.....?...W~.D........}...D.e_f=7...6..Ux...^...=3b.4.. B.dK+.yI....L......_."..y...7..Yy..\.]W/..N..x...\..$A.....GJo<.K.....;.....<<..#v.."b.&m......\..\..F.].........%.;;p.....Vx6..S...8....e....%.CC..5......P...(......)"g..T. .'.4'..M.9f..N..[.H.......xw.<IN\|....r..\|...?a...k.....!..3.uO\s=.....". W.f....\........Z+.A.,+.j<.~.C.wYl...../G..1..Sl.....R.)...Qb +#mo!.k.....nl..z1A.g....~..b#<.):.eY.....Q1Z.o.......Y..`.......#...*..8\?8..6.1.l1V..iT..O,...FH...L..Kw...'".R]/...s.....<Cn.....3.OJ.{w..R...N.3.......-4...../.4\!.0.t.#a...}....._.P...8.)9.x.R!.qk.~0&S/$..Al.O%.. _.....UY)..oq....'..2G.~.....^......QjgK8qqK.

C:\Users\user\Desktop\PAYLOADBIN-README.txt Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	354
Entropy (8bit):	3.4546009930890347
Encrypted:	false
SSDEEP:	6:Qn7KMM0dOLlPq0SlufB6PYxTflE6TcGsZmCulv9l18I30qlAsXQW:Qn7cbLlXSlroNEecdZW9l18Q01y
MD5:	30C95C97318E18000E6CB5682AA9143C
SHA1:	9C90986F29067617D9C13192D99B1104CE1DFBA6
SHA-256:	2A662CAB195B9C81BBEDF676F3D54A6BB326CD8B6112C928404E9616DBB8E851
SHA-512:	10C1D4EAA6FAEBDA3FFBC36668EFFA6E8EE96D3E93E4E8EB34D843432C6A7102FB4212AD01E3593BC3D32F06CE6F3C6264BA4D9238A8BB9314B7154C0E213D57
Malicious:	false
Preview:	..T.h.e. .n.e.t.w.o.r.k. .i.s. .L.O.C.K.E.D. .w.i.t.h. .P.A.Y.L.O.A.D.B.I.N. .r.a.n.s.o.m.w.a.r.e... .D.o.n.'.t. .t.r.y. .t.o. .u.s.e. .o.t.h.e.r. .s.o.f.t.w.a.r.e.......F.o.r. .d.e.c.r.y.p.t.i.o.n. .K.E.Y. .w.r.i.t.e. .H.E.R.E.:. .#.1. .r.i.c.k.h.o.o.d.@.a.r.m.o.r.m.a.i.l...n.e.t. .\|. .#.2. .m.e.r.e.d.i.t.h.p.a.t.r.i.c.k.@.p.r.o.t.o.n.m.a.i.l...c.o.m.

C:\Users\user\Desktop\UBVUNTSCZJ.png.PAYLOADBIN Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1070
Entropy (8bit):	7.840175062253329
Encrypted:	false
SSDEEP:	24:Y7SvgH0ole2Mf2ntacbuJJOHQQM+WFHkWQe15mjVrXA:Y7FH0oZtacbuJZQpMuHVrQ
MD5:	99F9F7AFB79F49308D9D30BA9C7EF450
SHA1:	F31A50551A8B314E6996F51C8D12BDA9B3C7A00C
SHA-256:	602DD04D2B1B89FF8D5E1A3452D52CD344DBA0806E4A95E93A7EA8D1EDF980EE
SHA-512:	F2B4CEF949CBCF027D827FB90CF1C8646F282472627F7A044F66D03EF3D3DAED450D7F72C31FACFBE2B0AEF729788E09B1B545EB1AF3C55378F3603F34126528
Malicious:	false
Preview:	}....w.QP9.0........kR.Qe.d./s...<.B.4....T.......e..V........vR..uM.A.." ...W.I..{x.$,`.z1:A.G.._....`..'.et..J2.F"..+...o...!.{.f1r...x...\a.u......c...j.,...'.....;..c.6J.. ...]....c.0.^..\|y....i..(...39lR@#...?.p...j.GJ.8T.S.d...DQ.<z.EJ;.0..$S/.A......,MI._.....C..H..zPl1`.[.........).%){&;......E=q..zU...J..'.^......,xy\.N#8,........v.....S.T'..DP..O..D%a.6...s....D.Vl.8D.&j.L...i..z..Z....k#.t.Z....Ca<REK).....P@}.....e..\|.H/c.?.0Jw..L...'. ]0(....:...o.Z.bUL...^ l...@"..K(..5..lyu.H..{3D1..x.xY#.3...%.CC..5........PDy{....mBT...\i..I^.p.. ......5.....+...m.....M.M?..{d.<l.c...G....-Ul.c.q.$.....[.v,x..-.R.....Jt`.{.O.....C.Y.....FxN..7'...\..Y:#....YA.m..i.....a...e..Y.A5f9.,.c.FW...b.FP.+$..\|.$.'..X.R.........z`.>..x..q.........gc.(...y..."....[....-fN)........>..@o.m.k...!.,.......n.k..>.r...........s...Y9.TL.Y.u.U.%..X$wK....k8.g.9.r...x....m_..!.2.\|.{....P.2/..n.Q.eJ..S).h...O..?.c.9.L...R.w.F.Q...e..8.5..5...\{,.]...

C:\Users\user\Desktop\WDBWCPEFJW.jpg.PAYLOADBIN Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1070
Entropy (8bit):	7.8125309337314
Encrypted:	false
SSDEEP:	24:LgY/vnoAmp8F3vdsEWIOpPx0IC1A1lKnwKBnE:LgY/wJpGvK3RuI71lKwenE
MD5:	1F1A7D65E9092BFD5EF458C603E86F00
SHA1:	F2FA9FF181EC8981CDDEDD787A445F45E90512D1
SHA-256:	C344FC5AA04764E8BF790CA325568A136F633D275D8B75344D805D7B25DFAA2B
SHA-512:	0284FC43AED5A29B91E906AB4E664D7EBD7B2F970C45DAF2D1D2BDA0D14C6DBDDDF1E80C0E5399EDAD99C379E62A2312E6BF6025D4349C9B8D36BEC2D0309752
Malicious:	false
Preview:	oyGb.E...8...=Q.E9Q.....=d.^`.(o.[.73......a.p................_...?..x.IS.A%m.u.'.x3..F.].k_s;.RE.k.\|t?G.....,..zf_.}.....7L....Q9>...qp...!I.!0.(...V.......W.d...X.EY>.]...k.Ef..1cwG.%+.A.o..L..u.....$.K3....._~L^....\...c..L......za.{...=..:.n.6..c...N..bM)CV...t......~..c.i..`...H.L.n..8I.......)...u_.\.7..Y...A...i..L....R}..?..37.a...og.R4....<..uw.......`..5M.).q..NtS.}....l..'D.85.JE..... .Y..E{c.^.!....3...N...-.k.9._4...&~......x......z>..b...Z,&..p.'..V...;.pMN~.$.....S&........I.4...?..v.0.!...%.CC..5..............qoo.;.m....d.m..U6.{.z......ay.....E...`..... &.?...2.U.NYX.i..a...].9.$.w........V..4Zy..yA...\|J...S....L..ugK4.....s...N.]n.6...d..`.u...d.D....qh.X.T.....\.........2Rg+E....1.........3Nzr.....FK..A......2..6..M..g...=..K.A...T.d....xh...a.4s...p..h.....Ef.]../..........."....i.?....}..i...v<..3.C...l.'7t$..n.9...G....Y9@h7..bLsQ..&eT...F...K\|..AH.......b.....,...A.)..:#.*.D'...h.`..l .F.k..t!<E.3....:.

C:\Users\user\Desktop\WDBWCPEFJW.mp3.PAYLOADBIN Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1070
Entropy (8bit):	7.816991420764285
Encrypted:	false
SSDEEP:	24:AaSVw8yigo2V2yKjKUlvDlbBx1ikOj6MRuG5yQHnjFLimyefloTaJhpn:irHgrVhKXfbBOFuG5/EN8tvJ
MD5:	321C237AC9F9CB2F4DE577F602D1241B
SHA1:	68A9A521697382BE46526769BCE967A078438DDB
SHA-256:	8DD2984FD2878B942424B0C32B22BEE70E7739AE74DEF9EDA8593FAE2601194D
SHA-512:	74F350EE6FD6E18003B5AA163CAA9746B9F566CE6063A835209A923D703B0E4F0D4BF20C57EEEB0B534BB7DC86E8D7F44B4863616C5E21B177D20851E3A97CDA
Malicious:	false
Preview:	Bp.LbR-\|x.l&...aK.7.`ma.E.p.s..t...Z..._........2.M..k&.7V...S.U....&2......7..[.......eYU`.K<K.H.r.`.%.t.k...\..U.Nle....Q.T-..........=E..%.%...(..m,.....pa.W.5../@.D.o...O.Ci...v..k....^.R....;.}.."z+.c..i...E..s......\|Al..5...d..K.[..nci/.j.......p..!..%..3U#.jZ./x....B..Z5.Y.......O.....y...0...i...\xi........9:........G...8.3.....d...R.@Q..;..z.;.%...t.8..X...c..4...e(...>._.~.2..Dh..6..3.X6.".E$.{.<.s.^.2J....DK..P...^..\|..........\|'.x..:.@....Rf.KP"8..f...u...........m.k.....c.#.[^...6X[9iE.....%.CC..5..........,M.p..\|...H%p......Zn..uiP.......~.... t.O....w.s;Q..m..r9d....0v....5+.r}.T.nW.H..rT....S.....!e.\..k.e...N.M@ZN.I.x..7P..a..Z.L...z..T..Q`O.A..vk!.l$.O2?..'W..Q..U..E...w..)q..b...6.E..j..}.......DC.N..'.GB...-]....SC..D/C.i..!..v....$...~.,......U.....(..-...~X..Nl..\X.K...<....$.\{_.....B.3..Rql..H.t.R..b..X.(.......3\|.x..Io0.4......H.d..S.MV..T....:...6.X.t....{.5...3ci.^Y.;jy......+N:....L...A..."y.A. .f.>..{.

C:\Users\user\Desktop\WDBWCPEFJW.pdf.PAYLOADBIN Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1070
Entropy (8bit):	7.813344489982721
Encrypted:	false
SSDEEP:	24:j+E1tLfB9EIqWL0PorZVuY1sI0Oo6uIdYOp3TM932G2cVUEITV4n:yMIzZPorHkOroHm9cGun
MD5:	BAD6BDF5CB86E4383B99FC40C674C0C4
SHA1:	455B233F1320B79A4ACA8CBABA60B0F6CB0AC8B5
SHA-256:	F5E02FB1A9F9A43FCA3B11E2335306526AD5000E8D61A60A8AF626989A2E0B31
SHA-512:	C5937CA3B44F3CFE2A9423310BB56852F02D575D5E10C0347D31F0CA5E00FC3F0B712B828B704A597DB9AB9640D90694D07A48E3E4FA460E68E1A85B72A78BEF
Malicious:	false
Preview:	...v..AMa7.U..C.tjY'...d...m6c ..&........}.<Y5.....{i8.;.QQw..4.`1....J....H/r.............9...G.".AxZ.H.vJ...qG..KJGY...W...N..B{...^.c......G.{o.....f....'..G........-..N....f.8A...F.1......0.+X`eF....Y...bs.__...+......d.^.Q....iS`.LT..#..]7+4...E"?....P...k.H.s..1..r..T.=...~}...>..^.W.L..Dm....>.@..FY..o..6.S.+..-/.PHk....",Xh..!.>....".....t.....X[i......(...<.9....8..'g.M..tp2+....@e4]...H...........xl<....Fk.....`.....`. .F......J.t.UU....ey3.{.. ".\|...@#..3..U.t.s....\|.q...c."T.......%.CC..5...........Mq.5..G..rB.g.a.....b...t.5L.sd...x..bR.F.\..#....P.cR..~.3.....MA:8.=.#... ..KBcb.7mD..D..^.]>#3.d..Z.ym...Y.C".1/..&....q...K.b..%..x.j[........$gy\....{........05G.8~....!..(}.......W<.s.1../..tI.c.I[....SJ.i....}`Jp0.d!v.H....~..~..F....8X.P..^..}q2..qA...j...Ao\...>t...Y.........-....^.*F:..yH.'\|.7..q<\Bg...i..'.a1.....s.2...._..f#.U...q..S.'...F.j.z.7..Z.."..l'..h...B.(y>.K.......r...r.~..iyJ,_0w;%.U..

C:\Users\user\Documents\ATJBEMHSSB.jpg.PAYLOADBIN Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1070
Entropy (8bit):	7.830487352170668
Encrypted:	false
SSDEEP:	24:zziuoBCwg8ywNzxcoLGVYqb4V8G7hWs5fy4X/U5ss2JXn:a0hwNzSSGhkV8G7c2a4X/UyfXn
MD5:	C2242364817349264EFD09235B3BAB29
SHA1:	8A735CB9D5437DBABF265F6D3F95B790EC94E30E
SHA-256:	97BD54A500EDB76C1E575DAEF3BCDDB8C24D607328EF82E1139085E8CF19A636
SHA-512:	A733CEA25471F1A4B3F17F37D7FD73812492F73052234B7109FB4889FCF9E92AE0A1BEF007FF5AF9F0651F3D0CBDF815DC45DB368B15E1BB731FEE2092C3AAF2
Malicious:	false
Preview:	B:..^.;..".V.e..<..X.FF...5...1.~.!...B....@.y-..N+.@Q...u.<..p.E.VwiK....,F...j.o5hd.Q.zA..H=.......&..._z.~..$G...^1.G..c...-:.].r......n.........u^t.>.3O.U...w.I..j..b..>...1..wiFsz......N...I{..x....J......TEey.5.....2...L....L...ev.3r...."o.s..4..o...y..{.4f...........\CC8d...e/h#..../.B-.H.3Mru..[...2.1.'o.OD.(.Z..r..@../W.^,w..vnY.V...,.].T U.u4G..............N....nC.aT..x..V..#[....V{n..7...V.,n#. _.8>...r..i.v..J..^......_..t..TA. .......%..k;D..D...z.T.s.}......[...5Q..S....p...2.%:.u.j.q\|@.45.......`...%.CC..5........{..g...z..&xe...n..oU..?^.(-)br0....W.4..$......`.....0T.[.$.V..b0.%.^...l..n...!.U...1./..qy..f`.:}=.............2.\.........@.21.....U.x..hao...-.....8.o..AD....&..".....hi....z........O.....6HM..YBM...Xc?..%......n(.).M....2.#..e+..\........P... .....[..\6.l.W..'.W...s.t.r..NA.q..RL.....u.a.`..pn.+B].T.#>s...N.B"../.PX.YZ5..c7+.7....L......L.h..?.....D...ja"....T.2.....&.'....._...>K..w.&..l..v.X5...I\.)^

C:\Users\user\Documents\BUFZSQPCOH.docx.PAYLOADBIN Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1070
Entropy (8bit):	7.838579133445724
Encrypted:	false
SSDEEP:	24:dnPz7m+91W4LDxZSTQ6IJjiII9dPBG022H/aIIeqB4g7c1:dnPzJ1W44IdiZB3Hi/4Oc1
MD5:	5F4EEEFC811357F6DC70AB60F6A69427
SHA1:	B050F529B97A9D53C70D6B1EACA6246901EE3698
SHA-256:	2F50869D766914CC7765CCC4EBB5F3FC6ECA0E80C18687BDEA34B41B540C62E9
SHA-512:	A48168E4F755CF96AA99E99365B0303414F20A0BB844ACC98EABEA24C01AAA14925562073B9CBB7FE9C84E287D00B0EA3D118EDDBC059FCEBAC5EEE3832FE2CC
Malicious:	false
Preview:	\|(.F/h.kFMC.........t......K..0.....c0...r..(&..c..y. .....l%.l2....yu}5.P.9\H.W.m7j....y.2.<[..!.w&....\...R.!..,..8...x..v_.S.<..7.=d)..\;r.....k....k.c.T.m]..<.O..$.Li8.....J2.I...f.YY..X..{..^}$0.....^;.@..x......}...l..F......#P......>...;..uE{@...T..re.XE....!....o...M=E]-.dl.2@.z..9.Z5zvh..?.8....W.#...b.....@U`.8.,%.......H`.U..Mf... .1...)h3j.l."..P.K..u$...O.V....(.Hj......vM.-N..<5..X.../n+CWC.F.._....a......Y.}.0..x._..PN......YG>M-..l..9.........\.h-...z.P}.J.w...<..B]....C..L....gA...UoOH...%.CC..5........2I.~.."t...b.&..Fo...a..Z.{.T(...W'...-../....7m.Cs..}.~..0`.._.\|i'=`.?.KR.V....X<..A].Y.w.zr.B..#.4...UW.:.......R.d'....L.h..l....-e......a...A.........B..1...b.2..3...nP.=.KG.%..G.KN=p....x.B.^.t#.y...!.g...nm.=2.J...Ak...5%..F.......).d..yI.=..v(.L...Kx......1.zhq..=.^y..G...e...O...+o....RO...q2...].k=.R...S../......U.d......-.-..fbl.G-}.N....gt.#@..0R.B..$[w..O..L<}.X.w...0.W#.c....'m\|...`L.`vD..q......l...&E%._

C:\Users\user\Documents\BUFZSQPCOH.jpg.PAYLOADBIN Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1070
Entropy (8bit):	7.85158343490587
Encrypted:	false
SSDEEP:	24:xCBwScYfOtph+zJ2KYLzhdkqANeKENsGm490egYeRwnMzSJZ5vRM7:lbo2K0z7kRgBda6eIMyVI
MD5:	6C67D35C37F971D68E5308A380C81466
SHA1:	048E22E49D7A55EBAB6443E8F073E726D3CC2E31
SHA-256:	71BEF5B7FAC07E235A8463C3E620E7DF2926CFE1FA78190B2DAAF5E2A67ECD3B
SHA-512:	51A55782C38E98491D9D32C66E30147FEBDCFB5DCB5E67E5DAC7AC5B478CDF3927815A9633A8D4B2B290EA3366DD1629D3384026BD4C8642C437F7A38466140E
Malicious:	false
Preview:	......4.O0I..5c.L=$sE6....I.h...k.....R.......+W84.p...:6...Gv.[.Q....4w...A.4...J.9....c......A-.).&..FN...O.2.k...w....!q."H......-v.i.b..."G...)!.r"b._..%..Y.{U=.O..{...L).d...w....o...5&.........\|..!.X.^.3...... .\....-....Cc..$.t.$d...4-.....5x.`'....2(0K.)....:'.!lD.<.<...G......Ac..A..K.)M.....8..7/L. .gP..............`?..o....U......mj.m...7>...).......swK.>..s...46.P[.RJ...&u/a@..C.~........l...^..'!6^>........=.....S7....ps.<S.aB-3...Sk.6..ta...F1.^u.5r.><.V.....S..k........N..B.n.C$.?{...V.......%.CC..5........e../.m...ZO..x......=).Y...3.Y......F.T..pC.jG...WG.x....B..G...N...P...P.m....=0...i.UR..u....5uv..m_h.i/]ti.[..&M]..r....g..,v....S]..B........n.=(R.\v.Fq.]..GOZ]=.@9.}..E...y...v8.$..;.'..q......[..?7..s..;...Q.:!...aJF& ..}....QV...\|..vR..{8m..m.C...hi..X.wd.o<....+=....#~}. u.s.yr-...aJ.7.\|...n.X.o7..........+]p....,.~..e..a.U...;.J(.9oG......(.....).>..O."2............m.u..6..I...\.&...[.y.0k].......}.o .v

C:\Users\user\Documents\BUFZSQPCOH.xlsx.PAYLOADBIN Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1070
Entropy (8bit):	7.7948315193619555
Encrypted:	false
SSDEEP:	24:swzHZRdub1nGZl3RQz0I2b1xUuLGzdZFm3bZus6:1H941n6lhQz0guCzzO6
MD5:	506A3537D8FD6245BB4DD27C83D6424A
SHA1:	31F82F4F9BEF7DC5C583C7FD216997D18C24C30B
SHA-256:	D3474140AC0A930CA093CC852BDE9D677EDCFD4BEB0A4677CF8D8A43EA21C46F
SHA-512:	704BCED8BBFD6820A0557C1403AD4207E2DBB393CAD52C7422C12C7488641659E9432A7DA6A93BC18A46FB3109CD0993623EC041FF9A5467BA4E54BB1BA64EBB
Malicious:	false
Preview:	.Re\|..\..M..a..L`.....[.....9.....l..7u&=.1.g.i.K[rAQ...6......u........)P..?$rU......c.V...($......O."...~.-..^DUx..Zd.....\|....kw...7^...ca.n4\3..>....\|Xu`.\....G...e(N.:........<....".8+...=.s.e..n.k..f,..vz.<3...B%.e...6....#.t......L....1DDYs{n.D.y.\|.....Z.K.....H..."...E/(~....\|..KZ <.p".G..c\|?...?...?..P9......TE.DpM..t....E'.h.....{..".......xX5..7+I...m...?....sR...'../.5.s...o............dv1......Rp...[..Q{LpX..r.Y._T..?+.l ^..t..vY.......=mF.V..x.E....q....o.+.>.(a...ehq.aL..R../.#.Yd&...%.CC..5......\|T.).9..[g.8e..Kl.._(..=r5...x....7..5..v'u....h..#....Lu....T0.:..1D+9I....(.Ja.....,...\D..Q.[.:..8.._..+..n\1..Xr4...Y..\|.7...~..~..w...p.ZC.T...b..7..H_W...g....a.+oD.D..6....Mt....8.N.I7v..i..o5.)...u.....9.#P?..X.0.....%Y.zo.J.H.b.....B.M......o.>b#,@.Q......8..BC.r(,...`ED..\_.;):tQY=..bQo...f............x......L..Xf-....%.2....W....OV.p...<..y..D..-..J9fF./..'...C.T6.a..m@...}@..d..5.......y..X{..._(.H~%>

C:\Users\user\Documents\BUFZSQPCOH\ATJBEMHSSB.jpg.PAYLOADBIN Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1070
Entropy (8bit):	7.83979548241127
Encrypted:	false
SSDEEP:	24:NC6k6pwLrm/GvY5UftLdmI8FKAj6CB2wMv6sCe5RlF:NuLyWlLdmCwMSeblF
MD5:	9833FE0C94A75DD148DA1B0046CCC38D
SHA1:	A81BD92C41095B824B35A870B648FB10CBF17072
SHA-256:	0EBF0DA8FC2CB9657793F1EC5A1A3C2ECFC8C654462FBD422BECB592C0C445A9
SHA-512:	8C3920BB0C3D733A28BF3DA14D81650FA1BFFBBABF74B11FEDC7AFACEF7AFCE7AB473F3EE35CE83B6FD8C616EBAE62B262FC7FE66F66D22F20152A256246B6FE
Malicious:	false
Preview:	..."......@.^./.....<...v..p?^.(.....Ub....\|..o.J.7.:.....{..p0.t..3...?..O.t~.U....M.......IF....uZ.E....}x..Z...3.S...".J.......]S....2\......$7..'.$j=1"...>..w.m.....:.;..T.x...Y..T..M.U...S].}\/j$...I@V).=<!.I...mI..1..t.....mu.TB....G...D...t....k_..{..o._[-..u......v..../l..F..@.H.~5ZI..%.K.#.-.....R.s3.{.P...@-&.~..6 ....]....0.?G..R~..t..T.%.%p...M......a.......,.]ZS....2.'.{.7.-.......\|..A.s..tbF.^%(`.Jmv%H..9.~1&.X\|......8k. .ng.mP<.....}5..:Y...R.t]...l.Ml2.....M4..!8.'....AY7....@\...c;{ .!...%.CC..5......c...6.N..?5.J.$..zk....t.a...aV.)M......o.;U\|.F<gNb../.L.-.j.\O.C.'~....!..p..:..T...fm6.M.S.........1...)/..C<.8..?....b."5..t/..u...1+...V.r..E..O..".1:......(.T......JI"..AQE.o.W+ ..T.j..PW.J#...j{,yI.......7\5.....G.....He.^..F .D....2.u.........<]...3c5<@..l6."Dno...U.I9....:".W..R.R..7...L..L.........l^..v.B.R.mT..:%..P....+2C.......=....ww._........(+#....(=.x....."..,o$eE#..\o.@..#.XD...`...>....;4.z2...(t..T.

C:\Users\user\Documents\BUFZSQPCOH\BUFZSQPCOH.docx.PAYLOADBIN Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1070
Entropy (8bit):	7.8142569448512536
Encrypted:	false
SSDEEP:	24:WdWLWAHg1wKHLDLsFCjfGZDRFf08R/cxhf6c7RF10k5fgRuB:DLWZdLDLsFCjfYj08gf6sRF17rB
MD5:	18F0503F01D98B4B1858D14404EC8898
SHA1:	3068F803A05A0B42ACED5D7603E7E1F41439754F
SHA-256:	BCAA24F280EFCE0A6010F8EC420A2092D69E01828A851513A19030114C7A1894
SHA-512:	6F437145AA719B4DEA4EA0184F71B7E522FC5004DA43A19DDD39D59539E4114BFE38F9A434175C80A04653EC746AAEB2A56A44E08025EFAA075762F512479615
Malicious:	false
Preview:	..[.5O.J\|V@..`c..h.....hk;z^..0....T.. .....x7u..I0..fg.0......1,.L!...b..a..8e...N($.7./g..}.qb4..g.....4.s.,.b_J./..w.$".;'..]..q._....~#<..i.N$..z...9...<..?.8.-2...^\.......[.G..=H.2..].P..j.<sF.k..>D......N.kE.3.v.?.W.Q.....z?..$.7Dr.X...4..=..O..&.d..E.}..W....M.w..z..._.3..r...3.^c...?O.F...c..9.)...3.v.8.~[......Yfk....d>.q.c.U<.6n...AH2lX........e.?......X.b.)/...;.C.n.I...g.d1...........y....k...U#...<g..;o......\FP..<....U.uY].1.q..p.X..\.(.~U8B.%gwK....Do.i.....,^_C.f...V.u...v.z..;..a.3_.#.k..t..-Q7...%.CC..5.........s.^..Qx.0./.....1..........}d......$7..B,.7w5..t.u.aW......P..bR..G.N.W.C.U.j.3{.7.1l...dP.!..F.........&{.2<....5.fT.....N.d^.wb+qg.).........oZ....Rr....%.p......G....y...W9.b.. .;...(.7b.[._..w...#".K...&..s,...\|...........L.@.t....../v5..,.pd..G.........e..` F...cN.Z.0.%.1;s2.r.c..c.)..W....i......O.k..mjC[1kX.....y.l.6.R.7:V......+...0.6w.ov[R.I...g......{H...T........7?`..C%...".V..S{...x9.q.)..-.go..-^Fz.

C:\Users\user\Documents\BUFZSQPCOH\BWETZDQDIB.xlsx.PAYLOADBIN Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1070
Entropy (8bit):	7.832398128278254
Encrypted:	false
SSDEEP:	24:QunicoLhfVry2RXW4bf4XOA8W2yVUdleJq+2O:TnTodA2RGSYOK2yVElOqPO
MD5:	EF1724681C0C5A9A3FC2CE9FE1A8EDD3
SHA1:	CE562A2907B956DD1986F5FB90DFA02695FD49A6
SHA-256:	3A4EA33EEE454C90C962DE7F0A6173C67302003A9664D39DA762882E5960FB19
SHA-512:	FC879E54F4B90027140411036627B76987631B7B0D007E49F51844A33C4B558E94B74A1FA3B7EE2EE2BDF2FF856D3C6F07AAD9F3104EA31A100316C7170885F9
Malicious:	false
Preview:	.........u....3\|nl.Z..,._..>....H..T7#.........x(.D.....2...T...s..!!..r...{.,..~.r.zJ....J..<..~"...b...2.........L.L/H^9.......1`y)..@..b..X02....Y...........:/H.k,j.>.Y..a..9..=m..$..N..ss......}.\|..W}.-U..bm."....L....xc.U'....C.......".z..Yd...C..$....yV...gm.{.Z...9..Y....d....f..:.....z].g.._..7.=I..u.8...Kka...Cd.Wj..p..t...U.#0!\..\|.~....(......y....3.a.i.jL...c...0.I...\.F.t....a^...]..b.z..p.\#0s..J[..t..x.Qd.wZ.f.;.'DuZ.......YK.R.$...aN...m.!EP]IW..D.p.......-.J.i2.;.f...g.+.!4\......0\|1~.C.o......AZ.....%.CC..5......8..RL.A....0T...0...-....u.G....Gho.Y...^.].......[.....A.J...'W).{6N.'.1..gQUUP.F.....u.....hE/..@.A.Ly.....3B0.........@........A..hj4......#....GMfX5!..sB[..<.:....l.^". S..8.0..G.....jP.....z.6..Ez....#V..P.....u..V.6.nB+.......l.fI..c-..I@t..U.U.k.g....X.M?......?g......'.f..Y._S.O5.\n....=pU..a..3.$......!.=.......v.~..)5.4.^.>..U.V}j..V......m.9.y..K.....3..7....`j..@1..=.\|...(5... .....3../....<....H.

C:\Users\user\Documents\BUFZSQPCOH\DWTHNHNNJB.png.PAYLOADBIN Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1070
Entropy (8bit):	7.81964219550871
Encrypted:	false
SSDEEP:	24:U1V7YSWkK66Mp8y5b1BQsSXaw6o6C620YBeEYemyqg467:U1dxxGk8yzxw6e6TYYEYeQg37
MD5:	E728046C688863E3256CD4776FF8A845
SHA1:	3E9E9EB385A70CA4F214F5BD51A72577A3391197
SHA-256:	825C52DF5A6F72C796C76A4CCAE1833C859FA88C05D5ECD3EEAD998AADD13CBC
SHA-512:	76B31D09F8BE681FCE017147448D191017C81423C8C86D082359CEC1552FE3EE6073DE2AD5C030AF09FC3F7C5FF840671E710063DBB9D66417806F07AC611699
Malicious:	false
Preview:	.g.......R.z..@MR...$O>............E...@5..;(O~@..OZ.../......0.r<...#....M.....S...!t.v8.tp....I.!.wYj6.&..gy....V.....u....on ...:....+.X6E.R.O...:.Dg..5..A.n.}A...;,.."r....&........."....:.@....R)C.K...b0.FP..T.n...g....7...l......S........Y%........~..<;....I.)KR...W.).VPh.s.!.]"/^&X9g../....s.\|x.)-w.nc._+.._w58....4...l.t......<.Q."c.\|._.&J.%7.j..m...+......;.i.m.....aZ'-e..-{..]Z.3...p`.pw..U.Pq.>.lH}.D.N.;.......Pu9.k....={0.If.%pT.w(..z.Po....8.].$.p..L.\|..`...D....+_.g..\.!...>......$.2.M.$v.EBz...%.CC..5......I'.I....r!3fB.E.!...F.E(.Q...._=.....W.u.w.+....D.?w.....C...L.^..3.^wx=NgB.c..kr]...u...V.n....u......&...x...h..........1%.$..\....n\=r.m.&.B1.l.-..*.!.d.....8....B8..?J......U.F\|jj.j.C..6ZU...a.k_.6.B..i........\|V...c\/.f....J+._..-?N.=..4....A...2r.l..R........9...vM..v...h:w.......-.o[uT.,o7.w.@..&_..l...........$.....;.9.{.C@./,&.(.`DC.s.@....J=......r9...Ln.>W..\.......8./:R0AV3v.......2&]...K7L..!.%..ZM~R^

C:\Users\user\Documents\BUFZSQPCOH\KBIFTJWHNZ.mp3.PAYLOADBIN Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1070
Entropy (8bit):	7.815377447024363
Encrypted:	false
SSDEEP:	24:vsa5Yh39TkYbek0uo3RqN147aiTxHPFQ3RgH5rXxC18n:kqM3lkYSqAkNG7rxHPFQOZxC18n
MD5:	7FF4FB63802CF03342DFFFFF26435CCC
SHA1:	9E1EB25222E34A9294198733C37E178340E6C2EC
SHA-256:	4310DAEB1EE14CB796F49D7C191D9F6E72DB175D344E0B2CF64E6532F56ACA0C
SHA-512:	34FE031B2825388B1D2962E486B595A3698CB7A165D1AD4F007866F98EBD9745912547BDC38B1C8F66D827E22412E935F089FFC8728BCB09794192EDCBC842EB
Malicious:	false
Preview:	.Xk. .n.dc[.>OG.].Qn.I..n...U....5$...4a."..r0Ha.si...L..k.i.Q..9_t.8!.....4.+9.....g..i/...4E.].%........(...S.....KE..=..n..hF.c.~.`.}&..V@..?(.]]..-.\b..m.wn.)c.....}..i...C.b..QJ...y.i(..b.-.0.........A.\..U.x.`+DT.G...w.t.......#Rr]..i.B.;...?...l..m.E..\".._/'L..}.r..N.F..].. %&.1.`..<..w...Rh...bO4.....N.....;r...N...._.{....p.}..^.q.6~...a.N...L.....(..".G..(.dpt....Oy.!)..]K..g..bG'.}..;n&...m.Z..M.NR...@.....'o.......) ...B....=.L..........}.V..(&.Sd..).)..".n.0f...G.4.....4....P.,....t........j......%.CC..5......R.h...!i.o`?.(...8c. .E...u..i....$!.Y^@.....>....$.E.+9.C.kP.ow.9...)......r.k.R!4......A.L.".tt.2.......]..7....b.0...Js.8G.....6..@..d..v.C.f.'.#_.$yt.}._..].v....q....O......JUJ.@=.$.'.f.l..E@]<..].cP+.. .g..+.R....7BT..'...F..Ag....V..Re.....=^......sQ.F-{..r.F"7.....<......!......7.#.l.G..YZJ.P.......Y..pmvQ.T..z .R$.a.....s.7....t....L&..'P....6...MZ.2.^.b..e+li...+.?n....A3.f......#.....5........U"A...".....

C:\Users\user\Documents\BUFZSQPCOH\PAYLOADBIN-README.txt Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	354
Entropy (8bit):	3.4546009930890347
Encrypted:	false
SSDEEP:	6:Qn7KMM0dOLlPq0SlufB6PYxTflE6TcGsZmCulv9l18I30qlAsXQW:Qn7cbLlXSlroNEecdZW9l18Q01y
MD5:	30C95C97318E18000E6CB5682AA9143C
SHA1:	9C90986F29067617D9C13192D99B1104CE1DFBA6
SHA-256:	2A662CAB195B9C81BBEDF676F3D54A6BB326CD8B6112C928404E9616DBB8E851
SHA-512:	10C1D4EAA6FAEBDA3FFBC36668EFFA6E8EE96D3E93E4E8EB34D843432C6A7102FB4212AD01E3593BC3D32F06CE6F3C6264BA4D9238A8BB9314B7154C0E213D57
Malicious:	false
Preview:	..T.h.e. .n.e.t.w.o.r.k. .i.s. .L.O.C.K.E.D. .w.i.t.h. .P.A.Y.L.O.A.D.B.I.N. .r.a.n.s.o.m.w.a.r.e... .D.o.n.'.t. .t.r.y. .t.o. .u.s.e. .o.t.h.e.r. .s.o.f.t.w.a.r.e.......F.o.r. .d.e.c.r.y.p.t.i.o.n. .K.E.Y. .w.r.i.t.e. .H.E.R.E.:. .#.1. .r.i.c.k.h.o.o.d.@.a.r.m.o.r.m.a.i.l...n.e.t. .\|. .#.2. .m.e.r.e.d.i.t.h.p.a.t.r.i.c.k.@.p.r.o.t.o.n.m.a.i.l...c.o.m.

C:\Users\user\Documents\BUFZSQPCOH\WDBWCPEFJW.pdf.PAYLOADBIN Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1070
Entropy (8bit):	7.820590338899635
Encrypted:	false
SSDEEP:	24:ljpF2U9pFFZ7fwaCGaKfYOlRcUmV2SMFNkrcqqn5:5zdFFZzCGlhw2SGqq5
MD5:	8421C61A24B57FC8B878187534607481
SHA1:	82E9F91350EFC9618611D362C33D468A07A9DDFB
SHA-256:	FBC08D78510FB2746E5750F6B2BEEB4B27EE4417AA5BDD125B1DD9D0CA7D1E6A
SHA-512:	F5402A4DABDC1DCF997264F20D2FFF6CAF8D311E96D4CA22E94E9A68A6D9E62BEB23692EB223D658C820CA421374B62B71F3AD32FE66C1F31ADEDE7FF56A4738
Malicious:	false
Preview:	..]\r>G.&U.....z..v...^.7c...."x..b.r.k.....y1n.g....z.z\....Ztm.!.l...H.=!v..vD..[..._..=...d,gy.....y.b$F.D.H`e...xC.........;.x........B.]N..Du.{.......$....!..fI..uZ&Xn.8'..$.Z..k..V.E^...`Z.&~i.....q.........q....p.E.'...<..k..b.....j..:.\|.....o00.{B...C.}.x......A.,...K?f.}jq......36v.....{.Y&....g.}........Gv.97OomL.s....}P...e.U6.l.}5l.....-l..O..^..;..N.u.OL...C$J.a...!..,_:p.;...T..[.....x8.{.L{.3&j#.@.$........>p..P.F....i.:S....B...NI...!....w.5`....I...<..3..xk7)S).{..f..%X.E@.#...@.>O.........%.CC..5......Q...k.FX.H..B.....'...W9u4...+8..........V...d....b....D31.@........,._>.Fw3%..#...6`....{.._.,...S$.q?..'."..\.....v...-n+....=1P.3...2.r...{K..=4.[..p9.+..!....Ib.$.:.......k....E&.t.0....L.`;.7.........I.-.{..G..E.e`r.L{...(..8e.3..o..$he.....=..6....H"u.!..O..z6..~..\....n,..OD`.;.38.. ...D....A.J.nA,..a......B.8^..a.N..8........k....-.....'Q......H.j.\|...-.3.y.V.=.[t/.........`.....fAV.....c.e.?..z{].tr.`.

C:\Users\user\Documents\BWDRWEEARI.docx.PAYLOADBIN Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1070
Entropy (8bit):	7.848169607905033
Encrypted:	false
SSDEEP:	24:MBUdM78kH7ad2CxcdcOuO9g5DQZ4cJsoI/Mx75BBvi:MBB/76/wcLOW5oHurEx7zBK
MD5:	0003865107A266ABC717731CEC1A4591
SHA1:	4B79436389D6B464B5BD3EEB32F33D9180C8B442
SHA-256:	270B523F4A488EB49D5837A5F92079AADF4B6067EDD62E4A4D80BF557C51DA2F
SHA-512:	6593C5FB8DE3C2C68DE32ADCAC1DBDE7A7D2D73D6453DD3244D14A23DBF1D90A08628F321C53C69D5AA1888B65649B8F1B293575C890FC3320F685B2262E26BF
Malicious:	false
Preview:	N...S{...i...(m.X.Fm..1w.F.F.}1R..>D..). .g.....c.i.;.......L...CMh....ZKW.....zT7.....b..g .s.....S,X.....V..+...\|.-.xXq...4..}5..Q.x\........._....,...d.....O........4y....2Cd....;.7...2..f....1.Y...m....,h.p.B....<C..C:t!.F...0....F.".J2....T..@A..^\|.I....Eg....Z.k....)...)d87...m-...j.... b...7e..?.`8B.h<'..N....M.....?2e^.]Zn..'\|..F#...86...p.../=.b.G...'..TWp"$.>.j[m......f...k.r.F.`.\..2....F....D.....Q.sa..c.}..X`.R.W..M...th...WTs..7t.P}....H.i..E]...p....1.!............l.O+..]...)<p0...4...i.%.3..V...%.CC..5......u...,!I. .@...#........YoJee.#.%.z..z...........=.EM..........3.olJ?.....$A'6....%....&$O..2........K.!;..Y.+..........^.1...@U..".I.cB.6\|[..ZjT.."&...\].>.`..>;uQd...........B.E.....Y\|]Qx)...,..mk4XFo..\|%..Z`j.~._X....D..@fu~..z+.cF...\|y..vB.I.......T.....B.....I'.dt}...{.%...M.._#_(<TR..l.x.n..o8..8.j.!...$..B....`...&Ctuy..~...w.$k.uS2.....A.m>YYG.B....Q..t.r.O.........o.wz.j..2.._.....9...HwA.Oy..,..K5.. .+.\!\|4.

C:\Users\user\Documents\BWDRWEEARI.pdf.PAYLOADBIN Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1070
Entropy (8bit):	7.813290769252266
Encrypted:	false
SSDEEP:	24:4Jm0dY3Cys7h1zz7Mt9/36ibpQXcX+VoxBfPM2A0akMjQD24n:4JXh1zUXqibpQPujfPM2VQOf
MD5:	A0527EBE6F12633556A4FB98CD4ADA72
SHA1:	020A09D38CDBA6A36D894A8B5B232E1615F41F26
SHA-256:	FF36A900FF0E3E08447A3EBAFA38A8952F8CD7FAEBC23C3F97645939B394E676
SHA-512:	4538276CAD534E4539BCE71AA722B1B971496FBE184C5E2370D0EC00F91BE3EB886717D32C0DE73ADDEDD6250889F5B8C5207AC398B2E76749E4AE6A252C110E
Malicious:	false
Preview:	.iiV..D.VD.8...d.....X ..?....e..\6....i.._.H.g.n..!..3...U...$.v........Z.J...t.;....5A9.....?.v.a.1..I.k..."...n....y.r.@15..L....j...F..........]....$@.tF...U..$2.e.....].....U....F...1.G'!x...].B;..Z..p..,.F..\U.......t.........t.zD-.m~.a.......Zd.}!...u...=kJ!.%..4....GB.5........Iwf.h..c.-.7....^.......R...=..$..<...d1......<9.j.<...MlQ&.......S8.&.N..S.:....-..s!....U..F.........s..mG.j.-...Aoz..eP=>.A.......N.x..2..u...%.G.j...........v.e.9..,...`.kXb......nUj...}7s.1.....Fa2.+Q...IK`8...i.z.F.^I......%.CC..5......3.....o5.I..$.H.rw. ....\|..x#..G...3w.,Y:...$8.Dw.s"..cQ...#....X....;]...e..&._#.%..3Y........0.``:+ b..@...h. +.7..A......]c1..........).3..nYEVS......Y`.G...d....mv:.....~@-..z.C.-C....F.....-Y.<.>.3............o..g...X..Q.....0..mt.&..9....?......=.x..m....D.@..Y.A.......{......`H._...1..~)B$5.Y!..9m$G.......m.k.6..h.&/14...........C...4.. .hz~.th.IB.].k. ...`a.c.T..-.qhJ..'...\|.$.......K*.<..)..k0..._.H....{.

C:\Users\user\Documents\BWDRWEEARI\BWDRWEEARI.docx.PAYLOADBIN Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1070
Entropy (8bit):	7.803099916526944
Encrypted:	false
SSDEEP:	24:Z4Jgdi52XiXQbXPVzxmBho2X3soIZ1dCuZtBgwzv:Zc5Iiid2bXcos1rXv
MD5:	DB11F9D89837B15AFC774D39560AB95A
SHA1:	E000B60F660C96348B3B40519E0A91D44351E376
SHA-256:	C78F143B545268BA7C22C73FC4AA7F2460C694D86757E5133144CFCCE2279159
SHA-512:	8ADEECAD71CA19C3D55E78BCBAAA6437AED72D6A78D1E8FC841DB18FE8FFF0B36EEAFD82876CC78DA7A91A49FF384BA29294BA572B2B47DDFB3089826E8E5D34
Malicious:	false
Preview:	0.#[p.X..Kz[K..f..-o7u..S5.1!...9.8....A.v!.._.Q"QoN...[./t.L..L....[..:...\|..3..F..P~.......Z.M...5..t.Rh.4...`\|.....-.T.)..:.}.C...P?...6,.^.z.S.}.~..G.M.].w..).QWyl%{\...~9!.dr. ....f.$.L].7.].'..:>..O3.k.0.I.:..G?..1..:.....U.S.w.@+....y..i.....b..g\|.v.h.7.{..J2..3..........Vu.O.].....n..p...:...SN\|..'./F..l.;....b..........d....Eg.x.D..d.I.....m..[...~.j.!..J.......}.6..../-.{J..<.'.>'.V...7..-..V.U1........7_._.t.............<...T9.Fqz..kxU#.M....v%..2..6_....mV.....NAP?~....K1..M^Z\|\|E]......%?............%.CC..5....... 6."f....j....o.S.NHnm....gVz.,_A.+!VC..U?.D......_ .\..o.V..a..s..u....f.......,.u....O....%... ....[...#C.........n..".!a.,..O$..egm.;..iV...N............{k\|.e.....:.....1........E..'.=*g.-..Q..K.......&.@%..\|J(..D..[..s].T...V.Y.w.....6.LP....{'>..H..C...xOk.....3F.% _e...)\.....^.....b......S.G..A.C.m....^o.?..P..2.S......o..n.M.ch.......l. b.et....].......t.....5Yb/..{%....2n.yyg.)...Z..H..HAB(\.y..A..F.....D.eF

C:\Users\user\Documents\BWDRWEEARI\ERWQDBYZVW.png.PAYLOADBIN Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1070
Entropy (8bit):	7.801850199307392
Encrypted:	false
SSDEEP:	24:8cXr3uQn+ltFgqJPrMWVCmc4YWWbYqX87sS1IbSpVszg0vk:r73LIVCPXWW8w8/Nv0vk
MD5:	B534FBFEF3B5684CC0F2DD468C57BBF8
SHA1:	AAD7A0ADBE8420747760564F191FEBE6A23DC63D
SHA-256:	2E7111DD4EA4E2FA618FA2840764C96DF6760DA03C7908395DE02B6127CAF9A5
SHA-512:	A5377A9B2DBDBF7BBF99EBDDD73F23173339F289BE23257C3A26D3BFCB276B87C6DA32C7CBB875FDD5EB326BECE0AA2CEAD1CE497D1E1E6E99D2899759283A9C
Malicious:	false
Preview:	.!z.~..3..Q>e.,..7...\|VjC....X...)O.b.....Av....s........9.....K.L8=...,b..Em..'.....@2..9Q%.:....V>.....64.l.....LS...tdb4.mr.f<.d...j.?..T..G+..W..C^..p...e.O%~..QS..&.............5.w.....8e?.6..>.Z.S....e....i.....G.fm:^.P..b.M..8._.e...bo...09..i..w....XX?&.>../.X..G.j......KM.....Z!.....X.....4"..3.R...&N......#x....&.........."Iu\|eW8.,.W w... ..siS....{ Bw..i~.'...Y..c....^yn.....~F......O.6...e..J.o....3v...y../....~....I00,.7.P.....;.....:e.E;xY./..4r(C../...../.L>.R...Q...pW"X..C".f....<c..en.k.eV.....%.CC..5......G_........2.../+.k..2C.S....<{...$e$x1....S.2L....O.F^n..$.`O...P......G>^..cH..C}...SqC...D.l.._...9.......;.:`....b....8n....Ry.Y..(..z..)..k......y.a(...b.{R.....n.z0N]..N.uf..k.9.3..-ie../...w.t.._7u.}...k;^.I.......?Qd.A!4p..D..n..t..E....>&.k.`i=5.`gF....y..+>g..Fz.<3&..2.Oz...r.d./.?...b..Q1......6P%..[..kH...yi...?\+.>r...#.'..(.-I. ..>.P.nV...y..............*d.p.X..-J...j...a...&n.x.m....t...=.F(...Z1WM.....

C:\Users\user\Documents\BWDRWEEARI\FAAGWHBVUU.xlsx.PAYLOADBIN Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1070
Entropy (8bit):	7.807325183459182
Encrypted:	false
SSDEEP:	24:8qTx/h5aqbEY8GTRFRUjlpKSXNYlKlXDLDArOii32S4bbLtYW3fUAn:H9BZ/UjlpJNYeqOi42SO6WT
MD5:	26CF3AB3EB1740A4BE85FF3FBD918C52
SHA1:	1E96BC946E1D1221CCAFCDCBF43085457D64F18A
SHA-256:	042BB7E2E28420F21351CA3716AF560762F2030B2FD2A0B8CB1FBFA20B3EC508
SHA-512:	3986561706CFA7AD4DE8B710E25AA3038B396FE77B3FAE7B726EC534712F49221F3E5FB2E3720574D70EC9C0F7DE850948CAD35E33546115CDFF3FAE07E1ED04
Malicious:	false
Preview:	..,.L..m.......y..........Cp4..gkk..(.CY/.7~.[.......0k..Q.'f.).....w(..F....<!...!.3.._...r.BLhm.U.../).....Z.../.9q....lo.&...9...])...<.!_R.H....&..~....1u.\|.....(=FP)6.N....e4.R..+,.==.j......[...T.?...\|B..%.Y.+..KWb..U.,r.f......!~X`..5[.......rB..H4..wrp..d\|%...W...P..Ky}y.T...&b..?.L)/?s...W.+8A#........./ 3...R\|.w...IB8..7;.O..D..../..w..o..Y...CgtWw...?e.....$_.6.$....ym=..L...9h.N,2....9...\|}.[.C.]._.s.o\|G.dP.Ou.....u.(SL.U.,..ko..6...m..AQ~.Pj..+hD3._G....z5.W..[..N....Qc.....7.qS....mb...EX....%.CC..5......dlwA.V.r...k..poV.eV...B\|s$......N:r>.......2. ....U....zlh.F..1...V..n>f.V_'/....."G..l.1t$.0..OYc._pK.5...+(}..6.u.^=%.-C....?uZ.].vD.].@.V'..r/.....0RQ.E...j..."....yO-zu......D$Z.......RG..#...;.A0.s #..}rj.ST..x.y.K8e._..EY;.....Se.t.}....)_.G...........5....%......P...&.X../TjL..sL_?+....../..F..U..B..U.>.....='.........a._u]..]\.F..=...L...f2.Q...s[p.\|...#*}.....SYu.5..Z....'K..G5.<...F$m...<.b?.....0xD..v".v...

C:\Users\user\Documents\BWDRWEEARI\FGAWOVZUJP.mp3.PAYLOADBIN Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1070
Entropy (8bit):	7.816730540470526
Encrypted:	false
SSDEEP:	24:KDYRfb/k4Tt6l70JeG/dbC+2Zr3yZxHqybKKoG/e1sbx7YHp2iRj:KDqfQ4h66Jx1bkmZx9bX/e1s4Ioj
MD5:	04CD80D57F42F8787C8210FB9994275F
SHA1:	9C758308CE6A120072F32E830405421C218DC500
SHA-256:	BC623F6C5500419CD4AB7FA09A145A3DB981F6D2843BAEEC7CA76E84B8788DE5
SHA-512:	1C4B233D0DA7E34E50BAE37BA12E6A88A0903A3F3EB3B8E1A2FBE144C36BD9105C4667A422B4C1182A45C0C0D5572FA72D5FB894F48AC073CE9E975A5757A89F
Malicious:	false
Preview:	.-#.c5.^4{.3.0Qp-..I8.o...(.z.0[z...\....].~}..#.`...%...F...sOB..(7.......9..R..<.QI..a...a&.+.V........D.V.]....o....[8.w.....Q..8:d..8..g.9}Z.4/.L.1e..m...-...........zC.@...'.TN.E.U..%....Q...../9..]:`(.3..;z.....~@...8\.)..l.+Y.w..P....-^GH.!.O.?...c.H7...Mh50Z0..'..D......j.&e<{X.}....k.1."4...m..6.]~<.}.".i9.\|..&......(....u.(.'m....4..L..{a.V9..5.V.\|.\|.=.p3w.a..qe.........-.^.t..n.PC..iN..u..^..%...6B.E#p...K.Hq....z6...n.....&A...n,.R.dO..........c.j.M.o.#..{.:l....q..D...^g.%..U2.O..hZTl.....h).....%.CC..5......Z.:....Gm...L..q.......u..`.....J...c..u.0Z..+-...}.\.".......1H_....T....={.........h.K}...G..V.{lo..!'.$-.y....CW.P.[k..T.'...vl.j!..j.....#...3.9r...OE......-:......kWI.og..#.P...yk.G59.n...#.S..2B.1X..R...!.F.+...f...DB.....9Q....O......&<F2%G.....G....x......3...x...(...\|.'...(...........eR.o..R..h..5&.).....x...f..#..AN....V;...&{4.....0..........%2...f.r.\3'..4..<8.i.<?.w%...T.4b^...S...a....:

C:\Users\user\Documents\BWDRWEEARI\OVWVVIANZH.pdf.PAYLOADBIN Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1070
Entropy (8bit):	7.811745996724029
Encrypted:	false
SSDEEP:	24:v8uDCGIYROnkVrsPl33it1hDVXER0axj85/CXLF:EetVc3y1dVXK0qjQo
MD5:	233E289EBE2956D2BD1DA8599D4FAC7E
SHA1:	271A2C20F63D747A17A6EBBA4E8C95AD06A4F080
SHA-256:	24AEEC57A017AA4EDAEA9D7DF6D661DE484F671670145874F70DD3FC10D8D03F
SHA-512:	9B5560E0541E309DDA6606C72765228F9CAC56E77B2562D0D4D08B309415477916CE91CCF2041D5115ABC5AE2578F8C722A417DF54C31A55F02C1E9F238FCCBE
Malicious:	false
Preview:	bOI...%F.J..-.hn...2...I.+B...i...}:.....${...j.6...M.u.b.,7y.......^}.nQ.w.w..4\\|.L~.b.,.1).r.S..O.y.c.3.`.I..90......gr.a.{.,...ThZ..3BF\.EQ..X.^..j(... .........pn..i..a.....Y.},....V...I\.......$....0p..5.{`...C\|..v......2?......$dX.. .].Q....t............Ts-.....xk"...\|.\..U".E..H..,..;K....9M.:.P..i.WN.St.=1y...o.8.g.W.......w:.j<U 6....KG.k.3.E.....EK[h....T...D..=.....x.zG.....p...@.A,T.4...I..t...DC....5.i...,M...\8...D....#. ....3._...3)..x[.2....X...S0.k.Z....Y..0a..Yk.....3....O..ZF.y.. ..o...~.>H...%.CC..5......g..#.p..0....C..y.4ZB....j!...Ok_x.&P.)... ....G....-.u.F.....49.K...d.8.I...S ....!i..R.~)....I..H.\|.i..o..a...w".(<.0..!]>..\|.../....I.....5...pE...u.<..g`O...;u]..MS..)+G/.../4..u...X..rqa<......6d,z.Y%.i.:2...o......Uy.:@.e..\|.@.!....{;..M..tH..'b..T..Ys.....3..Q...j.!.4..g.0..g..g.ZA.Y.....q.....u..(....=.ze)4:..m........'...O!o.ox4..?.;.B.....3....\..2..L..9.x1.......s....p.Cw...m.1.... ..z......6....65..

C:\Users\user\Documents\BWDRWEEARI\PAYLOADBIN-README.txt Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	354
Entropy (8bit):	3.4546009930890347
Encrypted:	false
SSDEEP:	6:Qn7KMM0dOLlPq0SlufB6PYxTflE6TcGsZmCulv9l18I30qlAsXQW:Qn7cbLlXSlroNEecdZW9l18Q01y
MD5:	30C95C97318E18000E6CB5682AA9143C
SHA1:	9C90986F29067617D9C13192D99B1104CE1DFBA6
SHA-256:	2A662CAB195B9C81BBEDF676F3D54A6BB326CD8B6112C928404E9616DBB8E851
SHA-512:	10C1D4EAA6FAEBDA3FFBC36668EFFA6E8EE96D3E93E4E8EB34D843432C6A7102FB4212AD01E3593BC3D32F06CE6F3C6264BA4D9238A8BB9314B7154C0E213D57
Malicious:	false
Preview:	..T.h.e. .n.e.t.w.o.r.k. .i.s. .L.O.C.K.E.D. .w.i.t.h. .P.A.Y.L.O.A.D.B.I.N. .r.a.n.s.o.m.w.a.r.e... .D.o.n.'.t. .t.r.y. .t.o. .u.s.e. .o.t.h.e.r. .s.o.f.t.w.a.r.e.......F.o.r. .d.e.c.r.y.p.t.i.o.n. .K.E.Y. .w.r.i.t.e. .H.E.R.E.:. .#.1. .r.i.c.k.h.o.o.d.@.a.r.m.o.r.m.a.i.l...n.e.t. .\|. .#.2. .m.e.r.e.d.i.t.h.p.a.t.r.i.c.k.@.p.r.o.t.o.n.m.a.i.l...c.o.m.

C:\Users\user\Documents\BWDRWEEARI\WDBWCPEFJW.jpg.PAYLOADBIN Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1070
Entropy (8bit):	7.811927377972372
Encrypted:	false
SSDEEP:	24:lDtaahEWK1sHKn0BqTXP6n4e+9lEk78DjYAc8f/eyGy:lDtaahEWK1dnXj64ekEkIjYGvGy
MD5:	44AD13825D1AB3364924C405018E0D6C
SHA1:	B5940C68B42B196DB3951DC194757591D56301C2
SHA-256:	AB507C7DE9F4A01763B969B9AB08194BB7AB64BC8AB2A94235282A72A4B8620E
SHA-512:	A0FDECADB403677526DA6660B3F634998F1B30B4A5163FCF889DE4F1F843462514CB0F0E788C583BD2C4B36326030D9ED842F607FE8B0ABF6B37032C428AFDCB
Malicious:	false
Preview:	.....Th?.S.....YU.....W...cJ.>+.{....S....g./&...(..$......`.je.v..\|...J'^W.......LT..+zGw....\@X.8..u..!..~./.+.{5......!..B+.`l.U...6d>}?g[.y.#.\|\|....C..Y.T..g=.l7>......u.$....N.0m..$9..z...J..\|..s..H..a.gv....U[..O..#...1....dn?..G...x>.BYR.lS...2.G....O....m..\|_./.b[)a.D..?<3CQ\.l..>.9D~.....dRe.Q2(n..W.=...yR.^.....&.tQj\|..Z*..x&!<s,0.+....c...O...d3..V...s..o.l..2b....@..{....WR.5@....&..<I..x0.%/.r..w@..v.%i[V.V!1.I...T .l......;....D.........M. !Sd..NF.7J..n.~....np.BY.....2.....M..L........H>....)#...%.CC..5......&1..\.e..[X"....O...<...4..K..W.\|!HmV....&.....:.....f.....Sh.t.h.)...'......C......S.!<.{...y.Z\.q)L.'....L(.\...HN..9,.%.d7.N70!X.:...)-.v...mt.'W........T,;....%..g......,..l+.`m{.E.Z.b....`m...tv(J."y.i...W<......t(`.....<...?.T.+..z..c9xH..K.+n...a#..R\............z.9I.....\{eX......[..\.w..3...h.S.I.s......g.B/.t..g.S..z1.E.U.q.:..2..K2.J....B..u..N....-.+.....ur..g....Z...].{./Z..,[..n.O.g;O.<.].7PY.R]..u.....-..

C:\Users\user\Documents\BWETZDQDIB.jpg.PAYLOADBIN Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1070
Entropy (8bit):	7.798892373243568
Encrypted:	false
SSDEEP:	24:SyQf0T4sTh+JHYmM0PpEXG+hhTNVwOA7g6uwfncKs7:ShUGSnKAhTNVvFmcL7
MD5:	0F61F977957F872A7E54FC851841751C
SHA1:	1A0A75D48399B0118B8FEB809503C35EE879AA88
SHA-256:	6AFD7E46D9D02BCE551053091259FD9BFFB9732081CFB76AD51E73A80BF5040B
SHA-512:	2DD3578D8BAB7D5AB3BD7C67FE4A49EB9A48642A2E7CA72EC0AAD7CA2AD40009E3D11A74B084CA9A3B6A85A1D4E6C6F59A3A77A94DF02DB8592CFB9001399B8D
Malicious:	false
Preview:	......%..9..J.y.=..B}.wt.b.....cD..2.C.E\T{..h(7B.?ESTYU...@..."m<...NBN.>..H=....q8+..C=.2].4d....SZPM....^m.r...8!...._yJ.<9.mF.9.-.&li.!.zw1.z...w..b;[a\|...8....tZ.>...i..R.....&..P^....(...t..........U~.7...I!.oC...x1..'=..e...#..:K5.vlDP..#..9V...".K.F..^.^.ld...?&<.....TDR1tql.9...r...f^....t...z.......-...."o>.SK..(t.\|..........!...J.,y...$..N..m....f3.{..VC...#..H...L..{...x.........."....T....N....._[.=.W%t.....Y.G.X}....)..m..r.Y......}.(.z......[cS.S...8.,.kv..:.a...Q...d.Dd.hA.oE5^3V.].2A[.v.......%.CC..5......9.,...x.j?.n.i../a.k...qP.A.<^.X"#.....2..9.qrO........OaMFu.l..r{..K.....2..l.K.....+K..R.....u...j(.....C..F.;...9..?...4k...= i....]....Yj...)...b...U..W..v.....=:.<....).7.......x....%.,..vo..K...]...._..6...T>vb.2I...'z..y..tdAY.W.^....\|.28..<....OEC...b.R.t.#@...QQF.-..\...<.{.C..w7..UHV..T.%vn..@d.x[e[V_.\|d.O',.P(.E.......\89.=J........q...D.I.d:....3}..3...&...aV....V!....(....<..:...C....I.Rl-.Y?..Lo./U.

C:\Users\user\Documents\BWETZDQDIB.xlsx.PAYLOADBIN Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1070
Entropy (8bit):	7.821944498449216
Encrypted:	false
SSDEEP:	24:Ljm7JzIELrIoItsE2ERkwWY289y7cClB3VDXraLIyNZHcg:LkJ0ELD3Z5Tmy77X2HZHP
MD5:	8799F6763E59F9CBC4724337973AF3FB
SHA1:	DB5DAB908A5AD1D561756CEDF3EF776109C11004
SHA-256:	B8992F27DF79F73B4A6834B71089B725B0C82CEB472B84D18B705856E26318BA
SHA-512:	CBBAD8F1D86C2D20534E3CE75B7ADA52D3AEF110A7197D0FAEE2B1FBBF23099335D8C3452611731FFD0D5EB6436C3CB7F4EA1C9C3E34FE5F301B682B344AA3B2
Malicious:	false
Preview:	......Az].........m!OKJrO;..YO,D..j.x\|.=We?........o.\|..XF...\j.q`L..}..)...q/~+.N..3m_.B.=.2..a .`.0a...e_..c.X1b....t.c...HSX.._2..........CZ....._@...R.td...].....p...IH.l..%.#...Y..M.~.3..P...(...D8..vQ....u....H....._qE..G.xk.n.Z....uVF.n!'.\.d..}=...eo^..a,]j.Y.Z.`]I.O.....&1.#.@....+..H...4P...$.>...7.=..4....1..x..>..9..D=;...t.:[h.O[,..z..~4.5.Xjv.1..c...$.+gWfh....s.Z..+)..m....:......2.\|......v:_"...Q.....".:.P...1..u'...[E.._0..i...J-....E...}....A@..V.'.C.e.Sf...cNO...P...Ffh\.zd..D..U....%.CC..5..........f.A...O.IF.T.I}VU....+.....9...A.Z.b..B......DS.-...8.].y.....`......W...o..K.C..Yl..U.F.../...XY .O.Z.....?..T7\.>...zQ60..D..t..5..."L..r.?6..o..CVP.....x.\..\|.^<y?z..C..P...WNj5..!t.X.eB..y...I.T..L1R.'.o.\/.y/...O...f....<....Qez.O.}....\|n..s....H.....q..]o...24.....Oy]"~.\R.....\...,.&T....9J.p-...9..G3.6V.67b.o@..D..Os.S...yY..{...p.....j..g%.f.....n...+".......*....8V^.&o..`.5....-e.v...)...+......T.b.

C:\Users\user\Documents\DWTHNHNNJB.png.PAYLOADBIN Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1070
Entropy (8bit):	7.810848336655677
Encrypted:	false
SSDEEP:	24:iukFsB2tE/EkgXycdhIXNury0XL+ECXGZijhmWLq:FkiwE/qI9P4CZGC2
MD5:	5509046B69B5C0D9F46EC6881A2409D3
SHA1:	626AAF1F9C27CFEBB068A558EE49BDDF7877BE18
SHA-256:	1D1956189AC30D1348A7676155E272CA78B6F64993CE8ECD201CA5EABDB69844
SHA-512:	190A713FC1D6D9F0F5680986EF841113766188728772B266ADB8178A85CB11B32FDC19A8C94646CA40FE9C4A53C62BDBB9D7FB8B9A87FAB468052D34EFE97AAF
Malicious:	false
Preview:	..Q..:....V.yMG..,...I..@..RX.,...D..G.m.....Z+...cFu..`.M..]"....GH;C....<z:..92.$1Y.a...]...?A&..u..cT...5..W...2..{..).@....+/......03tnKj@.....=.j\>o.W.......&.w".T....D.....h."...~.M..^f.:-.mC.3.~..;8K.0;.....&..}..yN....9..S.Y...[.T?...7...\Ak..M.r`7f..Dk..ZC`$.k@........ .0\f.r...c...?#...Z..\|.s....X04...j..<N...h..-..X.k....Dg..[...A]+v?j..X..cwwkV=."-0..R....T{o...L..}.Z8`. .......gU.lD}!.C._...x..6...e......r.k:Y.......8L..7..^.?./cV.-p.h4.lc.b....{O%^..!...^..i.t...Up.e..ph(.N..=.<.^O..hl..=\....%.CC..5......k.[.A7.O..#....U{....$.n.Uf}.l.uMZ.e....s.M..zz4g.-=..=(...N...._....ox.?..$i.L....z.A8!.\.\|..+Q...<S.&..!?.h/..)...jS...o].".4].....i...x{.......3Yg......6...!.r...].}.........\.8.........`.<r.....9r..v.A...2..G..+>k..n..l.q..\b.C.........(........}OL...........z....-PW.Z,...=F...y`.=.....\...\|..X.F7t...^....u.O.V...D.......~a.vwGl...._D..v2VIG.d!.....Oj...`W."....t{.-..SN....A=6....^n.M...f{..j......%.o..#@....

C:\Users\user\Documents\ERWQDBYZVW.png.PAYLOADBIN Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1070
Entropy (8bit):	7.800976937780516
Encrypted:	false
SSDEEP:	24:G2XTutEYmw1/Y052id+A5CP58e8z01Z6xKhoqd8YG8LVkVEGoe:9XTutEYpQ0N6ae1Z6xmZd8xHVhR
MD5:	5E7D3439A1B2876828C31B0AC668C6C5
SHA1:	7A5D3C8F30297FA41552DC46E1F16FB9076631C0
SHA-256:	6F18B24EE6424F25D57B20E245E84DDD5FE56106B6AFA0F8F6E88B3BE67A28BE
SHA-512:	7EBC084D5DE6F6EFBE6962D792022BD7FEC48AE674530BE53B040967DD4298E42B7EF655F04D37F38F6AC8D82638598450EA88A3D9A68CAD61221F5770C3077E
Malicious:	false
Preview:	y.?.?e........G%I'.]:..(0..B....../u..T.....r[I....\D...^.B.......=>..F;......LD..##w.&..i'W..'{..6..X1.;L......a.At.\...<....n........z....1>..e..J....=.Y.n.j'...E.....A.oFv....P$....i....z....i.:......~.....~.p...l.%.a..W....P...}'I.G.!.(..Y0...G....._NQi.>...1E(u..A..#.\|{.W......L..\v..$3./.....F....x.d......U.4..L..b.K-g...PT.....GW.l.......%C."1j.(..R.8;,...vL.&.8.(%..:.{./..[e....2.%.....lvT.I(..$.x..hv..@XN..r.....^......l.r....C"D..c...17...."'..vU..9Y...br.....1.mfZ.W%......6j......=B>. a......%.CC..5............R.........n...NW...K5.Y....N..).[...V0...@.!...c..m....gu....S..........@.xw.$..[^.0..........\^5......i../.X..$...a,...,.c.&./...@....l.7y....".+\N...xO>yTCw..:..r..v..DU.3.....3NLw..`/....=DH..]../bp...._..7.#..&..C.9(_v.A...)EC.6A...T.....gS.x.06d...'..=....!..r.c.[..C....'..T^.Q.3.i.Y.).`...B(.(.z....vo.`...Z............{..#..p..g....Q..%B...>wu.Y...KY9.....r...v.\|..T*..3......#41.C.?.d....)...V.i..p.j.._...

C:\Users\user\Documents\FAAGWHBVUU.mp3.PAYLOADBIN Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1070
Entropy (8bit):	7.803031331441959
Encrypted:	false
SSDEEP:	24:su5d36XwSnR9vVOlM1Lg3FJa/nq8CZsFgYnsyHpig94PCayA:su5dirnR9vV2MRELaPqpGH/J3eQA
MD5:	FB2BC0D5BA9FE6172E738744863CCA1F
SHA1:	3A9BC4A4F7FC22B7CCAA45C6D2CA94F2187672A1
SHA-256:	2A48BDC8F9E0FA36D5627220DA7476C3A2BBB6A59338508D8644F44816133900
SHA-512:	F453C7E5154BC62E833A94CD7BA1C33707789898A574CD61B3368C6CB6A25FA4D35950FCE3BF437FD41177060A3FB5E627E43C1E681B30B1E49B59F266F51E02
Malicious:	false
Preview:	.t....@+...F.......lS/...I\;...gDfM.d...3....... ).H.V=....S.1.\'.J..}..rrE..E...&.r.!.......>........&.R_..{..H.4H.W.&..z..P~.u...f..(.......\|.q=..B...d..$.6,......f..UI...Dk..K....1............n..z.h......./.V..[.....+.}.....<..WW\.!h+..w.5....H.?..\z.x.."Lf.T....L<..z...}.'.uR.....Q..^....ch=&.@.q...6o.~ZE..sa...`..NcL.g..C...0%.../. ....A...U:...t.>.R9..I@...Mo6...le..J.^nU]^.].~.....Q.".)W..U.8..c.t.XtU....oM}X;."}...DV;<.o".d...R.2.W6..G.n.%.~...._.9........Yk.j.......qY..6.....F,.'.G..d..^...P..........%.CC..5......~..... @.z.A...........G.=R.;L..o4$..v.>.N...d..[^.....I{`..JR......A.l}.\|\|..+..'7^.2K....R.W.}z..a.....5.....R.[.G.Mp.+.H.v.....PL......{..z.d5............q...L.fca.Q.W........g..E..D.../..].yY;..T07....`nHq.f.....v.....z......{.t:.k..X..q.;C.WT... KqF[u...'....YB6B[.fZ...Q....1..q.V..Q.%.=kX-...I#.C.5J.....y........f...).#...S..:....YG.D... ..:.Y.o.,=q........fxV.}..T.h._'.......:i.....{..c):O\|..cu....>.U.....;K.l7vRj.+

C:\Users\user\Documents\FAAGWHBVUU.pdf.PAYLOADBIN Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1070
Entropy (8bit):	7.839954925163315
Encrypted:	false
SSDEEP:	24:LobJqPkj+nRdKA7/wM10T31l3R5Ycl16m/Fec6Tu1kK:mkzbLwM10T3r3R5YC16m9ecvSK
MD5:	2358127EDD955A9683235EB46EB4FE18
SHA1:	CB9DA8837448E82BF0A17B560D0F9686BC26E996
SHA-256:	5A63BCED2C6680C10BE6C94679037815AB979678B11EE88BB95BB8708BCA5689
SHA-512:	CD15A6E1C773F4524911A698B7B3FCD9B34C9B487120C9615878A8F1077EC23EC5904C86B1FCD16B6E7C6D583A46220B2410EE191EBA85C15C763B1BFDC28E33
Malicious:	false
Preview:	K.X)....o3K.....a.\.3%89..`._~5.^.s...{.)S...O.....W.s......~.n.Z.....H..._3];l.j#..Kc.\...@".8$bk.\|...`..E!yLT.Aq...h~:C'V....<q...j,n.X.........Z1.M.K...?...E.M.... 9.P.u.I.X.?.f, .......i..[....q.....kfA...x.tRf..WP....?.h}x7.p ..wX......v\.+.m....y4-..^.........r@.Y.K....DefW..O/dd-...9..k.`..:......../I....I..N.G.x.aCM....r.sNu...gc.7\|q.........1.X..dD#N....EF'....O...D..Mx.bP.W..^.c...Qt....Z>..3W..[...1.-..K..2......1.H....LL........-$.5.<...B....1...3.S0..IZW..yQ...C.?..a...]..e...Ml......,q....+.+4q....%.CC..5...........#o.Ho....n..e....F.&...#Frb.t.;.CU....R.N....+.,.1...v.....3...~F\..Zf...0z.o....6.].......J&..4~.. ..[.J....,SF.).J...tNZ[....G;t.AEt..._...!3..Wbh.h..m.......(kU.....W....o>+.uzX.. M...Nf.x:..A..Q...s.........i.........H......T7........m.*tl..K...<.a..g+.!...q.E..R.....=N....wi:..0r..\|..u1.....3..dHUt.G.....5.o...Z...X.9........;t...a... ....u...j=.TJk.=Z..k.(...{...I)R..E>..%..J...;..E...&.....g....M=.......

C:\Users\user\Documents\FAAGWHBVUU.xlsx.PAYLOADBIN Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1070
Entropy (8bit):	7.834860909479662
Encrypted:	false
SSDEEP:	24:QcnS21Vla26cKcEuDcRO/aelvmu7vjkE49qRuqmj5GUgfV5EETMnS882NaQA9:XnS21RKcEac05jd49quvFzgVlTMnS87g
MD5:	7AD606723DC8A8B1F0297540B816DE97
SHA1:	BEABCA2C06619279BAD6FAFF04497C11F76F1D26
SHA-256:	7999D92993AB29F2830CBC53A7E0E701455857F285D399143E3EA3681803E535
SHA-512:	C62C410E59E1A236B591F28826FCBAB8610804AC78388FFB9FCE2DF0CC1F0EAEBB2FA074A643F4264308AE9EE430D7817D95602346B7F1C3AA46A5696305D0D4
Malicious:	false
Preview:	2.IK.T.3.r...U.....}..O.n.....n....?.{.b...U......K...c1.)..]...9..m.....^..Z..BI.7.)......>..V.sX;..N.).%'...h;bj.>_..V~'m.7....by.H.>,..C..{.G..+....^.A.O.,...=.T3.).i..l{...f.....z+R.f...D.a...4.....v#.Y.T.......B...:k.F.U@..$.h1.[py.......i-.........w../.-...v...\....E.v).._....z...u...w..H....a\|.4Ll..v./>..FrG,Q..#@\>.1o,R....a.++..........y..?`.l..7.M..F...&.,^.Mk..=.].J.T..Q..Z.".>.c1Z.........y.._.b..iP._.t..q^.....`....8.....\....n].:...qap...6....B.l^.S..@t,5P..C....<.\.7Jt.......O.a.F...!..gQ....Z<..Q$...%.CC..5......h&....At3.Um.....b.4..W..9........T..fC..lC2g.;..Z.........x!!....Tle....u`7....M..KR..^.....5.n..k..-..F.#L...........{...#a...@..)...qcX...I.Z,g<.W.P?....<....-DM..OLOoR......i..T..}>......E)^.p=.Q..^.......n..s..J:p....ZW.W.B.o. .....[)...L7..!..2Ju.8O.R.....!.........*.'.V;6.w~..rp.q7DLF..f...2......q:Y..x'......B\|[.Yf.....+....be~....}+..{.....a.4..`..2.W?.M..7....Y...e8.1...o.......z.....-....a~....o

C:\Users\user\Documents\FGAWOVZUJP.mp3.PAYLOADBIN Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1070
Entropy (8bit):	7.844074305163191
Encrypted:	false
SSDEEP:	24:pXBRHMbDEfoBBqEt4dQTbYvTevPyjt7fGll+6OOD1mg:pXBtMbDEf0XBT0vT4PU7fGlML4
MD5:	45BF7DC44644CCAFC4C9570518684D99
SHA1:	0F282D87D54B61BE89A84C7861DD2975DE76F1E5
SHA-256:	7FDA5E29F4A108FBAE77EEEC56E3DFDC3DFE82486CEBFAA29BCEEBEB21B7D13A
SHA-512:	B562A58EFDE4397B8EBC7DD8B3F230A87B9BAFE27572419654BEC7AA108520B67FDD63790FB2D8301F90B0A176C0C4CCD93E67172D4266654FAFF175F7C71508
Malicious:	false
Preview:	J..."~.U.#>..a....ZM.I.mN.b..R.....@..W...Fl..."....4.....{....'.8%.h.d$......g..dL..8..W.!..R.8....K.tW.h.74T.1.%&....^Ld...l..b/ Oe.....@q..o...W....-...a6C..0..A.gU...fd....z.....6..YA.g.".4G.....<..8.>.k..gu..d..j..W..g....t....z.W.k?..UF.\.(~C.RD.y.D.....xH..m.b...D:.!.rb.......UJ]_..?r...f&.&}.N.c... Sh..O.%....&...a.")......?<Z&..P.iV......ht.."......mF..9....G9C".c..H.......U}$...k........\..M..\.d..._...qUT.}y.bn..vg..+.o...........g.)..7;_I.Rj..&m.%..>..H.+...D..A_sP.t.ct..c...la......JF0..2k`p.[....%.CC..5......}.YO..tM.>.8....l..=.EO...,W....Y.f...L.}.`....z.f.1._..%.q.t....E.....&T..g.D.....U.Z...AKd.?BP../.2B.s+#.<....<a.f.^57..C...\|..........~T..@5..(......V..$j^el...uo."....P!..]......3I)..?..1hb...v..}...........b...Fj.5.\....9..UD.H...9.....Y......Fy....xT..Ll..WK-....d..5a.d6.yQ.(...D6.O....<..6..%.......S`..kv..9.d {jN;@b..,.A.0..dM.!l....)F.SE.;....~?.$!..O..........7.S.........cwf.U..&.!.o./%....{.m..+..]/.

C:\Users\user\Documents\GJBHWQDROJ.png.PAYLOADBIN Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1070
Entropy (8bit):	7.811543078321611
Encrypted:	false
SSDEEP:	24:mJcjFOUDOX0iQoG2kXEKMcouYg6Wc2PWNwlogG8Oh5WS4R9:hXYQoGReckg7ceogrOt4X
MD5:	856E16D9496AA91178473136EBE8C714
SHA1:	91420C618E90156568EE25BDE4F00471B4ACFEE9
SHA-256:	1124EAA44B39433C0CFC609656155D26A1A80D335F9440CC1518EF9F6CC70109
SHA-512:	D0EA549EDBEBBE02F42D7B34E92F528E7C25DC34EB2036E2340B1D0CACBAC349FCE4BC136E3FC481F453BC5F18D2E61BE3B82EA1DE03BB90FACB905D4D086B1D
Malicious:	false
Preview:	.7D.j...\|J.=..R.LB....v..g=....Yaa.$l.8.!.:..{...S'..3.)ZY;U+.Z...q.[.......f..?:c.=...V .M.%.).-....]..r.d..&....A....t..>..X......l...".6C17..K.K.V....D+}.A-k.0..W.........>Gx......%5..=...2%.w.I..0.F... .....Q..]d._.O>.l.K.P;.F.flI5N..M0......yl+Y.C.@_. X%.c7.`....]{V........i...Ra.0..$...J{..'4..w/..r./<{.F[@.'.N...s.\|......#..R4.(...Vgw..........S..&...>.l...).!..9;vf...v<.d.S...,......sw..@.a.`.k...%..bS}..f..,....j..4].;~v....:[R...#.).Kut.....\|.O.?..GAN.%..Y..\>1.Y.....D.......MI..s...>...Kq..K.[VIPX....%.CC..5........&....Z;.F.1.Y.....u.;..?Da....s.B4Tc..f.7.9Mc%.,dW..(.U.'.K....eAX...O..\.3......}..;wZ,..A.<....+.XO.T.-..S...l......e..^6.YV..;...8.9.u:..a.....,..&t.A`.*.Gt...q.L.._.$..{K...?ZXW.......6....P..E.........W..d.O.cvh0V....q.Oq.y",il...... ..4;w.-.k`...J!...o9OPW..0R.}D.6?....-.x..W.......:.vP..x..+.~F.KE.....!.'0.%..m.V.^...C........&;&...0[J..B.b...QY ..I#+l.....uU.`oO(...>......Z`...N..+.....Z...X..>.H+....Fz_tR....T.WI~.....

C:\Users\user\Documents\GNLQNHOLWB.docx.PAYLOADBIN Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1070
Entropy (8bit):	7.816969227454118
Encrypted:	false
SSDEEP:	24:QJ1p2+SPZIiVei+B18zG6m+JVhpXE+M9tqLU58:QQZuT6ZJHpsuT
MD5:	5FB9BFDABFAA8E9AC6B8F70A9486C6FE
SHA1:	093B896D91D3A3527B65034E860F8B352AE09085
SHA-256:	A2B29A9FF8FC2E7D70F11AABAB89557CA27F4A95350F894B56AA746C65D6EFA5
SHA-512:	1A433E18C8EA33B00046947B086E79C70E5285061CB89BCAEA3F1528E6D3BA55DA0A407436353CBFEC64C3903A82B35AE81754B90C95946583BB6596B25722D5
Malicious:	false
Preview:	...O.x......l...i......`.....l..O>.....f....@E.$.u..r....7...$.6z^....[.9.+.8?.L..oh.;.NN\F.n........_Gp>.H......./._.z...a`t@k....]...-..c....t)W...5\.d.L.u...r......&..<.[<6..P.c..@..2US.gsZ...^.B..1.f%...M@..v...Zq...#Exn.....\|AL.ky.. ...OGtPi.V].}E/.N..?E.Dei...n....../M.;..y{S\..[$...y=5T>.&........2..y.-9Cu5...W=L...q..:..TQH ....a.V..Q/...Ac+s&.o1.......Mb.!.]........J...p%......aqD.c....[..=...x.XS..8h.......p.{..1..x-.GqR.=...{/..J..=iU.C.....@.U.4...\a.hG......v{.s..:..J.7.v.......l.c.....`..;......%.CC..5......K`.hot.12.gY.szz_Ke.OX..N.e...z..`.V..P...C9..r.7. .O.....?3o!MW.....P4T...=...#...G....o.9=.x...5...Kv>C..q%.{...Uq....l.....8........A..l\|.tO...5.O(zj#.jC....0.R.{l}m.....?..,:..X.,.x..p.......`..S..O...D....`]sR%<q....=...,..C.0kV..;..r.uM.c1rR..lz&....]0.]..\.e...kr!C..nj.4<x.k{....U.gu..^%._(W.e..h.].OW....k+.z. .v@.3.G.....X&.*......Z`..MP........?..iN..SioLfX...?e.%.},y...kv......Aj..GI.o...P3.k.z-..l..93K.>....

C:\Users\user\Documents\GNLQNHOLWB.xlsx.PAYLOADBIN Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1070
Entropy (8bit):	7.797639070027531
Encrypted:	false
SSDEEP:	24:4/AvsGsWZQ8HPS4zNwezT21TPAOWMe7kicHiYrMUu6jigF/:iEzvtq421bApwiCiYrMUBiy
MD5:	690385AB6BD71492037AECE312932DEC
SHA1:	CFCDAA001D0F4EC73D4F1568FD50D8F6B7BB70DA
SHA-256:	D0E15DDF082DCEB131FCC5762F774A1A0FCCBA06E2F1DC36E373259EF775F445
SHA-512:	40690EC6F4386C58322FB39F957860CA18BA40014F78AE80A97C3B1F9FDA951E8FDD134DC3AE72E58EC201062076C9A7CAFA67CE4FBE8AB759AFD9DA282CE00F
Malicious:	false
Preview:	J/u[0.".@..&,..JE..F(......[3..f.=,t..Ar..X.. .....0]....<.f\|W...;T..1S_.6^..]........{_....S...iq..,...Qy09...$.+..TiM....{......L....O..>.............\|_........f5...(.T^i..em..."R2..!.."ZAxk. ....sTO......b...^.eP....G.o....a...:m....?j.k8....NIV...DB.q.C.O....1gcw[..)...2)..Dc.8..d..=&/.la...D...b........v#(....AfR...:...\.k..g.H.......\.\|.z..MFM.u....cE7........f.....s....V:.j.....o......U...#b..l.....Np. .B{.....................I..H9o...V0.}P......[...I......=D.{..9...U^?.\....J...e.1G.r....I....%.CC..5.......6.YA.[F(..s#r..K.y....q.p.y...Kq.0.Z..4{....T..n.D.4W..i....aU.x.=Zh.\|W#30u...\| ..?:1m..?~..phY...`..;...)......w.....y7ra.(2.=..L.'s..s...o....6.n...3=.....l)..........ud.Ff]..M.\.u#,......}WF.>..ni..E.6.@.~...3....Q.4g..j...kK...xu;,.82.b..(.B.,.K......Fc..^ 7..S.xU.#.5".).<...x.53.{.Wr......#...w.$....!....m....{a.........F../.0.......z.cI..;s.'._........ni...fS158.......bf.h..9.....@..#.t..G.....6....~-?.L..15a&.\.iu..gF

C:\Users\user\Documents\GNLQNHOLWB\BUFZSQPCOH.xlsx.PAYLOADBIN Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1070
Entropy (8bit):	7.821715548157201
Encrypted:	false
SSDEEP:	24:46w6zGaFT/5oEIW5s36ay7U2pJODMeEFVPQ0fjEXYiAn1ogyN1h:nwmGaJ5hBey7RpJJ7Y0wkryN1h
MD5:	4CA40DC53072D28375663AE7DE266358
SHA1:	ECDBFF0C98AE69D09C1034403D1DCF6EFE04E05D
SHA-256:	1F616927A79160529DCF473A522BEB8F667115FDA2153C5B6D2B77AE186B0E44
SHA-512:	B297076E5A3144DCE6EFE5649050D0DB6451AC52D0C95643E7E2C4575C74397DE4EB575F65F9794CDC7471586C73D859F9640321614332A8AE391FC69B00C0DA
Malicious:	false
Preview:	...l.].ir...H....Q......").y.].D..k.f.dK.......?V...-KH.H]..0.......i.;.Q..]..pJ.n..}.v...d.4.F..\^2V..8..XH. Rm.s.#;Y...]4...%..zS...A.mH.r,..S.....$$.QQ=K!.....^1....b.k#.......3\~...}7a/kZ.s.....^\|.9......r..8......!..`)hd.H....mx.V7k.'..]...g. ..M....G..a.1.}...i.....\cF[v;...B,...5.d..zAQ~...2,e.........@...).{].M.M"..W....q.....+..C.u34.K...).1s..qvH.....4r..P.\|#.P.jST. .=..q;....R.w.N2..qJ.&...A......,..e...o.P....[.....4.......zU..:.s......f..E..x..r0.5.I...[.&?...;.K....2?{Lt..-..>.s..T...pC..#IHHX...eXz...%.CC..5......)....=B....%..?..V.=.w.....O...X..VN.x.0.......r.64#...D._7.-.....6.Be!..-.T...)V.....N.f....Ds ....P.{.._.....j....[........<...[...+ .$..IPr.y..)...w.......<.B?.~.\.....4.e.Rb... ....:...{..3.N.7..z%(..-7......O.Z6fZT!f.....<.q.V..;NM..Q8..`.p...~\k...~T.A..A..x...l._j?.5.p..g....*.._$%.Ty.M.vv....I...h)..._(T...$...lC....$........Hg!f.c..0.....J....).m....n+.O.^..... ....D1E_?l~.......y.d.`..U{.z.../V.S.Y.~{er1..

C:\Users\user\Documents\GNLQNHOLWB\BWETZDQDIB.jpg.PAYLOADBIN Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1070
Entropy (8bit):	7.838771121086994
Encrypted:	false
SSDEEP:	24:MpfFI4IZ6hxoS7HnnAbq2yvkfHEmyh8JZkyKYLonhklkIn:MxqeboS7HAu2ZHEmK8JZkIL4WkIn
MD5:	E2FB87326AB4CE78F19F2E3ACC56691A
SHA1:	BF6079190B019366C69348B46526CEE331134333
SHA-256:	939B467AF16E34F584F48B9CD3152378DC529501F47B1AA8376B9292C409FF9E
SHA-512:	7A15CC96782E46C82D01D0981F8A844520C78B8E8ED3407A1911DDC7E9717E60F0C6177DFF4E8EA7591C61F65B908EFB2E409BCD82735DA364BFC07BAE28271D
Malicious:	false
Preview:	........'.)Z-F....6..G....E.7...M.m.h.#.w..85.:.$....J%.!..0.......7.i..\|.t.+......\.............H..H.QQ..i....:ZN...........:I......c..q^......vD\|....o.ir..:.!. .0~H....<.Eb./=.!..k8F..s..W.,{2.^.....Q. .u..;..e-.f....4.q..5..T.4..np(AK.B7#.ry.4..`.!Bq..N.....,e..;oo.k.\|.X.v.f..A\|.5... ..{:..V2l...!...P.h=....Q..U.u.iW.)...........M.....6..L<.$..\|.....L]k..s....[.C..=.nf.xr.[.m....'..i. ......v......B.4!...6....N....i..~.v.K".I...../...h.K...>..&........X..%+,\...._StyG..p..^..Ol.......X....t...%.^"M...%.CC..5......p...+c..1...@x.......l...;Q=...&q..j...)."?....".....YO.=1..O..!_.({.Y..k^+ak..j......g]@.J.&l...S......7...dd..h@m....._...1o..T_p..p9.G.....%#J@......,".....%.&................g.}......6.."7N8..0..P8t...J.8.)\|..%...0..0.>.Q.A.E..I.O....]{.........5...'V.GF..`5^..$:4A6c?.\.t.~.4/........~.k~..]P......}f.`..8+..-..J\...V.M.g....-."...3............g]M~ax.TT...6U.........Se.....'...^d..$........I1._.]O...gn@...,.X.

C:\Users\user\Documents\GNLQNHOLWB\FAAGWHBVUU.pdf.PAYLOADBIN Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1070
Entropy (8bit):	7.814345405071077
Encrypted:	false
SSDEEP:	24:UuAqjCAjrFWB/ujP3VCzdOhOME5a85wBtdelELuU5i:JCAjrFjj/VNh1YwBPelELuU5i
MD5:	5ABD8B74B61168849096D1D74C566D64
SHA1:	2EA202B5F6D3DDC840E608DFF725A4B419C6484D
SHA-256:	39ED9629C7C519D72AAE0BE36450F1FC5377DE4930153561AB6DEBD4DAD5F030
SHA-512:	1773EFF3ECFE6BDEACE39D699F6B0D088EE765F29E7A7A636619CC0F0DBAB7ACB12894E6B0074DD2CBD497F41792F0143202EF9546B92B126F427CB6CBBBE733
Malicious:	false
Preview:	..p.. ....W...r..._.t.e.x.c.`..v>..z{:.nz....tdU.Fv.-..C`..-..Y.i.=".g..-.w........tAj.`.-.-.6.....r.............95..>"KZ.4Z.o..y.zI..uE.4..."......../.iqj..^U...r.\|%....... u.Im......yz.K.j.......?d.C0....%+.-m8I....z..:=u.H.;......}hcf....bGA%.<g...?....c.]..sX.y(-.T".a.....4\...\;.+..Et..AF....6.E.a9......d....G...#..X.../`B.l..q.Wt....5.\|..1h...$..<y.....}.J..tt...O...;.R.q.D-..N.....e.B.D......rjj......"d_.h.W.F8.l..,.."..\|...L.M....D...s..l$..e4.Z4.n....Y..TC..ww.!.=..U&.h.E=&.MR....\|Pd.t.......g.H.g....b....%.CC..5......K.nw}?..o.y.B.s.v......z..O..!.3y...&...e]Z.......(..o.YLN.#Q]6....K.._...p;d...R._...if..0...Y..(..P.!..IV.J.$..?G..>....8....L........$u_..n..+UQ...^.#..x..v.#..T..[.......Mjs..ww..e.x.&K.....bPN.an.D.p.Nf....;....:F..n.5..N{[.8./0.e.....5-i.A\|.......$`X.ZC.D....{...U.1.O.9W.b2....S...<O.1.O....*...J...97...H=.k!0.Q...E..do..Y.F.Y.KrYhG...M..f...J.....p..#.^.._}QNH. ..p./...PI.Z.^..1m.)....x.d...\(..48.F....f52....?}.

C:\Users\user\Documents\GNLQNHOLWB\GJBHWQDROJ.png.PAYLOADBIN Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1070
Entropy (8bit):	7.831883338213483
Encrypted:	false
SSDEEP:	24:XsmztXW4rJO8+V5wp8L5G8hPbxMuuShPLUmi1ihKd9:cCtXW4rJ0Vam5XjMJWhKd9
MD5:	D7393DF043E2BD0EF22B55A2ED8809AB
SHA1:	08BAEA29DD4B51B36D0D4E9B32E466108AD00414
SHA-256:	230F7E2203017CEBBB71059C245679540137A4C44CCFCCD1F9EFB7755E70BE4E
SHA-512:	D18B04AE48F57801662087ED44C57B7604B57A8EBC3BB674041DDFAD262243B7AC1C6E395854F08712316E255B8B40F285BF470D8B9D25174F41CC513EFDBB18
Malicious:	false
Preview:	.5.e_..M.%.C..xc[h6./..2k.?K-..(...{.h.B)\.].....Z/..#R.........-...\Du.F....K.v~....T..G(.\|u$:.kf.!A....ds^.d.....SL..e~ox..V......V../..o8E..,....m..S5sk_s.? ..B...[g..T....Qe.C..T]...u2......u......".&D..(N.....:%..}...W.?..:.t!:V........B..$.O.N....9.\|...(w../@8<.....:.....]D6..g...3o...D.P~P..{]kl.0.d.@..^l.....2.Z2...`.j....e....h....[..=K~s,..3..`...}........C..&...%.&=...`.H...bpl...[.\|...>..l..#v1.%...Z.B..W.o..e..o...A.&...y...(.QV.a.M\\P<.C..SX.......0.J.FZYF4........bA..v.R..n........x.,.;^.\...m.-...%.CC..5......0...V._.x9..4.........f...;3._.....H.%..c.8...\..H.D4k..u...}Q.3.M5b:.^,.. ;.O5..ym......V"%......7.6?......Q.C.b.....E/..bcw;..5....=2..V.........J..m.I=g?..[a......i...?...-...,J>a.]+......s.b5.!.7.. U.x..3.........Z..H7.c[.P..Z.m.w.r.0...<...`R....J...Y..]h..}..\|.@.OG..rvO'#.Kgy.u..G.U..}=........"..%%.9/...o.u...`L...'..@.=#V.\|.9..z.%..xx........um0.....l,..z....P<.."h.@ .?.../.jA.....l.;X.,....u.J........BQ!$.

C:\Users\user\Documents\GNLQNHOLWB\GNLQNHOLWB.docx.PAYLOADBIN Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1070
Entropy (8bit):	7.837784038176579
Encrypted:	false
SSDEEP:	24:i36Tl25BEmdGZztITwIGHBzkulGYfFBcY9eCK7y3aL9lzRbhQyq5+3:iy8/T4ztcWzIoFBJ9e7y3aL9l9bhP
MD5:	8A8EB113E0D558AF3BB7998CDEB860E1
SHA1:	BA914BA2B29C6E7635DC1D9C0F0A914323C4737E
SHA-256:	DA655636EC668EE2956F7A5F9A6504123CAED38A206A3BA30379799905A91B43
SHA-512:	C955FDB5528AADCE4A2D1ABC36D36B913C36771DE83821576FD476DFC8240F3259F6D5DDC9E3254535C42BB3D7B3A8452484F4C86D3816033AF67AC763F77108
Malicious:	false
Preview:	.?..uI`...7.A.......Baz..3........NU..C..h.....W.SL.....a.T=.#b..2o...-I...... Q..3.R...?.^.N:em..R.x..v.@_....w..P.H.1i..O..^.....h..b...c.vr.V..l.koPd...F.5B.dW.b...z...{}.. LPh......7....?'..U.g.b..?...H.pG.Q~A.y..1...v.5Y..V.o.&..U..-.l.B7=.'..._.<=.h...J=.m..E.8..........8.AX...._v....6u.V..>...P0.....dfx.._].._.W.-..d_pDp......ip..q.......Uc<..=)......w6... ....Qn..z..R(0....w <..BaQI\|:.Z.`F...(.d...V.2..g.@~....)..U\.....L.S........9i.8.....f+........~..[..90....^e......l.!.dR.....8s...+.'.....c.u.P'5t.@^......h..-...%.CC..5......p..\v..'Oe....T..........9..D.?.E.......-..&.Y]..^.k....,......J.......'.=..8.w.<..R4....I?b.."I..p.L]..ZZ...x.)E../...4......-...=.....I`.Z..2.c:WE.TU^.L..{..pS.=6..F.............78.G.....=....[......oq..Z.c3.3.b.%..T.&l/.@F{...8..#...{B....b.DPI...C..2e..p.Qw...i.......V7..U.....QS..Z.J .Y.)\.E0.M............h.d..g..c:.....t..?.Ux.D...2.R....8...b.2=...}.hR..j.d.....563.#&Q7)P...).......+..X..}...x.@6~Yv\|.QT;3...3

C:\Users\user\Documents\GNLQNHOLWB\PAYLOADBIN-README.txt Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	354
Entropy (8bit):	3.4546009930890347
Encrypted:	false
SSDEEP:	6:Qn7KMM0dOLlPq0SlufB6PYxTflE6TcGsZmCulv9l18I30qlAsXQW:Qn7cbLlXSlroNEecdZW9l18Q01y
MD5:	30C95C97318E18000E6CB5682AA9143C
SHA1:	9C90986F29067617D9C13192D99B1104CE1DFBA6
SHA-256:	2A662CAB195B9C81BBEDF676F3D54A6BB326CD8B6112C928404E9616DBB8E851
SHA-512:	10C1D4EAA6FAEBDA3FFBC36668EFFA6E8EE96D3E93E4E8EB34D843432C6A7102FB4212AD01E3593BC3D32F06CE6F3C6264BA4D9238A8BB9314B7154C0E213D57
Malicious:	false
Preview:	..T.h.e. .n.e.t.w.o.r.k. .i.s. .L.O.C.K.E.D. .w.i.t.h. .P.A.Y.L.O.A.D.B.I.N. .r.a.n.s.o.m.w.a.r.e... .D.o.n.'.t. .t.r.y. .t.o. .u.s.e. .o.t.h.e.r. .s.o.f.t.w.a.r.e.......F.o.r. .d.e.c.r.y.p.t.i.o.n. .K.E.Y. .w.r.i.t.e. .H.E.R.E.:. .#.1. .r.i.c.k.h.o.o.d.@.a.r.m.o.r.m.a.i.l...n.e.t. .\|. .#.2. .m.e.r.e.d.i.t.h.p.a.t.r.i.c.k.@.p.r.o.t.o.n.m.a.i.l...c.o.m.

C:\Users\user\Documents\GNLQNHOLWB\WDBWCPEFJW.mp3.PAYLOADBIN Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1070
Entropy (8bit):	7.8127987379637975
Encrypted:	false
SSDEEP:	24:webVolXcnaUxxcepZSKdvRg24OPs+s6/QCaosDrWEeYa:wuVolsaUTzpZLdvWs//QboMXeYa
MD5:	81CA49D6AEC38F8029E709658DB81054
SHA1:	B7271C8D24FBDCD2BB01A2621458CB869DBB7E34
SHA-256:	1023E24C4BF49828D3B601786C91ECDE0EAC421BB8A9F06C9F5A11A820F669FD
SHA-512:	EC70C02A56BAC454EA7D52D163ADE49F07BF0629546F89D8BE9F1D72EE4911EE1D5FDC8B3F710E1F5BF09CD14E3DA7136DBF23584DAB7F1275343C08DCE63D42
Malicious:	false
Preview:	c<\|.^.<....Q..,Lq..L.Y$}81...Eu.:.h.)Z...?.....H}7....2.U..Z..^...j}..@.....m.,T.k.{.$P.U.. AUI..+{....-.b...&.R.+.v]3..9.N..t....w..~....f....V...iey.d.;..v..q........{.......$...a'K0h.7..U.e......_<....5.&X....X.3R...u2....0.I..L.J....^.c.....';H0.....Z.j.......z....BQmp...].......&$.5......j_..K...<....g.J......c..g.<mp..s.....(2.5.\|Q....$k7ye{,mP...&MK..E.......f8.....Y,..\|..^On..g8.r.....YMy....u.../+8...).m\S...`.P_._....T.={b..\|6...U.!..p.C.....gMd......1..;mO.37H.Ia.AUe....8V.t.....jX......"[..W....dk....%.CC..5......u...{s&...]....i......^.B.[........qR....L..Z.'...df)..xN.).{D.u..Y...;8.H9...=...y....1q....xwP.0..\|...:J..-.B...;.}....g..p.HX........z.c0....[..=...5.=.`......f......_-.......P..Ro..\|.f.D...A...).u.....}...>.SS.{0...FA..z.."!`.1..!....b..b..B.m.;".s.....1.(.*.........8...Npd{T.+.%...6.[.)..N~.. R^.3..g.......4).~.p.........7.....1=...+..k. tQ..r...g7kRtz-lw..hN..at.<S...\=..z.D.?....U.\.w.I.A......`.)..........-.

C:\Users\user\Documents\IZMFBFKMEB.docx.PAYLOADBIN Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1070
Entropy (8bit):	7.803443201359383
Encrypted:	false
SSDEEP:	24:TFJ/JllimnNZ50N+hBlqgr0vmNPScpDN+tuHV2OeU0tOCFSl:TFJ/J3fv0mBlDr0vmNPxpRP1QUcOqSl
MD5:	737511E849DC11110FAD69D68E32C9C5
SHA1:	7F2436BA99CE0B8DD40B14A8D0DE028ADF9FBD95
SHA-256:	FC88C4D8A9FAB2B8DBCF3FB4FE4B885E74F1E7BEFE5C37648D7A49C344BE54FC
SHA-512:	FFFEC7E9B3865C0B75A4BF4E8241F4CB438239D527FE99242244D4B37915137A5A6FF913C7F80221A7FE3807AB2AB6CE71377ADB10221736A7D2E9CC23DF471F
Malicious:	false
Preview:	..d..a...a.T.!......6s..d..k...+....y..x&m.E.kq...c....i...^Q.z.R._.+2......1...=..U....5;@...2...N.........{=uKb......E.....K.~.......O9.pnG./6...>....+L.Z..)./e.....~...y.+.$u.X{...e..D..M.+..e..^^..5......df..[.:...,u...1Y..;d`.X...6N8.2).j.%x...CB.>.s.s:t%...c...Q...4.......5..l.z.i.'t.../".:...L....J..nP..1WX.#...@......... ....3i.L.M._.F....!=.%...B.L6.F.$.....[.....#... .nD/!).....W..M...NvY..y..1..5s..6.....d.)....;)O,.]b.8.........:.....p...<s:...D217q.@..../....]....MC.q....B6.hQ..y..5.@..Z....%.CC..5.......Z6.......p.......'..8d.L...y\U>.P..u.fh..[....:..L9.'o........D.....&.U...L(.^.+eA..L..:/.. .N.}.)I.o.......o.e^.Y.....'..:.d.p...,,8:....4.PWm.....c.X...Z9.<^........._.U&GSms.?..)>T.`...Z..e5.J..b0V....U...`.4..y...c`..,.9......$tP.B...@......n..q.,./k...N...;J....6Yl.......f..JA......yS.....i...p..S.7.B:pD......O.3f...u{...wqw)H...@{.2...'.O.{..E.}..M..\|............^#F.}.-i....f.....\.l..~-/..dD.g...Q..&.0'.t.zU.

C:\Users\user\Documents\IZMFBFKMEB\BUFZSQPCOH.jpg.PAYLOADBIN Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1070
Entropy (8bit):	7.822577785148209
Encrypted:	false
SSDEEP:	24:OeJigaXjwT4ZWVE7OyLPTazUxC9REBYzP7YUEGPfxx:cwTYWqq0PIUxWEGzjYUln
MD5:	AE6FDB83C856DC3BF1DAE211F8C0EC2C
SHA1:	9B935882B0845889FFFD7CB0D60ACA0F6DF2EBE7
SHA-256:	3902D2BBD45F3166D7889ECA5F71E4E440806E353908A3D7FB3052CAC66596B2
SHA-512:	D94F0719F608A7C83055485060B7FCBF33A9DDF8344B539C06C09C082A02169958DB3D58C82967DD736B896EBB8B37E48290659C87213C0E42838E795F9879AF
Malicious:	false
Preview:	..w.....A;F......qBv.Jy.J".3..(...,`........"..2.a.R..k.n>.:.&Z)Wl.a...wWn..6cA.....j...P...%.pt.....:.hu.IY,.....\|.".N..4J..R.......D..7.hM.c<..Qm%m..?K.....B...c.../.l3!'......=$..._...d.-x......l$}....W<.6X.....-.\..MN.M...PH..W...T.....1=.^N.<..$O..b..zl..GY..........C.0:...I.-3.....u....X.!`...).Q..B.HI..2.........sR....K0.. i.lJ..ag...w.UY.G.ULi....ubI}.~.V.....f.k.....[$f.SR...26.y..#o.L.\|z/P.Un..[..~....%[}.M.Z.......<.w..~y3...Q.e.m6.\..9.JI.+../..hB..C...N.Y...n...$y.V...........'sW...u.<.?Y..A.......%.CC..5......s....[......2.....@......../>..6.T..J....-N}KS....a.=.aM6.m.br.&.Up...........[......Rl.v.m>.W.ng.$...xtS8 -B!.yg:.q....' .p....B/.0.K7.u.....D.1..[...K7.j.B...7...........s&...8s.i.b....H[z?h.@R.pp..@eP.8.m..k...d<..$.r.j...+Q..`...VV.........b.?.a..X........Y..w...?...A5@D4'.......3v..4..............q...a.}.....H.t7......X....-E.?......`.gjzS..}.....Yh-.y.....i..b.(.sbC....~..L.h.r.Qfn.........D..E..dc.K..Fj,C....&\|.pn

C:\Users\user\Documents\IZMFBFKMEB\BWDRWEEARI.pdf.PAYLOADBIN Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1070
Entropy (8bit):	7.788322404368841
Encrypted:	false
SSDEEP:	24:Bp8ZUniqULBWgKLBYQL1dL3ey7QBV60djczhYr0c7UBX61I2+5:Bp6UiqUavdL3GfldWhY5g7/5
MD5:	70A016ABA60A9ADF0C1DEFFCA6582DE6
SHA1:	ECDAB97FE4671A81A1F7CA16D0205D0D4CA48C0A
SHA-256:	993524954A8ACA50D8868D8183F3BA8647384FA9EF3D3FAAF8AA950C162D1BD9
SHA-512:	D7FC312E45AF24BD77811B2250B4DFC7C49FEE8AB22E2174E72E697F8525B33609A07B4AC6F22E07552F4CC53D3D07EE5B93B13A92B9CB2645F5E7A73F13FB6E
Malicious:	false
Preview:	.S1tp........y.,..0.q.S....u.*V..l.3....5.[..i..Ci...,.Ru._.l[.......~.<.-g..u)^W..u5$<.O......f.....DKz..P...$9....xRZ.H.. .....`]Xqm.w.~H.....0..8..\|E{.B{.q..).;{...-.u..4\.ixA...6.o..F3.p\|./!.=/..0E{t.\|t[...8Q....$...;b.qWc.......5.f0..O...'!.E.......x.N..4.<...h.8....u.J.Z.g.n.w.&;....v=:A.D1lpt.X.#\|n...q..00.X.4.YV....W.&..).=oKl..8.L h1...J!...UU#.y.."G.zR.\Uk..j...!w...U5.6.......-\.;Q"ozn...U.PC.1H=S^.....i.........o...F.......P..].....J..<.s.2...f..#....z+....>.>.....H.0..x...7.j...(._..@.!..F.....N......5....%.CC..5......P.....t.y..D..7.B4\|/..1...o.+..Ngwd.b.\|~...W.(q....T..k.u.,n...'.....w../.y.Nb....h..........gDN{.O8}+'3...2R5L.8_YL...,...gT.#Wf.2....S.hu..(.Tgg...L{.."..9...o.s.s.Q.S.............B...a.1.}....W.$.0.y~....ve..u....-./.t...o..-.z.v..b.5.1u]H...q..y.}..adn..{.,.z..].n....~.Z...w...W..1...)T..WJ..I..Y....{.. ....`s.......Q<..&.Jb.@.2Q..>.X..u..R3.."GQ.>.P4...4..L.2.S`.Z...GBc..5.. ...SR....>.-5....2)#.........w.."Z....

C:\Users\user\Documents\IZMFBFKMEB\FAAGWHBVUU.mp3.PAYLOADBIN Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1070
Entropy (8bit):	7.787632691070803
Encrypted:	false
SSDEEP:	12:RBFOiB9XaEhde6YHpC212B5qLt1d/TKmllEh8hGd5+J/0k1lHiM1e2q5Q+HZSXZc:RjPJYJXz5vR/lHiM1e2q5We5368D
MD5:	457C8D4C0B54B337643AFE45679B2D9C
SHA1:	6BB031A904C4ED54446BF676D0A5BD464E414179
SHA-256:	38371BCF4C5B8676490657C4481966E45E64CCBA565993D2BBEBD472EAE2F865
SHA-512:	4ED9D504A1952AACCC96C0E0C37E0FC952C4DB5378A3311CC38B995C0D37C2377E72DE0CE64C9A0AB44543DEA0FE826BD009EB2CD1497049B2D6CEDAEAA32C3C
Malicious:	false
Preview:	E...b:..&.ds.....^cN.......v.}...o.y.!.u.C.."ki.'.>fk.]..>.T:M.5.j...mL...)k.r.........`~....p....`.P.......F[ZP......x..@...2.9..2.../...l4.2.,...L.IpC3..U2..U.9.}.?..Q.c>....0Ky...8.+@.....e.g.........y.!.w`......f.N..2A.../.l....DV.!1..X.\|p..7.1..CEy.././...M.nhh4v#...c.a.=.....q..l.....}.G.......o[..%....3... ..V{..X.%......E.2...........o.\..m.........Lk2)....^.j~...y]2...<.8....J.d.".{.wk)J.M_:.;9..L...\nm...z...d.g.0)....lj.m.....H....P.....m....."pC.pg.. ....[...}....`O.f......)..A\....x.ZU...:....=Q....%.CC..5........A.`.%_.M\..u.Gvf{.f..:.....P...E..[N-..............%.N..mf. .v..5x...F1d.\|.4..4E.kH.Ll.5._.....b.I13.....O..f.#Q9..J=.F..`.......'.O..Zl..z......../r]...t?. X.3sv....>j......Q.HK.\|3...z...!..pP.B.9L........t..[.lK.\.\....\| .....@..-I~."..4l.:...6w>o3..:0%..s.....q.l.D.O....r5.!Uf...bhH..w~.]........\|a.x...s.r.<...=..8../]...W.vf<.x...3...M5...v.hn..B}.Q[.q&E..2}.A.zP.83A..P......K..Va.....}...H...D.e@..n..?.?....F..\K..I

C:\Users\user\Documents\IZMFBFKMEB\GNLQNHOLWB.xlsx.PAYLOADBIN Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1070
Entropy (8bit):	7.830938894077555
Encrypted:	false
SSDEEP:	24:Eg+xcUzi5hadz/3nqt69zkeWRCbYa353TgJJsu+/Cx:Eg+vkWy09zBbL3TyCCx
MD5:	C0ACA1B76B43B2476A02753BFB9A10EF
SHA1:	3A35E36A8EC9FD9B5182A01B9C5213BB535256B1
SHA-256:	2E90E08D076DCC04A64F013679AAB43B15477AA406A5160675542E328A585B2E
SHA-512:	B4215E6B945AE19C565F7E4447A73C248E454506633ABB411B05AEAF60EE4B3008DABD7A6D469FFF47530DE167D1F37995C889409759A43B93F50D50A4BB3A6B
Malicious:	false
Preview:	/w.[-R.O...J.4.OQ...+....7.a..p.j.V.Yy.FCX....3...v.0d...oxo......}....nn&.St..%.$....x..4..g/."h??.\.C.4.;....u......C4uD.!Y.0....0...)..xL3.wA...f~.....&.4..[u...'.$.i...V:....z.S.g`...u........C..S..!KA..x'.......S./p.....6.-f....P...p.=..Y.L~...8a...h..:..W...9.2..bV#e.s.Hu..;/$r....3n..\|...P...".....]O.<!N.R.3.e.(.:yt.....8...6....`}...H..@.....Xk...'p<L....k..!{,-.G.......;.K...M.`..q,~5.H.v:..J....U..y..&....'N.....@..XM..]......&.13-.UCZs..6Ob....Re.O......,B......B.w.Q...xP.\|;......&a..\|.%5b..f..O\|g...\|-...%.CC..5......w...;:...wP...........Mad.s...d....C.. ....h.&..+.X.^.Y.%..SK.[.......yIF...Z.......o...'..P.\..F..D..W6k.X..Uv..._...N.....<.`..\|..T..'..f....9t.A.COz...f.......Mjj...M(.e....=.....Co.:......M...^......eE.?\-D...].f....6.h...u.y.n...=..}3.nf2Gd<.{.C......4..'........Y.!{p....L<..>i<d.7..2..+.?:K...:em..f...q...AL1..A.$.]..r.....[fp..k6pk.....O.../.4.M.$.EC....\'.l.DQ.~jM.,W]gx.=...:.i.^E......^.hu~.3*..l,8...`..N..

C:\Users\user\Documents\IZMFBFKMEB\IZMFBFKMEB.docx.PAYLOADBIN Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1070
Entropy (8bit):	7.82789178364227
Encrypted:	false
SSDEEP:	24:jhCbNKQuB+TtOAGXBgslCZ0+CcbAoSklTq4ab:jhCxbuB+T2BgsQG+CcbAovJY
MD5:	A0097B7DDB329FF2CCD2DA0370E4F13A
SHA1:	E29168AF2CE27E3C9E39F7E4A38D4C0A3F10602B
SHA-256:	66213DB5ADBF901195A7EBD534A576F2F2106C6B71572E637B0043DFC94133A4
SHA-512:	039D07328C2480DE84F197BD18D3710928943E95C9FF2357A4CBA73303FFCE1AD3D986A6F68C195F78A2D8FF1D41BDB8CF286E565BB77D4C8F27CE2B19637487
Malicious:	false
Preview:	.#^.F/......I.N....c.d.O^.l#.._H.>...B.>.c[..c....71..+Ul...S...AV.A.KD.`..l...N..`Q.....ZJ....RL.1.6Tt.V......7.o..T..$.....a7......N.........W.E1..&5Pp..9p.P3......w.l...X.X.....;..f......e....P...t..5.Pq.......Z..8.j.BF.....g.....g.[lK..f..\D.x^V.@>.@..<.....A=B.;.b....~3....!.......1....<.M...Zr./bn...`.#I.A[H..[.m.g..V.8.%.'......[T%.v[.....A/.~....I.#0.k.<.V9..f.n.D.z.........K:G.I.1Vt.K.C......O.nI..^.....n........R.......W.c-\....u.8......K..u..S..k....qca...[8..{4[...b..9.U!+....W$W.Sd$.@d>.....Z....%.CC..5......M.N...Wn.`..l.k..p..P.......fu......N..G!....].1.q..I.9C..\Z.~..[.#.Fyw.x.\...G......;q.....N(.Q.k.o.!..h..\|.[`..27...6... .g.TVcB...D..2/sH.l.H..x.c...3=$..[c...^^.I....)...$.......C.At.j8...=...}.YI(....SjI....H.. .......(..=tYM..u.......jg...)m.R.....P.{.....WJ..b*y..^,.CTi'...k....{q#e\|.1..?S.....@]+.{..S...}.b:...W...%.z..{..{..@..l/...EH..x.........s....S. l`....IQe....M..a.........g..c...Z.....\|...S...s{R.a

C:\Users\user\Documents\IZMFBFKMEB\PAYLOADBIN-README.txt Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	354
Entropy (8bit):	3.4546009930890347
Encrypted:	false
SSDEEP:	6:Qn7KMM0dOLlPq0SlufB6PYxTflE6TcGsZmCulv9l18I30qlAsXQW:Qn7cbLlXSlroNEecdZW9l18Q01y
MD5:	30C95C97318E18000E6CB5682AA9143C
SHA1:	9C90986F29067617D9C13192D99B1104CE1DFBA6
SHA-256:	2A662CAB195B9C81BBEDF676F3D54A6BB326CD8B6112C928404E9616DBB8E851
SHA-512:	10C1D4EAA6FAEBDA3FFBC36668EFFA6E8EE96D3E93E4E8EB34D843432C6A7102FB4212AD01E3593BC3D32F06CE6F3C6264BA4D9238A8BB9314B7154C0E213D57
Malicious:	false
Preview:	..T.h.e. .n.e.t.w.o.r.k. .i.s. .L.O.C.K.E.D. .w.i.t.h. .P.A.Y.L.O.A.D.B.I.N. .r.a.n.s.o.m.w.a.r.e... .D.o.n.'.t. .t.r.y. .t.o. .u.s.e. .o.t.h.e.r. .s.o.f.t.w.a.r.e.......F.o.r. .d.e.c.r.y.p.t.i.o.n. .K.E.Y. .w.r.i.t.e. .H.E.R.E.:. .#.1. .r.i.c.k.h.o.o.d.@.a.r.m.o.r.m.a.i.l...n.e.t. .\|. .#.2. .m.e.r.e.d.i.t.h.p.a.t.r.i.c.k.@.p.r.o.t.o.n.m.a.i.l...c.o.m.

C:\Users\user\Documents\IZMFBFKMEB\UBVUNTSCZJ.png.PAYLOADBIN Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1070
Entropy (8bit):	7.831553420627118
Encrypted:	false
SSDEEP:	24:A2ZG0JU1YDh5c7bCwwrPhjJ8xDyTEifKE9vQYrA9zKPmWBxtC50+fFY:A2ZG0J+YDh54s5jUyAEKcIcA9zKewHC0
MD5:	5F35591C16C91F4E4DFDDB134ABEE33A
SHA1:	B3A1129B923CE5CECABF909CD8F45DA7AF7F362C
SHA-256:	C81003E05A58AD644764CF517A0BAA9E0305ACFFEAFF50DDD60F8105B829739B
SHA-512:	255F38D1EF02370703639F9CC776A860D29CBC772ACEABC056AF183B0A6C5862A0A31A999E5A058C8A035DF5442F4F8678AA47C2236A93D0171C183912AF12AF
Malicious:	false
Preview:	.X.\F..+..k&...T.!.....,B..C.....M..8.K.\|..1JQ.~.Z.X.......n.....(...]...u.....A...UA...,.k...d`,1\|^o>..wp....X.0.k+..8cc...5.-...b.8k......\..Alws..d.\.....%)..%....;YYT.D..J.70...T.g..............\|.5.^...Wp.O8..y..z}.@........y.%.^.r88......x.....7 Fi$...j]GR[$s...d...T..V...V.4.L..K.?...3......5o.h.r..D...}r=a......V\j...[.Hs.>.....X.L./0C.W..........1.R..D.:..^.&.p.}..._L..L.!....../.a...J...J..A.N...\..M......l.#.Ou...X...Y.CiZj.Cwa{X&..e>.../&.....F...dMO..o.K..v...F...%...di..e)+YO.H.k.\1..Fk..x.....P....%.CC..5......yO.Q.R.%~5.."=(cz....5o..P..B).7?2...tk...Bx.:.r=?.....g......'...9R...r.......A..1..4.....F..E..[U{.-.jt..]V.Am.t...+]..9M..L6..pX.......P/...#.JN{/...P.......L. .N.;...~L.B.4.:.T....C..a..L....9.}.q_..p..wx..P./ _.@7..&.....8.....ExP-`.9.s;.\...H..5kF...k.6..{L>..Z..=.....X.{.*R4:...8....dQ=.......UWE...K.+..S..S..A'<.`.w- .C'..lB.e.i.A.v_..1^...K.......P........c.b+9.[.e......?0...../.s3A.....p....33..LS>.J....

C:\Users\user\Documents\KBIFTJWHNZ.mp3.PAYLOADBIN Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1070
Entropy (8bit):	7.849053062859729
Encrypted:	false
SSDEEP:	24:FhSbBEmCpwEF691G72I1bbmmc5tCnx92Ts06m:FhsEmCprCINx922m
MD5:	E7DF57F67EF523B6535BBAB3643077F8
SHA1:	E6DA0ADE5B8C3C01211A91D4463B732841453DCC
SHA-256:	893492D1298ECEA61260848E17D4B1F7B2B5E4AD1841F7D656087C9AD8114774
SHA-512:	EA6A8A6B06236F976FB580E74424503BF6D4D8878BA55CB1D65F5F3AF136BAF30095F27C6DD088EF302445AB47F214D462BF2C374559D15F81104DA8977B7620
Malicious:	false
Preview:	..%...t....W&....\|...M....`V......Ew<.f.........<....?..$.P>.Ue.7{..........\|.../5.j...x.1....:.."P..U.%#\.a............\|...T."T.V1...Q.jX3.hDg.u.E....<..asp.Y.yV..q].......r.%.2U....,.G.b...C.hdiy..`.<.y....%.G.._...D^.....?.6.....!........;9....d`.......9n1'.2..............,.sfQ.M......J.H.LU>..U;..<Pym1...$Q..r:..D.)..H..M.oh...q95h......r==..O..8.p1......Q./;..-Ryef#h...E..}B.@..q."x{.Q))..jE.....y.....s.>!.t.b\..%......]=H7v.....,.`..>v.!M....ra....7q...`.\./L....t.Hj.:>.;:.......{...7I..7....#iu........%.CC..5..........x.MhLI.\|..&...#.$.u..9{R..agB..Pu......A.w.\|..0.........7.....P{..-....^....h.}......].......zO.q3...)I..P.TT..RnF.Zm..$YG.._.>.1...S.p....l.z.!.......N....J+.. .J.>>.T.4.B.._.....?.Zc].l....?.....G.........k......ZU...@...]...R..Vk.Zf1u.. .....2..=.u]......6..............Sq.a.c.a.G..q...nd...p...n.M..j.....`...1U...[.@.h4....Y.>pH.....U+....F8.I..+%.6.......v..t..N...."F.[h....^..#G....iVS......0}.\|s5..f

C:\Users\user\Documents\OVWVVIANZH.pdf.PAYLOADBIN Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1070
Entropy (8bit):	7.832467218324499
Encrypted:	false
SSDEEP:	24:x6IVLs/6FzQH7iZJrAs9aZAAYzA22ScFJx7S8MOM1XLiniQ:XVIC2biZCs9aGzArJxJMAiQ
MD5:	DC0CA19C60814BA8F2B2134DE517C3B3
SHA1:	906F32A9C00C91B60A7919F14475F04D43F0AF4A
SHA-256:	E552B1325158B1738C6A92B737B9440E6009DD0E8D0873AC4F19A1BCAE4E30BE
SHA-512:	45CA0BC130A15C2A83EDE08C9A2EE9C621C047D9D18B8B8AE0EA529D0299F6E97EAE9891046E16947AB0FD4DFFA0AFD50301AA27105AAB073E2C77D01AA46525
Malicious:	false
Preview:	.?..HL\|...(....w...h\|....q..=.O.]vr..u....~..0..."..^..}.aj....5(?..u.. .)..+.C.3..T..;.b...........f.....U..@.y...Ro..i)j..I.8k.D.&.aT.B..a1.G..tK.V[.......Y...m......>].."......h!....Px.U.]b .S..Y..>.....A.....sW\..wUa.........9:.h96.."..BTe.....W\.,\AW.s^..Wc\.j..S7.Q\|...#..Q....<.f..R....@:.0.8G..5A%..l...O;.Ok..X.G.T.A..U.f/..D8.O.c........F.....RKZy.=]..Yc.U.Y\n...cl5...=.m..{.,..zBi.Ot...Y3.{\|.@.qr..?...O.9q .C....5.PRe.F.E.....a.......O....wG.......\|P.+E...9.....1....>u..tr.o..i..J^s}\|.[.D?......%.CC..5.......V..:.....M@^..9y;...^.&r...]...!.cD.v.g../.t,..O...@..R..y%@C.B..R....... Kh[M.A.4:D{..M,...f;......{..}Y..2.....Z4.2...W.:..h].y.^........G...T.k.....'d..o6F]...z..BAa.e-..9.j.....!..T.o.u.T.2D.d^.>....W....'q.5.i.VD..r,6.qn....e1S ...W.7....j.....AmF.s5..D..@A.....A3..Z&k.!..Gq....(#.,2NT.'.B..%r....{......X...<.....0..."...M..c._2.FxJ..(...$..h..,.v.d3.7.w.3+?sX.xoE$R.+P...:..k.G........m........L.$D.V.Z........

C:\Users\user\Documents\PAYLOADBIN-README.txt Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	354
Entropy (8bit):	3.4546009930890347
Encrypted:	false
SSDEEP:	6:Qn7KMM0dOLlPq0SlufB6PYxTflE6TcGsZmCulv9l18I30qlAsXQW:Qn7cbLlXSlroNEecdZW9l18Q01y
MD5:	30C95C97318E18000E6CB5682AA9143C
SHA1:	9C90986F29067617D9C13192D99B1104CE1DFBA6
SHA-256:	2A662CAB195B9C81BBEDF676F3D54A6BB326CD8B6112C928404E9616DBB8E851
SHA-512:	10C1D4EAA6FAEBDA3FFBC36668EFFA6E8EE96D3E93E4E8EB34D843432C6A7102FB4212AD01E3593BC3D32F06CE6F3C6264BA4D9238A8BB9314B7154C0E213D57
Malicious:	false
Preview:	..T.h.e. .n.e.t.w.o.r.k. .i.s. .L.O.C.K.E.D. .w.i.t.h. .P.A.Y.L.O.A.D.B.I.N. .r.a.n.s.o.m.w.a.r.e... .D.o.n.'.t. .t.r.y. .t.o. .u.s.e. .o.t.h.e.r. .s.o.f.t.w.a.r.e.......F.o.r. .d.e.c.r.y.p.t.i.o.n. .K.E.Y. .w.r.i.t.e. .H.E.R.E.:. .#.1. .r.i.c.k.h.o.o.d.@.a.r.m.o.r.m.a.i.l...n.e.t. .\|. .#.2. .m.e.r.e.d.i.t.h.p.a.t.r.i.c.k.@.p.r.o.t.o.n.m.a.i.l...c.o.m.

C:\Users\user\Documents\UBVUNTSCZJ.png.PAYLOADBIN Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1070
Entropy (8bit):	7.838755087863871
Encrypted:	false
SSDEEP:	24:LWwZkIJIzM7laXCBMnB1kmyNNhErlWSUaUQL3jVdqft58pweJCt:ViIJKMJrWnB1NyNNhkW+L3jVSHQ+
MD5:	3FB86B767DB2B7A67E16950FE8F94542
SHA1:	F4D20055A21FCD43D0DBA5F8E3391CA00E34C8EA
SHA-256:	94F995A1E2ECFCFB435154988A69BAA8623D25B530251DEFB3D048AEBBC4AE27
SHA-512:	FC99FAEC725585CE9F5F18C07B9AE1CDBE751C10CF74D784B717EE71B502A9EC9E786A9489251E5E407EB2EFACC6D347E72C3A6207668F0263EC0A8C18107978
Malicious:	false
Preview:	..Z...U..qD.~Oz....+.?f..H....v....<....2~.o..C...Gyj..1C...!.f!Q...(........e.5.l}..'?~./4..)...),...&.%...}....W.7..S......^.i5/.s$....7...B.....!.....z...F....p.LfDXr.Ew"W......^...l.o;..`... .....c...h._.f.w...1F...............Q.O....q.x.w<.... L.a.t..........&M. .....]..$rt.o.g.v..E.?..F......#.<.T....q..S..tSU......gq.Q8...m....k._..4..3sMHXU3...L\|....[.cD....T...<&..z...5b7..J...%...F.D....=+#..."x..2....g..te.....H.....Z....).Qxa....r/<E.3..".~..'l..H_.)..K".9L..N..yH..@.E.4. .4...v.w...A1^C........9...%.CC..5......b......(.c.pU..n....\|........_.rD...W.63..4.5..C..=.P...c~hS...)..5...p.ok.....6.[.Zy}Cu..~...e..&Np......v...7.1...U....\....z...L..^.8x7Y^<&........R.....@.c.?.F...k..R.O,>..Z..:>..\|a.5).Y.A.g.5.c..q>..2.o..R..7..GjV.%;J..0..$......e....$.,..e....xm..O..r .w.].$..5us...?...V....u..6.+C.......A.Gv...%m..v,....O.s.....y....p.......x....hOWJ.).Pk....(..~\|L.$IZ\1.R.Rb.h...;6(`..X.&.TXc#.X..ke. ..EQ.h....J.;....Wbt..).

C:\Users\user\Documents\WDBWCPEFJW.jpg.PAYLOADBIN Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1070
Entropy (8bit):	7.85642816784418
Encrypted:	false
SSDEEP:	24:bzOOjemixGjqkIjCrz9sPRtnanH0zQ7Xyh43vE1nAb:bzOwjYG+j8z9mtn60sXeQvE1Q
MD5:	39B435537B4C85826DFF96095AF43105
SHA1:	FE483F40699D59D7A43606AECF5D2A695360D5E4
SHA-256:	79C58F7A1D9802F946DD65A7C5D0B7EE24A616D556DD0F9194A7C913197A4147
SHA-512:	B89317134F5C509377FFFD89F6F2DFF4FB28BC6DE2EFFDBD64A3AB365A02244E8B5B87745586B3E03DC31F9E5443C4C22FAF9C7E606EB0E9A4BA6FEEAD4566F2
Malicious:	false
Preview:	.IG..h.Ef..Q08..D..dEA."V.]..,.<..@.I...j#...a..f.xmo1...wZ...Y.B..t...h..oB.. .q.9...W......\|..=t.3.:..n..q .J.Dy.y.\O.Pa-..,\|..VKX....\..{...Hw4...~Y\..'.....f.:N...To.M@..i. .5Ba@...T....'..O.>y......b.......ZC.8QV..2L.l.!0.....{.'k.9i.G...R..9...3zvz..u......N`..9....%.......4G..X...om....e..J3.:.(@Cg=5.`.K.....].3c..A.}....3+..l.,.K..O..4......T.!..Y.i....}.......a....H....).....\|9/{...r....B..O......bRS.._...A.A.K...zK..........b....~...JS..6P.yP&Zi......e.Z....xjCh.L....fU.yKw.G..mhD....,......!...%.CC..5.......+J&..qs.......T.....0.@m.+{..;..p...j;+......."..]?..?...jTV.+.P...AB.Wv.s.,%..e..)%b3.....U..]T......<).5.8...y... ....sn#......9n:..$X......&._..w..p.V...F.Di.....TV/........$?.......(..b....L[..lSfF.^.U....t.'q.Z.....v.1./.Tk.I....-..w.6.M-.>...KP\|&kM.vr.S.C=....7.y...Px..q..Dt........w.s.......z{.....4.>-J...q.N.......]...\|..... 0..7.RF..Bc.w[..}~.V..g1....7...;xH...Q.r>. . c...w[.v....\|.....$Vl.".3..+.j.......

C:\Users\user\Documents\WDBWCPEFJW.mp3.PAYLOADBIN Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1070
Entropy (8bit):	7.8122598600098225
Encrypted:	false
SSDEEP:	24:AQLnNd7pMc/CWMKqIPgUgq1+11r8nDGpkD5NW32iCrhzMB4:Nhd5dMKzX1tnEkf+C9MK
MD5:	6435E685B631251B35F0107F0508ED1F
SHA1:	E377A83ED9FD1F297088FF79D21C96DF2EEEF005
SHA-256:	2D29C59AC8661477B7D6BF89B64695E3FA687B4D9B64CD1AA8DC57F183E7BB33
SHA-512:	CAD602D0C931F11793AB2E9BCF3EE495BEAB4078F107E4BA58A7C8CFBF7E3E232F907234213DE96A5DBC8CE8AEFC321A79C33A93F602E841672C91A341535522
Malicious:	false
Preview:	.Z....?...b.W3<e.R.W...... ........v...n...t.....\|(..%.....'_.N..........M...p..a..Hx.o.E\...H.T...3..;..h..J.r'.....r\Z...J)E.h.W3#).!..~../J.O&.<.\#....K.-K.wP....d.j. ....J.Rk.a)..Z0g.d.+.../.....p......H...uC3.......hS.8r&..ohE.@.k!...m.a3x....@e.7.t.\qL..Z...i.\o{..T!.._:p]BZ.z.Z_.}N>;.]..+K.&..a~.K90.(DR.`..[{#......@a&0T.k..I....2.,..............m..8.Ru..]...D...../..7.E~.:..5!...@w..;.J}..v.t..lY)nhq/..r...2.H.M=^f.....f.....?.z<o.[(...=".........vf6G..D.F..9.I]#_......F...I...j.Hm...........).F0{..ym.p"....%.CC..5.......,.0.zi.^`.R..p..`!i....Y$9.7......;.-......_)....v.J.w..$....n.R...a..~:.e....D.y..n...Z....G.q..s....vglt5...s./..!w....j....#........mc.'v......n..C:.g_Ds...r...3.....%....(K...h.....}.Q.4./<1J......l.(.-...[.].\|.8z88..........3.R<.(...x>...>.....n6.G...Op.....w.bi.G......bc.....b.. ..!O....;....H.Bi&c\......Z.!x..M.gk..\|kU'6w' k]...5...G...gY....@......W,-.Q+".H..W......._..fcK=.F...>.X0g/j<-.M..../....I..../...

C:\Users\user\Documents\WDBWCPEFJW.pdf.PAYLOADBIN Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1070
Entropy (8bit):	7.8133402878595275
Encrypted:	false
SSDEEP:	24:aQ0h9PZwiThPVRphuTdlvjNR3pgVDT9c3ycLk6q5T2gFE8:aQ0XPjVXkNR3p0Nc3yUk6q5qME8
MD5:	242F39B8CCD940597075BBCE1F85ABEC
SHA1:	3211BB047D63952B1166AC4D078C7ED9BF6FDB53
SHA-256:	9E19D1157F62EC6875A756960A433D57B536ABFA58E070D3521FD06E8DBB6456
SHA-512:	C31DF056198A81A7EBAE2E1F593C8528DCF35DFA263BDCC824F8B8F980725A10554B8248E9C771D1BB9B5047347BDD7A2C61199DF921940F5B1AE35FBF509CFC
Malicious:	false
Preview:	(..8b..............3..o.\............{/...-eb."5..U.."8.}._.e...eHA0O.;..H.$YI..J...<!.R7a."..S."2.....^.Vi4+.RDh....LN.q..< .472...L,0.....k.q.N...?a....q.....3.e... fxG.~...+....Xz..T.pl5o.s......T.....@.."..........$;...qd. ......;..X..>Q...<...<.=..#...\%,Zy.We....u.U...r].e.FM.........s..2..u....W..l..$.h.?..KmO...0@-eK....s8by#...8...M.....A......(...Q....jTRb...p...../..;f....tq.......n......5.. .um?-.Q....h'...%....w..W.. ..\|..C.qIJ..t.($N=D..{.ig`....{hyZ{............B6......r..9....d.D..;.....%.CC..5.......[....../ ...(Og..KY.Fe...%...../[t...Y....bo..v .&..)...D..L..${3.x..........gF.....P_..yj.I....Z.W.....5...I\..."....7.,.........NZ.J.&.:=.{...z....[.Q.g..2ka.w>o.$...e.......F.@X.Q._. .P$...u.I...(?)...2.V.^..T,X.xu.....%Q7.......k..%4..D....P.o.V]..u.b.......\|.b.("vJ....o..~,...$ER...Y.....M..[......#}".0.....Gd".y.86...&..`.!{...+..i......X..>T6.(.9....C..u....\|....A.b..1t....;..8.....'...yW..%...:.......(....(...

C:\Users\user\Downloads\ATJBEMHSSB.jpg.PAYLOADBIN Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1070
Entropy (8bit):	7.821611750112878
Encrypted:	false
SSDEEP:	24:5XwnHFZfrZ5UpNCeItt149tAi4rzUhBazBHQzr4sSk4xMvyT:6/5Uae9r4VtfsSJxU+
MD5:	6FBA9FDA90936C8B382AC987FE6B6E17
SHA1:	FE04B455250F82DFE4B1D659389F820E2543CE85
SHA-256:	724ECCC0410137BD3E8A210DCB4A23CF1A8E85E53DA7895D37771E1E0EB27942
SHA-512:	B601F60EA40CFA7CFD7B7611784B0718C66C4EC2E88B036607CCC8624605875624682F7462A9B259869E1D12E04E7A33EDE02F9EFCD59D80E1CFED93A82A3889
Malicious:	false
Preview:	....c.Q.....~s=...N.K%....y..{......b..b.H.\hB.(...J....AW....lv.Lt8 .+E....oN.....J!.Y.1....C..ZOB4..SF(...2..<`.......%e...).-.oCLI.....kw\|...a..p]Z.....^...... Y.a.b.F....{-u..P.)...mL..q.0..F..]...(dtC......d,..p..3.8.Q.......[..t2..t.. .~.}E..1T.9p".3;.&8d.^Bv/..!d.V5.J....=.}.L...x,.yd.._.P..;zG.U..sTZ..a.hd...v_Go=.,b...QS.G..([.....U............t.L.,..2W8.=..]Vb..~C.U..w...W.u.'.c.....vt...sQ.1w..XFP...~......K-.....z..M6....!.f.nQ...cl.~.nl.......MS.j.....oy;.Y.N...I.....#..........G..N..#n#..+H..[.......%.CC..5......k..{.tkFhm.dr.kOD..H.K./.....u...zj...K......6..O.{...0. %...S/..S#...veO.)...\..O"T........^..C......dM.......c\.'.9....u.........W.(...g..1N.=.....d..<..........:...6.....F..6...EB...9..Q..r.#+......5......p...Y."k.....8A=EC&}.Y.ds.u]V....}.F5N;..i..K..!UJ2^..y h..I..'.]..~.H.../c..t}#......n\.:.A..6...b!.$..cb.a..U..*.&.'..vd..p(."~..R.1R..b.......n...u...K.......[.^)c.#.A.hvl..>1...<.....&..-.X.7.i..

C:\Users\user\Downloads\BUFZSQPCOH.docx.PAYLOADBIN Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1070
Entropy (8bit):	7.826903565927946
Encrypted:	false
SSDEEP:	24:H5uVGb/fK3APZoxKKy+oR6RT4OrZIJFGDQ3wTfS5InpjT6KRxOh:Usb/fK3ABoxKK04R4jPMiQSgjNTQ
MD5:	85DE35D54E5527D38B4F404050952C35
SHA1:	5B0AB437BC80E54A3C882A6B72E22863E847E8BC
SHA-256:	5A4C2E0FBB10718040C21F620D6860052C0396F9C821C9E1B4C6405BC5DD6705
SHA-512:	97291DFF905DFCFA2171AA4A13387D2D9E556617BEE4B9AAE0CA6C59981584135A9DB8C521FEF71E22D4DCBD167EABCA951372F4F7E032F88D87546DB32BF287
Malicious:	false
Preview:	b.1..)..f(..S.p`.@.u...P.....X$.v9+Nv..6......H......i?Z..S9.Lv#..^.c......t......Uj..~......2@.v7..Bw.....w..7..}....~..sD].K? T-.S.a.K~PQ~........O..G..XZ8v1...(..S......I/.O..G....L.K.".@E..K~.}...X.W....b.MXYT......v..0.uZT....D.x5.xD.sk..wO..........T..xG4.........B...q:...z.Z.A7m<.d}).!Gh.7.E2d.O&.-......g..>..{).........`1.m#.G4!.:..!i....>....sh.QCl.;e.......u...m..e.uu~..8.Q..X.....B...x..!....S..).....:..rJ.b.PJ...p[.. }..f.Q.U..9.....tV9...6~.K..ky.C].A4q.O....zr...q .....>o.......j%EG....SFM..L......%.CC..5.......G-......0..".o......Y.......<o\|g.......S....E...t.%p.'.?1zZ.....5..t..?(J....i2..z/3~.jN..X.=)....H.."X.........RAJ....X.n....I....3.....e..r...,.....$..idsGL...y.a5.6...z..4...'q...a.BA..v.]8r7.D.n.%2-?.C...p....pP.{..b..y.KxWWJ.B..T.GW\....$.Z".W\|..C..%.;.{...D..VR..........z]V.....?..q.}..0....?y..)..F$..^k.....K.kg..QCE_r.....V.3)Q+..>..B..8.?y...z.<....4.......M~\.>I..vb_-{.m.j:N...Pk.Bi.....4:F 9.N...M....

C:\Users\user\Downloads\BUFZSQPCOH.jpg.PAYLOADBIN Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1070
Entropy (8bit):	7.836135829908556
Encrypted:	false
SSDEEP:	24:EvSR0OjwTgB1CgGzJJo7UMawijtOtzWMICwhrDqdi8owoCBac:EvSR6TgBmzJq7UManotiLJeQjc
MD5:	ED97E63E1B5731B36C72D87AFAAD8AC5
SHA1:	AC8C03B91AD062099CCF33851B9EEB2EF9717708
SHA-256:	E5A879073725ADD7A2E9ED6BD5A94F1F4B054C4267A829857AA6CC178E8D2F34
SHA-512:	904CAA5CBB2D5A918462E9ED8A05F53524E7838BEDE924F6F85EFCBD92BD383B473713698E1CE3F8A25782E02916284839E823E5F40CDCBCEC448A85566480B3
Malicious:	false
Preview:	....W.H.z.\}r=-.....<........,e7:...F.q...;c. .-!k..C...>...Z...U.S1=5A.b..^.S.,.B...O{...A.z..pMK.Q...q...$.B.....6.;@y....H.d..4......m8.F./...9_V.Z........M[...H.I8^.....R:....t.\C$/.W.9..%.....x..M..."YzNY..\>.^_...4.DN.......u.<R...`....UZY.;k.z.T$s...4...@b.)..s.@I.r..t.r$.3y.H..H!..Qu.)..W../.. .g.......{O.SA.\=4V.....Y..n...b......E.WR............J.k....`.{]....4.........mW....O.pd.........t.K.O..........).F.w+.A-.vG9..(yk.H.M.w.<.....B.1......Bi.....%.h.<.>s...}.Z..%.i...A.B.d3.O.N}.......Mq-A..s.i]....%.CC..5.........p.&.iObY.y....~.r,....@\|.C....\|.$X].....k..BJ..L..n.:..49".....B^#...=..cTb^l.PJ....j..[.YI..bMY...pT....#&..t.k.j."..u.>ei..]....n+....]&.p.@......9.BP....4.{.....;..X.}.z.5.P.g.....ae.<\|......F..K.!.....,...............al..^)w?..+S.g/....c.5k..LE...S...E..q..6F.O.hx...._...V...L...E...SN"../<..T.X}.'....Y\6M.~..).....y.up.#R0h.x......1F..Bc.4.Fs^.P[E...}<U&H.O.}..5...[.nm.{....j[.f..+s....(...1'...]..

C:\Users\user\Downloads\BUFZSQPCOH.xlsx.PAYLOADBIN Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1070
Entropy (8bit):	7.808339798699928
Encrypted:	false
SSDEEP:	24:d0+Jmy+pWh0Eo58sxi+Sw5xJ4amHF9JlJ8sZY5D:q+cy0582iJCf4amHFNJ1I
MD5:	8049C75E34219491FFFEE802614CEB99
SHA1:	FA9F53364A9C0A1FF1D48E8BBEA59E20D5A970DE
SHA-256:	3EC3957D65FDB47A16B0D411E619B5871D31D50D84EB0C1FC77F0EBEE2985C1F
SHA-512:	27A73DCFDB311BE6AA567D604B8E7C9010A925391379A9F00F873341BA88A3998C2D33F3BC4B8DE951D38F8654091DA18A610546B936024FFD070B70ADD0B493
Malicious:	false
Preview:	.RBT~.a"wD.v...ye1UOqw.F....,=.b..IH..sNzYmS.....pu7P..'..(.il. 7o]..f.W.u..).`o.&K.,I.Pg.....&.e<.c.Sl.F3. !....d...r#....5..R.t...l.0f..J.y.r^......B[...h.R....(.r...f..7)......,..K[sG..p.(V.0..]C.#.h..!..h.D.5...(8.\a............-...:.x...y..\.Qx.B....{g.',n..x.....F..V.._"....sS$b.X... `...(........cJ.Q.$._....!e1.OJ..B.n....;<[..<U.V....`...).....Y...4.;o.......8.T.z..4k..Rf.).Z...A.I....(..n.RB...(.....:.F......xQ.].m..0..<.S"#.....K.N`1.......c..`(7q..4...O.i.A.x.;.nV.,.GWxR[@?<....}.....zf.H.$.W...%.CC..5......jr..H.2.y...DZ[...B.E..A..)...o..#v........O:\|...9.(....\|\|..B.0.......\|%...\|.....[.2.$s.1R.......Y0...n...v...9....f.tM/.\|Z.....$S...^2.x...;.?Q;.;3"..H..9.<.-pc.....)..O..f.na..!.:pTx..Pi.]..e".......t.[...)......o.3...g....B.:.Q....(..sF44.#..4&,0....0#q.t..vhNh...w...;.zi.T?..2<.{X.7...0.....yOE..q......E:u.N..(x.".P.X.....Zl.T.x. .8.....,.'.f.,.c...>\|\.q....2Y.i)q.$.1R.."<.\|..3y%u3...zuBi3...Mc...\.Y..K.o.

C:\Users\user\Downloads\BWDRWEEARI.docx.PAYLOADBIN Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	DOS executable (COM, 0x8C-variant)
Category:	dropped
Size (bytes):	1070
Entropy (8bit):	7.815833771877239
Encrypted:	false
SSDEEP:	24:YlycrYl5hTYaX0462cHlI7ojaU+I6dTl/f7345bHAc:tGakswp7+I6ll/f7o5kc
MD5:	A5CC9EC3DCC1AD54AA6C354E619D3A08
SHA1:	CBB1030B6D5FE3E39206A02680F0FD41825301F4
SHA-256:	8BA08AB85EED4C3E279284F9A192C18D80388021D2390383539309B4DE2C1138
SHA-512:	4F3C399A45F9B4A650A469D3E292D8076BD0AA901DF0A925AFBFBFB9D90F1E4597F429BF5A7741CA18513377CEBEFC379098B52DEE10147023B2911BE6E36D00
Malicious:	false
Preview:	.xC.j.9!y...v.......EgY..{.dD...0..3.$.Jt:.....XD%.......t.5....=...D/....Hh.6`M..b...Q..a.a.=.#.2.vn...%...qz./=Rx...@...^iT.........V.y.0N./,....S..i....G.2.{...y.wD.#.l....q.dN.....%..c.a...../.0+W.h.).......h...D;..Nn.......V....3..:l..98@y..".W.!'!v.n......D....c..I.c...>H-X.pH.6-.F.....c.#.>Ut}r.c....=Y\.A.~....h..g...w.v(.....O..SC.yy@HI`....,i...L%.g.U.....t...1..s{....".{..M3H...e..xb... .....iY@Ll^.:..~.x!..`Z......S.2>.c.F..F......).j.h.QR6.f#..T.\....Ot..7..iUg4.08T.3..s..z"..%.b...-..Db.i...../..C...%.CC..5......?.L.CF\|..n..;/6<B.....I..I .-iu.J....};r.U3&.?O.-f5. ..".....1O.\....:I..l...5Z.E..G..cE_8c..]Z..R..@Xxs...Q.,.G.?....i8m.....OS...uq..H.H..\|.,_V...Z..v..5...+....2.L..N...R:...K..,.....l..G.....w. .n..m..7.OM...B}Xy....T..Zm.#.\.5z....X.V.3.A..8qU..Jm..p...F.......N.@....T.....y....H.(M$/....=.`.`........:O.%...\_9....=.-U8<X.B<..;."..'.5...X...'R.=.E#.Oop....tPQI.....Y.=.#f.@..JJ...4.V..t...w............!?...}P}..

C:\Users\user\Downloads\BWDRWEEARI.pdf.PAYLOADBIN Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1070
Entropy (8bit):	7.808891854454324
Encrypted:	false
SSDEEP:	24:/+4VbkzIxc7YitWUx/gabBkTrxQDXVfBrczFum:/hYUxc7pAUx/zBkB4pgRum
MD5:	D380044221E67BF620E3BF634E31FD48
SHA1:	6083BBDA50006C517BDC62417ED07C2A04C90CB8
SHA-256:	8AFDBBE39FEDF36BC61286C4243555412D2E3D585721044AADB85A8AD5DD5428
SHA-512:	570F8718D622CFC036C86E347E11184FB7ABA4E0EA7C098D06B1B205D3F0664C869818F1A10664F5B9E6DB7D0D1C16E228C80C33AA24DDD688EA4237D940FCB2
Malicious:	false
Preview:	=cI.0.\.........~.oxg....A&{DT.i..L..n...5.b6(.....;.)lC.q>J.gh...nS.0y......Y....!}#...I....$....v.{.5...._L.<...n.r.A.wd.....G.X.....Q...:..(.!.u5...uz.)..v.%....9...i.<..>q......&.&S.y.._F....EH......j... ....NtoiI.;.Q.O.1[n=..`..e..w~..R.).E.........T....e.9.@0.....l..)k..s.L..'..[.....qSav.,......?j.4{.X$:Z..9?.....p.=.X..2.H]6.ZT.,.#+i..W....i-....N0].'.ls...m..G.S..,...,h.C.#.!...0Z..~m~m....OK...-.X5'j.c.....L.436A.M....A.?.J.pH9..ee.&..^.....<..O.~.@.].....#.d+.....RhqP.W.Y.P...$..y. .:.3.......%.CC..5....../4.5=...em...>a.@.b..0."....s.3Qw.....r.[..1..`.....XNT.v..jE..5e.Q...N.m..;.j.#.G..G..J... ..@...NP.[H:h`>@.`..i_...l#.`.@]...L..,...4......T.?.P%(.s.-.(.X...0...V..%...K.X_.8T@.?..e5...O.uW............T.".......`.[.`.D[l..L..k.t.k...._P.P.Y...Y....F%.F..Xy.y...3.4..?sEp..'G.6..,...b.$$.}...I.......^-}.t..r...T.p..X.^.B.....U.5.S..[.....t..).8.....g....Q-9H.k..X.8d#Ge... a.{!c/e_.K.j....^.....ae^$S."[..{aF.....><r"..W

C:\Users\user\Downloads\BWETZDQDIB.jpg.PAYLOADBIN Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1070
Entropy (8bit):	7.798532360968854
Encrypted:	false
SSDEEP:	24:PoMZ1syw02J9S/TTuUmiX7DUSBjf7QCqUYYfjoyLmN:PRTnY4yFRAsTZ9gmN
MD5:	54DA570CF07D890FE5B0523E4780CD01
SHA1:	D75BE304A478F6328413148FF606C11788B3BE2A
SHA-256:	4A990E4FFE31294C58453D53772AC0949110EBE80F3F7054BACF7A32B5F01920
SHA-512:	8635B5DD1BEF55271B6C95A8D58000EF9DBB32B852189B6A1AE17269D16FD2F44EDEA33B149DF8A9EE4F131B733E6B16F4070F2338DC59195B8C6B33B43E5076
Malicious:	false
Preview:	...M...Z.....'.g..m.O.%..I.5.\|....rpW....\.ak.$.@L.......].[.Lh.....qQ.F..~....%.v..'..L....b.l3..9..@tg....q.B#)o.\..[...Z.=&s.~.8.y%./.]:.vo.......$..1..[yq..b....j..EZ!._..]..yS0.....a.6..;.E..G..z..(..yA.....8..Z..."..wE)..9=....Bs...ZZ.fr.^.....I6&Ku.P.......ID.d.v4}F.S.=.I.")..I...8B......LkY...:\{.......Wjss.UF.{..Knb...M.W..1xe.....l..AN.^....-T......yo.....D..7..Z..H'.O.-u..y...........0.$2..~]4...u^.NAYK?^.....rE...a....,@....UB.u...T..%.,b..F...uY.'.Q...,BBY..F<.Qr........"....}...}...UEo......%.CC..5..........m.\..JH.F..........h..&..B.g...O.b1G?.....U.R..9...B...M.Fd.l...=....8Z...Q.s.GUN.....t.J...@..z...~[.B.%..!%.`W.~..;..iD.KR+.........$....U.g,D).#I.o..~...0..D..............&..."...c..n......KB]..W...`.T..J.......4......#^E..w/Ny.$..g.3..q).......K!......=-/25....~F......X5..g;c.!..0W.QT..R..0...-.jR.>..:B..8.m.NK.8@j^...K.^..`/..a.b-.T{m?.(.E......=k..g..UE.f0.....lI....V.....SB.s4..tS.n..u\o%40.

C:\Users\user\Downloads\BWETZDQDIB.xlsx.PAYLOADBIN Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1070
Entropy (8bit):	7.81554029110337
Encrypted:	false
SSDEEP:	24:IfRkpS4nGgOg5l6DNeNcXSHnuusqrt/QItAguUN:IJkA4ZOQlkN+ciOusqrKgJ
MD5:	9A7FFB9219E51FB4AF04BA23C61D2A76
SHA1:	E5C635698846A62AFEE2E902D07C1D114F29328B
SHA-256:	8E70326127F13CFD9689A5429513FB1491945F0203865EF7D585F9E10788FE1B
SHA-512:	F2BCA536288FA5DD0E9E50534A8B65DD7048B7FA90CC39C4333217D0DDB3A4CCCD05F59EE935E832B34154092D5EA12194A8E768051B6139F7820D19E4385F6F
Malicious:	false
Preview:	D....'.)..V.o%.V.+.u..+[i;..B...I.KG..8h..E..m.)..&..y;.\|..Ot."A..&.....A.E...zT.hm(n>.R.e.s.u.]..bd'3....k=.$...Q...He.......=F...z.M.!.jS...S.X.N......,...kq...J.2...AW,..v_u:[P.f......<ZN.q.).......`..o.O...x..e{...I..O<....SQ...W.-.....s$.dcr"..]Q.bXG.;&s.d.../...: ....q.H..L...._.#...".0..ad?..fa.$..l(K.(...x.iz....(R..O..HX46.5...d.,5...(....1=..AS..U....q.}l>...._.M.V......&g....1..?....r_SD.0.<....t=..B.[...8^.a..14\...v.`....J.SCV5N/.J.i.%cPY!....X........`..:........w.3.\|...vRgW...hO7..%}i....tw.....7...%.CC..5........X......Z........L...(._........t.cP6.C.<g%XT.......S .!B{.Z...Q......I..].w"EY..F..]...1..._..`./.....9.......D\....-lZ.X..n...<..4s..?+R.<.Z......v..........M..{L...~...^..I.=.]..B.(\L.AIu.L)Z..\|.........@...n5..03....q.S..aI6..4..q/.rC9...<..y..............]...V0.......F (..4......&9 .~...y.....,L.,t........Q...>..l.J..X....,...aij...3tGC.H.,dX.l.d./....-S+.K...X.sZv....y.. n....1......s..!....q%..4^. v..~..."n.v.

C:\Users\user\Downloads\DWTHNHNNJB.png.PAYLOADBIN Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1070
Entropy (8bit):	7.801703243811375
Encrypted:	false
SSDEEP:	24:QXi8cRIg3Bs4Q53iZAS+rAbCGOf0DF7pHuTP+916X:aQIgFQxiT+r6Of0DL+
MD5:	C44EB388B47A54B3DB96B01A216FD965
SHA1:	3C5709534B44F88394B5AA02041DDB99A52CFAAF
SHA-256:	0563BC78C78762DE63940937A063B3FD6196255886DB19F31B5A68ECF6A1D9CA
SHA-512:	48BA4DF0C81C2AD9EF51F7434ED379EEEE61DF7BF72D86E7BBE702758A3E56C92DC9CE53AEF3DCA0E5743622CE12204FDCBC5140C5D54BD6F1ABB94631C02AA6
Malicious:	false
Preview:	}..8.........c...".....&>H.h.Tw.IB=G.=..1C......}m.6)...`..F[..............f>\........`.K..(..+.....%tg.A.NZ<.b...j..u.[5.2..`..68t..62g.......R..5.'.1..I....1!+^...Q.`....`.....k..../.V.o......O.N.X..m...0.....B.....G...].C.o.._r..D.P..J.HYW.h.p.....J.,.y).......?.....2.r.X.%c....:...;Y.......X....<_..`V?......i>>E9.U.=..X[...W8...X..:wVm%g.s.J...v.......b.............F.2!Q...6..cw<.o.8..0$.z.....j.T.t"z..M.9..YE.Q.{9..`3f.A.U.o...Y.B.h1.L=.....orb...-....UW7.4......z.j.=..f....ow..Z.,.n.9..TV.}.ls@l6/........%.CC..5......7.M..`...f."..a.5....Yc.....o9.2..CH..KE5O.....6..5.Q.Q.D..%.v.C.Kj8"u...q..4,...6)Z&:..q.O`..>..........'.Yt\.../....uC.~)..3!......1.k`>.q...x.....h..o.H....Tn...7W.9......c.. ......^...p.P.j.}....GO..[....#...B........m....16.!....+.........X..5..D..#0.F..1ho......O..0.........V........o..?...[.RjQ4....W.1...j..'.n.:j5u.-..+:.._.d.V'...p+6...'.%.Z...*8.X>a^....]........!.c\wld..L_..Sb...$;....3.x.c...C.......T...S.>../.

C:\Users\user\Downloads\ERWQDBYZVW.png.PAYLOADBIN Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1070
Entropy (8bit):	7.794443975996121
Encrypted:	false
SSDEEP:	24:8sP4tU1r7PmzbcZSZyBseZ/TvurmLDfdg4jjwNW:Vg4r7PubcZSZyCI7hgXU
MD5:	0BAE20D4F2A1B0046ACEA64B6A001C92
SHA1:	2885A9F2F84A03D8B2FB79CB0FA68539CA94A70E
SHA-256:	A408C3F9037367DC2D7EE5A945850476F5C5D86C2B6B8DE5049A7D06D2E7F5D9
SHA-512:	40974AF725E11829D484226807148F953368BADA62642AAD82A367D34188762A76728824C82A248204B8B2BE5820CBD74E314FD8EA9A3990960655CA4167047F
Malicious:	false
Preview:	/mG.Y.?..NK._.cw....]T...[....K.j_o....P.....z__..6...U.:0n T./....?..u..._...."$.+....I..F.t..P-.e..).....h......R.>...).:..m.@.m.qk......p.a.8.$.........5...........@...\|..\...c.gR......mh.k}.....1q.O,cS.h.5.:.y..4.UO..B.......>..=B./k..&2hj!..z=[d......5.rr.?.u..$(.i.......3.d..E..........HB....^..W...Q....2.....).&eIF..:.\.(..y;.....<.....wk$.g)#.f,...h}c.+<...hG..'...v..L....>...6...v.1..m..`..c.........9B8.b.#...^.&3.%.u........T..>....<..........2..a..n..d0r.._....`=i....[T.#.o..\|.j....h@L.....%.CC..5......Y.......f"=..[...sigaB.-........\|.Qq.....kI.<h.<{y.>...'i.ce.Um..A.,e.c.a.........+vIA......M}..>...l...4..n..,7.`..:.:......j...N......!..WE..&.z....n{f[`.2A.6..Vq.e..>....A.a..(..jjw.H6......&MF...\....#..3<&)..Z......Pz....<......B..!........D.m...O.l..tL..dd..$!,..V.]b...#c..?(.%..l.ho3..9........[..&..%.4<..E...\|.^..q.X{G...!..e.!.m.*..4...dX.)wg<......".t...ha...B.=Q..rA.Q..la.q9....9...]{<..^.r.%4..P..1.".o...m

C:\Users\user\Downloads\FAAGWHBVUU.mp3.PAYLOADBIN Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1070
Entropy (8bit):	7.809377012669542
Encrypted:	false
SSDEEP:	24:TDuBapEdW9B7bvZuFkObyrVWoRnREbUiCwqgr8rTwZ0m4y:WjW37byb0WoR+bUiW08A/N
MD5:	64C02BC75B5F56B3F62BCB61B65DF237
SHA1:	428AF2009837F799C1463B4F4D54979245D0EBF7
SHA-256:	B7BE3D8C4F7C602F57E73CD201BED5022F23B03A0FD096ABC403A34689B9E87A
SHA-512:	CF09C3F5F5FB08DABB9B25B564D9A2A73280264C2B68ACA41DDCA2AA26714E62B416923AA723BBCCAAEEC94522C951A62A36A0F9D1107FFB22AA124C0641B304
Malicious:	false
Preview:	w.........t............l..;.@{..9.Af._.S.!S..`c.v,I.S.V.),...)2...!.Om.}......QK.7.PqK.........Tz...Uk,H..\|.4..k...#.......4... .V...zp...Rbk.z.N...Y.n.k.....Ph..mXT....uK..jv....tT=($.".9.....[e..........5..@0.....y....2\.;7..8AW..q7<Je...#.m.K..I a......SS$R..I.....7...\|.F..Xr..) !V. !%...`..VN...j....kD.._.....`.b.D..}...@G.n..w.+.s.+~\|....K........8.H-.5x..7...T;o....p..!...]...W_.S.....p...{..p.8.).............d.T.^U.......i...P\|Am...#.D..`......VT.j."..y...i...g."58....gSy..t.(......!...77....%.CC..5......l,..a..?..#.\|fTN.._X..H.......h.V.....'..>.. ..8.v4..v ..n-...Y1.}.4>.%..o.hZ.a.E..+..'.....m.....c...E.V.>....u{.We..>..2..u..Y.\|.. .........#(v..F...b.s.).....k.B.G.7.X...r.}...5..!..2..V...V..K..5c!.....j.$..&....b<"...\|V7.4.0(..N...f..j.#.ilg.=a.M.m*..s....lc.k,U~.....QQ.>...E.....J....c_.H.......,N.m.3..m..D.^$..K......Zx.)...,.r.......h.-L.'.UR.....P.\...J}.....o8\|1.l...:.ANvh.F,.....H....F.[.j..p..;..t6....\..]+..

C:\Users\user\Downloads\FAAGWHBVUU.pdf.PAYLOADBIN Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1070
Entropy (8bit):	7.831380188811291
Encrypted:	false
SSDEEP:	24:5lGCOaOds/LqZY/u2EPAAEDBToOkqSzQi1Jj618Z+YfFrkT6:nGJCcAYdED6QQJu18Z+kFwT6
MD5:	ADDBC0761890B62DBFB0E0BD2CFBB582
SHA1:	7BBAD49B41B86FE6DEB9FC960BD75B89B0E1F3B3
SHA-256:	E8048C4E746D52BD146204548414F6D0C42D0035CC849881579B97F80CC56B65
SHA-512:	94FDD41FC8E6A75C6BC07AC6218565DEE73DF29534710FF798AED2B4AE629F8B1A3E6178BC2B4713103B6CCFAF368C3AAE0FB7695AEFDBF5D358F6B63484FDD6
Malicious:	false
Preview:	.J.V.i..........y.p.JfJ{....{..U"f...{_!.t.}.........[..H37./M,3..P..:.DF.p..=iX..0.bA..J..)g~..+.s..h0.X...m..U..?3.<..Y[.D....,ndI.I..g.....AF?L.6....l.:.O.....P.(!+/.8,q>..=..ofg.b...X...$w...z...<.......^.0.Z.M]q.t...}.K..t.p..\u ..6....X.$...e../..O...>V..-......+.7..j.M.....R.1..O...%..RR2L. j.@...}q.<.>.u...t.3DH\..$.AuB....eRC-2n[C....W..X....p.Jv.A.je.`.A<...K..P...PG..B.?..$./.%G...ZML....2.J.0H4...]......E...i..........d.@. ..{y...8.!t..[.'..P~..{...%.o....5....I,.....I..Q...R.{.5)...3ZN&..n...\...%.CC..5......5....=0>.+qx..l."....E'y...O.u#.2....6..?!W...._.@+d...........w..7...[...Psm...Y..!}..O,..(.K@9...~.......B....r.U..C....?.r..v.....* .....Gr..b.2@.d8..."T....{u....Vuc...hr.l0.i.E..7.V...eo...v..}....R..=g<.. ...;.~.l\|)..\v..^w...4!.tR....Z./(.....c...kj[..`....G.q..Z{.k.7 y....w...2)....._yv..Y.J.?#........\..b.7.....=.&V.0.l ....gL..."..&.Tk.t.o.`...Z....'.......BB.".._...........]9m..n/.bZO.$.[.....J..}.{...7.m.

C:\Users\user\Downloads\FAAGWHBVUU.xlsx.PAYLOADBIN Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1070
Entropy (8bit):	7.7900384498952056
Encrypted:	false
SSDEEP:	24:gpoAfR/q2j2OcHayaai5/A3MsnEJw21sSd+I09UqZP61ldLTh:Io9xaCSwESWsSd+J9UqP61zx
MD5:	705D3D8B546743070391EE34D697C281
SHA1:	B02F9C46D1CC19AF9212577B070FB50E03A70FCD
SHA-256:	7142197BE6CC87646D7543D8DF33998917B91F3F5B16565D192481BC8C43748D
SHA-512:	4CFCFF1312CDE6011475AFF1088EA109AD91FB818EC25E831F9A4EFB5A0DFA9E2A9E6A2C0A74FE7AB61FDB2541A423C0298183885480E29D16C5D9D2489A8380
Malicious:	false
Preview:	....,..>..Wq\..h.......>.......=R<....D..<5nA.oFb.5#L4lPz..U......I........(...D#.?eo...'..=[.[^..:....!.\|....f.H&..~..M..eI...do>/.E.A.}<@}M..J....-.k......[9...94A.....(/e.....y.c...QA..t.r....Ci....Q......q....\p....&...9........y.1i..}.....{f.g...@.:...l7.e..~..4....$.ZV...?....+......N.ra.#...1..E.0eR,...lZ..N..!....;.L.3.......>b.e.<.A..x..g....sb.T.V.'...d.=>Q...j.A7.D...!..=..)u...o0w.e........n.c...g.ie..}.q.0he...uFWK.{.u.E.../U.....,.7.<@..\|.a...)T....>o.SO.S....&....."...j..5(..]=9Dw...f.q.GC.;U..=..R7w..X.....%.CC..5.......{&2E...$...q......=..8#......<7..#Ssa..7...c...\|.r.Z..0..q.(g<...{../.]...!..<2cU('..zh"W(......a.......FX.u1D..PN.U.I..3.o..C.0...L.Z..N....`x.....w..i-:.M...E...:....4.p}.lV%`.O....&.Ym..G;k#.\|_.....)Fu...Z...Y....^.E.........A....4..@..K0.st..7..+...H.F.9...*'.b..}..IC..........,.E..d...BP25.>o......".<.........^.=.n..9?........U..N..}+oi.'.....<...........}........A2....d..y.<.%.&....x.f.oCA...duY....f.P...g

C:\Users\user\Downloads\FGAWOVZUJP.mp3.PAYLOADBIN Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1070
Entropy (8bit):	7.787633130801707
Encrypted:	false
SSDEEP:	24:0SDJlE3LcmQPAW4tiD0mmixOhbbE7nUdP4V1I8h:0Lcm0AW6g7xEYrWQVV
MD5:	78BB2BE06E0908871507A1DFA68A9185
SHA1:	5F1557D68BE812AC133E461957AD42DE59D6E662
SHA-256:	8DE7EE53BBF59773B617F92239EBEAA52E9CD2775F99B43020E89C76A9471628
SHA-512:	AF7737AEECBB83CB528C87AEA79911387CA7E625320CDE58EEA267A34925138F2D07B94EFE846A1006FAA02A1BC10B153EE0CA1F6912D63EAB7F0B532A62841A
Malicious:	false
Preview:	.P..[.........s....fk..r_.']...[.....{.....qH..rR..=........D..8...M6x...BrlTD..j.N.a9.j.@........<...(`.X..y..\|{56,.{`Q.#...c.7.$..8}F....4....^.U...........".0t.X...rX........8K..).G..?..k.jW.5..F.....G...h.k.\|..J.{.`w.=............bq....AH......[.jB9. .. n9.M<.[...eV&...J..p..b..3y...1E.>....i.;...:.l..:.zS.........rz7......X=(..W..........E~....~..3..\!Mk.]..O.......Rwvr..%..M.<......E. .......(.].?....V~.`xa4....d..."...E>.j..g.3.\|..<.....nL....:%-.b...c!dP$..w...5p..k...W-.........<....7.j...T.!....[....%.CC..5.......!.G%Xu.'..X...'.M..L-t........KF..P.K..?..`.!h.~-...N=.v...)...B........f..........<...C....i%2m.U.9..x.l.(.].Q(BS..[.......`....m..S..S.c..k.q..1.2.q..^..ge.-m0.u......6..f......-..z....O......F.#.0.8..E.[.{d$R.....k..:Z..G....D.`0...v.f...2.O.x...._.'I.T..~.=./`_..a........F(.v......2\......O.9F"3k..>..$..../.M......v....f=*..a/...7&..H......<.`.....<..H.wG(B.+.~...`.B...u.17..y..+..q'P...:.9).xY9.......s?'P.3

C:\Users\user\Downloads\GJBHWQDROJ.png.PAYLOADBIN Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1070
Entropy (8bit):	7.831806919211596
Encrypted:	false
SSDEEP:	24:9hdq8aBuo06QPNSu+L2czq9XF+OE+syy46XQTp6:zU8jIQSuU2c2r+OE2PTp6
MD5:	0003C3B49D785CDA7E7CC818544EED10
SHA1:	A9AE0D9DE34DA00E0D396DFB11A0347220C6E236
SHA-256:	7CB7CD9A666B90A4B4A62D9ED9BEB42CB550523514C213042A248CF782063F11
SHA-512:	B865922DACFA66AF643C8BD8034D6917A2D672DD345FBB888AE7423234DE580D90805F379D67AFEDFCF43DCA3F5887ACE8BFA3F92C153299DF152F084548F742
Malicious:	false
Preview:	......3....e...5...t.!.....y..5...K.8..w...$....%...F....zB....7..c#!..r.....B....=P......>cAr3}hX.n.N.....r........9.F..y..4.J.;.!..}\.....z...e.....q#,z..5H..p8LF&..+a....D].Y...V..\|.,..H....E.W.d...W....R,{.c.Ic!3.......M.3.<..V...uM<....g.j.......X#..fV.P...6....._.>n.?.T......r@..U........?.n$.-d.9 .]..LT...AG..:..!.1R.1APR.Z......tvk.f..+KR.n...l..i?%S..I..=m....X.....q..W\|23B..X...{\K!6..b$]..ky1Z.3.FJ.....D.(...$.....^9HN.YZy......VT.A.._. ......,..o...n.'$7.9k.......V.y..{.3hL.....bx......o.N.q.d....\.I......%.CC..5......^.X.2...T^c}.....7.%.;........r.v........s\|...4.H...X.&.#8..1.<:{c....\|...i.......$..51...E.n....R.....v'......!q...Pkex..0.....^.@.b*.J..cI..~d.G.6.u...-..k..n...e...&..$.....:ZkO......x........C.p......P.#8..+.M...../!y.4c7J..B.x...5......U.&d..V..w.\|.`....N."..g.-...P..=.9.D......9o...:....$..'..6......Z......z...O.......).jr.i=.;~.60.;.'.:.....e.0.......Q.q...Gz..!..\|...Z...Yk...Y.V..n..7b\|b.?..Q.^...Z..ei.g\|..`...T....

C:\Users\user\Downloads\GNLQNHOLWB.docx.PAYLOADBIN Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1070
Entropy (8bit):	7.783526405061699
Encrypted:	false
SSDEEP:	24:FQ3CQFEd/7Iw2WOWiDp22ZA/LuadqTtCPsmmATEwoDGJvORoXl1Xl1:FRQFE1v2W7DSA/LvdEt0smmAJnARoXl1
MD5:	7742B602B4A2E3B31BED919378B04731
SHA1:	E385165DE1C67CCD8B279538D9F5C58CF69A4827
SHA-256:	13A3435B06133C1973E2FCAA789EE932D869CD43D05B022D48F7C7C8D33D9A70
SHA-512:	3E3FCCAFA246373574EADDCBFEE36F888BC4033B6FA51C4DD7C1E704A860372EABC0FC8C53B2DD3B30DB91390C057EF254FF74B0205C11B7DD1053A891D03EFB
Malicious:	false
Preview:	....G...(X...'.......Zc#...<....e...'..K..m.B..9...E..\|...........[.....-..?.....Z9V.>Q1.Tg.M.p....O..`.......<......Ld..z.y...by.`.....hu........;.;.8..9e&.~..x.....R........Nsq. ....Y.C.'8ui./....7.x...D.P.!.Y..v.,..........{g./.m.b;=..A..v.G.a\|...R...vf.......Jle...:......U.=.....=-&R..s$H....;.{@.:+..'...t..{.......z'_"]...+V3!..._n..wv.......e.,W.....!..-..X..r.L_]..mY..^5....eG...-.n...n.....{..(\|.&...S...qd8.....Y4.3...p...O.-.a.f4ui....^wX..Y...)U.1c....ibw...m...&.f.v.....0...S.9.$^t.W.[..._*..........%.CC..5......v.\<.Jr.kj'..."u.N.14v.XI._."Q...].....yY.R/..J.K.p..\....f3.....>.u.7.m.._..0........v9y..@........~......5.\|(k...d.....\|.l.L.....JF....9..\|..>.'.uf.q.u\|\|.=i.....?...0.W".../... .s.......h.....L&........qq...)i...^.Z...y.T.X....dH.{j...u.....o. ...>g)..\|.m........@.._....=.S.'.........L.6,....`lw_^.^.o.....(.MtIk...j..N.}.~....U.(.&.EV.a...)']y...'F..N.`..o...o.]4.H.R...P..U..).zc...w...+/.oX\|.%..f..ofe...Q

C:\Users\user\Downloads\GNLQNHOLWB.xlsx.PAYLOADBIN Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1070
Entropy (8bit):	7.820980826934292
Encrypted:	false
SSDEEP:	24:J4oU8gwClp+17NGiKnUfjrK/ZtaWQ7aWcOMd05GTtrktAf:J0Pwe+17NGiSUqRo1cO0TetI
MD5:	A7145FD72A0139ADBE7C55A63AE22CD4
SHA1:	C9DD8220F3FCCEAD0ADD37B31669207F3C22CCFC
SHA-256:	B4DC805ED33A84588F7BA8FE8CC144F40F4AFB678D50A1026C2E47D21CEC14BD
SHA-512:	3681AFA512B1FDFB5A5F1338B5998A716EC5CD86B6BA5F6D7C8080AED60C106BED958CB9B31E54A97FAADA93073A186CBAEAA5B39CBE32BECE553B828818887F
Malicious:	false
Preview:	9\|......e..4..]..D0..8W...d...{....k.....X..aL...z.A..y.Y...Jo:...<U.....u..-\|9...S0...M..f2.....KP=..Ja.....X.Rr.......7<..&j.!..mzn.....\|.tj.t..d..pg=.%W..8..m.}.3...B.V."TB.@.6......Vf.$`Y5...@&..C.T p...:.eH..<?e...#=@.f(2.......h.....@...E..iJX..3...F../B<...-n`.r1x;.6..x...l..N`.2.y.h.._:&`.J.-r8V..E.$. T..=...%7.."yg).".FtU..S.SBy.$.kv....X]>.....f.....I<:w.n.^.p.!......)....Ik..H....eA..$..8Ff..R.TR...o..b.t.v.. .s..7._...TJJ....6s.%.........LP]DKh#..swg.&.%....H{.D.(:y9.\..G6..j.e....@..a.$R.F.?.'.s3zH#=J...%.CC..5.......:.7.E.r.........5.`A>0..p b;l.#.3.Q..J...'.M.E.......e..;R...$.P%.Ak.{U-_..Y$...n\....E..{.V..e...U8..k._._v2....M).Z.o......zW...H...hX....N?..?.m!.?q.0A..Z...b....V..?..G.x.\|..Y..=.uYMIv."3......,.Mn..X.u.......V.\|g...s..V...x..jTX.ad..i%.........u.....!7K.-u.m.1X:..~!9..~...r...`...~.s.......l.e[fE(..s+W#^B(Y\|F.......w..7R.o......`.........%..U..i.>o.....$._.P\|..W75.*z....W..Wj...N.g.{4.z1.]....4.d.&.....jc..r..g..9

C:\Users\user\Downloads\IZMFBFKMEB.docx.PAYLOADBIN Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1070
Entropy (8bit):	7.827057528104461
Encrypted:	false
SSDEEP:	24:ACwj5kiUJNvbixcScjL6J/AM0Lyb5IHL5FuMcCbiIgmybSTXQT6:ACwa/uaR6ZAM0C5k5YNAiIgmybSTAO
MD5:	2A6C8BB4B88869F9D9BF4A9B3CB7D2CE
SHA1:	5C3A6386ACB9F1ED3931172467A8BB731CD9343D
SHA-256:	F25801F2024557A63197A17AA4FDABD291BAA6D6E54DBABAEF1BB434C571C745
SHA-512:	7807854ADF58226E286D9049C2E528A5150FDD0A9B0EF1678BDABBBD93263217E37272DC3267574994BDFDBD71D80EBC28D79433EA8907DA166215034DC735DA
Malicious:	false
Preview:	..sw.!....Cf..p.Ki.\|.SL..o,&`.T....FFiK.../..MgYE....6..66....>..c.Q...J.#w...+.\|./n.LMv.h.4.y.T<.3..{$.[q....=..(-...M.5.......~.lF...Q.&.nhn...J..a../,....8y}..4..9...f.......9..n....P..W\R.y..{=A.^...i...w..#+.WU..@...o...~..%.Y....Iz...)....z.....7....H`.[.2g'......>...g..N.9....0.T.....Sy..<v..1..Z...?.<X.M....o.G.N..x.8.Z.Z..#lL%d.!..'9......d...r......<....5...m..#h.....\|6%&...".....<.m.....{l5...^?...&.'.LP.!......N..l.......iM....rZm.K."p......5..lU..Y..O..SBmD. .g..T.)..g...a.u....6..6_....V...%.CC..5......O.).q...b...Q.lN...j5..5w..,.9......(.0...<.n..8c.-..6....M.. ....r....f...c...sy:.....g..5......7.%..[6,D..B.2....o..YA.&&3T....G0.&..Q?...xh.R.f.......9...O....v.>. ......o64h..l+..SC......Z.U..`.`u9.e.....K.mF-R.....&<.c.#..uP..SJ..#.$E...)9dn..:.k...5..i_p.t<....Y).(..%fs..m.7..K...x._t..M.MI.P".Q....{{-...+a.I.....:8.....L<'..n..!.ZY.`8...U....;t..'m..i0H:...E..d..x..;...;...\|A...0Yx.7Z.x......\|-../..b[.,...

C:\Users\user\Downloads\KBIFTJWHNZ.mp3.PAYLOADBIN Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1070
Entropy (8bit):	7.814648638688008
Encrypted:	false
SSDEEP:	24:fHnpR4hTnv6NMkkLsDiIeL6kEONWxu41+kQteREwYTKBP9iGnr+TJPOhZ:/pRU5kJDiXMMWMNteREwYUPxnrgBOhZ
MD5:	DB3C87E7BE2121ACE50CC9B1CF1BB73F
SHA1:	A50B1D439759F56B4CE8B3311ECD3367C7DCD05A
SHA-256:	8E0A0C612F1AB3E75A3716FEABB6F3E0052C61B64CCE0F7AD6090019AB21DA56
SHA-512:	F62CF8E3315BC18E8F994145FE1902557D64023602042403E8170B66535881242A0CEC74C3A52997ABCBC2659448ACA9CDB627A64AEDC12A1F859D21230B1BBD
Malicious:	false
Preview:	d.j.r..V...l.6.......AzZ.K..c........ -....c..(&p..l..z....Nfi....z....Tl.1y.w.-..4h..X...nT..pZDm..OQ..R....j..<....FT.)..R....D.%Qe2.:u...7be.F._m8._f......V]h.K"..3.qz.4j.....4J$.....p.d..[v.Q.4..G..._..J...F.np..^AT....2R.i..D....A._@+f...]....{...w.vp....Fr.}?.\..~.H..5.w....J.!.F..4?g..m...7..'..V.f..>..z`;...q_.A......Zi?..........m..S..;<.?.%!K+...G.+.3s..CPB.....d=M...)..dhxf...$..<=(..,.... .3o.C...^j....F.R.]...bvV7..1WLO.IP.iJ..C....+.....)1.v......v..&;.<.,....Z..-.f.z6..{n.`.c.!.G\|..F....%.CC..5......~+.D..-O..?.;j%."NN....{..P..F&....R...1._EE...}qq4..Pw.6'.D.....k...I..2...\..W.....b.b.2Q............../...!........M.......Nzv......l..t._f.......F.....}7N...E3`%..,..$..phb.p.9.Q.~....i.M..B....n?...=b.6d..;.[@...a.3......et.U.xN%Q~C...",..A.:.......N.}.=G.fGH.Y_#.}.[>F-.m\|X29...G"..h^...X.. .v....Ni...H....%..l@<..Y.?Q.I....ain...P.../..@L.hx.X..9....Vo.&.V%....x.....#.X.r..I.K.+.E9p.....g..../4pS..J..Z...h

C:\Users\user\Downloads\OVWVVIANZH.pdf.PAYLOADBIN Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1070
Entropy (8bit):	7.836151464669387
Encrypted:	false
SSDEEP:	24:6k/qXwbruCMhKCo44fgNG7lM27aGQb+bSFZe4akqR0mdvF:ziXUuiConSNirQF9afR0md9
MD5:	6CB3918E1F3123FE6D0F9B801DFF5014
SHA1:	0CA371DBDB14A3BF2B91C9D89FB61F6C36967B25
SHA-256:	1008505782448FC9120B0F1D282A90185DED7622955568B236D27AF0ECC24764
SHA-512:	549E83C8F75E3D11E010A975DEA82BB6A0744D6AD3A62CB076340371489A4F391426991932D48F91C62F814BDAD7481B792D73F5053837BC44217901AA9D4C3D
Malicious:	false
Preview:	r%..^.i.^t..j...I.FC.$.....5a{..1...F.:C..ek.=.H1P....uBq.o.;.$.eo....5a#.Ur.S.G.j.g.M.A...o.E...J.....0:..)v.`..s9.q....eB..\...v.......M..j..%.._%.O....;E.Z.S\|kFZ.Q...+..]-b........./...+k......J `......0r..@..`.)W..5...mk.Gf,s..p+>..md...9z.A..B..B......~.08.s.Uj.=....h.....?..1%.?,<..[X....j.[qx."..]i...2.....H67...&..........R.E.7....<..(.......\.+..6F.).\...m7+:>...\|.Voj.U#. #.=.w...6....W...\|.j\X.vy....c...k...z.;7g(.]..Ej.Bz...<)X......#_.E.....d:).O6A...8h,.&.;.I...Y..Si.,C..d.....\U...d.[..../...%.CC..5............V(..pVP.(~..........-..~.)...lN.#@....h....0_..K..;.NC...E.%D..\p.3....c.,...{.z..n.CA.6^...][.!..tm.....&].=.5...l.....M2....#.O...M.I.g.w......R$.....I.\.....6/.~-.a...N...f.L.W.Iv`...%..7y......x.>e.l%...L7...?.I/..$P..=...0..F.j.........L..hH....)m.55p@BnK..6E.....R.U.!..3x.+.5........V...a...,.r..U.~.,..........O.".q............x..Sq ...rR..g7Ka\|j.}."cJ.^G....u0..{.........Sy..,z.........%...,.......&.M....

C:\Users\user\Downloads\PAYLOADBIN-README.txt Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	354
Entropy (8bit):	3.4546009930890347
Encrypted:	false
SSDEEP:	6:Qn7KMM0dOLlPq0SlufB6PYxTflE6TcGsZmCulv9l18I30qlAsXQW:Qn7cbLlXSlroNEecdZW9l18Q01y
MD5:	30C95C97318E18000E6CB5682AA9143C
SHA1:	9C90986F29067617D9C13192D99B1104CE1DFBA6
SHA-256:	2A662CAB195B9C81BBEDF676F3D54A6BB326CD8B6112C928404E9616DBB8E851
SHA-512:	10C1D4EAA6FAEBDA3FFBC36668EFFA6E8EE96D3E93E4E8EB34D843432C6A7102FB4212AD01E3593BC3D32F06CE6F3C6264BA4D9238A8BB9314B7154C0E213D57
Malicious:	false
Preview:	..T.h.e. .n.e.t.w.o.r.k. .i.s. .L.O.C.K.E.D. .w.i.t.h. .P.A.Y.L.O.A.D.B.I.N. .r.a.n.s.o.m.w.a.r.e... .D.o.n.'.t. .t.r.y. .t.o. .u.s.e. .o.t.h.e.r. .s.o.f.t.w.a.r.e.......F.o.r. .d.e.c.r.y.p.t.i.o.n. .K.E.Y. .w.r.i.t.e. .H.E.R.E.:. .#.1. .r.i.c.k.h.o.o.d.@.a.r.m.o.r.m.a.i.l...n.e.t. .\|. .#.2. .m.e.r.e.d.i.t.h.p.a.t.r.i.c.k.@.p.r.o.t.o.n.m.a.i.l...c.o.m.

C:\Users\user\Downloads\UBVUNTSCZJ.png.PAYLOADBIN Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1070
Entropy (8bit):	7.836878490445985
Encrypted:	false
SSDEEP:	24:blS3NJ0rPnWirC0MZSHRtQojt5cXC/ZpBe4Ix9u/N7wpc3N+xUUxpajEj:blS3+Pn3MZ4/Q05kCh64IxoJUxpawj
MD5:	8701AD5C5ADEEEE253524B7A6DDFAED7
SHA1:	6E90AC48B2AEA37D1F770F42CC53360D48D2CA20
SHA-256:	8662397E67B5FAFB84DC3497202C2FE23F4CD1B182B1C2A53A8D8E0B4D4A7CDE
SHA-512:	E191FD582E65F282191C12DF73A870A71B6C948B2DB91280D3F87BD7AB650B3C9B77221A046D6F4444D91A5CA0BB843E1C3FCF17151BDC0B6DCE92FDE52272DC
Malicious:	false
Preview:	.Y}..s../j/...P.j.....wI.. =#p.....V.E./..ZX....W=Q.-.Mr...+...^..).n)....b..N...oy...+.$1...L9k..k...z7t..w.D..v.^.^J...Hv2........f.`....qy{a..^.wp..b......:q.\|.E..;cv...x....4Vp..H!.z{.Q.X..P. ...8j..5.PO........-....:..K....,=.C...6C...-V(Ir9w...I?"..rH.!./.!a.~...-UY.4dF.U..1U. ... ..........ijY...g........[.....~..8L..2E...>]S...x9........t6!L:H..?S}\|..M-?.p;.R..=..{HE....t&%.\|.8).:i;..p..(.!.Uc#.0^..Y..<.JL.....M.....>.....#.T.u...-$.+...Z....l..p..Q.OH......@$.......^tm..x4A...).....?....@.. ..8........%.CC..5......n.P[..7x..3,g.h..I..kX......oG.,i.L...A.<...C....a.D.$...s.z<ZS..Ou..;~.........a...n....2....>.Fi..CB...e.Y.u..w...&E.........3..#........2.x9.<....A....+Q../..S....a~X.%9ay..l40.(.Bx^.........;>..y..K......aRI8q..YP.A~.`]......(W.;Vq.4.q....}I.#...o.)....S.....\|.6u.r.>..6..CR.....I..7...cm... .h.../..QX..u.\|....:.z. ....Y.&.1.).......,Z.Z~t..mNk......D3S..f)...2T.hfO....] m...V.._2..^?.x.........'.....Fcs6..g^~.

C:\Users\user\Downloads\WDBWCPEFJW.jpg.PAYLOADBIN Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1070
Entropy (8bit):	7.820617188633687
Encrypted:	false
SSDEEP:	24:zPgamLf0fb27hcmT/6uZpI74hr4X5ugpYP+jQyc8QXzn:zgf427hhTLK72r4X6+jQx8Qjn
MD5:	C240F962B6CCC94B884BF2129D13521C
SHA1:	2EA264F3690A2DF26AD351BF6336DF9E82E17EAC
SHA-256:	1A43F916DAB398CD14410E3C423527C10080725A01AF9195D685638D3E2C141A
SHA-512:	F79232745ADCA392FFA8079720287D042FAD0DC0ADE5439C8801D14AA94E7F7FEC083396EB2E4AE50D1A6A6793F8831D5B6EBE135453758C357331024C042CF5
Malicious:	false
Preview:	..V..E=.~.f^..I.Sm....y...j>...[....A..8a\5..5...<.d:...=.....I.#... 1.....w..9....8Ze.+Uo0......+M=.6..z\S......^..!.T.5c.u.;J;...J...k...$<....F.tJ..w.?.5...J..Uwo(..u.k.1...".[....k:..>@.T\|.....&.Rz...V.$.-.D.8.......`\|.0..\b.J}2.c5.Bm...L...u.~...>.%..).[....`..O.... ..,...z...+...y...Z..$.....M2..P4).0.w<.....e.,....V.\|..h.YTs.s.bB..j#&.....P.=.,_.`yU.P.'....n%.]..c.Z.".l$U).^..:..D.$..w..9Ht=...L...3.pY....g.u.........?.!r....W.,..M..x...6.\..m7R..........^........:......G~..[....MI...-,.m.M..cI5.v~C.}....%.CC..5......tb.q.....L;2.H....V;..Q..;.+.Q.`...b..G-.?.8.....P...s..K..........\|...H..FvP....@O..!.C..0..`.1..S.7.L....{d..k...V-._A...!Qp..&......e........J^...h.0...Mg.K/J..5]g.IW..f....xW>$............@~v.Rb..x.z.....>,..J...Yc...LlY..M..'W.j....r.V...G3ls....=>.c..i...#......ho...8.j.,.+\|bS.}J..`B.T4.(:.<.........s..t..3.@.@U...6$y...$].1%....Y.0Z._.b.........w.Z..I.......s.".'+.....2...cH\,.#1..(1....._.uY.S0V..`......t%.:.;...c^..

C:\Users\user\Downloads\WDBWCPEFJW.mp3.PAYLOADBIN Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1070
Entropy (8bit):	7.843877858491795
Encrypted:	false
SSDEEP:	24:TjGlmJLF1jiVphiOPBZinIWrFSE5W/GCGs7SvA25i5bz:TNJLFYP7CIWj4GCl7SvA25uz
MD5:	A141E24163201D56C01BFE8A20307363
SHA1:	6F763C29AA21B3B2B2C980AE6C4C40230BEB0496
SHA-256:	8B46263D0B511C3E770454D7002A98BDFDD93BB7FD594049E828FABEF89612DE
SHA-512:	C2FDDF3951BE8389F9ED07EEA8A87E189ECCA92D33D5D3FF3D88F93BC8BFDB265AC88A95FE923B21A44A16128F02C9A04A716B4F84FEE993B299553E43837398
Malicious:	false
Preview:	.. .`.`.....p.B.......Z....c.3..:.e.........t..s2..<.Z........./.x.#.Q.V.9..X....J\/..$.."..m . F~f..D.C......\|.Sy\...)...i....A............`..w g.G.o.U.R.....m...o...{.V..).uz...S.Er:.....O.=0(...[I..;HyDi".9p.I..:.>..4..........ty.O..$LZzFj.......!...:..~........$....H..S.9/]..7...^a.}5.~%..8F......0o=..x...d....vAGMd.U(.......v,...HV....}w_....}5........i..U`...x..h....W..=.^..........g.2....k...d..O.....[mBdA..=....8.T.ev8j...a.;...Z....{.Kf.].Z.St.,.M.........7.._..$[A+..!...Z.....bW.d..../....%.CC..5......_..-.t...#.A.Y.B..\2.t....+h..Q..L.[...{U...Ezc...N}.KD<r.9..m.nw..j..\.T...j....'..uW..J...Ih......5d..f..?..1 C..w...W.N.ad.O...I.L.....@"..-YB..9..#...........h.A,j.$.F.sr......Y&l..."....._.B..gf.8..6.E>....@{..Q..p...j.....0...)/&Vn.....L.iy..UI6.+....Q(.......^.k.../.3..@}..=..y....@@..M...fiw..K..47........~..D....FJ...}...P...Gx..mek....y...G@...?..1..P].N.<>vFX5..%Q.&..\G..h.[.D.(..b:.....x.X.}!.<....._..

C:\Users\user\Downloads\WDBWCPEFJW.pdf.PAYLOADBIN Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1070
Entropy (8bit):	7.841183313253735
Encrypted:	false
SSDEEP:	24:pvgDe/5MGbdMwgOerDnqS3IMKL18Cdnke+9nCAcQ2vI11gqC:pvOmz51gO02SJKd1qCVYTC
MD5:	606477707A2BFF2076F492A2D619503C
SHA1:	D604DB11EBAE99F7114A9EA410E6CFC851A8FC54
SHA-256:	76C51A1548DADA0DE1955FB979DB58D0DAC792BBCC3BEBE88A5349CC048C208C
SHA-512:	1FDFE70D3628DB4159FF0F68ED50B92287EEF87C043BE91F40981A699617B7368AE844DED423424C1E652565B1D4A7E3A5E97627C6E4E572B009823BB1A1D05C
Malicious:	false
Preview:	.L.......Y.r...+..._).....4\O..X'. .!34...z..}....H.,:.7....a.....09d.2H]..R.A.q..5.....4".m.v...u.pj.(X.C1.....A.8i&...+1.!.J........t."x..[..).,W.'.qs.2."....w..n@Q..D4.....z..,A.~....&xM-...`.v.P.W?..C......[x.IB.x.V(..M..-gn.T..VlK.>]\|r!.t.....,`m,.......}...'.:7B.{..`..=..'.]...Kj..6x.gf...R.h..\|..[..8.!.y....ae......d/...Z..r.}...kFG..:u-.Y..._..o..#.5.7.....@..!._......P...%q.Z...k.k..c.....9..m....0.CV.1.C..~.49.lQ....P....S..qOzv">...7..3I#Hj.:0UA.....]X....<..n.^.+.J....G.5..j...?A...\|..F.....yU........%.CC..5........5U.r.~e....x.d.;....c..MX.+..}.Z..2L9.&5.u.'..b.S..S.Y..F~...[........G...........[...!..y..n.'.....;.P5...`$....0..T.wn=...m..8...t..{..E......`. .Z...{D.8.Ty...7..;.o5..k.b...}...M..Y...5X...'.Y...t..6..!<{.B..XU.`.j:.5.%G.........Q.E.>.?..r.H...p.t.?:.&..J.....)$....`-.P9$..0..L.I..&..'f.m..".8..X%.H.J....H.u....l,~....c>..6..[{r.....$....X....N.T..........ow&..==+...9..XQ4...._.<.....Jf..g..kr.\|.2+].m..:...M..\|

C:\Users\user\Favorites\Amazon.url.PAYLOADBIN Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1057
Entropy (8bit):	7.812155677033279
Encrypted:	false
SSDEEP:	24:nALNNIjr7OjDvggi3j5TXiWgHA0Xi02RycNlGkKwg:neQri7+h8ji+cHJg
MD5:	5DC6D5C62C3A31F24648693559068ADB
SHA1:	434D23E437B73D0FF7791F38F7279D323642848A
SHA-256:	F969F0019381D2545D5E130F28C1FA515667949BB12D683F8659BDA72ABE9CA5
SHA-512:	C9C45D57806C577A481A43771756F9AD7CBCC0629126B52B9D6F1F9C838E5468589D52244160246CA80C5B802FFD73AD6BAA621BCEE1F127DAEFD1D5338E6B26
Malicious:	false
Preview:	/..I\|..Y........WV#.U.u>.M.k-JB..4?M~.'.=d.)z.j_..M{F..\|......ZM/...........Xkf.n.....M...yl....C..^.".8.1...Z.F....B-V.D$........i.R..U^....y.}..2.X......l._.f..%.q7..-7[.....2.i...3~.{ktC...~7..29N-J.#...3g...7...d....X....z..7h.HP.q.B.\|5O%.QR......}E.-+...............gV..[....C.A..." S....61......u..r...+.)......../-.[:.O#.C....(Z.....Q.....n...... .........ck..:...xK.(.~.......R.3...U.,k{.-.X...@...J..~G@F.0..).,bZ5v.... ...j... ....&_./.@\...:.Uy5..y..EW(....6Z....!...K&. >.R..$.4N.#....+...%.CC..5........0J.l-.....%v{...;+^..Q6yh..%...7.^..<.n.Y:C..._..{\|.t..n..)op0.}...R...W...J.7.K.9]....#...c......Z.!....C..h...@..[H+.......H_.s...........z..Ra..a...y.......[.....n..Z...2.)zQH4b...7g}#....(..0C..wr....gu...2i.j..T'.P.Vr.Wr.hrdc..7.........#.uc....?F051...lyYi^.SI..l.Je..C.gK[...F.D..,.l.s....&.\|..4.&.....n.m.5.....N...~...V.`..[u.d.e.n.n......1....tT.yJNU..2.#Ebd1.+./.Gv.vU......%....kY.K..1.53M.5....66.h.M!........w..

C:\Users\user\Favorites\Bing.url.PAYLOADBIN Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1056
Entropy (8bit):	7.819804091063652
Encrypted:	false
SSDEEP:	24:KxsXq6HgAlTp5FQ4WQhwHKVx+iGLDU+HEntfTRTg6v3EQGmi:Km66AuTm4phvVx+iGRktfTRTjv0QVi
MD5:	68F6426DD629802A09C662DDA7F61560
SHA1:	7C82E4AC8860E06D627CADB1D5E4AEBA62093093
SHA-256:	039997C4F5C2FE72E3C74D795002F1B261F8B125DC89B3901E05D0CCAC59AC1E
SHA-512:	A6D555EDB2A1C7D896B17524042F9BF6EF805EF92478CF4D50A8C9BA1A0659E226D62C1BF713A4C7EA38920720E325E6C310920FB47EE47EC8588DB8A6E8DBC6
Malicious:	false
Preview:	N...+\|...5.........s.................(G..]}........a!..y.n.Z.y.. .T.#...(.O.....L...W.7..-i...D!..7.l..T..C=.jJ.Y\|,lC..`Kp..<...M.o.X..>.wV..f..}l:....u...?..({B(g..8..+.8..h.;)..>i..mE.\|K.........]g..".^G......\...BG..O>zUL....&(....!j....~.y....s.M......^.....E.....A..;...2.(..~..F-.&.\|~.:x..vI.?....^....w....DQYj.ja'.D.3;....."..$.....2.._....nuh`.bJ.....[..l.....a.................Q.{.;.\.5e...k.#..Jua..-aE..!.h.6...(.E..R\V......6KM>:P.u62.fP....J.2w0Iy[6.....\|b...5....v..7a.[.]6[.+.n......%.CC..5......?...y...x....W\ob..{lm-.%..,..,W..6...C..R.[jT/P.....V#..;...R..'jGn8.Y._{.q\|o'+...?..r1.......K(..g..r.\.@.U.R...^.qIE....wh....fw<b..&..j.Y...d...x......2.......LH.......a.L.)I...{.u..w..-."TH.u..PJ.......X.M..y......9'OQ.P........nj..GO..C.Yj7..1..{w..c.K6...R.$^.!..+h\\._..b........C...(...,@.,.u!..6~.N..c...j.&.Y...4.]c.Y.....3.....H...R.d..4{%.A..*..M;\...?5.{."JoK.-.........'...= Tu.DX.l#q..5.......X......c..f....`.B1.

C:\Users\user\Favorites\Facebook.url.PAYLOADBIN Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1071
Entropy (8bit):	7.812267974761776
Encrypted:	false
SSDEEP:	24:wJ4cJ4SulwfeBre4VAtXRwJ/nv6eXawHlRQ1FdkJyI22rvxR:wqcJWlwerNUgtnlK1zv23
MD5:	A2A518B5B081E416DDE4C323844896BD
SHA1:	1A8031921E9EBB761A616C35777FD9EB22A7123F
SHA-256:	61B65123110840851232F8CACE0C1C432BA6451D0FEE7C535116C79FE7134BCB
SHA-512:	FCC2FFC04B867A88A8A2581F5BB68B6BCF761BE53B0B3B0F7D32A23D1F461B28226BC783A2F402B351DC8418218DE50ED6AE495CB5F3D05740BF3B7EFA1525AC
Malicious:	false
Preview:	..sm....K.HA.u.6.RC...9..@p.....pP...y.X~wfG..K.;..f[....>.v..q-.S.e&...._.{c.(Z......$.]........t?...?8B.KkfM.......%n..Y.l.;....+6-D....w8X.^.Yu[>1.?.....%d.....-....H..b..xi.......9.}....... ..&.....J2z..1oz.d.4syy.4..E.H........Q..9....0E..z.D...b.n.I.x.IZ.ZBz..+K.s...?.!.M...f.R..Q.....[H..B....p.AgwyD.i...Z.P...N.C.[q../..;..}....]...".6..M.B...T......hdf.o_..m...b.......6.s%.Z.Oh....sH.Ri^...{..\|'.}a...%.V_.~^2.......B.8.....>..{........q/.$...3Ih#.j.CN{.......<bq.A.?..e.fz..N...X,...[.......%.CC..5......~..#.%u$..z..j3Q.`^.....9p.......8<.S{....9....2.%Jt..b.n.k.4qA.6...K....Ql.pt._...PK. ....)...z\|+..K..}nU.>A.y..wij.........C....._F..W...I..... .8..."t`.1....<;.c..{..z.......X..P2JG..1Z.\|...:VeElN.S6.e.d.&.....f.bZe..2...S)c..l..V.},..9..7.Ny....}x..w.b!.a..oI....=b.'ny.'S......4...r....n!R......V.0....Y@.....rOJ...h`7..2.....n(].6..-.....a.....9T.t ...e.[[.......n........Fp..B..9.a9.K.1...,..&.@c>....l.\J.a...

C:\Users\user\Favorites\Google.url.PAYLOADBIN Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1057
Entropy (8bit):	7.787397083261525
Encrypted:	false
SSDEEP:	24:GtpsyJ7mxh7zsbTHb0Gzrd2Voros9Cctc8+jxSr3dxW9pz38:G3QErNXAaros9G8xNxGzs
MD5:	9967390848DB16100D5771B001A92B28
SHA1:	C8C6DB0DD7E3F93F558FFE1771C0244DDE9AF565
SHA-256:	F6F3A8F5550EDF23E6E261075AE3B856C58D4378F9CE3ABF1110C1028C77EA3E
SHA-512:	3CC094E8DC98280338C5917CF87752B18FBB6F631FDE6C533531ED107C7DF25F0DF0DF6349E63E4C37105BA8E1D14CBBEDB16AC6475BAE32A7B05088B243D980
Malicious:	false
Preview:	...hi..w....5.pd.+.w.W...+.s..T.-....2_.}.9...$&._...l.....cC..Gw..l..=.............;k..2F..43.N.....,..p..d..!.......,.v&).........hBl]....5..wr..,6.-.....$.:#'wX.._Z.....ke..<s~M........^2xz..\r..........+c.....X....:...Q.`ba."A...1S..x8m..x.=nI.O@..f....3x...f...;..,LE..z'..m..........&....=.to...[..?.eo.b.TC2..... .Fktn...p5E..^.r.h.$...........Gh..&...H`.o...F&......Q..u...X.&.x.m.2..........uD.....i...Qin.......n.......e..d.I.4..z..f...G,e...S[..SG..}^..P>../...T..\..r..#A...Z..+Y......%.CC..5......}~.......q_'\n...i.O....{.e.$[.U...er.'......:...~..u{.\....^j..)d[.f5.._.shvE.`p...)..L...8.F\|..G.u.....<...Mv.=.....}......E...$i......V..`9.......yu....].v&f..r.'Y.Z.Q.g...-..?..XJ.......DOJz...8."....k_te=.......6....;.........._.....0.)._T}..}7%J......y..8..:.P.kvb.m..p....].(?..NQ..~...\s.6....1Q...[...9...........eR../E..1IK..........}..jP7K.w...U.EtzS(+.L#e]i.6.Fyc7M......L.}.i...}......c..B.Y..^E....i.Q.4~....

C:\Users\user\Favorites\Live.url.PAYLOADBIN Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1059
Entropy (8bit):	7.819996959913724
Encrypted:	false
SSDEEP:	24:8Vwc/0Ra3nomJPndO3b8Ju1uBsSscyYLL88daAC0:1c/yaXx+34s1ueSscyKL88cAC0
MD5:	E0A28AB855AD1921C2088261D593C9C0
SHA1:	F6F03119FABA0A69C01223344093240633702B80
SHA-256:	82F795A1AABDB5E3AC99B5BA0FBF33936CBF102B0808B06607BA1E83D5FE8D60
SHA-512:	F424A78B1400E9547164B83B07E48C9508C937C422A7AD7876AF7BF7CE3883B06913A31618D6683DBADC26386335EA9A28FA847ED2D35CA5EE9519805A9584E7
Malicious:	false
Preview:	.+}2........&.K2..!EP...O..#bY<...K.0K'J..^..F...7....~."a....#~.... .?i....Jm.].38{.....\.....,...[9...s..6..W}#...R^....@...3....s....m..-.paU..6.ZL.N12.(.sy.K..q..W..V.Nv.2I..5O.K.[Pv..>...x\&.q+Ge..4.-$...v......cK.......1E.^...>.LH.x.).y.....r.....h..x..^!...6N$Vz...C.>.,..AR.t...^....0.YTG..W.g._.-.v.S.)..q..m>i.Sj...76..\..\|....4....;..v.y....!...5E..K$."..a...W...........s.Q....V.....Z../..}..6/..$.B:[\.W".y.F.\|.......2.....V!.yD_z(4.<S..9.....=V~...'...p..4...!.E..9b...}w.;.8mTm.pv.....%.CC..5......p..j.M.....xq.e...`.,...\|$?...,...E....,..3..G.a..^/.~..s'..V.....oI....../.x5.n7..C...67G..gyaos.....#x.j.!.X..<.w.N.NUB.<.....Q...S..R.E5...?.6.s}.%,c...f..8Bz..>..G.)Cy(p.x.7..g.K...8>..^..]sa.....?.:....=N..........2.....w.A.......qh.d.I.Z..d }..C.F$..DvO1."6...$.`.......}A....=.}..._&.H.<...p3.I$.u..~4.~t:..?..$....+q.j.OX..w...:./k..J+.Ymz.5.t....l.....R.fa..x.Q]..e .,......m.g^p...6....r.U.".7.v8. .....i.d.......Q......

C:\Users\user\Favorites\NYTimes.url.PAYLOADBIN Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1056
Entropy (8bit):	7.854709154246602
Encrypted:	false
SSDEEP:	24:SVOiKhO7kfeYvPfQwwj2CEDW31Pif9gYRxALqqrLYv0Bt8:SEzh7eYIpj2HDkPK14LYt
MD5:	8CBFB7DFB4F975FB1FD1301E08F09683
SHA1:	30A5F56D27EB875C11E09FFE0A342054B05CECEF
SHA-256:	BC5832C3AC1A6AFDF41AD8EBCE13C914FCCCCB5BF63C296662A3728B21BF20C9
SHA-512:	F5122D27AF7EFE1B2618886ACF31E986B55B4D406834514F0900D3AB30713D1B2A2ACA2D2565132F7F49E2F294666DF45439CFFFFF210A9687083DCE4A3567F3
Malicious:	false
Preview:	.......@.e.5.....G...M.0jZ)B;.A..T,.N.i..$.i{.,t..g.A.z.-........>...)..6.x.$...nV.).4.h..>..Q.Is.......Tq.9.`....%.(....z....q2.._].........{..@..x..d.4...'.........y.X`DJ..([K4.l..s....Pf../o.8.=.;. ..e....C0.c.rD.,..i..s....dbV.Oe.1NZ....q...!U.D%kw.....x.}.#%.Q.r...[...5... L...#.<./O...y_.Y2Z.g.............{ul.t....G...+#.f.R....m=.....!.....F.......q...(...#'.V..a.9......~j..T...........R..p.."C.j...m}O./...9...zo...?.k..5....E..i.!..w.f..v...U...]F...[8..;.`....g...[_..U.@e.. .....%.CC..5........<Y.^...=a.........E...H\.&...T..C.P^..Bn.k...5.t.../.....5j..8.U)u..c..f.DbV:5...Y.."(bf..g..UrN......L.....=.b.s.f.5e.m.eT...T...,.e<.K6..[...a...z.."........9`..5..OV.Y3..W..b.h.:.]F.y..7%...W.9.qy.b...7.....K...M.H...p..{.&cnR..RP....^a..I..Z.nb..1..z....G.F.._.b..Ml...i...r,Z.XW....i._H:.a...2_=k.Fk..AL.+&......;....\s."]k.......$..3v.A.....Cv.n:0".LXL.,..7.........D.+.^..&.T....8 .t.K6U,?...0M........P._..+Y..O;.....1..s...^.

C:\Users\user\Favorites\PAYLOADBIN-README.txt Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	354
Entropy (8bit):	3.4546009930890347
Encrypted:	false
SSDEEP:	6:Qn7KMM0dOLlPq0SlufB6PYxTflE6TcGsZmCulv9l18I30qlAsXQW:Qn7cbLlXSlroNEecdZW9l18Q01y
MD5:	30C95C97318E18000E6CB5682AA9143C
SHA1:	9C90986F29067617D9C13192D99B1104CE1DFBA6
SHA-256:	2A662CAB195B9C81BBEDF676F3D54A6BB326CD8B6112C928404E9616DBB8E851
SHA-512:	10C1D4EAA6FAEBDA3FFBC36668EFFA6E8EE96D3E93E4E8EB34D843432C6A7102FB4212AD01E3593BC3D32F06CE6F3C6264BA4D9238A8BB9314B7154C0E213D57
Malicious:	false
Preview:	..T.h.e. .n.e.t.w.o.r.k. .i.s. .L.O.C.K.E.D. .w.i.t.h. .P.A.Y.L.O.A.D.B.I.N. .r.a.n.s.o.m.w.a.r.e... .D.o.n.'.t. .t.r.y. .t.o. .u.s.e. .o.t.h.e.r. .s.o.f.t.w.a.r.e.......F.o.r. .d.e.c.r.y.p.t.i.o.n. .K.E.Y. .w.r.i.t.e. .H.E.R.E.:. .#.1. .r.i.c.k.h.o.o.d.@.a.r.m.o.r.m.a.i.l...n.e.t. .\|. .#.2. .m.e.r.e.d.i.t.h.p.a.t.r.i.c.k.@.p.r.o.t.o.n.m.a.i.l...c.o.m.

C:\Users\user\Favorites\Reddit.url.PAYLOADBIN Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1057
Entropy (8bit):	7.832145494286173
Encrypted:	false
SSDEEP:	12:i+18vhGTKITHYDnfmZE8wrg5PFdNaJbRu+097mseFlvIb3WOCUqM7Hp6tGHxbsOm:i+G69nj05yPHUGaO1L9TMX
MD5:	28D41C11EC5BEF26129DD8A32E4022C9
SHA1:	6440EE7D86E7E0098BA4A788C64E4F20A902AC07
SHA-256:	A7F5380655A67B81F12A548A378E5298CB5101B8AA51E841808A0A980CCF6D6B
SHA-512:	8006BDC090B504B10F081E40D99E4953F59249CE494FF65A08274178191FD9F9B118623FE1823B01076A3BB6A30CA3B9914EF8E2525C3A9E7A401E0DAFAE01C5
Malicious:	false
Preview:	.?w..Q..%v..l"..<..^...9..:..i.Fx..Y=0..^....Zy/._.{........./...fS........!.O.'r.=.........f.X;...t..80.....X.U.....$.&v* .QM:.0...uk.~..H..a5..W(.Y....>-R,.....7/-<..4....G...:.......L.eI..%%B.v..m.Fp....].\[.(.V..};]...]..!7.EL.5.Q..v.x4...t".D.Y..1....v......B.1C....J..CS.\|...4.v.B......")....k2/...c.g..76p.yo#.)\|.T`ZNzX.&..`q.....z....,.+.p.".'x.t......+C0c.....[.^.SO..6,.k....+...!......t...,..M.~)C0.F...y..&.%...CR%##.b.%e:..H ..F....s.. .........+.`..b.A#.)av.N....;t._o...\x........%.CC..5......M.M.[D.....(.5.m.....IT....=...}.....?...]^.......6k.....7.y..j.C8.......X-+.D.....~R".'.-".....r..\| ........p..r.I..p......Lh.....l.>.../.h:..E.U..{...&.D$R.~B.Z_..I2..z'R.=.......Q.y>..~?Vbc...qOjj...w.@..M{..F.k... =_......(.....h.q.K'..:.Y.0...##......Z2d[.Cm..z..).?....\|.%....N...(.!l.CQ.6.~.b.A...M.$<G0........./.P....c....}..2.$..3K.>...9yo*e\|.2<>.........i.F.&y....Lq.W......)....s.@..S..U.4.....Qi.j.<.V.\;y#W$..O.)..?IR

C:\Users\user\Favorites\Twitter.url.PAYLOADBIN Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1056
Entropy (8bit):	7.813736482964648
Encrypted:	false
SSDEEP:	24:0oOrV0uPRf+y8p5atkfGidJOFlbEAxQcPxZ/hhAV:Jc0uZfF8okfGidQF9xQYx9hhA
MD5:	580B75C9A66C0E54B5322962DCDF4C0C
SHA1:	5A59D0E6E1EB68579A986058257B9454233CED7F
SHA-256:	22640393563379F307D4732C1C75D6B2C3E55292161463DFC5EBFF8B67210FC1
SHA-512:	C188F19B9CA4A69BB5B2467A256B7E52932BCCC8D4C303C28F664C2C72D7D28B50F05D3E0BDFACB411788EA370658EEC0374CDD7354A630D6C44BCF8EA26F4B9
Malicious:	false
Preview:	....5h-.a...._.j.i.>....Z...-&.f........+t...r=;.&..n.e...d.<......A@Y.W.%._......W9._..zHL0..........'.<"..i...N.Jg7.&#Q[.vE.......I.R.^...... .N.. ..nX..[n.......=.y$.q....<.i..F..O..u'+a.9...Mu)...fH..O..v...tA..H...,......'..f.>?n.z..Te.....5....a..f...k.>...qG_0............D....c<..f.0/.9........2....!.T.BW5.T.9.R...'..@.iR.........E.3~:..Gc..h}[.r....o..z.].......Z..bOm~.mf.mjS...a....T"./R......;.K:...tkd..#G..M..g.o}..}..#...k.......JXc..hb9.Es....s.V.v(.x.5.WfQ..R....../[.-..zO....=.yG...%.CC..5......:.Yb.....EL.j..I.2..P-=CXE.....`.U8Jw,.O..<.d.i.4m.o...(G....@...o<e.O.y=.ciL`u......8.Ex..m.Q.Z<.{t...#..(.....\....H.k.<.."_...f....].Z....O..5.......i.&_.w.`...G.K.......o .M]k......eiq.v....k..1....3..n.....D.s!>w.8..Lk......,..f.8xh....n".v.s..X.E...-.C..zr.6v..}......h.9....F.B.i.o.+..d.H..H...{,>n..."~C}}..Q..9\...g..fe.b.U.(c`S^@ ...T.2./w.h!....!...". .....Kft.^m.k..R40...&.`.......Vkr..AO...$b....Y$.!;=..5.....m7.%1."o

C:\Users\user\Favorites\Wikipedia.url.PAYLOADBIN Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1070
Entropy (8bit):	7.819129761870091
Encrypted:	false
SSDEEP:	24:gWPGP8jnOc0GkxNdIOxqAHBmwa/YaJ4BzA+o5fZvdNc:gxgnO5Gkxv3QwaWkf7Nc
MD5:	8D7FCCBC387584C1977F1C573F07D2CC
SHA1:	DF7A20CFCFAC926BBA0112C197E093D1C2F26378
SHA-256:	B2A6256681759716EE03D468D5F170916640ACBC651C801BE514D7813C79F9EB
SHA-512:	E6C1F7F80418BFF55A1EC9D43D2D91B453C2BF0BEFF5FB6D6473F3B88AFEDDB96DE37EC5B5F45C934FAA346C201D281CF7BB5928DB5006F5AB77E6B2AA439941
Malicious:	false
Preview:	.#7_...<.k?...K....\L.....#.U.7..o.......<. ..iU..... dT^.....;...->.4.Z..(...%..W....i.ez."......R.d..v].%...g............<e9....o..$..3.a.\|_(..:.\|..&...i..t.&N0P..G...:...(PR...`L.=Q...g...c.a..Z..h3...].x.6.....I..A.2Gu.K.....9...Yd....V.n.F....3...%E.K.._..A...8.....R..w..KC..x.=.w?.....z.....6w.......R......r.-E.nfQ.K....Cz.......0.1..d..&.3.P.5.^.Z.uHdW.^C...#.. ..'..Si.M'`.(.2......T.M.1... ..R.I.rV....[..eh&D>...M.-...Q;.{#t..}...J[I.;..+.>QS..'J....M(..A....:..b7r..l4...o.7...v..Q.....69..?....%.CC..5......#..l.e.H.F..R,....o.xh....q...L.....S.....qmY6f.w]..f.z.?........J..h.B#y.[A....?.{.t...c.E...`.bS9..2rl.&.'.'.V..U.....## ..-l.V....ae.v^B.-.:2....w.............%x...&.K.}....B.B6....2z+.4.cV9Wo(.C.\|.....EY......\T*3..0.a......z1...Q;...}.(.&..m.R0@^:5.i..(.3.%kO0.V.r.Kj..!.,O..2t.....\.kB4.V5.iS...iS....6..{J[v.....>Y.5.).....IE.Pf/...v.T.o....P4...C)F.[k....4=......}kkwl..V.R....q.iFf......&.1r.tB.7...G.......2.u

C:\Users\user\Favorites\Youtube.url.PAYLOADBIN Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1056
Entropy (8bit):	7.796175931583772
Encrypted:	false
SSDEEP:	24:dW4HPKamuEDTAgkyQae1yRCC5xNPRJuAqcnzUxHzSOjZEMuy4zpxTK:URUqNkyQ11yRpbjuAAFzSAWjE
MD5:	C175AE8BEC7C539E1E4F0B0D3C7080F8
SHA1:	C1C595BCF85E530AD277239A459B62072841B6D6
SHA-256:	94EDE0DC803273FDE7AD22A9E5736C15D1F0F5BEE8DC863CCF84E53080DF7CD9
SHA-512:	A668A173DC092DEAF3AB9072342D597FD41CBEB1EBCCFD55F02ADDA67A224F7A1EB1233CD442744A52A96EA6673A2244D19358E5F204A11DD32B4B182CBE75A0
Malicious:	false
Preview:	....\.x.g.D.,nlm"...S.1"/."g..@.^-f_1.<DU..D..avX ....7.....`P..}q.?..VrI.....v^<.2f..Hr..Y(Q......G.1.x..:L..px.2x..Fm8$..W.p.v.....Ts.+.F..=p..Z.2..x...3q.k1..._.=......=..P....d...s....K>..).a.a.w{..'N.......K.a.~.\|Q<br...L.8-._..x>.j...^...X...".I...!.F6C'=........m.8.kOJ...'.GH.........Q....JO..} '........u...j........P......'....i.2......d.:w.:.g...FE.M."..-.....)o..~..(.:......By.....\|=.>.7.Ad...^..d...W.......&8t(7b.U"o..=.H...!..?..Z...W\|}.[~.M.7p...u..S.5.k.....x.Gh...AT8.$......n.6..,Ou...%.CC..5......8[..Pg;/-,..D^Wu,.w./!B..b...y.#..1.b4....X.cA....B..c..K....\.9.......X.BU.......vy...R.'.`ZY.f..)E...._...O...4..s?{..cN.D..\|Pm.}.!...M.V..K.6].....7.\v.L..hV.z..g..4.-}jE.Z.Y..'............i.<m.J...n.....g)..D.'..."9....q.v..c1e...H.s....v..<.r.n........)..j.."x`.~t;A.....1>..mY5e^m.\|.#b.#g.r.XtV&K.6.o.bK.b..8).aV.u..H.+.n]u.T5z......*Mv... ?&O>g...Hi.}.E.y....Q..z....Z...Lx.V...Yc2..u......O..&..[..`..$..E......g3....`......

C:\Users\user\MicrosoftEdgeBackups\backups\MicrosoftEdgeBackup20200930\DatastoreBackup\PAYLOADBIN-README.txt Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	354
Entropy (8bit):	3.4546009930890347
Encrypted:	false
SSDEEP:	6:Qn7KMM0dOLlPq0SlufB6PYxTflE6TcGsZmCulv9l18I30qlAsXQW:Qn7cbLlXSlroNEecdZW9l18Q01y
MD5:	30C95C97318E18000E6CB5682AA9143C
SHA1:	9C90986F29067617D9C13192D99B1104CE1DFBA6
SHA-256:	2A662CAB195B9C81BBEDF676F3D54A6BB326CD8B6112C928404E9616DBB8E851
SHA-512:	10C1D4EAA6FAEBDA3FFBC36668EFFA6E8EE96D3E93E4E8EB34D843432C6A7102FB4212AD01E3593BC3D32F06CE6F3C6264BA4D9238A8BB9314B7154C0E213D57
Malicious:	false
Preview:	..T.h.e. .n.e.t.w.o.r.k. .i.s. .L.O.C.K.E.D. .w.i.t.h. .P.A.Y.L.O.A.D.B.I.N. .r.a.n.s.o.m.w.a.r.e... .D.o.n.'.t. .t.r.y. .t.o. .u.s.e. .o.t.h.e.r. .s.o.f.t.w.a.r.e.......F.o.r. .d.e.c.r.y.p.t.i.o.n. .K.E.Y. .w.r.i.t.e. .H.E.R.E.:. .#.1. .r.i.c.k.h.o.o.d.@.a.r.m.o.r.m.a.i.l...n.e.t. .\|. .#.2. .m.e.r.e.d.i.t.h.p.a.t.r.i.c.k.@.p.r.o.t.o.n.m.a.i.l...c.o.m.

C:\Users\user\MicrosoftEdgeBackups\backups\MicrosoftEdgeBackup20200930\DatastoreBackup\edb00001.log.PAYLOADBIN Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1056
Entropy (8bit):	7.82331703710885
Encrypted:	false
SSDEEP:	24:wldNONTafkZi1cTyCgKG4/gNMuByfB902MhmTtcdoZo3:wl7cOMYerGGgNeB98hmTuAu
MD5:	35D7420BEF341C0976E35F1E7D4D12F9
SHA1:	66375FBD4F8324E8C2BD3776199EFD143B668F11
SHA-256:	9DE2D133639C6F540152CC4AFE1CCDB5E19F1520083A0D1A86EE8DDC7F3E71E4
SHA-512:	456ACF9FA7BC9BA2DDEDE2BC45EB8D2307182EF43EA16BA5704D74FE4190C9B075788F1EA07E1F6EC3817EF536CD21DF6606C12E8D08ACF665960D3693E8D2CD
Malicious:	false
Preview:	>.$.....S.....zR-......M.s.=.2......V..b;B..d..{..G...o..j...X.U.:M7b..-...L...l9.....:......t../..n.., g..c...!......\..y.P."..p...=...EZ.4..nep...Aj..^....%.qP...].P.]Z..../m.Vms..3.,......L.~....?._J......Q.G.7......Z@..j.p_W.../2...,...-.,.&..?.>[...rJ.....=.J.'.e.y........5._...G.B.oUT.U....B..\|....l..c8g.G...x.........._..A.E.......Ka.C.....T/R..Wk..aT......r)Hc#.....{.R..7Q..N..3....('..!..VF.5.QO...A$d...01.(....N....f......fc..G...JZ...:...A.A.%..\.$.sSCl.q..'....f.\_.\|..[..1....&.?t8...%.CC..5.........w.f.. (...r.4..~/..o.}.Mz..m.ZF...l.SaK...^C.a},-.Q.........~.W^`...F..=.B..a..3.....N$@..ng."(R.p........}+Z...d\|....\..I%....yr+.`l.....7..Rn.."g.....UQc.pi;.t.^\|&....M8.b.L...D......%Y..{..)..`.h.n.3.d...a.../......g..i.uP%..!'Dg7.}/.Yf..a'@..tPSaO...;...(A.e.....t7..'...P..=.T&&;B.}..8>...kJn\|.t1...1..&..V...)..J:.....:.....f.%. q.b&..l...n..U.Q......H...i..Y...{6:.....).5..J..[...a.}0.y....o8..E.n..+].. ...K.......

C:\Users\user\MicrosoftEdgeBackups\backups\MicrosoftEdgeBackup20200930\DatastoreBackup\edb00002.log.PAYLOADBIN Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1056
Entropy (8bit):	7.829999550081151
Encrypted:	false
SSDEEP:	24:BPt/PXYNaI+5AFOw1hWdkvTFDc/PdNS3gmhESKvyXgfn:D/PXYYz5IOtgF883Nh2yXS
MD5:	DDBC5BB22E240DA052A2BAC312A69350
SHA1:	021085F081D86DA6DF323521286C2C2026780332
SHA-256:	1ABCDCC4B91A6B72B83AF7F2B95F66D4FBAA4C4016E54E269F8414D37AC87CB3
SHA-512:	75F79A8618F5B78F81457984D66E984F4A0329BA4D44AD20BA24034009974C68BE042F2D85343CCA08DF1A29418AF4B0BC9197D2B416866EEF207BA1235BDF63
Malicious:	false
Preview:	rL..j(.k.[q.6...Di`...%Y?.O.......<.F~).D......}........K.M?...X.o,=.`C..w.....E.C}.......z.q;..C......g5..._[?...Nvx\|C{.o,....;...-W9....F.8.....$.......6......U..+2. M.O.Z.b`N'4vGYy...m....Rr..k.`...a..p.C.E{xv......<.s..u...f..e./.z&0......(Z.O.^cn..$s.."...>m...u-.;p0G...:...~..A..D)..J....8+]K........w.....`2)..r^.1.U...4.S.....M...&Z.i.>.8..+I.V....8E11<..[..x...?}).NF..hU._y..~.P\....N.Gi..,.ev.......jx.b..dW...6.......^....(.....\..F8z..FR.[..^P.V.\.:.8Df.)..d..1Z..)B.#.q;Q..G..N..I,....=F...%.CC..5......\|..a.!.~].vf3..q...=..fQw.]........t.i.=..V.H\|.M....T../.N...........BG3.......I...N........w]..5.0..G.........r..v%..^..............fZ.uS...QWU".....O!...\0.7...$.... `.e.c.....KD..Y...K\....._....7p....@!E3...U..TD..)......:...Z....^...M.d....R..7.4..."HM2.......EqK.0%......].E...C...U...B^C....)6V.3.Q8......p...$.......vB-{......IM...q.JA.=lU\|..\Wl...<..`.L.u.+w..B..`.LX.eWM...y.3.q....t.J:G....dI\|NrU....yE)2.....H.'q..U..

C:\Users\user\MicrosoftEdgeBackups\backups\MicrosoftEdgeBackup20200930\DatastoreBackup\schema.txt.PAYLOADBIN Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1067
Entropy (8bit):	7.790875444740637
Encrypted:	false
SSDEEP:	24:RX95/LExFXv3hKI0KPlavpFn9pvbw1QvEJn1ceG6724o:JgPEsP8v7XE/vG6K4o
MD5:	0236DD36D0CE11FDB4FB5599412E0DC5
SHA1:	37FF33CBA5BC46EE36014D94E6D7F34CD36667B4
SHA-256:	C41FD8B64F853963BFAC6E4905DB07C2AFEA4CC0878779410058D3F2C86D6358
SHA-512:	52D11D18B8AC8D0C2F801BD908157BA8286FEE56D81CA997B3834C05F5812B5D3A0BC8C97DD55766DC2C9C3540B9F7BE6C6285D4D10427150F7C598F48B77743
Malicious:	false
Preview:	.g......~..?...P..j.e&S.J.Y..N.pn.:..5...$.N$.....\.._,...{wc.g.i....o..8\.J...).Y0..G.........4v...6uj.....%...9...h...Q..j2....u^..B...\.}..h*0i.l......h.....X..z...m......\.e.fs).;..Z......T...:.0..!..+.......F3.q...Gip........4c.t......./m...a..XX:.x./.5.^.Y..._..l..\|.?..si.......N@.~2..a.....Cl..<...w<.H.\.....\...Y.....zu[......t..S.:....Cs....T...-d..-......tS...E.}..(...\......Xr.\..6..l.>0..j..@g.....m....Eo.._.G.a........Z#4....\|.....1..3.._..?...{~..s#..p.`.O2..2E....(.$.td....._.5.,...n{Z.....+.EB.e...%.CC..5.........w.<....q.8...B...!.E(8.q3....l.a`.&k"..w....<.R....3.\|..1.....q..4......o.\|..s.[..v\..{...Q0 N.P.Z...w...l...V.6I.]P..r.?....w....i,...u.>F...$...H.lb\Ri..O._b.X.j.....ny.].Q.>>m.x....y.....u.b....2.@\|........xIW..}L."....m'.(..>l.O..ZJ2.L.A.H......2..../-.c......M...+3V..O.O.2M..j...P...4.d._......fC.i^..q...f......rE.b._..U.:......5...[..'ZB...c.K.Ti.......m..K. u)...J,#;.6QO[.J.O.U`.q.l...h\...c..K..\Z}.X...

C:\Users\user\MicrosoftEdgeBackups\backups\MicrosoftEdgeBackup20200930\DatastoreBackup\spartan.edb.PAYLOADBIN Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1056
Entropy (8bit):	7.81081912492266
Encrypted:	false
SSDEEP:	24:XcdK5Nb1EUrGKbKZA8GtQ0y9tj86yOmZ3H:sdsZEUrdbKZA8Ge46mZ3
MD5:	58636154BE71B654DA3246F8D38FD151
SHA1:	2DBD10FCBB093AF54620F4CAD67BCDB95866A60B
SHA-256:	910E286AFA082AAD8421206EB9F7E7ACC9388CFB8EBD3C2D8D590B963E69DBB7
SHA-512:	0CE9FC6C59E23A959551481D9B662C45D6BE91B191916B70CC4E1B41326DE533C4C6B433A64FFFF3375857A2CD1EFE010055DAEA8F318826668E014D0D7E7B48
Malicious:	false
Preview:	.C..`..{..F)Z....#..l.mv...lj...~-7..xJ.V..SP8.J^[.O@..N.9h.....}..G0.D..../T~.OJ3....JJ..N..h=.8..Cb\F.0aW5...+p.q...w.k.y..TJ\|..a.1>..p.?.'\g.qA. .....$.k..X...."TYj.1V$TB-...........j......1.1.-.t...g.\.\....%3......,...o...:.#P....j...{/...u..Sg%..X..9.G=...=.`.....OG)...[.6...2ZGT......bGP..n.j..<......`Y...r....y..s>.....gL2U#.#5..9...N.U.u......2...+....7c.NU..>f,...:S....^)..bw3.vy.:..1...S...0..<..)....A.k..g=c..;..c...f4...YX.Q..s.i.2..0>.0;J?..%T..C.....Y..b..%....>...s...9..~..7..$.....%.CC..5......B.....y...$.`@B:..-..8..D-..}..O.9......U.d7................._.>.R.z.3I_..JQ..F.8....r.6..Kb.....WSZ[f^..5..5.....Q......h.E.">uw ._......O....(.i..)C..5...h.A.\<."j`u.=lf.K...!....J.\.._.?O..?c"FvO#_+.J.1...j,j.b.o`a..i...fS.w.@..".D.{..z].4=.>.....G..LZ.A...C..n....,c..a^..{...c.,.h.Q..y.).<DjTF...`I....O.T.p.G.... .(.n..C..{U..R.'..A..6J..h/T..t..;.~/CV.vg.l.-.%.....$...G ..TT.M...e\G..\...u.....*.S:...U.-.t..R.~.>....k..RQ.%g

C:\Users\user\PAYLOADBIN-README.txt Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	1416
Entropy (8bit):	3.4546009930890347
Encrypted:	false
SSDEEP:	24:QQVClCEBC93D0gVClCEBC93D0gVClCEBC93D0gVClCEBC93D0E:2He3wdHe3wdHe3wdHe3wE
MD5:	9D0B63AB1BA526F911E155CD0E0FF82C
SHA1:	8A890EC0B84B3D5FE598E80EB131B70F7BD8A9A6
SHA-256:	338800736D2ED2F8FD6367FC6BDBB132CF9EC324D5AD011646514C81E7D18174
SHA-512:	463138F35DB381D9B2438F62448745414F331E826A24D9B9B1B1BE60126C23519B618901458AC54261FE051D1CC2F6BF6295E61D1D883ABA4B2C1A134A7E9A4F
Malicious:	false
Preview:	..T.h.e. .n.e.t.w.o.r.k. .i.s. .L.O.C.K.E.D. .w.i.t.h. .P.A.Y.L.O.A.D.B.I.N. .r.a.n.s.o.m.w.a.r.e... .D.o.n.'.t. .t.r.y. .t.o. .u.s.e. .o.t.h.e.r. .s.o.f.t.w.a.r.e.......F.o.r. .d.e.c.r.y.p.t.i.o.n. .K.E.Y. .w.r.i.t.e. .H.E.R.E.:. .#.1. .r.i.c.k.h.o.o.d.@.a.r.m.o.r.m.a.i.l...n.e.t. .\|. .#.2. .m.e.r.e.d.i.t.h.p.a.t.r.i.c.k.@.p.r.o.t.o.n.m.a.i.l...c.o.m...T.h.e. .n.e.t.w.o.r.k. .i.s. .L.O.C.K.E.D. .w.i.t.h. .P.A.Y.L.O.A.D.B.I.N. .r.a.n.s.o.m.w.a.r.e... .D.o.n.'.t. .t.r.y. .t.o. .u.s.e. .o.t.h.e.r. .s.o.f.t.w.a.r.e.......F.o.r. .d.e.c.r.y.p.t.i.o.n. .K.E.Y. .w.r.i.t.e. .H.E.R.E.:. .#.1. .r.i.c.k.h.o.o.d.@.a.r.m.o.r.m.a.i.l...n.e.t. .\|. .#.2. .m.e.r.e.d.i.t.h.p.a.t.r.i.c.k.@.p.r.o.t.o.n.m.a.i.l...c.o.m...T.h.e. .n.e.t.w.o.r.k. .i.s. .L.O.C.K.E.D. .w.i.t.h. .P.A.Y.L.O.A.D.B.I.N. .r.a.n.s.o.m.w.a.r.e... .D.o.n.'.t. .t.r.y. .t.o. .u.s.e. .o.t.h.e.r. .s.o.f.t.w.a.r.e.......F.o.r. .d.e.c.r.y.p.t.i.o.n. .K.E.Y. .w.r.i.t.e. .H.E.R.E.:. .#.1. .r.i.c.k.h.o.o.d.@.a.r.m.o.r.m.a.i.l...n.e.t. .\|. .#.2.

C:\Users\user\Searches\Everywhere.search-ms.PAYLOADBIN Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1064
Entropy (8bit):	7.8510054327934835
Encrypted:	false
SSDEEP:	24:X8pf4lno+xV3MmaaVQN0LNmbAn6zlsSneuP8DKin04PH:CyoqMT1wUc6JsSeYih
MD5:	6773663035ED903928602F101D910516
SHA1:	3CE61981A5E0981EB08A61026CFF38C2FF3D6847
SHA-256:	B591AE0081607913E128E94088D3B9DDEAB6020E109DA50D53C85B04A3E69687
SHA-512:	ADA2759617CF1405AFD998B9507EE569E2DCBCA81ABECE0C546FB2866926CD2AF4854EEB6486F711EA2BAF5AF7474852C93CE34F9B6E21B7C44D2188CD0F1753
Malicious:	false
Preview:	(Y.3.3...J.ae..2..r.."J..1.7....z..+...6....r..P..W.............. A....TS.q.t.......b.o.I..%,..M..B...s..<.7.2.v..fi.....x4. .OO."..s`h.1..v......`...qz'....4....+...o....4'Ka\|..5....b....?..Ad]F!..@.....bk!..AH..3..T.%h..vy....i..H...&vc.`.Bx......C...._.R.i........'i.._.b. .R.l.......pf.Xl..$.......?.......H.P.......R.`..Z.l/S.....xvE....S\..P..\(...Q.,?.@...C$...n......FWh.-S.6......<.+..@.U.<.....t:.VB.i..E.)[.&.......c....%....v.....\|$.C.5.0\g0...I}.#...U4..Pk.Vb...U..F.-.l.......;...)[.7.....%.CC..5......k..\..8C..^.......Eh....n...z^a.V..a....V...^.@(}.;m.^...=......0.\|rL}\4p..m..._e)'.X......1.......Tf...#....i...G.=. ....%..bk.T.X.S.a..'.(..........A.."...+..K....y:..:mDuP..P.....NmE.f..&+u.Jv32.......yj....y.CjEk.6.a=.......P@..W)..../B..PG..a..,.....l..........0.{..!F^.?.f9.;"@%]..&N.d[S..H...}....rK..n.bt.O16c.4,1.J<u..$t.......#..#....z...y.Z.s.^.l....o...q.C..w.....G...../.YG.:zO(o..LcjC../.>.....I:K...&J&6......nZ8.eF.

C:\Users\user\Searches\Indexed Locations.search-ms.PAYLOADBIN Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1064
Entropy (8bit):	7.809030916640517
Encrypted:	false
SSDEEP:	24:gO9OJ8NlZK62e3ll/jwf5qEcAHbe0Welm7v:gelj2e3XEBqhA7vlm
MD5:	5B210DF27AB498941D1E0207125B0944
SHA1:	C709F729E1FB330FD2DE122021CB6C47A93CE2A0
SHA-256:	CB65CBDAB5C3682F73ED0349E5E2128BCFA5DD90226C016B23008D84F6C933A3
SHA-512:	468E5AEF97C24099E8C1F512CF188142B926D567F1A64FA1CE199CBC46D1F7218F408D1FD3C98ADC96347C57F107B99F9ED217D78BCFB3FFCD2B65D37FCAFE73
Malicious:	false
Preview:	rM.Bu.k_8...=...ii.b..MA.D..5.q7?..f_.zp$a+~d.`..m....UlNK%\|.<R.._.....bs>k.....Q..@>.Y29...{....B..;%.....\q...&..f9"@6.Q"..8.[..j.9!2p......"...S.....x..m&..;...p...m.[..X..}.......F......W..........g-.rBt..$.hf.r..{....`.(CS..U.o..U..:.Is.g'...V.\|G.+7u.3.!x...'[......\|;..>....\|L./ ..rMr...'hR...J.\|....\..l.0o....p....\|........m..........vNU....0..{Vv.........%.y.....>S...+z...{<..P.?5\.....u~..N........kZ..y5...3f.g..j5..0..p...}OX..\|..$.S....O5N..7'.IG.....G^...K..Y kL..vU.#\U.Y^.....&.Y_...}b....%.CC..5......C<...@...@.!zj...(..e..!... x.0.Pu......5..c.6o......S...&.S..#/._;....y.Z..d..&D.=R...~...`.xPK.j.=......@..j:.!...v....C....a{..`.G-\}T...u.[v.n..a.s..`n.....{]`.......L.@N&.p(.D.c.)f..2%./....G.q].[S....B.r.w.(......c{...y..>..6...v...8..;$...+.....G\|.<.......".P...C$Z..@\|;%....U\|......y../qys%E).g{.f...D....V8...Q.o6..~!].rGg3.q..!.v.]c...~..<7...7...U\.....h..U....i...:.y.3...=..@...2.A.....x.[]..^..dm..:(.....6h..

C:\Users\user\Searches\PAYLOADBIN-README.txt Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	354
Entropy (8bit):	3.4546009930890347
Encrypted:	false
SSDEEP:	6:Qn7KMM0dOLlPq0SlufB6PYxTflE6TcGsZmCulv9l18I30qlAsXQW:Qn7cbLlXSlroNEecdZW9l18Q01y
MD5:	30C95C97318E18000E6CB5682AA9143C
SHA1:	9C90986F29067617D9C13192D99B1104CE1DFBA6
SHA-256:	2A662CAB195B9C81BBEDF676F3D54A6BB326CD8B6112C928404E9616DBB8E851
SHA-512:	10C1D4EAA6FAEBDA3FFBC36668EFFA6E8EE96D3E93E4E8EB34D843432C6A7102FB4212AD01E3593BC3D32F06CE6F3C6264BA4D9238A8BB9314B7154C0E213D57
Malicious:	false
Preview:	..T.h.e. .n.e.t.w.o.r.k. .i.s. .L.O.C.K.E.D. .w.i.t.h. .P.A.Y.L.O.A.D.B.I.N. .r.a.n.s.o.m.w.a.r.e... .D.o.n.'.t. .t.r.y. .t.o. .u.s.e. .o.t.h.e.r. .s.o.f.t.w.a.r.e.......F.o.r. .d.e.c.r.y.p.t.i.o.n. .K.E.Y. .w.r.i.t.e. .H.E.R.E.:. .#.1. .r.i.c.k.h.o.o.d.@.a.r.m.o.r.m.a.i.l...n.e.t. .\|. .#.2. .m.e.r.e.d.i.t.h.p.a.t.r.i.c.k.@.p.r.o.t.o.n.m.a.i.l...c.o.m.

C:\Users\user\Searches\winrt--{S-1-5-21-3853321935-2125563209-4053062332-1002}-.searchconnector-ms.PAYLOADBIN Download File
Process:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
File Type:	data
Category:	dropped
Size (bytes):	1061
Entropy (8bit):	7.804325691546783
Encrypted:	false
SSDEEP:	24:n4xhV7LoU4kQJRXpkqQ+23y0WBduR/JuKLgqBEeSk8EAo7tn:4xhBPQj5ka2C1c/JdgIZUitn
MD5:	86261C76B287EBF4AA1B111E7C4AEDFB
SHA1:	442F245462D3A8929F07D01D9045E953F6747C5B
SHA-256:	AC8465E0B7730D4C676EF24F53C356496EB9C7C689FE82B85BC8A6D69F2C621C
SHA-512:	E7AFD81C9BA772D45D63AB65F8B38B013BEA460CCC215E6225034DE18007D9A74094B12491D0D123DBD86FAF8C8258BD7E8DD6860B404AE4AD41CCD077ED13DA
Malicious:	false
Preview:	0..?..IX9.C3...U^..7.<=.....h.b)..,..d..09...,.G..+.8{#.......ER.7P.y<....8G.....=X`.v.....{.!9..~...'......'~E.....A.=..[ue.y..e((.-...x.....1.q>..F............,HTF....e=...."d:K...w+`#...].....74a.c....0....M2... ..g/...U.....C.r~."m..X...W.A..4..N...Mv.-H..&/+NDwg.W...!N..&...f..J.X[..]..H.C.Xy..uYx...;.<.....\|'Yee.(.n...#%$B..... ..J..6Yw...G.G.y..&(.H.P.?gq..5K...K...x.A....... ...#.w6.zn..........Y.......w..L_......g.syJ..')...X.j.E2.y./..w.X.UB..0<M.x{..s."Ma...gN5..~... .u....#.\J..;.Z.8X....%.CC..5......:..-p.8.#2~....TMDk..j.....#.q/'.ne.;./......=.L1...#.\.b5X...k..c.Wi..o...`\|`.Y.>..L.^.H.......7..p........i.R8@(..Pp.#l....B]....W..z....W.0.p.\_..^..r..1..{.kR...Q.S.......NPv8g..../..L.W.."Kk.J....+..Q.R.V...=.m......6.4<.._..2.)A=...ht.....E.!.....Nr.......D..wS..Y..:5.X..R7k...Xfv~H/.'u...u.u..JS.f4(..q".}:.._V...I....A.E9^.]-ci .2e9..(r..#....f_c.......z....$.S4u.....y.TC...&...y..<A..=q..!..A..../.y.V."..!.Y\}8

Static File Info

General
File type:	PE32+ executable (GUI) x86-64, for MS Windows
Entropy (8bit):	7.824876497267196
TrID:	Win64 Executable GUI (202006/5) 92.65% Win64 Executable (generic) (12005/4) 5.51% Generic Win/DOS Executable (2004/3) 0.92% DOS Executable Generic (2002/1) 0.92% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Odbc.exe
File size:	2003664
MD5:	063771d5573448ee6a271584a4b6a26a
SHA1:	e23637ea81751e558fca17ef1a54b6e39d2e83c3
SHA256:	69775389eb0207fec3a3f5649a0ad9315856c810f595c086ac49d68cdbc1d136
SHA512:	b17cd1310d4fd2af4659e6e9b2a218c3930f5d1ec439939331c71af789e39865d8afdc7e1fc93b62311aae4ae6adea1eb0d29bbb67427877a8ef60a19cbadabf
SSDEEP:	49152:pW7LRFK0GYI5iqKj9J79f6nSRkvWduwpB+:CO0VMC9JRf6SkWlB+
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........U..U4..U4..U4..r...R4..U4...4..Kf..T4..U4..W4..Kf..T4..Kf..T4..RichU4..........PE..d...1..`..........#..................P.....

File Icon


Icon Hash:	7cecfcfcdedede6e

Static PE Info

General
Entrypoint:	0x140005000
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x140000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, RELOCS_STRIPPED
DLL Characteristics:	TERMINAL_SERVER_AWARE
Time Stamp:	0x60B7D831 [Wed Jun 2 19:12:49 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	2
File Version Major:	5
File Version Minor:	2
Subsystem Version Major:	5
Subsystem Version Minor:	2
Import Hash:	dcb496818721c21478589ce0b6104cdc

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=Sectigo RSA Code Signing CA, O=Sectigo Limited, L=Salford, S=Greater Manchester, C=GB
Signature Validation Error:	A certificate was explicitly revoked by its issuer
Error Number:	-2146762484
Not Before, Not After	3/9/2021 1:00:00 AM 3/10/2022 12:59:59 AM
Subject Chain	CN=TAKE CARE SP Z O O, O=TAKE CARE SP Z O O, STREET=Ul. Kijowska 5, L=Warszawa, S=Mazowieckie, PostalCode=03-738, C=PL
Version:	3
Thumbprint MD5:	90BF4B382F01FD2BEBC2362ED0794E23
Thumbprint SHA-1:	3F53D410D2D959197F4A93D81A898F424941E11F
Thumbprint SHA-256:	781514D6E0184670D9110C37BAE8B6C8DB7CA5D56F33EA125AE52A346509175A
Serial:	00989A33B72A2AA29E32D0A5E155C53963

Entrypoint Preview

Instruction
dec eax
sub esp, 38h
mov dword ptr [001DD1C2h], 00000000h
mov edx, 00000006h
mov ecx, 00000006h
call 00007F0E00CEE928h
call 00007F0E00CEEA33h
mov eax, dword ptr [001DCFDCh]
sub eax, 02h
mov dword ptr [001DCFD3h], eax
dec eax
mov eax, dword ptr [001DD008h]
mov byte ptr [eax+05h], 00000066h
dec eax
mov eax, dword ptr [001DCFFDh]
mov byte ptr [eax+06h], 00000061h
dec eax
mov eax, dword ptr [001DCFF2h]
mov byte ptr [eax+07h], 00000063h
dec eax
mov eax, dword ptr [001DCFE7h]
mov byte ptr [eax+08h], 00000065h
dec eax
mov eax, dword ptr [001DCFDCh]
mov byte ptr [eax], 00000069h
dec eax
mov eax, dword ptr [001DCFD2h]
mov byte ptr [eax+01h], 0000006Eh
dec eax
mov eax, dword ptr [001DCFC7h]
mov byte ptr [eax+02h], 00000074h
dec eax
mov eax, dword ptr [001DCFBCh]
mov byte ptr [eax+03h], 00000065h
dec eax
mov eax, dword ptr [001DCFB1h]
mov byte ptr [eax+04h], 00000072h
dec esp
lea eax, dword ptr [001DD2D6h]
dec eax
mov edx, dword ptr [001DCF9Fh]
mov ecx, dword ptr [001DCF5Dh]
call dword ptr [001DD173h]
dec eax
mov dword ptr [esp+20h], eax
dec eax
cmp dword ptr [esp+20h], 00000000h
je 00007F0E00CEEAB9h
xor eax, eax
jmp 00007F0E00CEEBF8h
call 00007F0E00CEA9EFh
dec eax

Rich Headers

Programming Language:

[IMP] VS2005 build 50727
[RES] VS2008 build 21022
[LNK] VS2008 build 21022
[ C ] VS2008 build 21022

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x1e11d4	0x50	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x1e4000	0x73b0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x1e3000	0x9c	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x1e6e00	0x24d0	.rsrc
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x1e1000	0x168	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x1de506	0x1de600	False	0.935872991246	data	7.83285728264	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.text2	0x1e0000	0x3e8	0x400	False	0.0166015625	data	0.0	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0x1e1000	0x69e	0x800	False	0.34326171875	data	3.98782044271	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x1e2000	0x388	0x200	False	0.38671875	data	3.31954373504	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.pdata	0x1e3000	0x9c	0x200	False	0.244140625	data	1.45004148172	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x1e4000	0x73b0	0x7400	False	0.392140355603	data	4.96119821193	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
MUI	0x1e4370	0x100	data	English	United States
WEVT_TEMPLATE	0x1e4470	0x2da2	data	English	United States
RT_ICON	0x1e7218	0x2e8	dBase IV DBT of @.DBF, block length 512, next free block index 40, next free block 2291107976, next used block 128	English	United States
RT_ICON	0x1e7500	0x1e8	data	English	United States
RT_ICON	0x1e76e8	0x128	GLS_BINARY_LSB_FIRST	English	United States
RT_ICON	0x1e7810	0x8a8	dBase IV DBT of @.DBF, block length 1024, next free block index 40, next free block 14805225, next used block 14873075	English	United States
RT_ICON	0x1e80b8	0x6c8	data	English	United States
RT_ICON	0x1e8780	0x568	GLS_BINARY_LSB_FIRST	English	United States
RT_ICON	0x1e8ce8	0x10a8	data	English	United States
RT_ICON	0x1e9d90	0x988	data	English	United States
RT_ICON	0x1ea718	0x468	GLS_BINARY_LSB_FIRST	English	United States
RT_RCDATA	0x1eafb0	0x3fc	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States
RT_GROUP_ICON	0x1eab80	0x84	data	English	United States
RT_VERSION	0x1eac08	0x3a8	data	English	United States

Imports

DLL	Import
KERNEL32.dll	LoadLibraryA, CloseHandle, CreateFileMappingW, CreateFileW, CreateProcessW, DeviceIoControl, FlushViewOfFile, FreeEnvironmentStringsW, FreeLibrary, GetCurrentProcess, GetCurrentProcessId, GetDriveTypeW, GetEnvironmentStringsW, GetExitCodeProcess, GetLastError, GetModuleFileNameW, GetModuleHandleW, GetProcAddress, GetTickCount, GetVersion, GetVersionExW, GlobalMemoryStatus, LoadLibraryExW, LoadLibraryW, LocalAlloc, LocalFree, MapViewOfFile, OutputDebugStringW, SetLastError, TerminateProcess, UnmapViewOfFile, VirtualAlloc, VirtualFree, WaitForSingleObject, WriteFile, SetErrorMode, GetSystemTime, GetModuleHandleA
USER32.dll	LoadIconA, GetMessageTime
ADVAPI32.dll	RegOpenKeyA, RegQueryValueExW

Version Infos

Description	Data
LegalCopyright	Microsoft Corporation. All rights reserved.
InternalName	wsqmcons.exe
FileVersion	6.1.7601.17514 (win7sp1_rtm.101119-1850)
CompanyName	Microsoft Corporation
ProductName	Microsoft Windows Operating System
ProductVersion	6.1.7601.17514
FileDescription	Windows SQM Consolidator
OriginalFilename	wsqmcons.exe
Translation	0x0409 0x04b0

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

No network behavior found

Code Manipulations

Statistics

CPU Usage

• Odbc.exe
• Unistore
• cmd.exe
• conhost.exe
• waitfor.exe
• cmd.exe
• conhost.exe
• waitfor.exe

Click to jump to process

Memory Usage

• Odbc.exe
• Unistore
• cmd.exe
• conhost.exe
• waitfor.exe
• cmd.exe
• conhost.exe
• waitfor.exe

Click to jump to process

High Level Behavior Distribution

• File
• Registry

Click to dive into process behavior distribution

Behavior

• Odbc.exe
• Unistore
• cmd.exe
• conhost.exe
• waitfor.exe
• cmd.exe
• conhost.exe
• waitfor.exe

Click to jump to process

System Behavior

Analysis Process: Odbc.exe PID: 7060 Parent PID: 6056

Function Logs

General

Start time:	16:24:00
Start date:	05/06/2021
Path:	C:\Users\user\Desktop\Odbc.exe
Wow64 process (32bit):	false
Commandline:	'C:\Users\user\Desktop\Odbc.exe'
Imagebase:	0x140000000
File size:	2003664 bytes
MD5 hash:	063771D5573448EE6A271584A4B6A26A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Show Windows behavior

File Activities

File Opened

File Created

File Written

Show Windows behavior

Section Activities

Sections loaded by Windows

Sections loaded by Program

Show Windows behavior

Registry Activities

Key Opened

Key Value Queried

Key Enumerated

Show Windows behavior

Mutex Activities

Show Windows behavior

Process Activities

Process Created

Process Information Set

Show Windows behavior

Thread Activities

Thread Information Set

Show Windows behavior

Memory Activities

Memory Allocated

Memory Protection Changed

Memory Usage Statistics

Show Windows behavior

System Activities

Show Windows behavior

LPC Port Activities

Chronological Activities

Analysis Process: Unistore PID: 4600 Parent PID: 7060

Function Logs

General

Start time:	16:24:05
Start date:	05/06/2021
Path:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore
Wow64 process (32bit):	false
Commandline:	C:\Users\user\AppData\Roaming\TextNotepad\Unistore /go
Imagebase:	0x140000000
File size:	2003664 bytes
MD5 hash:	063771D5573448EE6A271584A4B6A26A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 37%, Virustotal, Browse Detection: 21%, ReversingLabs
Reputation:	low

Show Windows behavior

File Activities

File Opened

File Created

File Deleted

File Moved

File Written

File Attributes Queried

Directory Queried

Other File Operations

Show Windows behavior

Section Activities

Sections loaded by Windows

Sections loaded by Program

Show Windows behavior

Registry Activities

Key Opened

Key Value Queried

Key Enumerated

Show Windows behavior

Mutex Activities

Mutex Created

Show Windows behavior

Process Activities

Process Created

Process Information Set

Show Windows behavior

Thread Activities

Thread Created

Thread Information Set

Show Windows behavior

Memory Activities

Memory Allocated

Memory Protection Changed

Memory Usage Statistics

Show Windows behavior

System Activities

Show Windows behavior

LPC Port Activities

Chronological Activities

Analysis Process: cmd.exe PID: 1320 Parent PID: 4600

Function Logs

General

Start time:	16:24:13
Start date:	05/06/2021
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd /c waitfor /t 10 pause /d y & del 'C:\Users\user\AppData\Roaming\TextNotepad\Unistore' & rd 'C:\Users\user\AppData\Roaming\TextNotepad\'
Imagebase:	0x7ff622070000
File size:	273920 bytes
MD5 hash:	4E2ACF4F8A396486AB4268C94A6A245F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

File Activities

File Opened

File Attributes Queried

Volume Information Queried

Show Windows behavior

Section Activities

Sections loaded by Windows

Show Windows behavior

Process Activities

Process Created

Process Information Set

Show Windows behavior

Thread Activities

Show Windows behavior

Memory Activities

Memory Usage Statistics

Show Windows behavior

System Activities

Show Windows behavior

LPC Port Activities

Chronological Activities

Analysis Process: conhost.exe PID: 4112 Parent PID: 1320

Function Logs

General

Start time:	16:24:13
Start date:	05/06/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff724c50000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

File Activities

File Attributes Queried

Volume Information Queried

Show Windows behavior

Section Activities

Sections loaded by Windows

Sections loaded by Program

Show Windows behavior

Registry Activities

Show Windows behavior

Mutex Activities

Mutex Created

Show Windows behavior

Process Activities

Show Windows behavior

Thread Activities

Thread Created

Thread Delayed

Show Windows behavior

Memory Activities

Memory Usage Statistics

Show Windows behavior

System Activities

Show Windows behavior

LPC Port Activities

Chronological Activities

Analysis Process: waitfor.exe PID: 5708 Parent PID: 1320

Function Logs

General

Start time:	16:24:14
Start date:	05/06/2021
Path:	C:\Windows\System32\waitfor.exe
Wow64 process (32bit):	false
Commandline:	waitfor /t 10 pause /d y
Imagebase:	0x7ff71af70000
File size:	39936 bytes
MD5 hash:	9509EC0B3D20348D129183021BF38BBB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Show Windows behavior

File Activities

Show Windows behavior

Section Activities

Thread Activities

Thread Information Set

Show Windows behavior

Memory Activities

Memory Usage Statistics

Show Windows behavior

System Activities

Show Windows behavior

LPC Port Activities

Chronological Activities

Analysis Process: cmd.exe PID: 6156 Parent PID: 7060

Function Logs

General

Start time:	16:24:15
Start date:	05/06/2021
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd /c waitfor /t 10 pause /d y & del 'C:\Users\user\Desktop\Odbc.exe' & rd 'C:\Users\user\Desktop\'
Imagebase:	0x7ff622070000
File size:	273920 bytes
MD5 hash:	4E2ACF4F8A396486AB4268C94A6A245F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

File Activities

File Opened

File Attributes Queried

Volume Information Queried

Show Windows behavior

Section Activities

Sections loaded by Windows

Show Windows behavior

Process Activities

Process Created

Process Information Set

Show Windows behavior

Thread Activities

Show Windows behavior

Memory Activities

Memory Usage Statistics

Show Windows behavior

System Activities

Show Windows behavior

LPC Port Activities

Chronological Activities

Analysis Process: conhost.exe PID: 6176 Parent PID: 6156

Function Logs

General

Start time:	16:24:15
Start date:	05/06/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff724c50000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

File Activities

File Attributes Queried

Volume Information Queried

Show Windows behavior

Section Activities

Sections loaded by Windows

Sections loaded by Program

Show Windows behavior

Registry Activities

Show Windows behavior

Mutex Activities

Mutex Created

Show Windows behavior

Process Activities

Show Windows behavior

Thread Activities

Thread Created

Thread Delayed

Show Windows behavior

Memory Activities

Memory Usage Statistics

Show Windows behavior

System Activities

Show Windows behavior

LPC Port Activities

Chronological Activities

Analysis Process: waitfor.exe PID: 5664 Parent PID: 6156

Function Logs

General

Start time:	16:24:16
Start date:	05/06/2021
Path:	C:\Windows\System32\waitfor.exe
Wow64 process (32bit):	false
Commandline:	waitfor /t 10 pause /d y
Imagebase:	0x7ff71af70000
File size:	39936 bytes
MD5 hash:	9509EC0B3D20348D129183021BF38BBB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Show Windows behavior

File Activities

Show Windows behavior

Section Activities

Sections loaded by Windows

Show Windows behavior

Registry Activities

Show Windows behavior

Mutex Activities

Show Windows behavior

Process Activities

Show Windows behavior

Thread Activities

Thread Information Set

Show Windows behavior

Memory Activities

Show Windows behavior

System Activities

Show Windows behavior

LPC Port Activities

Chronological Activities

Disassembly

Code Analysis

Analysis Process: Odbc.exe PID: 7060 Parent PID: 6056 Odbc.exeCOMMON

Executed Functions

Function 02346DB0, Relevance: 6.3, APIs: 4, Instructions: 340memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE ref: 02346E15
VirtualProtect.KERNELBASE ref: 02346F01
VirtualProtect.KERNELBASE ref: 0234711B
RtlAvlRemoveNode.NTDLL ref: 0234716D

Memory Dump Source

Source File: 00000000.00000002.676050720.0000000002180000.00000040.00000001.sdmp, Offset: 02180000, based on PE: false

Similarity

API ID: Virtual$Protect$AllocNodeRemove
String ID:
API String ID: 1018628715-0
Opcode ID: f5ad4ce82ccd153d0ae66c09f5049422d19def1c35f30686fd6acefcd6639f71
Instruction ID: b8acf3ffb287dcd0c0bdbdae7dbd419e6780741c9247157f2e649c87d5180353
Opcode Fuzzy Hash: f5ad4ce82ccd153d0ae66c09f5049422d19def1c35f30686fd6acefcd6639f71
Instruction Fuzzy Hash: D0C1AA30218A488FD784EF5CD499B6AB7E1FB98305F51485DF48AC7261DBB4E881CF02

Uniqueness

Uniqueness Score: -1.00%

Function 023469E0, Relevance: 1.6, APIs: 1, Instructions: 112libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExA.KERNELBASE ref: 02346A61

Memory Dump Source

Source File: 00000000.00000002.676050720.0000000002180000.00000040.00000001.sdmp, Offset: 02180000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 954057f596c1aac3021c8609ad04e9e87fd90db0e1d8f745c95db2d3cea6564b
Instruction ID: a132fdcf5e81153b0dc4a9ad43e64b2053f6612ec8e80944323a04bbe65cffe3
Opcode Fuzzy Hash: 954057f596c1aac3021c8609ad04e9e87fd90db0e1d8f745c95db2d3cea6564b
Instruction Fuzzy Hash: B541D87421CB889FD794EF6CC488B5AB7E0FBA9315F54495DB489C3261DBB4D480CB02

Uniqueness

Uniqueness Score: -1.00%

Function 02347280, Relevance: 1.3, APIs: 1, Instructions: 13memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE ref: 0234729A

Memory Dump Source

Source File: 00000000.00000002.676050720.0000000002180000.00000040.00000001.sdmp, Offset: 02180000, based on PE: false

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: e4246d9dc9ba8a50c6c63862efe4c3955abf94fd68069e510fa4aac1dae286f1
Instruction ID: c94a2907d39cb5b24b92f3599718050f57c167086638959b0477998d58bd6f3d
Opcode Fuzzy Hash: e4246d9dc9ba8a50c6c63862efe4c3955abf94fd68069e510fa4aac1dae286f1
Instruction Fuzzy Hash: 47C08C3060A2004BDB0C6B38D8A9B1F3AE0FB8C300FA0542DF58FC2290C97EC5C24786

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: Unistore PID: 4600 Parent PID: 7060 UnistoreCOMMON

Executed Functions

Function 023D6DB0, Relevance: 6.3, APIs: 4, Instructions: 340memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE ref: 023D6E15
VirtualProtect.KERNELBASE ref: 023D6F01
VirtualProtect.KERNELBASE ref: 023D711B
RtlAvlRemoveNode.NTDLL ref: 023D716D

Memory Dump Source

Source File: 00000002.00000002.671505764.0000000002210000.00000040.00000001.sdmp, Offset: 02210000, based on PE: false

Similarity

API ID: Virtual$Protect$AllocNodeRemove
String ID:
API String ID: 1018628715-0
Opcode ID: f5ad4ce82ccd153d0ae66c09f5049422d19def1c35f30686fd6acefcd6639f71
Instruction ID: c54882b6ab9d9e7aee826cd90bf2626133ac8fb6351e6ba4a9986d7bb6bc7d0a
Opcode Fuzzy Hash: f5ad4ce82ccd153d0ae66c09f5049422d19def1c35f30686fd6acefcd6639f71
Instruction Fuzzy Hash: 57C1A974218A488FD784EF5CD499B6AB7E1FB98305F51486DF48AC7261DBB4E881CF02

Uniqueness

Uniqueness Score: -1.00%

Function 023D69E0, Relevance: 1.6, APIs: 1, Instructions: 112libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExA.KERNELBASE ref: 023D6A61

Memory Dump Source

Source File: 00000002.00000002.671505764.0000000002210000.00000040.00000001.sdmp, Offset: 02210000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 954057f596c1aac3021c8609ad04e9e87fd90db0e1d8f745c95db2d3cea6564b
Instruction ID: 0b73d1f4f266848f5c75b87fa823186d1de714ec37177fc4983081acfdb5cec1
Opcode Fuzzy Hash: 954057f596c1aac3021c8609ad04e9e87fd90db0e1d8f745c95db2d3cea6564b
Instruction Fuzzy Hash: 4F41D57561CB889FD794EF6CC488B6ABBE0FBA8315F54496DB489C3261D7B4D480CB02

Uniqueness

Uniqueness Score: -1.00%

Function 023D7280, Relevance: 1.3, APIs: 1, Instructions: 13memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE ref: 023D729A

Memory Dump Source

Source File: 00000002.00000002.671505764.0000000002210000.00000040.00000001.sdmp, Offset: 02210000, based on PE: false

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: e4246d9dc9ba8a50c6c63862efe4c3955abf94fd68069e510fa4aac1dae286f1
Instruction ID: c94a2907d39cb5b24b92f3599718050f57c167086638959b0477998d58bd6f3d
Opcode Fuzzy Hash: e4246d9dc9ba8a50c6c63862efe4c3955abf94fd68069e510fa4aac1dae286f1
Instruction Fuzzy Hash: 47C08C3060A2004BDB0C6B38D8A9B1F3AE0FB8C300FA0542DF58FC2290C97EC5C24786

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may encrypt data on target systems or on large numbers of systems in a network to interrupt availability to system and network resources. They can attempt to render stored data inaccessible by encrypting files or data on local and remote drives and withholding access to a decryption key. This may be done in order to extract monetary compensation from a victim in exchange for decryption or a decryption key (ransomware) or to render data permanently inaccessible in cases where the key is not saved or transmitted.In the case of ransomware, it is typical that common user files like Office documents, PDFs, images, videos, audio, text, and source code files will be encrypted. In some cases, adversaries may encrypt critical system files, disk partitions, and the MBR.
Tactics:	Impact
Data Sources:	File monitoring, Kernel drivers, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report Odbc.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Overview

Memory Dumps

Sigma Overview

Signature Overview

AV Detection:

Compliance:

Networking:

Spam, unwanted Advertisements and Ransom Demands:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

Contacted IPs

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Version Infos

Possible Origin

Network Behavior

Code Manipulations

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

System Behavior

Analysis Process: Odbc.exe PID: 7060 Parent PID: 6056

General